Section focus
A.8 controls protect information through technical safeguards such as endpoint protection, privileged access, access control, malware defense, logging, monitoring, network security, secure development, vulnerability management, and configuration control.
Covered controls
| Control | Topic | Status | Main evidence focus |
|---|---|---|---|
| A.8.1 User End Point Devices | Protection of information stored, processed, or accessible through user endpoint devices | draft | Endpoint policy, inventory, MDM, encryption, patching, malware protection, remote access, session locking |
| A.8.2 Privileged Access Rights | Restriction and management of privileged access rights | draft | Privileged access register, approval, separate admin IDs, logging, emergency access, review/removal |
| A.8.3 Information Access Restriction | Restriction of access to information, assets, application functions, databases, reports, exports, and dynamic support sessions | draft | Access rule matrix, role configuration, database permission review, export controls, dynamic privilege/session records |
| A.8.4 Access to Source Code | Management of read/write access to source code, development tools, and software libraries | draft | Repository access, change control, branch protection, CI/CD/build tool access, dependency integrity |
| A.8.5 Secure Authentication | Secure authentication technologies and procedures based on access restrictions and risk | draft | Authentication standard, MFA configuration, failed logon controls, error message review, compensating controls |
| A.8.6 Capacity Management | Monitoring and adjustment of resource use against current and expected capacity requirements | draft | Capacity plan, monitoring reports, thresholds, trend forecasts, scaling/tuning actions, staff capacity |
| A.8.7 Protection Against Malware | Malware protection implemented and supported by user awareness | draft | Malware protection coverage, update status, scan settings, alert logs, infection response, awareness records |
| A.8.8 Management of Technical Vulnerabilities | Technical vulnerability information obtained, exposure evaluated, and appropriate measures taken | draft | Vulnerability sources, scan/test reports, risk ratings, patch/change records, retests, exceptions |
| A.8.9 Configuration Management | Configurations established, documented, implemented, monitored, and reviewed | draft | Configuration baselines, system mapping, compliance reports, exceptions, drift alerts, review records |
| A.8.10 Information Deletion | Information deleted when no longer required | draft | Asset register, retention rules, deletion/destruction records, cloud/backup deletion, secure storage awaiting destruction |
| A.8.11 Data Masking | Data masking used according to access policy, business requirements, and legislation | draft | Masking standard, decision register, role access, lookup segregation, re-combination logs, re-identification assessment |
| A.8.12 Data Leakage Prevention | DLP measures applied to systems, networks, and devices processing sensitive information | draft | Sensitive data scope, approved flows, DLP rules, alerts, false positives, transfer approvals |
| A.8.13 Information Backup | Backup copies maintained and regularly tested according to backup policy | draft | Backup scope, schedule, job logs, restore tests, backup protection, archive recoverability |
| A.8.14 Redundancy of Information Processing Facilities | Redundancy implemented to meet availability requirements | draft | Availability requirements, redundancy architecture, risk assessments, failover tests, recovery records |
| A.8.15 Logging | Logs produced, stored, protected, and analysed | draft | Logging standard, log sources, retention, protection, SIEM/rules, alert triage, corrective action |
| A.8.16 Monitoring Activities | Networks, systems, and applications monitored for anomalous behaviour and potential incidents evaluated | draft | Detection use cases, source coverage, SIEM/IDS/IPS rules, thresholds, triage, escalation |
| A.8.19 Installation of Software on Operational Systems | Software installation on operational systems securely managed | draft | Installation procedure, change approval, testing, deployment logs, rollback, licence/support checks |
| A.8.20 Networks Security | Networks and network devices secured, managed, and controlled | draft | Network architecture, zoning, device configuration, access control, monitoring, change records |
| A.8.21 Security of Network Services | Security mechanisms, service levels, and service requirements of network services identified, implemented, and monitored | draft | Service register, provider security features, SLA/security requirements, monitoring, failover/resilience evidence |
| A.8.22 Segregation of Networks | Groups of services, users, and systems segregated in networks | draft | Zone model, connection matrix, firewall/routing rules, segmentation tests, wireless assessment |
| A.8.23 Web Filtering | External website access managed to reduce malicious content exposure | draft | Web filtering policy, category rules, coverage, exceptions, bypass prevention, malicious destination alerts |
| A.8.24 Use of Cryptography | Rules for effective cryptography and key management defined and implemented | draft | Cryptographic policy, use case register, approved algorithms, key lifecycle, CA/certificate review, legal assessment |
| A.8.25 Secure Development Life Cycle | Rules for secure development of software and systems established and applied | draft | Secure development policy, training, code review, vulnerability remediation, supplier development checks |
| A.8.26 Application Security Requirements | Application security requirements identified, specified, and approved | draft | Requirements register, risk traceability, approval, testing, transaction controls, exceptions |
| A.8.27 Secure System Architecture and Engineering Principles | Secure engineering principles established, documented, maintained, and applied | draft | Architecture principles, design reviews, threat models, deviations, supplier communication |
| A.8.28 Secure Coding | Secure coding principles applied to software development | draft | Coding standards, developer awareness, automated checks, secure code review, exceptions, generated code review |
| A.8.29 Security Testing in Development and Acceptance | Security testing processes defined and implemented in development lifecycle | draft | Test plan, acceptance criteria, test results, remediation, retest, sign-off |
| A.8.30 Outsourced Development | Outsourced system development directed, monitored, and reviewed | draft | Supplier development risk assessment, contract clauses, monitoring records, test/code review evidence, acceptance |
| A.8.31 Separation of Development Test and Production Environments | Development, test, and production environments separated and secured | draft | Environment inventory, access separation, network restrictions, CI/CD controls, test data approvals, change records |
| A.8.32 Change Management | Changes to information processing facilities and systems subject to change management procedures | draft | Change request, impact assessment, approval, testing, rollback, implementation log, emergency change review |
| A.8.33 Test Information | Test information appropriately selected, protected, and managed | draft | Test data register, live-data approval, masking evidence, access review, output protection, deletion record |
| A.8.34 Protection of Information Systems During Audit Testing | Audit tests and assurance activities on operational systems planned and agreed | draft | Audit test plan, management approval, rules of engagement, tool validation, access logs, results protection |
How A.8 differs from A.5-A.7
A.5 sets governance rules, A.6 manages people responsibilities, and A.7 protects the physical environment. A.8 tests whether technical systems enforce and evidence those decisions.
Related concepts
- Risk Assessment
- Statement of Applicability
- Internal Audit
- A.5.15 Access Control
- A.5.16 Identity Management
- A.5.17 Authentication Information
- A.5.18 Access Rights
- A.6.7 Remote Working
- A.7.9 Security of Assets Off-Premises
- ISO 27002 Annex A Control Interpretation Map
- A.8 Technological Controls Implementation Audit Risk Mapping
Templates and working records
- Endpoint Device Security Standard
- Endpoint Device Inventory and Compliance Register
- Endpoint Loss or Theft Response Checklist
- Remote Access and Endpoint Connection Checklist
- Privileged Access Register
- Privileged Access Review Checklist
- Emergency Privileged Access Record
- Privileged Activity Log Review Checklist
- Information Access Rule Matrix
- Information Access Restriction Review Checklist
- Dynamic Privilege Session Record
- Sensitive Function and Export Control Checklist
- Source Code Access Register
- Development Tool and Library Integrity Checklist
- Source Code Change Control Checklist
- Secure Authentication Standard
- Authentication Mechanism Review Checklist
- Authentication Exception and Compensating Control Record
- Capacity Management Plan
- Capacity Monitoring and Forecast Register
- Critical System Capacity Review Checklist
- Malware Protection Standard
- Malware Protection Coverage and Update Register
- Malware Infection Response Record
- Malware Awareness Checklist
- Vulnerability Management Procedure
- Vulnerability Register and Remediation Tracker
- Patch Testing and Rollback Checklist
- Vulnerability Exception and Risk Acceptance Record
- Configuration Baseline Register
- Configuration Exception and Risk Acceptance Record
- Configuration Compliance Review Checklist
- Configuration Drift Alert Review Record
- Information Deletion and Destruction Register
- Information Retention and Deletion Rules
- Cloud and Backup Deletion Checklist
- Data Masking Standard
- Data Masking Decision Register
- Re-Identification Risk Assessment
- DLP Scope and Rule Register
- Approved Sensitive Data Flow Register
- DLP Alert Review and Tuning Log
- Sensitive Data Transfer Approval Record
- Backup Policy and Schedule
- Backup and Restore Test Record
- Backup Scope and Coverage Register
- Long-Term Archive Recoverability Checklist
- Redundancy Requirements and Architecture Register
- Redundancy Failover Test Record
- Availability Requirement Mapping
- Logging and Monitoring Standard
- Log Source and Retention Register
- Log Review and Alert Triage Record
- Log Integrity and Access Review Checklist
- Monitoring Detection Use Case Register
- Monitoring Coverage and Data Source Map
- Monitoring Alert Threshold Review
- Out-of-Hours Monitoring Escalation Checklist
- Operational Software Installation Procedure
- Operational Software Release and Installation Record
- Software Rollback and Fallback Checklist
- Software Licence and Support Verification Checklist
- Network Security Architecture and Zoning Standard
- Network Device Configuration and Change Review
- Network Monitoring and Corrective Action Register
- Virtual Network and Hypervisor Security Review
- Network Service Security Requirements Register
- Network Service Provider Review Checklist
- Network Service SLA and Security Feature Review
- Network Zone and Connection Matrix
- Network Segmentation Test Checklist
- Wireless Network Security Assessment
- Web Filtering Policy and Category Matrix
- Web Filtering Exception Register
- Web Filtering Coverage Review
- Cryptographic Controls Policy
- Cryptographic Use Case and Algorithm Register
- Cryptographic Key Management Register
- Certificate Authority and Certificate Review
- Key Escrow and Emergency Recovery Checklist
- Cryptographic Legal Requirements Assessment
- Secure Development Policy
- Secure Development Compliance Review Checklist
- Secure Code Review Record
- Developer Security Training Matrix
- Application Security Requirements Register
- Application Transaction Security Checklist
- Application Security Requirements Approval Record
- Secure Architecture Principles Standard
- Security Architecture Review Record
- Security Engineering Deviation Record
- Secure Coding Standard
- Secure Coding Compliance Review Checklist
- Secure Coding Exception Record
- AI-Generated Code Security Review Checklist
- Security Test Plan
- Security Acceptance Criteria Checklist
- Security Test Results and Remediation Tracker
- Security Acceptance Sign-Off Record
- Outsourced Development Security Requirements Checklist
- Outsourced Development Review Register
- Supplier Development Evidence Request List
- Development Environment Separation Standard
- Development Test Production Separation Checklist
- Test Data Security Approval Record
- Change Management Procedure
- Change Request and Security Impact Assessment
- Emergency Change Record
- Release and Rollback Plan
- Test Information Management Register
- Test Data Protection Checklist
- Audit Testing Plan and Authorization Record
- Audit Tool Validation Record
- A.8.1 Audit Checklist
- A.8.2 Audit Checklist
- A.8.3 Audit Checklist
- A.8.4 Audit Checklist
- A.8.5 Audit Checklist
- A.8.6 Audit Checklist
- A.8.7 Audit Checklist
- A.8.8 Audit Checklist
- A.8.9 Audit Checklist
- A.8.10 Audit Checklist
- A.8.11 Audit Checklist
- A.8.12 Audit Checklist
- A.8.13 Audit Checklist
- A.8.14 Audit Checklist
- A.8.15 Audit Checklist
- A.8.16 Audit Checklist
- A.8.19 Audit Checklist
- A.8.20 Audit Checklist
- A.8.21 Audit Checklist
- A.8.22 Audit Checklist
- A.8.23 Audit Checklist
- A.8.24 Audit Checklist
- A.8.25 Audit Checklist
- A.8.26 Audit Checklist
- A.8.27 Audit Checklist
- A.8.28 Audit Checklist
- A.8.29 Audit Checklist
- A.8.30 Audit Checklist
- A.8.31 Audit Checklist
- A.8.32 Audit Checklist
- A.8.33 Audit Checklist
- A.8.34 Audit Checklist
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Moc
Note Metadata
Aliases: A.8 Technological Controls, Technological Controls MOC
Source: 05 Annex A Technological Controls/A.8 Technological Controls MOC.md
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
- A.8.1 Audit Checklist
- A.8.2 Audit Checklist
- A.8.3 Audit Checklist
- A.8.4 Audit Checklist
- A.8.5 Audit Checklist
- A.8.6 Audit Checklist
- A.8.7 Audit Checklist
- A.8.8 Audit Checklist
- A.8.9 Audit Checklist
- A.8.10 Audit Checklist
- A.8.11 Audit Checklist
- A.8.12 Audit Checklist
- A.8.13 Audit Checklist
- A.8.14 Audit Checklist
- A.8.15 Audit Checklist
- A.8.16 Audit Checklist
- A.8.19 Audit Checklist
- A.8.20 Audit Checklist
- A.8.21 Audit Checklist
- A.8.22 Audit Checklist
- A.8.23 Audit Checklist
- A.8.24 Audit Checklist
- A.8.25 Audit Checklist
- A.8.26 Audit Checklist
- A.8.27 Audit Checklist
- A.8.28 Audit Checklist
- A.8.29 Audit Checklist
- A.8.30 Audit Checklist
- A.8.31 Audit Checklist
- A.8.32 Audit Checklist
- A.8.33 Audit Checklist
- A.8.34 Audit Checklist
- Audit Testing Plan and Authorization Record
- Audit Tool Validation Record
- Development Test Production Separation Checklist
- Supplier Development Evidence Request List
Related Notes
- Internal Audit
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.16 - Identity Management
- ISO 27001 A.5.17 - Authentication Information
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.6.7 - Remote Working
- ISO 27001 A.7.9 - Security of Assets Off-Premises
- ISO 27001 A.8.1 - User End Point Devices
- ISO 27001 A.8.10 - Information Deletion
- ISO 27001 A.8.11 - Data Masking
- ISO 27001 A.8.12 - Data Leakage Prevention
- ISO 27001 A.8.13 - Information Backup
- ISO 27001 A.8.14 - Redundancy of Information Processing Facilities
- ISO 27001 A.8.15 - Logging
- ISO 27001 A.8.16 - Monitoring Activities
- ISO 27001 A.8.19 - Installation of Software on Operational Systems
- ISO 27001 A.8.2 - Privileged Access Rights
- ISO 27001 A.8.20 - Networks Security
- ISO 27001 A.8.21 - Security of Network Services
- ISO 27001 A.8.22 - Segregation of Networks
- ISO 27001 A.8.23 - Web Filtering
- ISO 27001 A.8.24 - Use of Cryptography
- ISO 27001 A.8.25 - Secure Development Life Cycle
- ISO 27001 A.8.26 - Application Security Requirements
- ISO 27001 A.8.27 - Secure System Architecture and Engineering Principles
- ISO 27001 A.8.28 - Secure Coding
- ISO 27001 A.8.29 - Security Testing in Development and Acceptance
- ISO 27001 A.8.3 - Information Access Restriction
- ISO 27001 A.8.30 - Outsourced Development
- ISO 27001 A.8.31 - Separation of Development Test and Production Environments
- ISO 27001 A.8.32 - Change Management
- ISO 27001 A.8.33 - Test Information
- ISO 27001 A.8.34 - Protection of Information Systems During Audit Testing
- ISO 27001 A.8.4 - Access to Source Code
- ISO 27001 A.8.5 - Secure Authentication
- ISO 27001 A.8.6 - Capacity Management
- ISO 27001 A.8.7 - Protection Against Malware
- ISO 27001 A.8.8 - Management of Technical Vulnerabilities
- ISO 27001 A.8.9 - Configuration Management
- A.8 Technological Controls Implementation Guide
- ISO 27001 Implementer Guide
- A.8 Technological Controls Implementation Audit Risk Mapping
- ISO 27001 Implementer Auditor ISO 27005 Mapping
- ISO 27002 Annex A Control Interpretation Map
- A.8.1 Audit Checklist
- A.8.10 Audit Checklist
- A.8.11 Audit Checklist
- A.8.12 Audit Checklist
- A.8.13 Audit Checklist
- A.8.14 Audit Checklist
- A.8.15 Audit Checklist
- A.8.16 Audit Checklist
- A.8.19 Audit Checklist
- A.8.2 Audit Checklist
- A.8.20 Audit Checklist
- A.8.21 Audit Checklist
- A.8.22 Audit Checklist
- A.8.23 Audit Checklist
- A.8.24 Audit Checklist
- A.8.25 Audit Checklist
- A.8.26 Audit Checklist
- A.8.27 Audit Checklist
- A.8.28 Audit Checklist
- A.8.29 Audit Checklist
- A.8.3 Audit Checklist
- A.8.30 Audit Checklist
- A.8.31 Audit Checklist
- A.8.32 Audit Checklist
- A.8.33 Audit Checklist
- A.8.34 Audit Checklist
- A.8.4 Audit Checklist
- A.8.5 Audit Checklist
- A.8.6 Audit Checklist
- A.8.7 Audit Checklist
- A.8.8 Audit Checklist
- A.8.9 Audit Checklist
- AI-Generated Code Security Review Checklist
- Application Security Requirements Approval Record
- Application Security Requirements Register
- Application Transaction Security Checklist
- Approved Sensitive Data Flow Register
- Audit Testing Plan and Authorization Record
- Audit Tool Validation Record
- Authentication Exception and Compensating Control Record
- Authentication Mechanism Review Checklist
- Availability Requirement Mapping
- Backup and Restore Test Record
- Backup Policy and Schedule
- Backup Scope and Coverage Register
- Capacity Management Plan
- Capacity Monitoring and Forecast Register
- Certificate Authority and Certificate Review
- Change Management Procedure
- Change Request and Security Impact Assessment
- Cloud and Backup Deletion Checklist
- Configuration Baseline Register
- Configuration Compliance Review Checklist
- Configuration Drift Alert Review Record
- Configuration Exception and Risk Acceptance Record
- Critical System Capacity Review Checklist
- Cryptographic Controls Policy
- Cryptographic Key Management Register
- Cryptographic Legal Requirements Assessment
- Cryptographic Use Case and Algorithm Register
- Data Masking Decision Register
- Data Masking Standard
- Developer Security Training Matrix
- Development Environment Separation Standard
- Development Test Production Separation Checklist
- Development Tool and Library Integrity Checklist
- DLP Alert Review and Tuning Log
- DLP Scope and Rule Register
- Dynamic Privilege Session Record
- Emergency Change Record
- Emergency Privileged Access Record
- Endpoint Device Inventory and Compliance Register
- Endpoint Device Security Standard
- Endpoint Loss or Theft Response Checklist
- Information Access Restriction Review Checklist
- Information Access Rule Matrix
- Information Deletion and Destruction Register
- Information Retention and Deletion Rules
- Key Escrow and Emergency Recovery Checklist
- Log Integrity and Access Review Checklist
- Log Review and Alert Triage Record
- Log Source and Retention Register
- Logging and Monitoring Standard
- Long-Term Archive Recoverability Checklist
- Malware Awareness Checklist
- Malware Infection Response Record
- Malware Protection Coverage and Update Register
- Malware Protection Standard
- Monitoring Alert Threshold Review
- Monitoring Coverage and Data Source Map
- Monitoring Detection Use Case Register
- Network Device Configuration and Change Review
- Network Monitoring and Corrective Action Register
- Network Security Architecture and Zoning Standard
- Network Segmentation Test Checklist
- Network Service Provider Review Checklist
- Network Service Security Requirements Register
- Network Service SLA and Security Feature Review
- Network Zone and Connection Matrix
- Operational Software Installation Procedure
- Operational Software Release and Installation Record
- Out-of-Hours Monitoring Escalation Checklist
- Outsourced Development Review Register
- Outsourced Development Security Requirements Checklist
- Patch Testing and Rollback Checklist
- Privileged Access Register
- Privileged Access Review Checklist
- Privileged Activity Log Review Checklist
- Re-Identification Risk Assessment
- Redundancy Failover Test Record
- Redundancy Requirements and Architecture Register
- Release and Rollback Plan
- Remote Access and Endpoint Connection Checklist
- Secure Architecture Principles Standard
- Secure Authentication Standard
- Secure Code Review Record
- Secure Coding Compliance Review Checklist
- Secure Coding Exception Record
- Secure Coding Standard
- Secure Development Compliance Review Checklist
- Secure Development Policy
- Security Acceptance Criteria Checklist
- Security Acceptance Sign-Off Record
- Security Architecture Review Record
- Security Engineering Deviation Record
- Security Test Plan
- Security Test Results and Remediation Tracker
- Sensitive Data Transfer Approval Record
- Sensitive Function and Export Control Checklist
- Software Licence and Support Verification Checklist
- Software Rollback and Fallback Checklist
- Source Code Access Register
- Source Code Change Control Checklist
- Supplier Development Evidence Request List
- Test Data Protection Checklist
- Test Data Security Approval Record
- Test Information Management Register
- Virtual Network and Hypervisor Security Review
- Vulnerability Exception and Risk Acceptance Record
- Vulnerability Management Procedure
- Vulnerability Register and Remediation Tracker
- Web Filtering Coverage Review
- Web Filtering Exception Register
- Web Filtering Policy and Category Matrix
- Wireless Network Security Assessment
- ISO 27001 Overview