| Policy element | Exists? | Checked? | Mapped? | Type |
|---|---|---|---|---|
| ISO 27001 elements | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-0.2 Process approach | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-0.3 The ISMS follows the ISO standards | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-1 Establishment of the ISMS | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-4.2.1 Risk Management and Risk-appropriate Controls | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-4.2.2 Implementation and Operation | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-4.2.3 ISMS Monitoring and Review | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-4.2.4 ISMS Maintenance and Improvement | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-4.3.1 General Documentation | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-4.3.2 Control of Documents | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-4.3.3 Control of Records | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-5.1 Management Commitment | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-5.2.1 Resource Management - Provision of Resources | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-5.2.2 Resource Management - Training, awareness, and competence | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-6 Internal ISMS audit | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-7 Management Review of the ISMS | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-8 Continual Improvement | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A (normative) Control Objectives and Controls | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.5 Security Policy | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.6.1 Internal Organization | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.6.2 External Parties | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.7 Asset Responsibility and Classification | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.8.1 Personnel - Prior to employment | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.8.2-3 Personnel - During and After Employment | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.9.1 Physical - Premises Controls | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.9.2 Physical - Equipment security | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.10.1 Operational Procedures and Responsibilities | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.10.2 Third Party Service Delivery Management | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.10.3 System Planning and Acceptance | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.10.4-5 Malicious code and Backup Protections | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.10.6-7 Network Security Management and Media Handling | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.10.8-9 Information Exchanges and Electronic Commerce | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.10.10 Monitoring | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.11.1-2 Access Controls | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.11.3 User Responsibilities | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.11.4 Network Access Control | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.11.5 Operating System Access Controls | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.11.6-7 Application, Information, and Mobile Computing Controls | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.12.1-2 System acquisition, development, and maintenance | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.12.3-4 Cryptographic and file system controls | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.12.5 Security in the development process | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.12.6 Technical vulnerability management | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.13 Incident Management | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.14 Business Continuity Management | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-A.15 Compliance | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISMS-B (informative) OECD Principles | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO 27002 elements | | | | |
| ISO-4 - Risk assessment and treatment | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-4.1 - Assessing security risks | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-4.2 - Treating security risks | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-5 - Security Policy | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-5.1 - Information security policy | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-5.1.1 - Information security policy document | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-5.1.2 - Review and evaluation | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-6 - Organization of information security | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-6.1 - Internal organization | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-6.1.1 - Management commitment in information security | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-6.1.2 - Information security coordination | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-6.1.3 - Allocation of information security responsibilities | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-6.1.4 - Authorization process for information processing facilities | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-6.1.5 - Confidentiality agreements | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-6.1.6 - Contact with authorities | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-6.1.7 - Contact with special interest groups | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-6.1.8 - Independent review of information security | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-6.2 - External parties | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-6.2.1 - Identification of risks related to external parties | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-6.2.2 - Addressing security when dealing with customers | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-6.2.3 - Addressing security in third party agreements | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-7 - Asset management | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-7.1 - Responsibility for assets | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-7.1.1 - Inventory of Assets | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-7.1.2 - Ownership of assets | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-7.1.3 - Acceptable use of assets | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-7.2 - Information classification | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-7.2.1 - Classification guidelines | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-7.2.2 - Information labeling and handling | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-8 - Human resources security | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-8.1 - Prior to employment | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-8.1.1 - Roles and responsibilities | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-8.1.2 - Screening | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-8.1.3 - Terms and conditions of employment | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-8.2 - During employment | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-8.2.1 - Management | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-8.2.2 - Information security education, awareness, and training | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-8.2.3 - Disciplinary process | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-8.3 - Termination or change of employment | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-8.3.1 - Termination responsibilities | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-8.3.2 - Return of assets | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-8.3.3 - Removal of access rights | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-9 - Physical and environmental security | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-9.1 - Secure areas | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-9.1.1 - Physical security perimeter | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-9.1.2 - Physical entry controls | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-9.1.3 - Securing offices, rooms, and facilities | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-9.1.4 - Protecting against external and environmental threats | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-9.1.5 - Working in secure areas | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-9.1.6 - Public access, delivery, and loading areas | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-9.2 - Equipment security | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-9.2.1 - Equipment siting and protection | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-9.2.2 - Supporting utilities | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-9.2.3 - Cabling security | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-9.2.4 - Equipment maintenance | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-9.2.5 - Security of equipment off-premises | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-9.2.6 - Secure disposal or reuse of equipment | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-9.2.7 - Removal of property | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10 - Communications and operations management | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.1 - Operational procedures and responsibilities | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.1.1 - Documented operating procedures | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.1.2 - Change management | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.1.3 - Segregation of duties | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.1.4 - Separation of development, test, and operating facilities | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.2 - Third party service delivery management | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.2.1 - Service delivery | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.2.2 - Monitoring and review of third party services | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.2.3 - Managing changes to third party services | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.3 - System planning and acceptance | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.3.1 - Capacity management | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.3.2 - System acceptance | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.4 - Protection against malicious and mobile code | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.4.1 - Controls against malicious code | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.4.2 - Controls against mobile code | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.5 - Backup | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.5.1 - Information backup | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.6 - Network security management | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.6.1 - Network controls | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.6.2 - Security of network services | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.7 - Media handling | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.7.1 - Management of removable media | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.7.2 - Disposal of media | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.7.3 - Information handling procedures | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.7.4 - Security of system documentation | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.8 - Exchange of information | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.8.1 - Information exchange policies and procedures | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.8.2 - Exchange agreements | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.8.3 - Physical media in transit | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.8.4 - Electronic messaging | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.8.5 - Business information systems | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.9 - Electronic commerce services | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.9.1 - Electronic commerce | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.9.2 - On-line transactions | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.9.3 - Publicly available information | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.10 - Monitoring | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.10.1 - Audit logging | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.10.2 - Monitoring system use | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.10.3 - Protection of log information | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.10.4 - Administrator and operator logs | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.10.5 - Fault logging | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-10.10.6 - Clock synchronization | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11 - Access control | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.1 - Business requirement for access control | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.1.1 - Access control policy | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.2 - User access management | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.2.1 - User registration | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.2.2 - Privilege management | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.2.3 - User password management | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.2.4 - Review of user access rights | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.3 - User responsibilities | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.3.1 - Password use | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.3.2 - Unattended user equipment | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.3.3 - Clear desk and clear screen policy | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.4 - Network access control | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.4.1 - Policy on use of network services | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.4.2 - User authentication for external connections | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.4.3 - Equipment identification in networks | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.4.4 - Remote diagnostic and configuration port protection | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.4.5 - Segregation in networks | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.4.6 - Network connection control | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.4.7 - Network routing control | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.5 - Operating system access control | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.5.1 - Server login control | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.5.2 - User identification and authentication | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.5.3 - Password management system | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.5.4 - Use of system utilities | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.5.5 - Session time-out | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.5.6 - Limitation of connection time | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.6 - Application and information access control | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.6.1 - Information access restriction | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.6.2 - Sensitive system isolation | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.7 - Mobile computing and teleworking | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.7.1 - Mobile computing and communications | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-11.7.2 - Teleworking | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12 - Information system acquisition, development & maintenance | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.1 - Security requirements of information systems | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.1.1 - Security requirements analysis and specification | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.2 - Correct processing in applications | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.2.1 - Input data validation | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.2.2 - Control of internal processing | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.2.3 - Message integrity | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.2.4 - Output data validation | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.3 - Cryptographic controls | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.3.1 - Policy on the use of cryptographic controls | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.3.2 - Key management | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.4 - Security of system files | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.4.1 - Control of operational software | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.4.2 - Protection of system test data | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.4.3 - Access control to program source code | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.5 - Security in development and support processes | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.5.1 - Change control procedures | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.5.2 - Technical review of application after system changes | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.5.3 - Restrictions on changes to software packages | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.5.4 - Information leakage | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.5.5 - Outsourced software development | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.6 - Technical vulnerability management | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-12.6.1 - Control of technical vulnerabilities | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-13 - Information security incident management | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-13.1 - Reporting information security events and weaknesses | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-13.1.1 - Reporting information security events | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-13.1.2 - Reporting information security weaknesses | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-13.2 - Management of security incidents and improvements | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-13.2.1 - Responsibilities and procedures | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-13.2.2 - Learning from information security incidents | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-13.2.3 - Collection of evidence | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-14 - Business continuity management (BCM) | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-14.1 - Information security aspects of BCM | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-14.1.1 - Including information security in the BCM process | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-14.1.2 - Business continuity and risk management | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-14.1.3 - Developing and implementing BCPs with information security | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-14.1.4 - Business continuity planning framework | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-14.1.5 - Testing, maintaining & re-assessing business continuity plans | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-15 - Compliance | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-15.1 - Compliance with legal requirements | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-15.1.1 - Identification of applicable legislation | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-15.1.2 - Intellectual property rights (IPR) | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-15.1.3 - Protection of organizational records | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-15.1.4 - Data protection and privacy of personal information | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-15.1.5 - Prevention of misuse of information processing facilities | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-15.1.6 - Regulation of cryptographic controls | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-15.2 - Compliance with policies, standards, and technical compliance | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-15.2.1 - Compliance with security policy | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-15.2.2 - Technical compliance checking | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-15.3 - Information security audit controls | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-15.3.1 - Information system audit controls | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO-15.3.2 - Protection of system audit tools | Y/N | I/C/R/N | S/R/C/P/N | S |
| ISO 15489-1 elements | | | | |
| 15489-1-1 - Scope | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-4 - Coverage (Benefits) | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-5 - Regulatory environment | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-6 - Policy and responsibilities | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-7.1 - Records management requirements - Principles of programs | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-7.2 - Records management requirements - Characteristics of a record | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-8.1 - Record system design and implementation: General | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-8.2 - Record system characteristics | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-8.3 - Designing and implementing records systems | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-8.4 - Design and implementation methodology | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-8.5 - Discontinuing records management | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-9.1 - Determining what is to be captured | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-9.2 - Determining how long to retain records | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-9.3 - Records capture | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-9.4 - Registration | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-9.5 - Classification | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-9.6 - Storage and handling | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-9.7 - Access | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-9.8 - Tracking | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-9.9 - Information disposition | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-9.10 - Documenting records management | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-10 - Monitoring and auditing | Y/N | I/C/R/N | S/R/C/P/N | S |
| 15489-1-11 - Training | Y/N | I/C/R/N | S/R/C/P/N | S |
| GAISP elements | | | | |
| 2.0 PERVASIVE PRINCIPLES | Y/N | I/C/R/N | S/R/C/P/N | S |
| 2.1 Accountability Principle | Y/N | I/C/R/N | S/R/C/P/N | S |
| 2.2 Awareness Principle | Y/N | I/C/R/N | S/R/C/P/N | S |
| 2.3 Ethics Principle | Y/N | I/C/R/N | S/R/C/P/N | S |
| 2.4 Multidisciplinary Principle | Y/N | I/C/R/N | S/R/C/P/N | S |
| 2.5 Proportionality Principle | Y/N | I/C/R/N | S/R/C/P/N | S |
| 2.6 Integration Principle | Y/N | I/C/R/N | S/R/C/P/N | S |
| 2.7 Timeliness Principle | Y/N | I/C/R/N | S/R/C/P/N | S |
| 2.8 Assessment Principle | Y/N | I/C/R/N | S/R/C/P/N | S |
| 2.9 Equity Principle | Y/N | I/C/R/N | S/R/C/P/N | S |
| 3.0 BROAD FUNCTIONAL PRINCIPLES | Y/N | I/C/R/N | S/R/C/P/N | S |
| 3.1 Information Security Policy | Y/N | I/C/R/N | S/R/C/P/N | S |
| 3.2 Education and Awareness | Y/N | I/C/R/N | S/R/C/P/N | S |
| 3.3 Accountability | Y/N | I/C/R/N | S/R/C/P/N | S |
| 3.4 Information Management | Y/N | I/C/R/N | S/R/C/P/N | S |
| 3.5 Environmental Management | Y/N | I/C/R/N | S/R/C/P/N | S |
| 3.6 Personnel Qualifications | Y/N | I/C/R/N | S/R/C/P/N | S |
| 3.7 System Integrity | Y/N | I/C/R/N | S/R/C/P/N | S |
| 3.8 Information Systems Life Cycle | Y/N | I/C/R/N | S/R/C/P/N | S |
| 3.9 Access Control | Y/N | I/C/R/N | S/R/C/P/N | S |
| 3.10 Operational Continuity and Contingency Planning | Y/N | I/C/R/N | S/R/C/P/N | S |
| 3.11 Information Risk Management | Y/N | I/C/R/N | S/R/C/P/N | S |
| 3.12 Network and Infrastructure Security | Y/N | I/C/R/N | S/R/C/P/N | S |
| 3.13 Legal, Regulatory, and Contractual Requirements of Information Security | Y/N | I/C/R/N | S/R/C/P/N | S |
| 3.14 Ethical Practices | Y/N | I/C/R/N | S/R/C/P/N | S |
| COSO elements | | | | |
| COSO-Materiality What is material | Y/N | I/C/R/N | S/R/C/P/N | S |
| COSO-SO Setting Objectives | Y/N | I/C/R/N | S/R/C/P/N | S |
| COSO-EI Event Identification | Y/N | I/C/R/N | S/R/C/P/N | S |
| COSO-RI Risk Identification | Y/N | I/C/R/N | S/R/C/P/N | S |
| COSO-RR Risk Response | Y/N | I/C/R/N | S/R/C/P/N | S |
| COSO-CA Control Activities | Y/N | I/C/R/N | S/R/C/P/N | S |
| COSO-IC Information and Communications | Y/N | I/C/R/N | S/R/C/P/N | S |
| COSO-M Monitoring | Y/N | I/C/R/N | S/R/C/P/N | S |
| COSO-BM Business Modeling | Y/N | I/C/R/N | S/R/C/P/N | S |
| COSO-Attestation Attestation requirements | Y/N | I/C/R/N | S/R/C/P/N | S |
| CoBit elements | | | | |
| PO1 Define a Strategic IT Plan | Y/N | I/C/R/N | S/R/C/P/N | S |
| PO2 Define the Information Architecture | Y/N | I/C/R/N | S/R/C/P/N | S |
| PO3 Determine the Technological Direction | Y/N | I/C/R/N | S/R/C/P/N | S |
| PO4 Define IT Organization and Relationships | Y/N | I/C/R/N | S/R/C/P/N | S |
| PO5 Manage the IT Investment | Y/N | I/C/R/N | S/R/C/P/N | S |
| PO6 Communicate Aims Direction | Y/N | I/C/R/N | S/R/C/P/N | S |
| PO7 Manage Human Resources | Y/N | I/C/R/N | S/R/C/P/N | S |
| PO8 Ensure Comply w/Extern Requirements | Y/N | I/C/R/N | S/R/C/P/N | S |
| PO9 Assess Risks | Y/N | I/C/R/N | S/R/C/P/N | S |
| PO10 Manage Projects | Y/N | I/C/R/N | S/R/C/P/N | S |
| PO11 Manage Quality | Y/N | I/C/R/N | S/R/C/P/N | S |
| AI1 Identify Solutions | Y/N | I/C/R/N | S/R/C/P/N | S |
| AI2 Acquire and Maintain Application Software | Y/N | I/C/R/N | S/R/C/P/N | S |
| AI3 Acquire & Maintain Tech Architecture | Y/N | I/C/R/N | S/R/C/P/N | S |
| AI4 Develop and Maintain IT Procedures | Y/N | I/C/R/N | S/R/C/P/N | S |
| AI5 Install and Accredit Systems | Y/N | I/C/R/N | S/R/C/P/N | S |
| AI6 Manage Changes | Y/N | I/C/R/N | S/R/C/P/N | S |
| DS1 Define Service Levels | Y/N | I/C/R/N | S/R/C/P/N | S |
| DS2 Manage Third-Party Services | Y/N | I/C/R/N | S/R/C/P/N | S |
| DS3 Manage Performance and Capacity | Y/N | I/C/R/N | S/R/C/P/N | S |
| DS4 Ensure Continuous Service | Y/N | I/C/R/N | S/R/C/P/N | S |
| DS5 Ensure Systems Security | Y/N | I/C/R/N | S/R/C/P/N | S |
| DS6 Identify and Attribute Costs | Y/N | I/C/R/N | S/R/C/P/N | S |
| DS7 Educate and Train Users | Y/N | I/C/R/N | S/R/C/P/N | S |
| DS8 Assist and Advise IT Customers | Y/N | I/C/R/N | S/R/C/P/N | S |
| DS9 Manage the Configuration | Y/N | I/C/R/N | S/R/C/P/N | S |
| DS10 Manage Problems and Incidents | Y/N | I/C/R/N | S/R/C/P/N | S |
| DS11 Manage Data | Y/N | I/C/R/N | S/R/C/P/N | S |
| DS12 Manage Facilities | Y/N | I/C/R/N | S/R/C/P/N | S |
| DS13 Manage Operations | Y/N | I/C/R/N | S/R/C/P/N | S |
| M1 Monitor the Processes | Y/N | I/C/R/N | S/R/C/P/N | S |
| M2 Assess Internal Control Adequacy | Y/N | I/C/R/N | S/R/C/P/N | S |
| M3 Obtain Independent Assurance | Y/N | I/C/R/N | S/R/C/P/N | S |
| M4 Provide for Independent Audit | Y/N | I/C/R/N | S/R/C/P/N | S |
| Incident management | Y/N | I/C/R/N | S/R/C/P/N | S |
| Problem management | Y/N | I/C/R/N | S/R/C/P/N | S |
| Configuration management | Y/N | I/C/R/N | S/R/C/P/N | S |
| Change management | Y/N | I/C/R/N | S/R/C/P/N | S |
| Release management | Y/N | I/C/R/N | S/R/C/P/N | S |
| Service level management | Y/N | I/C/R/N | S/R/C/P/N | S |
| Financial management and IT services | Y/N | I/C/R/N | S/R/C/P/N | S |
| Capacity management | Y/N | I/C/R/N | S/R/C/P/N | S |
| IT Service continuity management | Y/N | I/C/R/N | S/R/C/P/N | S |
| Availability management | Y/N | I/C/R/N | S/R/C/P/N | S |
| ITIL elements | | | | |
| Control | Y/N | I/C/R/N | S/R/C/P/N | S |
| - Policies | Y/N | I/C/R/N | S/R/C/P/N | S |
| - Organization | Y/N | I/C/R/N | S/R/C/P/N | S |
| - Reporting | Y/N | I/C/R/N | S/R/C/P/N | S |
| Plan | Y/N | I/C/R/N | S/R/C/P/N | S |
| - SLA section | Y/N | I/C/R/N | S/R/C/P/N | S |
| - Underlying contracts | Y/N | I/C/R/N | S/R/C/P/N | S |
| - OLA section | Y/N | I/C/R/N | S/R/C/P/N | S |
| - Reporting | Y/N | I/C/R/N | S/R/C/P/N | S |
| Implement | Y/N | I/C/R/N | S/R/C/P/N | S |
| - Classifications | Y/N | I/C/R/N | S/R/C/P/N | S |
| - Personnel security | Y/N | I/C/R/N | S/R/C/P/N | S |
| - Security policies | Y/N | I/C/R/N | S/R/C/P/N | S |
| - Access controls | Y/N | I/C/R/N | S/R/C/P/N | S |
| - Reporting | Y/N | I/C/R/N | S/R/C/P/N | S |
| Evaluate | Y/N | I/C/R/N | S/R/C/P/N | S |
| - Self-assessment | Y/N | I/C/R/N | S/R/C/P/N | S |
| - External Audit | Y/N | I/C/R/N | S/R/C/P/N | S |
| - Internal Audit | Y/N | I/C/R/N | S/R/C/P/N | S |
| - Assessment as result of security incident | Y/N | I/C/R/N | S/R/C/P/N | S |
| - Reporting | Y/N | I/C/R/N | S/R/C/P/N | S |
| Maintain | Y/N | I/C/R/N | S/R/C/P/N | S |
| - SLA sections | Y/N | I/C/R/N | S/R/C/P/N | S |
| - OLA sections | Y/N | I/C/R/N | S/R/C/P/N | S |
| - Requests for changes, additions, deletions | Y/N | I/C/R/N | S/R/C/P/N | S |
| - Reporting | Y/N | I/C/R/N | S/R/C/P/N | S |
| NIST SP800-53 elements | | | | |
| SP-AC-1 - Access Control Policy and Procedures (1) (1) (1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AC-2 - Account Management (2) (2 2.1 2.2 2.3) (2 2.1 2.2 2.3 2.4) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AC-3 - Access Enforcement (3) (3 3.1) (3 3.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AC-4 - Information Flow Enforcement () (4) (4) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AC-5 - Separation of Duties () (5) (5) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AC-6 - Least Privilege () (6) (6) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AC-7 - Unsuccessful Login Attempts (7) (7) (7) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AC-8 - System Use Notification (8) (8) (8) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AC-9 - Previous Logon Notification () () () | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AC-10 - Concurrent Session Control () () (10) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AC-11 - Session Lock () (11) (11) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AC-12 - Session Termination () (12) (12) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AC-13 - Supervision and Review Access Control (13) (13) (13 13.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AC-14 - Permitted Actions w/o Identification or Authentication (14) (14 14.1) (14 14.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AC-15 - Automated Marking () () (15) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AC-16 - Automated Labeling () () () | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AC-17 - Remote Access (17) (17 17.1 17.2 17.3) (17 17.1 17.2 17.3) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AC-18 - Wireless Access Restrictions () (18 18.1) (18 18.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AC-19 - Access Control for Portable and Mobile Systems () (19) (19 19.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AC-20 - Personally Owned Information Systems (20) (20) (20) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AT-1 Security Awareness and Training Policy and Procedures (1) (1) (1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AT-2 Security Awareness (2) (2) (2) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AT-3 Security Training (3) (3) (3) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AT-4 Security Training Records (4) (4) (4) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AU-1 Audit and Accountability Policy and Procedures (1) (1) (1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AU-2 Auditable Events (2) (2) (2) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AU-3 Content of Audit Records (3) (3 3.1) (3 3.1 3.2) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AU-4 Audit Storage Capacity (4) (4) (4) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AU-5 Audit Processing (5) (5) (5 5.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AU-6 Audit Monitoring, Analysis, and Reporting () (6) (6 6.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AU-7 Audit Reduction and Report Generation () (7) (7 7.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AU-8 Time Stamps () (8) (8) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AU-9 Protection of Audit Information (9) (9) (9) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AU-10 Non-repudiation () () () | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-AU-11 Audit Retention (11) (11) (11) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CA-1 Certification, Accreditation, Security Assessment Policies & Procedures (1) (1) (1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CA-2 Security Assessments () (2) (2) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CA-3 Information System Connections (3) (3) (3) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CA-4 Security Certification (4) (4) (4) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CA-5 Plan of Action and Milestones (5) (5) (5) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CA-6 Security Accreditation (6) (6) (6) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CA-7 Continuous Monitoring (7) (7) (7) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CM-1 Configuration Management Policy and Procedures (1) (1) (1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CM-2 Baseline Configuration (2) (2 2.1) (2 2.1 2.2) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CM-3 Configuration Change Control () (3) (3 3.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CM-4 Monitoring Configuration Changes () (4) (4) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CM-5 Access Restrictions for Change () (5) (5 5.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CM-6 Configuration Settings (6) (6) (6 6.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CM-7 Least Functionality () (7) (7 7.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CP-1 Contingency Planning Policy and Procedures (1) (1) (1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CP-2 Contingency Plan (2) (2 2.1) (2 2.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CP-3 Contingency Training () (3) (3 3.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CP-4 Contingency Plan Testing () (4 .1) (4 4.1 4.2) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CP-5 Contingency Plan Update (5) (5) (5) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CP-6 Alternate Storage Sites () (6 6.1) (6 6.1 6.2 6.3) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CP-7 Alternate Processing Sites () (7 7.1 7.2 7.3) (7 7.1 7.2 7.3 7.4) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CP-8 Telecommunications Services () (8 8.1 8.2) (8 8.1 8.2 8.3 8.4) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CP-9 Information System Backup (9) (9 9.1) (9 9.1 9.2 9.3) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-CP-10 Information System Recovery and Reconstitution (10) (10) (10 10.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-IA-1 Identification and Authentication Policy and Procedures (1) (1) (1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-IA-2 User Identification and Authentication (2) (2) (2 2.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-IA-3 Device Identification and Authentication () (3) (3) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-IA-4 Identifier Management (4) (4) (4) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-IA-5 Authenticator Management (5) (5) (5) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-IA-6 Authenticator Feedback (6) (6) (6) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-IA-7 Cryptographic Module Authentication (7) (7) (7) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-IR-1 Incident Response Policy and Procedures (1) (1) (1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-IR-2 Incident Response Training () (2) (2 2.1 2.2) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-IR-3 Incident Response Testing () (3) (3 3.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-IR-4 Incident Handling (4) (4 4.1) (4 4.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-IR-5 Incident Monitoring () (5) (5 5.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-IR-6 Incident Reporting (6) (6 6.1) (6 6.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-IR-7 Incident Response Assistance (7) (7 7.1) (7 7.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-MA-1 System Maintenance Policy and Procedures (1) (1) (1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-MA-2 Periodic Maintenance (2) (2 2.1) (2 2.1 2.2) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-MA-3 Maintenance Tools () (3) (3 3.1 3.2 3.3) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-MA-4 Remote Maintenance (4) (4) (4 4.1 4.2 4.3) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-MA-5 Maintenance Personnel (5) (5) (5) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-MA-6 Timely Maintenance () (6) (6) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-MP-1 Media Protection Policy and Procedures (1) (1) (1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-MP-2 Media Access (2) (2) (2 2.1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-MP-3 Media Labeling () (3) (3) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-MP-4 Media Storage () (4) (4) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-MP-5 Media Transport () (5) (5) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-MP-6 Media Sanitization () (6) (6) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-MP-7 Media Destruction and Disposal (7) (7) (7) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-PE-1 Physical and Environmental Protection Policy and Procedures (1) (1) (1) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-PE-2 Physical Access Authorizations (2) (2) (2) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-PE-3 Physical Access Control (3) (3) (3) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-PE-4 Access Control for Transmission Medium () () () | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-PE-5 Access Control for Display Medium () (5) (5) | Y/N | I/C/R/N | S/R/C/P/N | S |
| SP-PE-6 Monitoring Physical Access (6) (6 6.1) (6 6.1 6.2) | Y/N | I/C/R/N | S/R/C/P/N | S |
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PE-7 Visitor Control (7) (7 7.1) (7 7.1)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PE-8 Access Logs (8) (8 8.1) (8 8.1)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PE-9 Power Equipment and Power Cabling () (9) (9)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PE-10 Emergency Shutoff () (10) (10)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PE-11 Emergency Power () (11) (11 11.1)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PE-12 Emergency Lighting (12) (12) (12)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PE-13 Fire Protection (13) (13 13.1) (13 13.1 13.2)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PE-14 Temperature and Humidity Controls (14) (14) (14)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PE-15 Water Damage Protection (15) (15) (15 15.1)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PE-16 Delivery and Removal (16) (16) (16)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PE-17 Alternate Work Site () (17) (17)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PL-1 Security Planning Policy and Procedures (1) (1) (1)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PL-2 System Security Plan (2) (2) (2)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PL-3 System Security Plan Update (3) (3) (3)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PL-4 Rules of Behavior (4) (4) (4)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PL-5 Privacy Impact Assessment (5) (5) (5)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PS-1 Personnel Security Policy and Procedures (1) (1) (1)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PS-2 Position Categorization (2) (2) (2)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PS-3 Personnel Screening (3) (3) (3)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PS-4 Personnel Termination (4) (4) (4)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PS-5 Personnel Transfer (5) (5) (5)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PS-6 Access Agreements (6) (6) (6)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PS-7 Third-Party Personnel Security (7) (7) (7)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-PS-8 Personnel Sanctions (8) (8) (8)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-RA-1 Risk Assessment Policy and Procedures (1) (1) (1)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-RA-2 Security Categorization (2) (2) (2)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-RA-3 Risk Assessment (3) (3) (3)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-RA-4 Risk Assessment Update (4) (4) (4)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-RA-5 Vulnerability Scanning () (5) (5 5.1 5.2)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SA-1 System and Services Acquisition Policy and Procedures (1) (1) (1)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SA-2 Allocation of Resources (2) (2) (2)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SA-3 Life Cycle Support (3) (3) (3)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SA-4 Acquisitions (4) (4) (4)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SA-5 Information System Documentation (5) (5 .1) (5 .1 .2)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SA-6 Software Usage Restrictions (6) (6) (6)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SA-7 User Installed Software (7) (7) (7)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SA-8 Security Design Principles () (8) (8)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SA-9 Outsourced Information System Services (9) (9) (9)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SA-10 Developer Configuration Management () () (10)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SA-11 Developer Security Testing () (11) (11)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SC-1 System and Communications Protection Policy and Procedures (1) (1) (1)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SC-2 Application Partitioning () (2) (2)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SC-3 Security Function Isolation () () (3)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SC-4 Information Remnants () (4) (4)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SC-5 Denial of Service Protection (5) (5) (5)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SC-6 Resource Priority () (6) (6)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SC-7 Boundary Protection (7) (7 7.1) (7 7.1)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SC-8 Transmission Integrity () (8) (8 8.1)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SC-9 Transmission Confidentiality () (9) (9 9.1)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SC-10 Network Disconnect () (10) (10)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SC-11 Trusted Path () () ()
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SC-12 Cryptographic Key Establishment and Management () (12) (12)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SC-13 Use of Validated Cryptography (13) (13) (13)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SC-14 Public Access Protections (14) (14) (14)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SC-15 Collaborative Computing () (15) (15)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SC-16 Transmission of Security Parameters () () ()
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SC-17 Public Key Infrastructure Certificates () (17) (17)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SC-18 Mobile Code () (18) (18)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SC-19 Voice Over Internet Protocol () (19) (19)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SI-1 System and Information Integrity Policy and Procedures (1) (1) (1)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SI-2 Flaw Remediation (2) (2) (2)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SI-3 Malicious Code Protection (3) (3 3.1) (3 3.1 3.2)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SI-4 Intrusion Detection Tools and Techniques () (4) (4)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SI-5 Security Alerts and Advisories (5) (5) (5)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SI-6 Security Functionality Verification () (6) (6 6.1)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SI-7 Software and Information Integrity () () (7)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SI-8 Spam and Spyware Protection () (8) (8 8.1)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SI-9 Information Input Restrictions () (9) (9)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SI-10 Information Input Accuracy, Completeness, and Validity () (10) (10)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SI-11 Error Handling () (11) (11)
| Y/N | I/C/R/N | S/R/C/P/N | S |
SP-SI-12 Information output handling and retention () (12) (12)
| Y/N | I/C/R/N | S/R/C/P/N | S |