The 'control cross check' spreadsheet characterises or classifies the controls recommended by ISO/IEC 27002 according to typ
... while the objectives are primarily to ensure confidentiality, integrity or availability of information assets, often more than o
Other classifications are possible. Furthermore, you may disagree with the particular classifications we have assigned to each
starting point for discussion. Feel free to modify this as you wish.
One way to use the cross check spreadsheet is to identify any controls that are excluded from your Statement of Applicability,
appropriate to your circumstances, in the spreadsheet. Then look down the columns to check that you still have a reasonable
set.
You may also use this spreadsheet when deciding how to treat identified risks, choosing a balanced set of controls giving defe
Copyright
This work is copyright © 2010, ISO27k Forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommerci
reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (
www.ISO27001security.com, and (c) if they are published or shared, derivative works are shared under the same terms as this.
Control Cross Check
5 Security policy
5.1 Information security policy
5.1.1 Information Security Policy document P P P P P P P P
5.1.2 Review of the information security policy P P P P P P P P
6 Organization of information security
6.1 Internal Organization
6.1.1 Management commitment to information security P P P P P P P P
6.1.2 Information security coordination P P P P P P P
6.1.3 Allocation of information security responsibilities P P P P P P P P
6.1.4 Authorization process for information processing facilities P P P P
6.1.5 Confidentiality agreements P P P
6.1.6 Contact with authorities P P P P P
6.1.7 Contact with special interest groups P P P P P P
6.1.8 Independent review of information security P P P P P P P P
6.2 External Parties
6.2.1 Identification of risks related to external parties P P P P P P
6.2.2 Addressing security when dealing with customers P P P P P P
6.2.3 Addressing security in third party agreements P P P P P P P P P
7 Asset Management
7.1 Responsibility for Assets
7.1.1 Inventory of Assets P P P P P P
7.1.2 Ownership of assets P P P P P P P P
7.1.3 Acceptable use of assets P P P P P
7.2 Information classification
7.2.1 Classification guidelines P P P
7.2.2 Information labelling and handling P P P P P P
8 Human Resources Security
8.1 Prior to employment
8.1.1 Roles and responsibilities P P P P P
8.1.2 Screening P P P P P
8.1.3 Terms and conditions of employment P P P P P
8.2 During employment
8.2.1 Management responsibilities P P P P P P P
8.2.2 Information security awareness, education and training P P P P P P P
8.2.3 Disciplinary process P P P P P P P
8.3 Termination or change of employment
8.3.1 Termination responsibilities P P P P P
8.3.2 Return of assets P P P P
8.3.3 Removal of access rights P P P P P
9 Physical and Environmental Security
9.1 Secure Areas
9.1.1 Physical security perimeter P P P P P P
9.1.2 Physical entry controls P P P P P P P
9.1.3 Securing offices, rooms and facilities P P P P P P P
9.1.4 Protecting against external and environmental attacks P P P
9.1.5 Working in secure areas P P P P P
9.1.6 Public access, delivery and loading areas P P P P P P
9.2 Equipment security
9.2.1 Equipment siting and protection P P P P P P
9.2.2 Supporting utilities P P P P P
384634629.xls 36