Purpose
How to use this page
Use this as a navigation and decision page. Follow the links for detailed control, audit, risk, evidence, and exam notes.
This map separates the ISO/IEC 27002 interpretation layer from the ISO/IEC 27001 requirement layer.
Use this note when you need to answer:
- what the control means in practice;
- what implementation guidance should be considered;
- what evidence proves operation;
- what risk logic explains why the control exists.
Current A.5 interpretation map
| Control | ISO 27001 question | ISO 27002 interpretation focus | ISO 27005 risk logic | Evidence anchor |
|---|---|---|---|---|
| A.5.1 Policies for Information Security | Are policies defined and maintained? | Policy structure, communication, review | Governance reduces inconsistent behavior | Policy Register |
| A.5.2 Information Security Roles and Responsibilities | Are responsibilities assigned? | Role clarity and accountability | Risk/control ownership | Control Owner Register |
| A.5.3 Segregation of Duties | Are conflicting duties separated? | Preventing unchecked authority | Fraud/error/abuse likelihood reduction | Segregation of Duties Matrix |
| A.5.4 Management Responsibilities | Do managers require security behavior? | Management enforcement | Human and culture risk treatment | Management Security Responsibilities Checklist |
| A.5.5 Contact with Authorities | Are authority contacts maintained? | Liaison and escalation | Legal/incident/continuity response | Authority Contact Register |
| A.5.6 Contact with Special Interest Groups | Are specialist groups used? | External knowledge flow | Better risk awareness | Special Interest Group Participation Register |
| A.5.7 Threat Intelligence | Is threat intelligence collected and used? | Contextualized intelligence and action | Risk identification and review | Threat Intelligence Register |
| A.5.8 Information Security in Project Management | Is security built into projects? | Project governance and lifecycle | Project/change risk treatment | Project Security Requirements Register |
| A.5.9 Inventory of Information and Other Associated Assets | Are assets known and owned? | Inventory, ownership, classification | Asset-based risk identification | Information and Associated Asset Inventory |
| A.5.10 Acceptable Use of Information and Other Associated Assets | Are use rules defined? | Handling and acceptable behavior | Misuse/mishandling reduction | Acceptable Use and Information Handling Rules |
| A.5.11 Return of Assets | Are assets returned or removed? | Leaver/mover/contractor return | Loss and lingering access risk | Asset Return Checklist |
| A.5.12 Classification of Information | Is information classified? | Protection need and handling levels | Impact analysis and proportional treatment | Information Classification and Handling Matrix |
| A.5.13 Labelling of Information | Are labels applied? | Making classification actionable | Handling error reduction | Information Classification and Handling Matrix |
| A.5.14 Information Transfer | Are transfers controlled? | Rules, channels, agreements | Leakage/interception/misdirection risk | Information Transfer Rules Matrix |
| A.5.15 Access Control | Are access rules defined? | Business need and least privilege | Unauthorized access reduction | Access Control Matrix |
| A.5.16 Identity Management | Are identities managed? | Identity lifecycle and uniqueness | Orphan/unaccountable identity risk | Identity Lifecycle Register |
| A.5.17 Authentication Information | Are secrets protected? | Credential handling and reset | Credential compromise risk | Authentication Information Handling Standard |
| A.5.18 Access Rights | Are rights provisioned/reviewed/removed? | Actual access vs authorized need | Excessive/stale access risk | Access Rights Request and Review Register |
| A.5.19 Information Security in Supplier Relationships | Are supplier risks managed? | Supplier process and tiering | Third-party exposure risk | Supplier Security Register |
| A.5.20 Addressing Information Security Within Supplier Agreements | Are security terms agreed? | Contractual requirements | Contractual control gap risk | Supplier Security Agreement Requirements Checklist |
| A.5.21 Managing Information Security in the ICT Supply Chain | Is ICT supply-chain risk managed? | Inherited supplier dependency | Supply-chain risk | ICT Supply Chain Risk Register |
| A.5.22 Monitoring, Review and Change Management of Supplier Services | Are suppliers monitored after go-live? | Review, change, incidents, nonconformity | Supplier drift and reassessment | Supplier Service Review and Change Log |
| A.5.23 Information Security for Use of Cloud Services | Are cloud services acquired, used, managed, and exited securely? | Cloud-specific supplier, shared responsibility, data location, and exit guidance | Cloud dependency, configuration, jurisdiction, and exit risk | Cloud Service Register |
| A.5.24 Information Security Incident Management Planning and Preparation | Is incident management planned and communicated before incidents occur? | Incident process, roles, reporting, recovery, and lessons learned | Incident impact reduction, risk monitoring, and corrective action | Incident Management Plan |
| A.5.25 Assessment and Decision on Information Security Events | Are events assessed and classified consistently? | Event triage criteria, categories, decision records, escalation timing | Event-to-incident decision quality and timely escalation | Event Triage and Incident Classification Register |
| A.5.26 Response to Information Security Incidents | Are incidents handled according to documented procedures? | Response playbooks, action logs, roles, management decisions, closure | Incident impact reduction and response accountability | Incident Response Record |
| A.5.27 Learning from Information Security Incidents | Are incident lessons used to improve controls? | Post-incident review, corrective action, training/control updates | Control improvement and recurrence reduction | Incident Lessons Learned Register |
| A.5.28 Collection of Evidence | Is evidence collected and preserved properly? | Evidence procedure, custody logs, restricted storage, forensic copies | Investigation quality and legal defensibility | Evidence Collection and Chain of Custody Log |
| A.5.29 Information Security During Disruption | Does security remain appropriate during disruption? | Security continuity objectives, BIA security requirements, crisis roles, supplier security | Security continuity and crisis control preservation | Information Security Continuity Requirements |
| A.5.30 ICT Readiness for Business Continuity | Can ICT recover according to continuity objectives? | ICT continuity requirements, RTO/RPO, playbooks, tests, supplier continuity | Availability and recovery risk treatment | ICT Continuity Requirements and Test Record |
| A.5.31 Legal, Statutory, Regulatory and Contractual Requirements | Are applicable obligations known, owned, current, and mapped to controls? | Requirements register, control mapping, legal advice, crypto assessment, change traceability | Compliance risk treatment and obligation traceability | Legal and Contractual Requirements Register |
| A.5.32 Intellectual Property Rights | Are IP rights and licence restrictions protected in practice? | IP procedures, software inventory, licence checks, source-code/library/AI review | Legal and contractual risk from unauthorized use or copying | Intellectual Property Rights Register |
| A.5.33 Protection of Records | Are required records protected through retention? | Records inventory, retention schedule, access control, archive/readability checks, disposal evidence | Integrity, availability, confidentiality, and retention compliance | Records Retention and Protection Register |
| A.5.34 Privacy and Protection of PII | Are privacy and PII requirements identified and met? | PII inventory, requirements matrix, access review, training, breach readiness | Privacy compliance and personal-data protection risk | PII Inventory and Privacy Requirements Matrix |
| A.5.35 Independent Review of Information Security | Is security management and implementation independently reviewed? | Review schedule, independence basis, report, findings, corrective action, management reporting | Assurance and improvement risk treatment | Independent Information Security Review Plan and Report |
| A.5.36 Compliance with Policies, Rules and Standards for Information Security | Is compliance with policies and standards regularly reviewed? | Manager reviews, technical checks, authorized tools, findings, retest evidence | Policy drift and technical nonconformity risk treatment | Policy and Technical Compliance Review Register |
| A.5.37 Documented Operating Procedures | Are operating procedures documented, controlled, and available? | Procedure register, version control, approvals, operator awareness, supplier procedures | Operational consistency and error reduction | Operating Procedure Register |
Current A.6 interpretation map
| Control | ISO 27001 question | ISO 27002 interpretation focus | ISO 27005 risk logic | Evidence anchor |
|---|---|---|---|---|
| A.6.1 Screening | Are background verification checks performed before joining and ongoing where justified? | Identity, CV, qualification, reference, gap, proportionality, legal limits, retention, and data protection | Personnel trust, insider misuse, fraud, unauthorized disclosure, and excessive PII collection risk | Personnel Screening Register |
| A.6.2 Terms and Conditions of Employment | Do employment and contractual agreements state information security responsibilities? | Security and legal responsibilities, confidentiality, remote/customer-site work, post-employment duties, personnel data handling, and updates when roles change | Responsibility ambiguity, contractual noncompliance, confidentiality breach, and weak enforceability risk | Security Terms and Conditions Checklist |
| A.6.3 Information Security Awareness Education and Training | Do personnel and relevant interested parties receive appropriate awareness, education, training, and updates? | Baseline awareness, specialist training, role fit, timing before access, content currency, records, and effectiveness metrics | Human error, social engineering, competence, policy nonconformity, and control-operation risk | Security Awareness and Training Plan |
| A.6.4 Disciplinary Process | Is there a formal and communicated process for information security policy violations? | Disciplinary criteria, evidence threshold, fair treatment, proportionality, communication, and closure | Policy non-compliance, deterrence, insider behavior, and security culture risk | Policy Violation and Disciplinary Action Register |
| A.6.5 Responsibilities After Termination or Change of Employment | Are continuing duties and access/asset changes after termination or role change defined and enforced? | Leaver/mover notification, access removal, asset return, urgent cases, continuing confidentiality/legal duties | Stale access, excessive privilege, asset loss, confidentiality breach, and SoD risk | Leaver and Role Change Security Checklist |
| A.6.6 Confidentiality or Non-Disclosure Agreements | Are confidentiality/NDA requirements identified, documented, reviewed, and signed? | Requirement analysis, agreement type, signing before access, legal enforceability, register, and review cycle | Unauthorized disclosure, weak legal protection, contractual confidentiality, and third-party risk | Confidentiality Agreement Register |
| A.6.7 Remote Working | Are security measures implemented when personnel work remotely? | Authorization, remote location, secure connection, endpoint, physical controls, data limits, asset register, non-work use | Off-premises information exposure, endpoint loss, insecure network, unauthorized viewing, and remote access risk | Remote Working Authorization Register |
| A.6.8 Information Security Event Reporting | Can personnel report observed or suspected events through timely appropriate channels? | Event definition, reporting channels, forms, no-blame culture, user awareness, triage linkage, external notification criteria | Delayed detection, under-reporting, incident escalation, risk-data distortion, and missed notification risk | Information Security Event Reporting Channel Register |
Current A.7 interpretation map
| Control | ISO 27001 question | ISO 27002 interpretation focus | ISO 27005 risk logic | Evidence anchor |
|---|---|---|---|---|
| A.7.1 Physical Security Perimeters | Are security perimeters defined and used to protect areas containing information and associated assets? | Zone model, physical boundary completeness, shared premises, emergency routes, out-of-hours access, perimeter review | Unauthorized physical access, tampering, theft, shared-premises bypass, and zone exposure risk | Physical Security Zone Register |
| A.7.2 Physical Entry | Are secure areas protected by appropriate entry controls and access points? | Entry authorization, badges, visitor registration/escort, physical access review, delivery/loading controls, despatch records | Unauthorized entry, visitor movement, badge/key misuse, loading bay bypass, equipment theft, and tampering risk | Secure Area Access Register |
| A.7.3 Securing Offices Rooms and Facilities | Is physical security for offices, rooms, and facilities designed and implemented? | Room/facility risk, information concentration, signage, directories, access clues, specialized controls, control fit | Room-level exposure, target identification, internal information leakage, centralized repository, and facility design risk | Office Room and Facility Security Assessment |
| A.7.4 Physical Security Monitoring | Are premises continuously monitored for unauthorized physical access? | Monitoring scope, alarm response, escalation, tests, false alarms, incident linkage, evidence retention | Unauthorized access detection, delayed response, theft/tampering, physical incident escalation, and false-alarm risk | Physical Security Monitoring Procedure |
| A.7.5 Protecting Against Physical and Environmental Threats | Is protection against physical and environmental threats designed and implemented? | Site hazards, neighbor risks, specialist advice, fire/flood/environmental controls, secondary effects, continuity linkage | Fire, flood, environmental failure, utility failure, hazardous neighbor, civil unrest, and site outage risk | Physical and Environmental Threat Assessment |
| A.7.6 Working in Secure Areas | Are security measures for working in secure areas designed and implemented? | Need-to-know, device restrictions, media movement, supervision, dual control, consistent third-party treatment | Unauthorized disclosure, recording, copying, media removal, unauthorized modification, and weak supervision risk | Secure Area Working Procedure |
| A.7.7 Clear Desk and Clear Screen | Are clear desk and clear screen rules defined and appropriately enforced? | Papers, removable media, screens, printers, faxes, auto-lock, observation, awareness, enforcement | Unattended information exposure, shoulder surfing, photography, removable media loss, printer/fax exposure, and misfiling risk | Clear Desk and Clear Screen Checklist |
| A.7.8 Equipment Siting and Protection | Is equipment securely sited and protected? | Equipment location, environmental exposure, access to network devices, screen visibility, interference, remote equipment, staff use rules | Equipment damage, unauthorized physical access, unauthorized viewing, environmental exposure, interference, remote equipment, and unmanaged asset risk | Equipment Siting and Protection Assessment |
| A.7.9 Security of Assets Off-Premises | Are off-site assets protected? | Authorization, off-site custody, mobile/BYOD protection, long-term loan attestation, leaver return, secure erase, risk acceptance | Off-site loss/theft, BYOD exposure, weak custody, unreturned assets, cross-border exposure, and unmanaged residual risk | Off-Premises Asset Authorization Register |
| A.7.10 Storage Media | Is storage media managed through acquisition, use, transportation, and disposal according to classification and handling rules? | Approved media, inventory, classification, movement, secure transport, key separation, disposal, damaged media, destruction records | Media loss, unauthorized access, insecure transport, poor disposal, damaged media recovery, malware from unapproved media, and classification handling risk | Storage Media Handling Procedure |
| A.7.11 Supporting Utilities | Are information processing facilities protected from failures in supporting utilities? | Utility dependencies, power/cooling/telecoms/water/fire protection, UPS/generator capacity, alarms, emergency lighting, provider agreements, BMS security | Power failure, cooling failure, telecommunications outage, water/site closure, fire protection failure, emergency lighting failure, BMS compromise, and availability risk | Supporting Utility Dependency Register |
| A.7.12 Cabling Security | Are cables protected from interception, interference, or damage? | Cable routes, connectors, labels, segregation, locked cabinets, external junctions, tamper/interception risk | Cable damage, interception, tampering, interference, inaccurate connection, external junction exposure, and availability risk | Cabling Route and Protection Register |
| A.7.13 Equipment Maintenance | Is equipment maintained correctly to protect confidentiality, integrity, and availability? | Maintenance schedules, authorized maintainers, fault logs, escorting, information protection, post-maintenance tamper checks | Equipment failure, unplanned outage, integrity loss, unauthorized maintenance access, information exposure during repair, and tampering risk | Equipment Maintenance Register |
| A.7.14 Secure Disposal or Re-Use of Equipment | Is equipment containing storage media verified before disposal or reuse? | Storage identification, sanitization, overwriting, destruction, licensed software removal, repair dispatch, contractor assurance | Residual data exposure, licensed software leakage, insecure reuse, insecure repair, contractor disposal risk, hidden storage, and privacy/IP compromise | Equipment Disposal and Reuse Register |
Current A.8 interpretation map
| Control | ISO 27001 question | ISO 27002 interpretation focus | ISO 27005 risk logic | Evidence anchor |
|---|---|---|---|---|
| A.8.1 User End Point Devices | Is information stored on, processed by, or accessible through user endpoint devices protected? | Endpoint policy, inventory, baseline controls, patching, malware protection, encryption, remote access, BYOD, session timeout, loss/theft reporting | Endpoint compromise, lost/stolen device, unmanaged BYOD, weak remote access, patch gap, malware, local data exposure, and unattended session risk | Endpoint Device Security Standard |
| A.8.2 Privileged Access Rights | Are privileged access rights restricted and managed? | Business justification, approval, separate privileged IDs, logging, review, emergency access, removal, log protection | Privilege misuse, shared admin account, unlogged admin activity, emergency access abuse, unauthorized change, and stale privilege risk | Privileged Access Register |
| A.8.3 Information Access Restriction | Is access to information and associated assets restricted according to the access control policy? | Owner-approved access rules, application/database role consistency, classification alignment, restricted functions, export controls, dynamic privilege sessions | Excessive access, shared database bypass, unauthorized extraction, maintenance utility misuse, dynamic privilege abuse, and policy enforcement failure | Information Access Rule Matrix |
| A.8.4 Access to Source Code | Is read/write access to source code, development tools, and software libraries appropriately managed? | Repository access, branch protection, code review, CI/CD access, dependency trust, source absence from production, integrity verification | Source disclosure, malicious code modification, compromised build tools, dependency compromise, and release integrity risk | Source Code Access Register |
| A.8.5 Secure Authentication | Are secure authentication technologies and procedures implemented based on access restrictions? | Risk-based authentication, MFA factor quality, failed logon controls, safe error messages, recovery controls, compensating controls | Credential compromise, brute force, account enumeration, weak authentication, and unauthorized access risk | Secure Authentication Standard |
| A.8.6 Capacity Management | Is resource use monitored and adjusted according to current and expected capacity needs? | Monitoring scope, thresholds, trend analysis, forecasting, scaling/tuning, cloud limits, staff capacity | Availability loss, resource exhaustion, service degradation, and capacity-related security failure risk | Capacity Management Plan |
| A.8.7 Protection Against Malware | Is malware protection implemented and supported by user awareness? | Malware protection coverage, updates, background/scheduled scanning, layered scanning, infection response, verification, user awareness | Malware infection, ransomware, credential theft, malicious downloads, outdated protection, lateral movement, and recovery verification risk | Malware Protection Standard |
| A.8.8 Management of Technical Vulnerabilities | Is vulnerability information obtained, exposure evaluated, and appropriate action taken? | Vulnerability intelligence, scanning/testing, exposure evaluation, patch/change control, rollback, retesting, exceptions | Known vulnerability exploitation, delayed patching, incomplete scanning, failed remediation, and residual vulnerability risk | Vulnerability Management Procedure |
| A.8.9 Configuration Management | Are configurations established, documented, implemented, monitored, and reviewed? | Baselines, local tailoring, implementation, monitoring, drift handling, exceptions, review | Insecure default, misconfiguration, unauthorized change, drift, and stale baseline risk | Configuration Baseline Register |
| A.8.10 Information Deletion | Is information deleted when no longer required? | Asset inventory, retention rules, deletion methods, cloud/backup deletion, destruction evidence, secure awaiting-destruction storage | Over-retention, privacy exposure, residual data recovery, cloud/backup persistence, and disposal risk | Information Deletion and Destruction Register |
| A.8.11 Data Masking | Is data masking used according to policy, business requirements, and legislation? | Masking, pseudonymisation, tokenisation, anonymisation, full-data access, lookup segregation, re-identification risk | Sensitive data overexposure, re-identification, test-data leakage, token lookup compromise, and privacy risk | Data Masking Standard |
| A.8.12 Data Leakage Prevention | Are DLP measures applied to systems, networks, and devices processing sensitive information? | Sensitive data scope, approved flows, DLP rules, alerts, false positives, transfer authorization, user awareness | Unauthorized transfer, exfiltration, unapproved cloud sharing, email leakage, removable media leakage, and false-positive fatigue risk | DLP Scope and Rule Register |
| A.8.13 Information Backup | Are backup copies maintained and regularly tested according to backup policy? | Backup scope, frequency, protection, job monitoring, restore tests, off-site/immutable storage, archive recovery | Data loss, ransomware recovery failure, backup breach, untested restore, and continuity failure risk | Backup Policy and Schedule |
| A.8.14 Redundancy of Information Processing Facilities | Is redundancy sufficient to meet availability requirements? | Availability requirements, redundancy architecture, risk assessment, dependency coverage, failover testing, recovery records | Single point of failure, untested failover, dependency outage, replication exposure, and continuity failure risk | Redundancy Requirements and Architecture Register |
| A.8.15 Logging | Are logs produced, stored, protected, and analysed? | Loggable events, log content, retention, protection, SIEM/correlation, alert triage, fault trend analysis | Undetected misuse, weak accountability, tampered evidence, missed incident, alert fatigue, and investigation failure risk | Logging and Monitoring Standard |
| A.8.16 Monitoring Activities | Are networks, systems, and applications monitored for anomalous behaviour and potential incidents evaluated? | Risk-based detection use cases, monitoring sources, IDS/IPS/SIEM/EDR rules, thresholds, correlation, alert triage, and out-of-hours escalation | Undetected attack, lateral movement, blind spots, alert fatigue, missed incident evaluation, and delayed response risk | Monitoring Detection Use Case Register |
| A.8.19 Installation of Software on Operational Systems | Is software installation on operational systems securely managed? | Installation authority, business approval, testing, change records, rollback, licence/support checks, production code protection | Unauthorized software, untested production change, unsupported software, licence exposure, integrity loss, and outage risk | Operational Software Installation Procedure |
| A.8.20 Networks Security | Are networks and network devices secured, managed, and controlled? | Architecture, zoning, network device hardening, routing, public network protection, virtual/cloud networks, monitoring, changes | Unauthorized access, interception, lateral movement, misconfiguration, insecure management path, virtual bypass, and availability risk | Network Security Architecture and Zoning Standard |
| A.8.21 Security of Network Services | Are network service security mechanisms, service levels, and requirements identified, implemented, and monitored? | Provider network services, security features, SLAs, resilience, failover, monitoring, compensating controls | Supplier network service exposure, weak service levels, provider control gap, failover weakness, and availability/security dependency risk | Network Service Security Requirements Register |
| A.8.22 Segregation of Networks | Are groups of services, users, and systems segregated in networks? | Zone design, inter-zone controls, firewall/routing rules, wireless risk, segmentation testing, exceptions | Lateral movement, unauthorized internal access, flat-network exposure, wireless bypass, and cloud segmentation risk | Network Zone and Connection Matrix |
| A.8.23 Web Filtering | Is access to external websites managed to reduce malicious content exposure? | Filtering policy, categories, coverage, exceptions, bypass prevention, alerts, user awareness | Malware download, phishing, command-and-control connection, malicious content exposure, and missed compromise signal risk | Web Filtering Policy and Category Matrix |
| A.8.24 Use of Cryptography | Are rules for effective cryptography and key management defined and implemented? | Crypto policy, approved algorithms, key lifecycle, CA/certificate control, legal checks, escrow/recovery, third-party key services | Key compromise, weak crypto, certificate misuse, legal restriction breach, failed recovery, confidentiality/integrity/authenticity failure risk | Cryptographic Controls Policy |
| A.8.25 Secure Development Life Cycle | Are secure development rules established and applied? | Secure development policy, training, code review, vulnerability remediation, supplier development, standards review | Insecure code, development environment compromise, hidden functionality, supplier development gap, and future production compromise risk | Secure Development Policy |
| A.8.26 Application Security Requirements | Are application security requirements identified, specified, and approved? | Risk-based requirements, approval, transaction controls, cryptography, network security, testing, acquisition | Missing requirements, weak transaction security, insecure acquired application, legal gap, and fraud risk | Application Security Requirements Register |
| A.8.27 Secure System Architecture and Engineering Principles | Are secure engineering principles established, maintained, and applied? | Secure architecture principles, design reviews, threat modelling, deviations, contractor communication, competence | Insecure architecture, weak trust boundaries, retrofitted security, architecture drift, and supplier design risk | Secure Architecture Principles Standard |
| A.8.28 Secure Coding | Are secure coding principles applied to software development? | Language-specific standards, developer awareness, automated review, manual review, generated code, exceptions | Coding vulnerability, hard-coded secret, insecure dependency, unsafe function, generated insecure code, and supplier code risk | Secure Coding Standard |
| A.8.29 Security Testing in Development and Acceptance | Are security testing processes defined and implemented in the development lifecycle? | Test planning, risk-based testing, acceptance criteria, vulnerability remediation, retesting, operations/user involvement | Untested vulnerability, defective input handling, access control failure, unresolved finding, insecure go-live risk | Security Test Plan |
| A.8.30 Outsourced Development | Are outsourced development activities directed, monitored, and reviewed? | Supplier development requirements, contracts, monitoring, deliverable testing, IP rights, audit/assurance, subcontractors | Supplier opacity, insecure outsourced code, hidden functionality, weak supplier assurance, IP dispute, and supply chain risk | Outsourced Development Security Requirements Checklist |
| A.8.31 Separation of Development Test and Production Environments | Are development, test, and production environments separated and secured? | Environment classes, access separation, network controls, production data in test, CI/CD promotion, shared admin paths | Unauthorized production change, test-to-prod compromise, sensitive test data exposure, shared credential, and deployment bypass risk | Development Environment Separation Standard |
| A.8.32 Change Management | Are changes to information processing facilities and systems subject to change management procedures? | Impact assessment, approval, testing, rollback, release records, emergency changes, documentation updates | Unauthorized change, outage, weakened control, failed rollback, configuration drift, and release traceability risk | Change Management Procedure |
| A.8.33 Test Information | Is test information appropriately selected, protected, and managed? | Synthetic data, live-data authorization, masking, access control, output protection, deletion, privacy requirements | Production data leakage, privacy noncompliance, uncontrolled test artifacts, weak deletion, and re-identification risk | Test Information Management Register |
| A.8.34 Protection of Information Systems During Audit Testing | Are audit tests and assurance activities on operational systems planned and agreed? | Test scope, management approval, tools, access logging, disruption control, result protection, independence | Audit-induced outage, uncontrolled tool use, sensitive result exposure, unauthorized access, and weak assurance risk | Audit Testing Plan and Authorization Record |
Related notes
- ISO27001
- Iso27002
- Annex a
- Control guidance
- Mapping
Note Metadata
Aliases: ISO 27002 Control Interpretation Map
Source: 11 ISO 27002 Knowledge Base/ISO 27002 Annex A Control Interpretation Map.md
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.1 - Policies for Information Security
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.11 - Return of Assets
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.13 - Labelling of Information
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.16 - Identity Management
- ISO 27001 A.5.17 - Authentication Information
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.5.19 - Information Security in Supplier Relationships
- ISO 27001 A.5.2 - Information Security Roles and Responsibilities
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- ISO 27001 A.5.21 - Managing Information Security in the ICT Supply Chain
- ISO 27001 A.5.22 - Monitoring, Review and Change Management of Supplier Services
- ISO 27001 A.5.23 - Information Security for Use of Cloud Services
- ISO 27001 A.5.24 - Information Security Incident Management Planning and Preparation
- ISO 27001 A.5.25 - Assessment and Decision on Information Security Events
- ISO 27001 A.5.26 - Response to Information Security Incidents
- ISO 27001 A.5.27 - Learning from Information Security Incidents
- ISO 27001 A.5.28 - Collection of Evidence
- ISO 27001 A.5.29 - Information Security During Disruption
- ISO 27001 A.5.3 - Segregation of Duties
- ISO 27001 A.5.30 - ICT Readiness for Business Continuity
- ISO 27001 A.5.31 - Legal, Statutory, Regulatory and Contractual Requirements
- ISO 27001 A.5.32 - Intellectual Property Rights
- ISO 27001 A.5.33 - Protection of Records
- ISO 27001 A.5.34 - Privacy and Protection of PII
- ISO 27001 A.5.35 - Independent Review of Information Security
- ISO 27001 A.5.36 - Compliance with Policies, Rules and Standards for Information Security
- ISO 27001 A.5.37 - Documented Operating Procedures
- ISO 27001 A.5.4 - Management Responsibilities
- ISO 27001 A.5.5 - Contact with Authorities
- ISO 27001 A.5.6 - Contact with Special Interest Groups
- ISO 27001 A.5.7 - Threat Intelligence
- ISO 27001 A.5.8 - Information Security in Project Management
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- ISO 27001 A.6.1 - Screening
- ISO 27001 A.6.2 - Terms and Conditions of Employment
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
- ISO 27001 A.6.4 - Disciplinary Process
- ISO 27001 A.6.5 - Responsibilities After Termination or Change of Employment
- ISO 27001 A.6.6 - Confidentiality or Non-Disclosure Agreements
- ISO 27001 A.6.7 - Remote Working
- ISO 27001 A.6.8 - Information Security Event Reporting
- A.6 People Controls MOC
- ISO 27001 A.7.1 - Physical Security Perimeters
- ISO 27001 A.7.10 - Storage Media
- ISO 27001 A.7.11 - Supporting Utilities
- ISO 27001 A.7.12 - Cabling Security
- ISO 27001 A.7.13 - Equipment Maintenance
- ISO 27001 A.7.14 - Secure Disposal or Re-Use of Equipment
- ISO 27001 A.7.2 - Physical Entry
- ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities
- ISO 27001 A.7.4 - Physical Security Monitoring
- ISO 27001 A.7.5 - Protecting Against Physical and Environmental Threats
- ISO 27001 A.7.6 - Working in Secure Areas
- ISO 27001 A.7.7 - Clear Desk and Clear Screen
- ISO 27001 A.7.8 - Equipment Siting and Protection
- ISO 27001 A.7.9 - Security of Assets Off-Premises
- A.7 Physical Controls MOC
- ISO 27001 A.8.1 - User End Point Devices
- ISO 27001 A.8.10 - Information Deletion
- ISO 27001 A.8.11 - Data Masking
- ISO 27001 A.8.12 - Data Leakage Prevention
- ISO 27001 A.8.13 - Information Backup
- ISO 27001 A.8.14 - Redundancy of Information Processing Facilities
- ISO 27001 A.8.15 - Logging
- ISO 27001 A.8.16 - Monitoring Activities
- ISO 27001 A.8.19 - Installation of Software on Operational Systems
- ISO 27001 A.8.2 - Privileged Access Rights
- ISO 27001 A.8.20 - Networks Security
- ISO 27001 A.8.21 - Security of Network Services
- ISO 27001 A.8.22 - Segregation of Networks
- ISO 27001 A.8.23 - Web Filtering
- ISO 27001 A.8.24 - Use of Cryptography
- ISO 27001 A.8.25 - Secure Development Life Cycle
- ISO 27001 A.8.26 - Application Security Requirements
- ISO 27001 A.8.27 - Secure System Architecture and Engineering Principles
- ISO 27001 A.8.28 - Secure Coding
- ISO 27001 A.8.29 - Security Testing in Development and Acceptance
- ISO 27001 A.8.3 - Information Access Restriction
- ISO 27001 A.8.30 - Outsourced Development
- ISO 27001 A.8.31 - Separation of Development Test and Production Environments
- ISO 27001 A.8.32 - Change Management
- ISO 27001 A.8.33 - Test Information
- ISO 27001 A.8.34 - Protection of Information Systems During Audit Testing
- ISO 27001 A.8.4 - Access to Source Code
- ISO 27001 A.8.5 - Secure Authentication
- ISO 27001 A.8.6 - Capacity Management
- ISO 27001 A.8.7 - Protection Against Malware
- ISO 27001 A.8.8 - Management of Technical Vulnerabilities
- ISO 27001 A.8.9 - Configuration Management
- A.8 Technological Controls MOC
- A.6 People Controls Implementation Guide
- A.7 Physical Controls Implementation Guide
- A.8 Technological Controls Implementation Guide
- ISO27001-A.5.7 Threat Intelligence
- ISO 27005 Risk Process Notes
- A.5 Controls Implementation Audit Risk Mapping
- A.6 People Controls Implementation Audit Risk Mapping
- A.7 Physical Controls Implementation Audit Risk Mapping
- A.8 Technological Controls Implementation Audit Risk Mapping
- ISO 27002 Knowledge Base
- Asset Threat Vulnerability Risk Control Evidence Data Model
- Acceptable Use and Information Handling Rules
- Access Control Matrix
- Access Rights Request and Review Register
- Application Security Requirements Register
- Asset Return Checklist
- Audit Testing Plan and Authorization Record
- Authentication Information Handling Standard
- Authority Contact Register
- Backup Policy and Schedule
- Cabling Route and Protection Register
- Capacity Management Plan
- Change Management Procedure
- Clear Desk and Clear Screen Checklist
- Cloud Service Register
- Confidentiality Agreement Register
- Configuration Baseline Register
- Template - Control Owner Register
- Cryptographic Controls Policy
- Data Masking Standard
- Development Environment Separation Standard
- DLP Scope and Rule Register
- Endpoint Device Security Standard
- Equipment Disposal and Reuse Register
- Equipment Maintenance Register
- Equipment Siting and Protection Assessment
- Event Triage and Incident Classification Register
- Evidence Collection and Chain of Custody Log
- ICT Continuity Requirements and Test Record
- ICT Supply Chain Risk Register
- Identity Lifecycle Register
- Incident Lessons Learned Register
- Incident Management Plan
- Incident Response Record
- Independent Information Security Review Plan and Report
- Information Access Rule Matrix
- Information and Associated Asset Inventory
- Information Classification and Handling Matrix
- Information Deletion and Destruction Register
- Information Security Continuity Requirements
- Information Security Event Reporting Channel Register
- Information Transfer Rules Matrix
- Intellectual Property Rights Register
- Leaver and Role Change Security Checklist
- Legal and Contractual Requirements Register
- Logging and Monitoring Standard
- Malware Protection Standard
- Template - Management Security Responsibilities Checklist
- Monitoring Detection Use Case Register
- Network Security Architecture and Zoning Standard
- Network Service Security Requirements Register
- Network Zone and Connection Matrix
- Off-Premises Asset Authorization Register
- Office Room and Facility Security Assessment
- Operating Procedure Register
- Operational Software Installation Procedure
- Outsourced Development Security Requirements Checklist
- Personnel Screening Register
- Physical and Environmental Threat Assessment
- Physical Security Monitoring Procedure
- Physical Security Zone Register
- PII Inventory and Privacy Requirements Matrix
- Policy and Technical Compliance Review Register
- Template - Policy Register
- Policy Violation and Disciplinary Action Register
- Privileged Access Register
- Project Security Requirements Register
- Records Retention and Protection Register
- Redundancy Requirements and Architecture Register
- Remote Working Authorization Register
- Secure Architecture Principles Standard
- Secure Area Access Register
- Secure Area Working Procedure
- Secure Authentication Standard
- Secure Coding Standard
- Secure Development Policy
- Security Awareness and Training Plan
- Security Terms and Conditions Checklist
- Security Test Plan
- Template - Segregation of Duties Matrix
- Source Code Access Register
- Special Interest Group Participation Register
- Storage Media Handling Procedure
- Supplier Security Agreement Requirements Checklist
- Supplier Security Register
- Supplier Service Review and Change Log
- Supporting Utility Dependency Register
- Template Control Card
- Test Information Management Register
- Threat Intelligence Register
- Vulnerability Management Procedure
- Web Filtering Policy and Category Matrix
- Annex A Controls MOC
- Audit Evidence Index
- ISO 27001 Overview