Interdependency indicator - ISO/IEC 27002
Control name, control text and example of implementation
Labelling of information
Control ID:
8.2.2
Domain:
8 Asset Management
Subdomain:
8.2 Information Classification

An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organisation.

In a system that implements metadata labelling of information (as the means of applying the classification scheme), count the number of information assets per category.
Classification of information
Control ID:
8.2.1
Domain:
8 Asset Management
Subdomain:
8.2 Information Classification

Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.

Create a list of information assets with their respective identified classification level. Count the number of information assets per classification level.
Access control policy
Control ID:
9.1.1
Domain:
9 Access Control
Subdomain:
9.1 Business requirements of access control

An access control policy should be established, documented and reviewed based on business and information security requirements.

Count the number of systems that are governed by the access control policy.
Information access restriction
Control ID:
9.4.1
Domain:
9 Access Control
Subdomain:
9.4 System and application access control

Access to information and application system functions should be restricted in accordance with the access control policy.

Create a list of the access rights granted to users. Review the list and count the number of resources being accessed.
Access to networks and network services
Control ID:
9.1.2
Domain:
9 Access Control
Subdomain:
9.1 Business requirements of access control

Users should only be provided with access to the network and network services that they have been specifically authorized to use.

Count the number of networks and network services under the control of Access Management.
Secure system engineering principles
Control ID:
14.2.5
Domain:
14 System Acquisition, Development and Maintenance
Subdomain:
14.2 Security in development and support processes

Principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts.

Count the number of secure system engineering principles recorded by the organisation. (Note: each programming language in use should have at least one.)
Information security requirements analysis and specification
Control ID:
14.1.1
Domain:
14 System Acquisition, Development and Maintenance
Subdomain:
14.1 Security requirements of information systems

The information security related requirements should be included in the requirements for new information systems or enhancements to existing information systems.

Review development efforts for new systems. Count the number of information security requirements identified.
Managing changes to supplier services
Control ID:
15.2.2
Domain:
15 Supplier Relationships
Subdomain:
15.2 Supplier service delivery management

Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

Review the change management documentation. Measure the mean time a supplier needs to implement changes successfully.
Monitoring and review of supplier services
Control ID:
15.2.1
Domain:
15 Supplier Relationships
Subdomain:
15.2 Supplier service delivery management

Organisations should regularly monitor, review and audit supplier service delivery.

Count the number of characteristics / items being monitored per supplier.
Information security policy for supplier relationships
Control ID:
15.1.1
Domain:
15 Supplier Relationships
Subdomain:
15.1 Information security in supplier relationships

Information security requirements for mitigating the risks associated with supplier’s access to the organisation’s assets should be agreed with the supplier and documented.

Review the information security policy for supplier relationships.
Information and communication technology supply chain
Control ID:
15.1.3
Domain:
15 Supplier Relationships
Subdomain:
15.1 Information security in supplier relationships

Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain.

Review the relevant agreements and count the number of suppliers and sub-suppliers involved in the provision of critical services.
Addressing security within supplier agreements
Control ID:
15.1.2
Domain:
15 Supplier Relationships
Subdomain:
15.1 Information security in supplier relationships

All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organisation’s information.

Review the relevant agreements and count the number of suppliers connected with the provision of critical services.
