100+ security controls

Our ISO27001-compliant security controls


Management direction for information security
☑️ Policies for information security
☑️ Review of the policies for information security

Internal organisation
☑️ Information security roles and responsibilities
☑️ Segregation of duties
☑️ Contact with authorities
☑️ Contact with special interest groups
☑️ Information security in project management

Mobile  devices and teleworking
☑️ Mobile device policy
☑️ Teleworking

☑️ Screening
☑️ Terms and conditions of employment
☑️ Management responsibilities
☑️ Information security awareness, education and training
☑️ Disciplinary process
☑️ Termination or change of employment responsibilities

Compliance with legal and contractual requirements
☑️ Identification of applicable legislation and contractual requirements
☑️ Intellectual property rights
☑️ Protection of records
☑️ Privacy and protection of personally identifiable information
☑️ Regulation of cryptographic controls

Information security reviews
☑️ Independent review of information security
☑️ Compliance with security policies and standards
☑️ Technical compliance review


Responsibility for assets
☑️ Inventory of assets
☑️ Ownership of assets
☑️ Acceptable use of assets
☑️ Return of assets

Information classification
☑️ Classification of information
☑️ Labelling of information
☑️ Handling of assets

Media handling
☑️ Management of removable media
☑️ Disposal of media

Access management

Business requirements of access controls
☑️ Access control policy
☑️ Access to networks and network services
☑️ User registration and de-registration

User access management
☑️ User registration and de-registration
☑️ User access provisioning
☑️ Management of privileged access rights
☑️ Management of secret authentication information
☑️ Review of user access rights
☑️ Removal or adjustment of access rights

User responsibilities
☑️ Use of secret authentication information

System and application access control
☑️ Information access restriction
☑️ Secure log-on procedures
☑️ Password management system
☑️ Use of privileged utility programs
☑️ Access control to program source code

Cryptographic controls
☑️ Policy on the use of cryptographic controls
☑️ Key management

Secure areas
☑️ Physical entry controls
☑️ Working in secure areas

☑️ Equipment siting and protection
☑️ Equipment maintenance
☑️ Removal of assets
☑️ Security of equipment and assets off-premises
☑️ Secure disposal or re-use of equipment
☑️ Unattended user equipment
☑️ Clear desk and clear screen policy

Technical measures

Operational procedures and responsibilities
☑️ Documented operating procedures
☑️ Change management
☑️ Capacity management
☑️ Separation of development, testing and operational environments

Protection from malware
☑️ Controls against malware


☑️ Information backup

Logging and monitoring
☑️ Event logging
☑️ Protection of log information
☑️ Administrator and operator logs
☑️ Clock synchronisation

Control of operational software
☑️ Installation of software on operational systems

Technical vulnerability management
☑️ Management of technical vulnerabilities
☑️ Restrictions on software installation

Information systems audit considerations
☑️ Information systems audit controls

Network security management
☑️ Network controls
☑️ Security of network services
☑️ Segregation in networks

Information transfer
☑️ Information transfer policies and procedures
☑️ Agreements on information transfer
☑️ Electronic messaging
☑️ Confidentiality or non-disclosure agreements

Security requirements of information systems
☑️ Information security requirements analysis and specification
☑️ Securing application services on public networks
☑️ Protecting application services transactions

Security in development and support processes
☑️ Secure development policy
☑️ System change control procedures
☑️ Technical review of applications after operating platform changes
☑️ Restrictions on changes to software packages
☑️ Secure system engineering principles
☑️ Secure development environment
☑️ System security testing
☑️ System acceptance testing

Test data
☑️ Protection of test data

Supplier management

Information security in supplier relationships
☑️ Information security policy for supplier relationships
☑️ Addressing security within supplier agreements
☑️ Information and communication technology supply chain

Supplier service delivery management
☑️ Monitoring and review of supplier services
☑️ Managing changes to supplier services

Incident and continuity

Management of information security incidents and improvements
☑️ Responsibilities and procedures
☑️ Reporting information security events
☑️ Reporting information security weaknesses
☑️ Assessment of and decision on information security events
☑️ Response to information security incidents
☑️ Learning from information security incidents
☑️ Collection of evidence

Information security continuity
☑️ Planning information security continuity
☑️ Implementing information security continuity
☑️ Verify, review and evaluate information security continuity

☑️ Availability of information processing facilities