
A.18.2.3: Technical Compliance Review
Perform regular reviews of information systems for compliance with the organization’s information security policies and standards.

A.18.2.2: Compliance with Security Policies and Standards
Ensure that managers regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards, and any other security requirements.

A.18.2.1: Independent Review of Information Security
Conduct an independent review of the information security policy and its implementation at planned intervals or when significant changes occur.

A.18.1.5: Regulation of Cryptographic Controls
Ensure compliance with all relevant legislative, regulatory, and contractual requirements for the use of cryptographic controls.

A.18.1.4: Privacy and Protection of Personally Identifiable Information
Ensure compliance with relevant legislative, regulatory, and contractual requirements for privacy and the protection of personally identifiable information.

A.18.1.3: Protection of Records
Ensure that records are protected from loss, destruction, falsification, unauthorized access, and unauthorized release.

A.18.1.2: Intellectual Property Rights
Ensure compliance with all relevant legislative, regulatory, and contractual requirements for the use of intellectual property.

A.18.1.1: Identification of Applicable Legislation and Contractual Requirements
Identify and document the legislative, regulatory, and contractual requirements related to information security and the organization’s approach to meet these requirements.

A.17.2.1: Availability of Information Processing Facilities
Implement redundancy and ensure the availability of information processing facilities.

A.17.1.3: Verify, Review and Evaluate Information Security Continuity
Verify the established and implemented information security continuity controls at regular intervals to ensure they are effective during adverse situations.

A.17.1.2: Implementing Information Security Continuity
Establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

A.17.1.1: Planning Information Security Continuity
Include information security continuity in the organization’s business continuity management systems.

A.16.1.7: Collection of Evidence
Define and apply procedures for the identification, collection, acquisition, and preservation of information that can serve as evidence.

A.16.1.6: Learning from Information Security Incidents
Collect and use information about information security incidents to improve the response process.

A.16.1.5: Response to Information Security Incidents
Respond to information security incidents in accordance with the documented procedures.

A.16.1.4: Assessment of and Decision on Information Security Events
Assess information security events and decide if they are to be classified as information security incidents.

A.16.1.2: Reporting Information Security Events
Ensure that information security events are reported through appropriate management channels as quickly as possible.

A.16.1.1: Responsibilities and Procedures
Establish responsibilities and procedures to ensure a quick, effective, and orderly response to information security incidents.

A.15.2.2: Managing Changes to Supplier Services
Manage changes to supplier services, including maintaining and improving existing information security policies, procedures, and controls.

A.15.2.1: Monitoring and Review of Supplier Services
Regularly monitor, review, and audit supplier service delivery to ensure information security requirements are being met.