UnixTime

Research Note

A.8 Technological Controls MOC

A.5 sets governance rules, A.6 manages people responsibilities, and A.7 protects the physical environment. A.8 tests whether technical systems enforce and evidence those decisions.

On this page

Section focus

A.8 controls protect information through technical safeguards such as endpoint protection, privileged access, access control, malware defense, logging, monitoring, network security, secure development, vulnerability management, and configuration control.

Covered controls

Control Topic Status Main evidence focus
A.8.1 User End Point Devices Protection of information stored, processed, or accessible through user endpoint devices draft Endpoint policy, inventory, MDM, encryption, patching, malware protection, remote access, session locking
A.8.2 Privileged Access Rights Restriction and management of privileged access rights draft Privileged access register, approval, separate admin IDs, logging, emergency access, review/removal
A.8.3 Information Access Restriction Restriction of access to information, assets, application functions, databases, reports, exports, and dynamic support sessions draft Access rule matrix, role configuration, database permission review, export controls, dynamic privilege/session records
A.8.4 Access to Source Code Management of read/write access to source code, development tools, and software libraries draft Repository access, change control, branch protection, CI/CD/build tool access, dependency integrity
A.8.5 Secure Authentication Secure authentication technologies and procedures based on access restrictions and risk draft Authentication standard, MFA configuration, failed logon controls, error message review, compensating controls
A.8.6 Capacity Management Monitoring and adjustment of resource use against current and expected capacity requirements draft Capacity plan, monitoring reports, thresholds, trend forecasts, scaling/tuning actions, staff capacity
A.8.7 Protection Against Malware Malware protection implemented and supported by user awareness draft Malware protection coverage, update status, scan settings, alert logs, infection response, awareness records
A.8.8 Management of Technical Vulnerabilities Technical vulnerability information obtained, exposure evaluated, and appropriate measures taken draft Vulnerability sources, scan/test reports, risk ratings, patch/change records, retests, exceptions
A.8.9 Configuration Management Configurations established, documented, implemented, monitored, and reviewed draft Configuration baselines, system mapping, compliance reports, exceptions, drift alerts, review records
A.8.10 Information Deletion Information deleted when no longer required draft Asset register, retention rules, deletion/destruction records, cloud/backup deletion, secure storage awaiting destruction
A.8.11 Data Masking Data masking used according to access policy, business requirements, and legislation draft Masking standard, decision register, role access, lookup segregation, re-combination logs, re-identification assessment
A.8.12 Data Leakage Prevention DLP measures applied to systems, networks, and devices processing sensitive information draft Sensitive data scope, approved flows, DLP rules, alerts, false positives, transfer approvals
A.8.13 Information Backup Backup copies maintained and regularly tested according to backup policy draft Backup scope, schedule, job logs, restore tests, backup protection, archive recoverability
A.8.14 Redundancy of Information Processing Facilities Redundancy implemented to meet availability requirements draft Availability requirements, redundancy architecture, risk assessments, failover tests, recovery records
A.8.15 Logging Logs produced, stored, protected, and analysed draft Logging standard, log sources, retention, protection, SIEM/rules, alert triage, corrective action
A.8.16 Monitoring Activities Networks, systems, and applications monitored for anomalous behaviour and potential incidents evaluated draft Detection use cases, source coverage, SIEM/IDS/IPS rules, thresholds, triage, escalation
A.8.19 Installation of Software on Operational Systems Software installation on operational systems securely managed draft Installation procedure, change approval, testing, deployment logs, rollback, licence/support checks
A.8.20 Networks Security Networks and network devices secured, managed, and controlled draft Network architecture, zoning, device configuration, access control, monitoring, change records
A.8.21 Security of Network Services Security mechanisms, service levels, and service requirements of network services identified, implemented, and monitored draft Service register, provider security features, SLA/security requirements, monitoring, failover/resilience evidence
A.8.22 Segregation of Networks Groups of services, users, and systems segregated in networks draft Zone model, connection matrix, firewall/routing rules, segmentation tests, wireless assessment
A.8.23 Web Filtering External website access managed to reduce malicious content exposure draft Web filtering policy, category rules, coverage, exceptions, bypass prevention, malicious destination alerts
A.8.24 Use of Cryptography Rules for effective cryptography and key management defined and implemented draft Cryptographic policy, use case register, approved algorithms, key lifecycle, CA/certificate review, legal assessment
A.8.25 Secure Development Life Cycle Rules for secure development of software and systems established and applied draft Secure development policy, training, code review, vulnerability remediation, supplier development checks
A.8.26 Application Security Requirements Application security requirements identified, specified, and approved draft Requirements register, risk traceability, approval, testing, transaction controls, exceptions
A.8.27 Secure System Architecture and Engineering Principles Secure engineering principles established, documented, maintained, and applied draft Architecture principles, design reviews, threat models, deviations, supplier communication
A.8.28 Secure Coding Secure coding principles applied to software development draft Coding standards, developer awareness, automated checks, secure code review, exceptions, generated code review
A.8.29 Security Testing in Development and Acceptance Security testing processes defined and implemented in development lifecycle draft Test plan, acceptance criteria, test results, remediation, retest, sign-off
A.8.30 Outsourced Development Outsourced system development directed, monitored, and reviewed draft Supplier development risk assessment, contract clauses, monitoring records, test/code review evidence, acceptance
A.8.31 Separation of Development Test and Production Environments Development, test, and production environments separated and secured draft Environment inventory, access separation, network restrictions, CI/CD controls, test data approvals, change records
A.8.32 Change Management Changes to information processing facilities and systems subject to change management procedures draft Change request, impact assessment, approval, testing, rollback, implementation log, emergency change review
A.8.33 Test Information Test information appropriately selected, protected, and managed draft Test data register, live-data approval, masking evidence, access review, output protection, deletion record
A.8.34 Protection of Information Systems During Audit Testing Audit tests and assurance activities on operational systems planned and agreed draft Audit test plan, management approval, rules of engagement, tool validation, access logs, results protection

How A.8 differs from A.5-A.7

A.5 sets governance rules, A.6 manages people responsibilities, and A.7 protects the physical environment. A.8 tests whether technical systems enforce and evidence those decisions.

Templates and working records

  • Iso27001
  • Iso27002
  • Annex a
  • Technological controls
  • Moc

Note Metadata

Aliases: A.8 Technological Controls, Technological Controls MOC

Source: 05 Annex A Technological Controls/A.8 Technological Controls MOC.md

Graph-sourced resources

Templates and evidence