Gist opexxx/0daf9a15e86eb064fa288fa64761a8ad, created February 8, 2022 18:10
SOGP 2020
| SOGP 2020 | |
| Reference Topic Topic: Principle and Objective | |
| SG1.1 Security Governance Framework "Principle: A framework for information security governance should be established, and commitment demonstrated by the organisation’s governing body. | |
| Objective: To ensure that the organisation’s overall approach to information security supports high standards of governance." | |
| SG1.2 Security Direction "Principle: Control over information security should be provided by a high-level working group, committee or equivalent body, and managed by a board-level executive (or equivalent). | |
| Objective: To provide a top-down management structure and mechanism for coordinating security activity (e.g. an information security programme) and supporting the information security governance approach." | |
| SG2.1 Information Security Strategy "Principle: An information security strategy should be maintained that is demonstrably integrated with the organisation’s strategic objectives. | |
| Objective: To ensure that the information security programme and related security projects contribute to the organisation’s success." | |
| SG2.2 Risk Appetite "Principle: The organisation should implement processes to measure the value delivered by information security initiatives and report the results to all stakeholders. | |
| Objective: To ensure that the information security programme delivers value to stakeholders." | |
| IR1.1 Information Risk Assessment - Management Approach "Principle: Information risk assessments should be performed for target environments (e.g. critical business environments, processes and applications (including those under development); and supporting technical infrastructure) on a regular basis. | |
| Objective: To enable individuals who are responsible for target environments to identify key information risks, evaluate them and determine the treatment required to keep those risks within acceptable limits." | |
| IR1.2 Information Risk Assessment - Methodology "Principle: Information risk assessments should be undertaken using systematic and structured methodologies. | |
| Objective: To make information risk assessments effective, easy to conduct and consistent throughout the organisation and to produce a clear picture of key information risks." | |
| IR1.3 Information Risk Assessment - Supporting Material "Principle: Important material required to support each stage of information risk assessments should be developed, approved and made available throughout the organisation. | |
| Objective: To ensure that all phases of risk assessments are performed correctly, provide practical results and enable effective decisions about risk to be made." | |
| IR2.1 Risk Assessment Scope "Principle: The scope of information risk assessments should be clearly defined, covering business and technical elements of the target environment and relevant external factors, before assessments are started. | |
| Objective: To establish clear limits for information risk assessments (including what is out of scope) and ensure that subsequent activities are appropriate for the profile of the target environment." | |
| IR2.2 Business Impact Assessment "Principle: The potential realistic and worst-case business impact (should critical or sensitive information in the target environment be compromised) should be determined for different categories of impact (e.g. financial, operational, legal and regulatory compliance, reputational and health and safety). | |
| Objective: To determine the business impact that business owners are willing to accept in the event information in the target environments is compromised; and agree the requirements for protecting the confidentiality, integrity and availability of that information." | |
| IR2.3 Business Impact Assessment - Confidentiality Requirements "Principle: The business impact of unauthorised disclosure of sensitive information associated with target environments should be assessed. | |
| Objective: To document and agree the confidentiality requirements (the need for information to be kept secret or private within a predetermined group) for information associated with target environments (e.g. critical business environments, processes, applications (including those under development) and supporting systems/networks)." | |
| IR2.4 Business Impact Assessment - Integrity Requirements "Principle: The business impact of the accidental corruption or deliberate manipulation of critical information associated with target environments should be assessed. | |
| Objective: To document and agree the integrity requirements (the need for information to be valid, accurate and complete) for information associated with target environments (e.g. critical business environments, processes, applications (including those under development) and supporting systems/networks)." | |
| IR2.5 Business Impact Assessment - Availability Requirements "Principle: The business impact of critical information associated with target environments being unavailable for any length of time should be assessed. | |
| Objective: To document and agree the availability requirements (the need for information to be accessible when required) for information associated with target environments (e.g. critical business environments, processes, applications (including those under development) and supporting systems/networks)." | |
| IR2.6 Threat Profiling "Principle: Threats and related threat events to target environments should be identified, profiled, prioritised and recorded. | |
| Objective: To identify threats, prioritise them (e.g. based on threat strength), determine related threat events and assess the likelihood of threat events occurring in the target environment (i.e. likelihood of initiation)." | |
| IR2.7 Vulnerability Assessment "Principle: A process should be established to identify and assess the vulnerabilities and related controls in the target environment. | |
| Objective: To evaluate the degree to which the assets in scope are vulnerable to threat events." | |
| IR2.8 Risk Evaluation "Principle: Information risk should be evaluated based on analysis of threats, vulnerabilities, controls and business impact. | |
| Objective: To determine the risk to assets in the target environment." | |
| IR2.9 Risk Treatment "Principle: Risk treatment options for each individual risk should be identified, reviewed and agreed; and associated risk treatment plans approved by executive management. | |
| Objective: To ensure information risks are treated in a suitable manner (e.g. mitigated, avoided, transferred or accepted), in line with risk appetite." | |
| SM1.1 Information Security Policy "Principle: A comprehensive, documented information security policy should be produced and communicated to all individuals with access to the organisation's information and systems. | |
| Objective: To document the governing body's direction on and commitment to information security, and communicate it to all relevant individuals." | |
| SM1.2 Acceptable Use Policies "Principle: Acceptable use policies (AUPs) should be established, which define the organisation's rules on how each individual (e.g. an employee or contractor) can use information and systems, including software, computer equipment and connectivity. | |
| Objective: To prevent individuals from inadvertently increasing risk to information and systems." | |
| SM2.1 Security Workforce "Principle: An information security workforce should be defined, which covers all parts of the organisation, allocated clear roles and responsibilities and equipped with the appropriate skills, processes and tools to support security management effectively. | |
| Objective: To ensure that security activities are properly performed throughout the organisation, reducing information risk in a cohesive manner." | |
| SM2.2 Information Security Function "Principle: A specialist information security function should be established, which has responsibility for promoting information security throughout the organisation. | |
| Objective: To ensure good practice in information security is applied effectively and consistently throughout the organisation." | |
| SM2.3 Security Operations Centre (SOC) "Principle: One or more Security Operations Centres (SOCs) should be established that have the required operating model and core capabilities to perform sufficient collection, monitoring, investigation and remediation of security-related events. | |
| Objective: To detect, investigate and respond to potential or actual information security incidents in a fast, effective manner." | |
| SM2.3 Security Operations Centre (SOC) "Principle: One or more Security Operations Centres (SOCs) should be established that have the required operating model and core capabilities to perform sufficient collection, monitoring, investigation and remediation of security-related events. | |
| Objective: To detect, investigate and respond to potential or actual information security incidents in a fast, effective manner." | |
| SM2.3 Security Operations Centre (SOC) "Principle: One or more Security Operations Centres (SOCs) should be established that have the required operating model and core capabilities to perform sufficient collection, monitoring, investigation and remediation of security-related events. | |
| Objective: To detect, investigate and respond to potential or actual information security incidents in a fast, effective manner." | |
| SM2.3 Security Operations Centre (SOC) "Principle: One or more Security Operations Centres (SOCs) should be established that have the required operating model and core capabilities to perform sufficient collection, monitoring, investigation and remediation of security-related events. | |
| Objective: To detect, investigate and respond to potential or actual information security incidents in a fast, effective manner." | |
| SM2.3 Security Operations Centre (SOC) "Principle: One or more Security Operations Centres (SOCs) should be established that have the required operating model and core capabilities to perform sufficient collection, monitoring, investigation and remediation of security-related events. | |
| Objective: To detect, investigate and respond to potential or actual information security incidents in a fast, effective manner." | |
| SM2.3 Security Operations Centre (SOC) "Principle: One or more Security Operations Centres (SOCs) should be established that have the required operating model and core capabilities to perform sufficient collection, monitoring, investigation and remediation of security-related events. | |
| Objective: To detect, investigate and respond to potential or actual information security incidents in a fast, effective manner." | |
| SM2.3 Security Operations Centre (SOC) "Principle: One or more Security Operations Centres (SOCs) should be established that have the required operating model and core capabilities to perform sufficient collection, monitoring, investigation and remediation of security-related events. | |
| Objective: To detect, investigate and respond to potential or actual information security incidents in a fast, effective manner." | |
| SM2.3 Security Operations Centre (SOC) "Principle: One or more Security Operations Centres (SOCs) should be established that have the required operating model and core capabilities to perform sufficient collection, monitoring, investigation and remediation of security-related events. | |
| Objective: To detect, investigate and respond to potential or actual information security incidents in a fast, effective manner." | |
| SM2.4 Information Security Projects "Principle: Information security projects (and security-related initiatives) should align with the organisation's project management process, take into account security requirements and be run in a systematic and structured manner. | |
| Objective: To ensure that all information security projects apply common project management practices, meet security requirements and are aligned with the organisation's business objectives." | |
| SM2.5 Legal And Regulatory Compliance "Principle: A security compliance management process should be established to identify, interpret and comply with the information security requirements of relevant laws and regulations. | |
| Objective: To comply with laws and regulations affecting information security. To ensure information security controls are consistently prioritised and addressed according to information security obligations associated with legislation, regulations, contracts, industry standards and organisational policies." | |
| SM2.6 Asset Registers "Principle: Important assets should be recorded in accurate and up-to-date asset registers. | |
| Objective: To help support risk-based decisions regarding the provision or use of assets (e.g. hardware, software, information, suppliers or operating environments), reduce the risk of information security being compromised by weaknesses in assets, protect them against loss, support development of contracts and meet compliance requirements for licensing." | |
| SM2.6 Asset Registers "Principle: Important assets should be recorded in accurate and up-to-date asset registers. | |
| Objective: To help support risk-based decisions regarding the provision or use of assets (e.g. hardware, software, information, suppliers or operating environments), reduce the risk of information security being compromised by weaknesses in assets, protect them against loss, support development of contracts and meet compliance requirements for licensing." | |
| SM2.6 Asset Registers "Principle: Important assets should be recorded in accurate and up-to-date asset registers. | |
| Objective: To help support risk-based decisions regarding the provision or use of assets (e.g. hardware, software, information, suppliers or operating environments), reduce the risk of information security being compromised by weaknesses in assets, protect them against loss, support development of contracts and meet compliance requirements for licensing." | |
| SM2.6 Asset Registers "Principle: Important assets should be recorded in accurate and up-to-date asset registers. | |
| Objective: To help support risk-based decisions regarding the provision or use of assets (e.g. hardware, software, information, suppliers or operating environments), reduce the risk of information security being compromised by weaknesses in assets, protect them against loss, support development of contracts and meet compliance requirements for licensing." | |
| SM2.6 Asset Registers "Principle: Important assets should be recorded in accurate and up-to-date asset registers. | |
| Objective: To help support risk-based decisions regarding the provision or use of assets (e.g. hardware, software, information, suppliers or operating environments), reduce the risk of information security being compromised by weaknesses in assets, protect them against loss, support development of contracts and meet compliance requirements for licensing." | |
| SM2.6 Asset Registers "Principle: Important assets should be recorded in accurate and up-to-date asset registers. | |
| Objective: To help support risk-based decisions regarding the provision or use of assets (e.g. hardware, software, information, suppliers or operating environments), reduce the risk of information security being compromised by weaknesses in assets, protect them against loss, support development of contracts and meet compliance requirements for licensing." | |
| SM2.6 Asset Registers "Principle: Important assets should be recorded in accurate and up-to-date asset registers. | |
| Objective: To help support risk-based decisions regarding the provision or use of assets (e.g. hardware, software, information, suppliers or operating environments), reduce the risk of information security being compromised by weaknesses in assets, protect them against loss, support development of contracts and meet compliance requirements for licensing." | |
| SM2.6 Asset Registers "Principle: Important assets should be recorded in accurate and up-to-date asset registers. | |
| Objective: To help support risk-based decisions regarding the provision or use of assets (e.g. hardware, software, information, suppliers or operating environments), reduce the risk of information security being compromised by weaknesses in assets, protect them against loss, support development of contracts and meet compliance requirements for licensing." | |
| SM2.6 Asset Registers "Principle: Important assets should be recorded in accurate and up-to-date asset registers. | |
| Objective: To help support risk-based decisions regarding the provision or use of assets (e.g. hardware, software, information, suppliers or operating environments), reduce the risk of information security being compromised by weaknesses in assets, protect them against loss, support development of contracts and meet compliance requirements for licensing." | |
| SM2.6 Asset Registers "Principle: Important assets should be recorded in accurate and up-to-date asset registers. | |
| Objective: To help support risk-based decisions regarding the provision or use of assets (e.g. hardware, software, information, suppliers or operating environments), reduce the risk of information security being compromised by weaknesses in assets, protect them against loss, support development of contracts and meet compliance requirements for licensing." | |
| SM2.6 Asset Registers "Principle: Important assets should be recorded in accurate and up-to-date asset registers. | |
| Objective: To help support risk-based decisions regarding the provision or use of assets (e.g. hardware, software, information, suppliers or operating environments), reduce the risk of information security being compromised by weaknesses in assets, protect them against loss, support development of contracts and meet compliance requirements for licensing." | |
| SM2.6 Asset Registers "Principle: Important assets should be recorded in accurate and up-to-date asset registers. | |
| Objective: To help support risk-based decisions regarding the provision or use of assets (e.g. hardware, software, information, suppliers or operating environments), reduce the risk of information security being compromised by weaknesses in assets, protect them against loss, support development of contracts and meet compliance requirements for licensing." | |
| SM2.6 Asset Registers "Principle: Important assets should be recorded in accurate and up-to-date asset registers. | |
| Objective: To help support risk-based decisions regarding the provision or use of assets (e.g. hardware, software, information, suppliers or operating environments), reduce the risk of information security being compromised by weaknesses in assets, protect them against loss, support development of contracts and meet compliance requirements for licensing." | |
| SM2.6 Asset Registers "Principle: Important assets should be recorded in accurate and up-to-date asset registers. | |
| Objective: To help support risk-based decisions regarding the provision or use of assets (e.g. hardware, software, information, suppliers or operating environments), reduce the risk of information security being compromised by weaknesses in assets, protect them against loss, support development of contracts and meet compliance requirements for licensing." | |
| SM2.6 Asset Registers "Principle: Important assets should be recorded in accurate and up-to-date asset registers. | |
| Objective: To help support risk-based decisions regarding the provision or use of assets (e.g. hardware, software, information, suppliers or operating environments), reduce the risk of information security being compromised by weaknesses in assets, protect them against loss, support development of contracts and meet compliance requirements for licensing." | |
| SM2.6 Asset Registers "Principle: Important assets should be recorded in accurate and up-to-date asset registers. | |
| Objective: To help support risk-based decisions regarding the provision or use of assets (e.g. hardware, software, information, suppliers or operating environments), reduce the risk of information security being compromised by weaknesses in assets, protect them against loss, support development of contracts and meet compliance requirements for licensing." | |
| SM2.6 Asset Registers "Principle: Important assets should be recorded in accurate and up-to-date asset registers. | |
| Objective: To help support risk-based decisions regarding the provision or use of assets (e.g. hardware, software, information, suppliers or operating environments), reduce the risk of information security being compromised by weaknesses in assets, protect them against loss, support development of contracts and meet compliance requirements for licensing." | |
| SM2.6 Asset Registers "Principle: Important assets should be recorded in accurate and up-to-date asset registers. | |
| Objective: To help support risk-based decisions regarding the provision or use of assets (e.g. hardware, software, information, suppliers or operating environments), reduce the risk of information security being compromised by weaknesses in assets, protect them against loss, support development of contracts and meet compliance requirements for licensing." | |
| PM1.1 Employment Lifecycle "Principle: Information security requirements should be embedded into each stage of the employment lifecycle, specifying security related actions required during the induction of each individual, their ongoing management and termination of their employment. | |
| Objective: To ensure that employees are equipped with the skills, knowledge and tools to support the organisation's values and adhere to information security policies." | |
| PM1.2 Ownership and Responsibilities "Principle: Ownership of critical business environments, processes, applications (including supporting technical infrastructure) and information should be assigned to capable individuals, supported by responsibilities for protecting them that are clearly defined and accepted. | |
| Objective: To achieve individual accountability for information and systems, provide a sound management structure for individuals running or using them and give their owners a vested interest in their protection." | |
| PM1.3 Employee-owned Devices "Principle: Where an organisation allows the use of employee-owned devices for business purposes (including smartphones, tablets and laptops), this should be supported by documented agreements with employees and technical security controls to protect information. | |
| Objective: To ensure that critical and sensitive information handled on employee-owned devices receives the same level of protection as that typically provided for corporate-owned devices." | |
| PM1.3 Employee-owned Devices "Principle: Where an organisation allows the use of employee-owned devices for business purposes (including smartphones, tablets and laptops), this should be supported by documented agreements with employees and technical security controls to protect information. | |
| Objective: To ensure that critical and sensitive information handled on employee-owned devices receives the same level of protection as that typically provided for corporate-owned devices." | |
| PM1.3 Employee-owned Devices "Principle: Where an organisation allows the use of employee-owned devices for business purposes (including smartphones, tablets and laptops), this should be supported by documented agreements with employees and technical security controls to protect information. | |
| Objective: To ensure that critical and sensitive information handled on employee-owned devices receives the same level of protection as that typically provided for corporate-owned devices." | |
| PM1.3 Employee-owned Devices "Principle: Where an organisation allows the use of employee-owned devices for business purposes (including smartphones, tablets and laptops), this should be supported by documented agreements with employees and technical security controls to protect information. | |
| Objective: To ensure that critical and sensitive information handled on employee-owned devices receives the same level of protection as that typically provided for corporate-owned devices." | |
| PM1.3 Employee-owned Devices "Principle: Where an organisation allows the use of employee-owned devices for business purposes (including smartphones, tablets and laptops), this should be supported by documented agreements with employees and technical security controls to protect information. | |
| Objective: To ensure that critical and sensitive information handled on employee-owned devices receives the same level of protection as that typically provided for corporate-owned devices." | |
| PM1.3 Employee-owned Devices "Principle: Where an organisation allows the use of employee-owned devices for business purposes (including smartphones, tablets and laptops), this should be supported by documented agreements with employees and technical security controls to protect information. | |
| Objective: To ensure that critical and sensitive information handled on employee-owned devices receives the same level of protection as that typically provided for corporate-owned devices." | |
| PM1.3 Employee-owned Devices "Principle: Where an organisation allows the use of employee-owned devices for business purposes (including smartphones, tablets and laptops), this should be supported by documented agreements with employees and technical security controls to protect information. | |
| Objective: To ensure that critical and sensitive information handled on employee-owned devices receives the same level of protection as that typically provided for corporate-owned devices." | |
| PM1.3 Employee-owned Devices "Principle: Where an organisation allows the use of employee-owned devices for business purposes (including smartphones, tablets and laptops), this should be supported by documented agreements with employees and technical security controls to protect information. | |
| Objective: To ensure that critical and sensitive information handled on employee-owned devices receives the same level of protection as that typically provided for corporate-owned devices." | |
| PM1.3 Employee-owned Devices "Principle: Where an organisation allows the use of employee-owned devices for business purposes (including smartphones, tablets and laptops), this should be supported by documented agreements with employees and technical security controls to protect information. | |
| Objective: To ensure that critical and sensitive information handled on employee-owned devices receives the same level of protection as that typically provided for corporate-owned devices." | |
| PM1.3 Employee-owned Devices "Principle: Where an organisation allows the use of employee-owned devices for business purposes (including smartphones, tablets and laptops), this should be supported by documented agreements with employees and technical security controls to protect information. | |
| Objective: To ensure that critical and sensitive information handled on employee-owned devices receives the same level of protection as that typically provided for corporate-owned devices." | |
| PM1.4 Remote Working "Principle: Individuals working in remote environments (e.g. in locations other than the organisation's premises) should: be subject to authorisation; protect computing devices and the information they handle against loss, theft and cyber attack; be supported by security awareness material; and employ additional security controls when travelling to high-risk countries or regions. | |
| Objective: To ensure that critical and sensitive information handled by individuals working in remote environments is protected against the full range of threats to that information." | |
| PM2.1 Security Awareness Programme "Principle: Specific activities should be undertaken, such as a security awareness programme, to promote and embed expected security behaviour in all individuals who have access to the organisation's information and systems. | |
| Objective: To create a culture where expected security behaviour is embedded into regular day-to-day activities and where all relevant individuals make effective risk-based decisions and protect critical and sensitive information used throughout the organisation from being compromised." | |
| PM2.1 Security Awareness Programme "Principle: Specific activities should be undertaken, such as a security awareness programme, to promote and embed expected security behaviour in all individuals who have access to the organisation's information and systems. | |
| Objective: To create a culture where expected security behaviour is embedded into regular day-to-day activities and where all relevant individuals make effective risk-based decisions and protect critical and sensitive information used throughout the organisation from being compromised." | |
| PM2.1 Security Awareness Programme "Principle: Specific activities should be undertaken, such as a security awareness programme, to promote and embed expected security behaviour in all individuals who have access to the organisation's information and systems. | |
| Objective: To create a culture where expected security behaviour is embedded into regular day-to-day activities and where all relevant individuals make effective risk-based decisions and protect critical and sensitive information used throughout the organisation from being compromised." | |
| PM2.1 Security Awareness Programme "Principle: Specific activities should be undertaken, such as a security awareness programme, to promote and embed expected security behaviour in all individuals who have access to the organisation's information and systems. | |
| Objective: To create a culture where expected security behaviour is embedded into regular day-to-day activities and where all relevant individuals make effective risk-based decisions and protect critical and sensitive information used throughout the organisation from being compromised." | |
| PM2.2 Security Awareness Messages "Principle: Individuals who have access to the information and systems of the organisation should have tailored and appropriate security messages communicated to them on a regular basis. | |
| Objective: To ensure individuals remain aware of the importance and need for information security on an ongoing basis and maintain a security-positive culture throughout the organisation." | |
| PM2.3 Security Education/Training "Principle: Individuals should be educated/trained in how to run systems and applications correctly and how to develop and apply information security controls. | |
| Objective: To provide individuals with the skills required to protect information and systems effectively and fulfil their information security responsibilities." | |
| IM1.1 Information Classification and Handling "Principle: An information classification scheme should be established (supported by information handling guidelines) that applies throughout the organisation, based on the confidentiality of information. | |
| Objective: To ensure that information is protected in line with its assigned level of classification." | |
| IM1.2 Information Privacy "Principle: Responsibility for managing information privacy should be established and information security controls applied for handling personally identifiable information (i.e. information that can be used to identify an individual person). | |
| Objective: To prevent personal information about individuals being used in an inappropriate manner and ensure compliance with legal and regulatory requirements for information privacy." | |
| IM2.1 Document Management "Principle: Documents should be managed in a systematic, structured manner, and information security requirements met throughout the document lifecycle. | |
| Objective: To protect information contained in documents in accordance with legal requirements, ensure critical information remains available when required, preserve the integrity of critical information and protect sensitive information from unauthorised disclosure." | |
| IM2.2 Sensitive Physical Information "Principle: Sensitive information held in physical form (sensitive physical information) should be identified, documented, classified and protected throughout its lifecycle. | |
| Objective: To protect sensitive physical information in accordance with information security and regulatory requirements, preserve the integrity of sensitive physical information and protect it from corruption, loss and unauthorised disclosure." | |
| PA1.1 Hardware Lifecycle Management "Principle: Robust, reliable hardware should only be acquired (e.g. purchased or leased) following consideration of security requirements and identification of security deficiencies. | |
| Objective: To ensure that hardware provides the required functionality and does not compromise the security of critical or sensitive information and systems." | |
| PA1.2 Workstation Configuration "Principle: Workstation computers should be built using standard technical configurations and subject to security management practices to protect information against loss, theft and unauthorised disclosure. | |
| Objective: To ensure workstation computers do not impact the security of information stored on them or processed by them, and prevent unauthorised access to information in the event they are compromised, lost or stolen." | |
| PA1.3 Office Equipment "Principle: Office equipment (e.g. printers, photocopiers and multi-function devices) should be approved, protected by software controls and located in physically secure locations. | |
| Objective: To ensure information stored in or processed by office equipment is not disclosed to unauthorised individuals." | |
| PA1.4 Portable Storage Devices "Principle: The use of portable storage devices (e.g. USB memory sticks, external hard disk drives, media players and e-book readers) should be subject to approval, access to them restricted, and information stored on them protected. | |
| Objective: To ensure that sensitive information stored on portable storage devices is protected from unauthorised disclosure." | |
| PA1.5 Specialised Computing Equipment and Devices "Principle: Specialised computing equipment and devices should be identified, categorised and protected by security arrangements that are tailored to these devices. | |
| Objective: To ensure specialised computing equipment and devices do not impact the security of information stored on them or processed by them, and prevent unauthorised access to information in the event they are compromised, lost or stolen." | |
| PA1.6 Industrial Control Systems "Principle: Information systems that monitor or control physical activities should be identified, categorised and protected by security arrangements that are tailored to operate in those environments. | |
| Objective: To enable an organisation to manage information risks to industrial control systems (ICS)." | |
| PA2.1 Mobile Device Protection "Principle: Mobile devices (including smartphones, tablets and smartwatches) should be built using standard technical configurations and subject to security management practices to protect information against loss, theft and unauthorised disclosure. | |
| Objective: To ensure mobile devices do not compromise the security of information stored on them or processed by them, and prevent unauthorised access to information in the event they are lost or stolen." | |
| PA2.2 Enterprise Mobility Management "Principle: Mobile devices (including smartphones, tablets and smartwatches) and the applications ('apps') that run on them, should be protected in the event of loss, theft or cyber attack by deploying an Enterprise Mobility Management (EMM) system. | |
| Objective: To ensure that critical and sensitive information handled by individuals working with mobile devices is adequately protected." | |
| PA2.3 Mobile Applications Management "Principle: Applications that run on smartphones, tablets and other devices running mobile operating systems (e.g. iOS and Android), and the information they handle, should be protected against unauthorised modification or disclosure. | |
| Objective: To ensure that information handled by individuals working with smartphones, tablets and other mobile devices is adequately protected." | |
| SD1.1 System Development Methodology "Principle: Development activities should be conducted in accordance with a documented system development methodology. | |
| Objective: To ensure that systems (including those under development) meet business and information security requirements." | |
| SD1.2 System Development Environments "Principle: System development activities should be performed in specialised development environments, which are isolated from the live and testing environments, and protected against unauthorised access. | |
| Objective: To provide a secure environment for system development activities, and avoid any disruption to business activity." | |
| SD1.3 Quality Assurance "Principle: Quality assurance of key security activities should be performed at each stage of the system development lifecycle. | |
| Objective: To provide assurance that security requirements are defined adequately, agreed security controls are developed, and security requirements are met." | |
| SD2.1 Specifications of Requirements "Principle: System requirements (including those for information security) should be documented in the business requirements and agreed before detailed design commences. | |
| Objective: To ensure that information security requirements are treated as an integral part of business requirements, fully considered and approved." | |
| SD2.2 System Design "Principle: Information security requirements for systems under development should be considered when designing systems. | |
| Objective: To produce live systems based on sound design principles which have security functionality built in, enable controls to be incorporated easily, are able to withstand malicious attacks, and help ensure that no security weaknesses are introduced during the build process." | |
| SD2.3 Software Acquisition "Principle: Robust, reliable software should be acquired (e.g. purchased or leased) following consideration of security requirements and identification of any security deficiencies. | |
| Objective: To ensure that software acquired from external suppliers provides the required functionality and does not compromise the security of critical or sensitive information and systems." | |
| SD2.4 System Build "Principle: System build activities (including program coding and software package customisation) should be carried out in accordance with industry good practice, performed by individuals provided with adequate skills/tools, and inspected to identify unauthorised modifications or changes. | |
| Objective: To ensure that systems are built correctly, able to withstand malicious attacks, and help ensure that no security weaknesses are introduced during the build process." | |
| SD2.5 System Testing "Principle: Systems under development (including application software packages, system software, hardware, communications and services) should be tested in a dedicated testing area that simulates the live environment, before the system is promoted to the live environment. | |
| Objective: To ensure systems function as intended, meet predefined security requirements and do not compromise information security." | |
| SD2.6 Code Review "Principle: A comprehensive review of the application code should be performed to identify any vulnerabilities introduced as a result of coding errors. | |
| Objective: To ensure that any coding vulnerabilities that may exist in the code are identified and remedied accordingly." | |
| SD2.7 System Promotion Criteria "Principle: Rigorous criteria (including security requirements) should be met before new systems are promoted into the live environment. | |
| Objective: To ensure that only security tested and approved versions of the system are promoted into the live environment." | |
| SD2.8 Installation Process "Principle: New systems should be installed in the live environment in accordance with a documented installation process. | |
| Objective: To minimise disruption to the organisation when new systems are installed in the live environment." | |
| SD2.9 Post-implementation Review "Principle: Post-implementation reviews (including coverage of information security), should be conducted for all new systems. | |
| Objective: To provide assurance that information security was considered and addressed throughout each stage of the system development lifecycle (SDLC) and security controls are working as expected." | |
| SD2.10 System Decommission "Principle: Systems that are no longer required should be evaluated and subject to a decommissioning process (where required), taking account of relevant information, software, services, equipment and devices. | |
| Objective: To keep information risk associated with systems that are no longer required within acceptable limits." | |
| BA1.1 Business Application Protection "Principle: Business applications should be recorded in a register, subject to secure architecture principles, validating connections and applying access controls. | |
| Objective: To protect business applications against unapproved access, invalid connections and unauthorised disclosure of sensitive information." | |
| BA1.1 Business Application Protection "Principle: Business applications should be recorded in a register, subject to secure architecture principles, validating connections and applying access controls. | |
| Objective: To protect business applications against unapproved access, invalid connections and unauthorised disclosure of sensitive information." | |
| BA1.1 Business Application Protection "Principle: Business applications should be recorded in a register, subject to secure architecture principles, validating connections and applying access controls. | |
| Objective: To protect business applications against unapproved access, invalid connections and unauthorised disclosure of sensitive information." | |
| BA1.1 Business Application Protection "Principle: Business applications should be recorded in a register, subject to secure architecture principles, validating connections and applying access controls. | |
| Objective: To protect business applications against unapproved access, invalid connections and unauthorised disclosure of sensitive information." | |
| BA1.2 Web Application Protection "Principle: Specialised procedural and technical controls should be applied to web applications, web content and websites. | |
| Objective: To ensure that the increased risks associated with web applications are minimised." | |
| BA1.3 Information Validation "Principle: Business applications should incorporate security controls that protect the confidentiality and integrity of information when it is input into, processed by and output from these applications. | |
| Objective: To protect the integrity (validity, accuracy, completeness and timeliness) of critical information, stored in or processed by business applications." | |
| BA2.1 EUDA Development "Principle: Development of End User Developed Applications (EUDA) should be carried out in accordance with a documented development methodology. | |
| Objective: To ensure EUDA function correctly and meet security requirements." | |
| BA2.2 Protection of Spreadsheets "Principle: Critical End User Developed Applications (EUDA) created using spreadsheet programs should be protected by validating input, implementing access control and restricting user access to powerful functionality. | |
| Objective: To assure the accuracy of information processed by critical spreadsheets, and protect that information from disclosure to unauthorised individuals." | |
| BA2.3 Protection of Databases "Principle: Critical End User Developed Applications (EUDA) created using database programs should be protected by validating input, implementing access control, and restricting user access to powerful functionality. | |
| Objective: To assure the accuracy of information processed by critical databases, and protect that information from disclosure to unauthorised individuals." | |
| SA1.1 Access Control "Principle: Access control arrangements should be established to restrict access to business applications, systems, networks and computing devices by all types of user, who should be assigned specific privileges to restrict them to particular information or systems. | |
| Objective: To ensure that only authorised individuals gain access to business applications, information systems, networks and computing devices, that individual accountability is assured and to provide authorised users with access privileges that are sufficient to enable them to perform their duties but do not permit them to exceed their authority." | |
| SA1.2 User Authorisation "Principle: Individuals with access to business applications, systems, networks and computing devices should be authorised before they are granted access privileges. | |
| Objective: To restrict access to business applications, information, networks and computing devices to authorised users." | |
| SA1.3 Access Control Mechanisms "Principle: Access to business applications, systems, networks and computing devices should be restricted to authorised individuals by the use of access control mechanisms. | |
| Objective: To limit access to only authorised individuals." | |
| SA1.4 Access Control Mechanisms – Password "Principle: Target environments (e.g. business applications, systems or network devices) that are configured with access control mechanisms based on passwords, should require users to provide a valid User ID and password before they can gain access to them. | |
| Objective: To prevent unauthorised users from gaining access to password-protected critical or sensitive information, business applications, information systems, networks or computing devices." | |
| SA1.5 Access Control Mechanisms – Token "Principle: Target environments (e.g. business applications, systems or network devices) that are configured with access control mechanisms based on tokens, should require users to provide a valid token (e.g. physical token, soft token or smartcard) and any related authentication information before they can gain access to these environments. | |
| Objective: To prevent unauthorised users from gaining access to token-protected critical or sensitive information, business applications, information systems, networks or computing devices." | |
| SA1.6 Access Control Mechanisms – Biometric "Principle: Target environments (e.g. business applications, systems or networks and computing devices) that are configured with access control mechanisms based on biometrics, should require users to provide a valid biometric (e.g. fingerprint/vein recognition, iris/retina patterns or voice characteristics) and any related authentication information before they can gain access to these environments. | |
| Objective: To prevent unauthorised users from gaining access to biometric-protected critical or sensitive information, business applications, information systems, networks or computing devices." | |
| SA1.7 Sign-on Process "Principle: Users should be subject to a rigorous sign-on process before being provided with access to business applications, systems, networks and computing devices. | |
| Objective: To ensure that only authorised users can gain access to business applications, information systems, networks and computing devices." | |
| SA2.1 Customer Access Arrangements "Principle: Access to business applications by customers should be established according to business requirements, subject to an information risk assessment and approved by application owners. | |
| Objective: To ensure that all aspects of customer access to the organisation's business applications meet security requirements." | |
| SA2.2 Customer Contracts "Principle: All customer access to the organisation's business applications should be supported by agreed, approved contracts, which cover security arrangements. | |
| Objective: To ensure customers are legally and contractually bound to protect the organisation's information, business applications and systems, and the organisation's security obligations are met." | |
| SA2.3 Customer Connections "Principle: Access to business applications by customers should be uniquely identified, recorded in an inventory of connections, protected using access control mechanisms and monitored. | |
| Objective: To protect the confidentiality, integrity and availability of critical or sensitive information relating to either the organisation or the customer." | |
| SY1.1 Computer and Network Installations "Principle: Computer system, network and telecommunication installations (e.g. data centres) should be designed to cope with current and predicted information processing requirements, and be protected using a range of built-in security controls. | |
| Objective: To ensure computer system, network and telecommunication installations can meet the security requirements of the critical business applications they support (i.e. protect them against a compromise of confidentiality, integrity or availability of information they process)." | |
| SY1.1 Computer and Network Installations "Principle: Computer system, network and telecommunication installations (e.g. data centres) should be designed to cope with current and predicted information processing requirements, and be protected using a range of in built security controls. | |
| Objective: To ensure computer system, network and telecommunication installations can meet the security requirements of the critical business applications they support (i.e. protect them against a compromise of confidentiality, integrity or availability of information they process)." | |
| SY1.1 Computer and Network Installations "Principle: Computer system, network and telecommunication installations (e.g. data centres) should be designed to cope with current and predicted information processing requirements, and be protected using a range of in built security controls. | |
| Objective: To ensure computer system, network and telecommunication installations can meet the security requirements of the critical business applications they support (i.e. protect them against a compromise of confidentiality, integrity or availability of information they process)." | |
| SY1.1 Computer and Network Installations "Principle: Computer system, network and telecommunication installations (e.g. data centres) should be designed to cope with current and predicted information processing requirements, and be protected using a range of in built security controls. | |
| Objective: To ensure computer system, network and telecommunication installations can meet the security requirements of the critical business applications they support (i.e. protect them against a compromise of confidentiality, integrity or availability of information they process)." | |
| SY1.1 Computer and Network Installations "Principle: Computer system, network and telecommunication installations (e.g. data centres) should be designed to cope with current and predicted information processing requirements, and be protected using a range of in built security controls. | |
| Objective: To ensure computer system, network and telecommunication installations can meet the security requirements of the critical business applications they support (i.e. protect them against a compromise of confidentiality, integrity or availability of information they process)." | |
| SY1.1 Computer and Network Installations "Principle: Computer system, network and telecommunication installations (e.g. data centres) should be designed to cope with current and predicted information processing requirements, and be protected using a range of in built security controls. | |
| Objective: To ensure computer system, network and telecommunication installations can meet the security requirements of the critical business applications they support (i.e. protect them against a compromise of confidentiality, integrity or availability of information they process)." | |
| SY1.1 Computer and Network Installations "Principle: Computer system, network and telecommunication installations (e.g. data centres) should be designed to cope with current and predicted information processing requirements, and be protected using a range of in built security controls. | |
| Objective: To ensure computer system, network and telecommunication installations can meet the security requirements of the critical business applications they support (i.e. protect them against a compromise of confidentiality, integrity or availability of information they process)." | |
| SY1.1 Computer and Network Installations "Principle: Computer system, network and telecommunication installations (e.g. data centres) should be designed to cope with current and predicted information processing requirements, and be protected using a range of in built security controls. | |
| Objective: To ensure computer system, network and telecommunication installations can meet the security requirements of the critical business applications they support (i.e. protect them against a compromise of confidentiality, integrity or availability of information they process)." | |
| SY1.1 Computer and Network Installations "Principle: Computer system, network and telecommunication installations (e.g. data centres) should be designed to cope with current and predicted information processing requirements, and be protected using a range of in built security controls. | |
| Objective: To ensure computer system, network and telecommunication installations can meet the security requirements of the critical business applications they support (i.e. protect them against a compromise of confidentiality, integrity or availability of information they process)." | |
| SY1.1 Computer and Network Installations "Principle: Computer system, network and telecommunication installations (e.g. data centres) should be designed to cope with current and predicted information processing requirements, and be protected using a range of in built security controls. | |
| Objective: To ensure computer system, network and telecommunication installations can meet the security requirements of the critical business applications they support (i.e. protect them against a compromise of confidentiality, integrity or availability of information they process)." | |
| SY1.1 Computer and Network Installations "Principle: Computer system, network and telecommunication installations (e.g. data centres) should be designed to cope with current and predicted information processing requirements, and be protected using a range of in built security controls. | |
| Objective: To ensure computer system, network and telecommunication installations can meet the security requirements of the critical business applications they support (i.e. protect them against a compromise of confidentiality, integrity or availability of information they process)." | |
| SY1.1 Computer and Network Installations "Principle: Computer system, network and telecommunication installations (e.g. data centres) should be designed to cope with current and predicted information processing requirements, and be protected using a range of in built security controls. | |
| Objective: To ensure computer system, network and telecommunication installations can meet the security requirements of the critical business applications they support (i.e. protect them against a compromise of confidentiality, integrity or availability of information they process)." | |
| SY1.1 Computer and Network Installations "Principle: Computer system, network and telecommunication installations (e.g. data centres) should be designed to cope with current and predicted information processing requirements, and be protected using a range of in built security controls. | |
| Objective: To ensure computer system, network and telecommunication installations can meet the security requirements of the critical business applications they support (i.e. protect them against a compromise of confidentiality, integrity or availability of information they process)." | |
| SY1.1 Computer and Network Installations "Principle: Computer system, network and telecommunication installations (e.g. data centres) should be designed to cope with current and predicted information processing requirements, and be protected using a range of in built security controls. | |
| Objective: To ensure computer system, network and telecommunication installations can meet the security requirements of the critical business applications they support (i.e. protect them against a compromise of confidentiality, integrity or availability of information they process)." | |
| SY1.2 Server Configuration "Principle: Servers should be configured to function as required, and to prevent unauthorised or incorrect updates. | |
| Objective: To ensure servers operate as intended and do not compromise the security of computer installations or other environments." | |
| SY1.3 Virtualisation "Principle: Virtual instances should be subject to approval, deployed on robust, secure physical hardware and configured to segregate sensitive information. | |
| Objective: To prevent business disruption as a result of system overload or disclosure of sensitive information to unauthorised individuals." | |
| SY1.4 Network Storage Systems "Principle: Network storage systems should be protected using system and network controls. | |
| Objective: To ensure network storage systems operate as intended, are available when required and do not compromise the security of information they store." | |
| SY2.1 Service Level Agreements "Principle: Computer and network services that support critical business processes and applications should only be obtained from service providers capable of providing required security controls, and be supported by documented contracts or service level agreements. | |
| Objective: To define the business requirements for providers of any computer or network services, including those for information security, and to ensure they are met." | |
| SY2.2 Performance Monitoring "Principle: The performance of business applications, systems and networks should be monitored continuously, and reviewed by business owners. | |
| Objective: To reduce the likelihood of degraded system performance or unavailability having a negative impact on business operations." | |
| SY2.3 Backup "Principle: Backups of information and software should be performed according to backup schedules (in predefined regular cycles) or on a continuous basis (each time data is modified) and tested to ensure they can be restored quickly and effectively. | |
| Objective: To ensure that in the event of an emergency, and to comply with legal and regulatory requirements or other business requirements, information or systems can be restored within critical timescales." | |
| SY2.4 Change Management "Principle: Changes to business applications, information systems and network devices should be tested, reviewed and applied using a change management process. | |
| Objective: To ensure that changes are applied correctly and do not compromise the security of business applications, computer systems or networks." | |
| NC1.1 Network Device Configuration "Principle: Network devices should be configured to function as required, and to prevent unauthorised or incorrect updates. | |
| Objective: To ensure that the configuration of network devices is accurate and does not compromise the security of the network." | |
| NC1.2 Physical Network Management "Principle: Networks (including voice networks) should be protected by physical controls and supported by accurate, up-to-date documentation and labelling of essential components. | |
| Objective: To ensure that networks (including voice networks) are configured accurately and securely and provide employees with a clear statement of the security disciplines they are expected to follow." | |
| NC1.3 Wireless Access "Principle: Wireless access should be subject to authorisation, authentication of users and computing devices, and encryption of wireless traffic. | |
| Objective: To ensure that only authorised individuals and computing devices gain wireless access to networks and minimise the risk of wireless transmissions being monitored, intercepted or modified." | |
| NC1.4 External Network Connections "Principle: All external network connections to systems and networks should be individually identified, verified, recorded, and approved by the system or network owner. | |
| Objective: To prevent unauthorised external users from gaining access to information systems and networks." | |
| NC1.5 Firewalls "Principle: Network traffic should be routed through well-configured firewalls prior to being allowed access to networks, or before leaving networks. | |
| Objective: To prevent unauthorised network connections, both inbound and outbound." | |
| NC1.6 Remote Maintenance "Principle: Remote maintenance of critical systems and networks should be restricted to authorised individuals, confined to individual sessions, and subject to review. | |
| Objective: To prevent unauthorised access to critical systems and networks through the misuse of remote maintenance facilities." | |
| NC2.1 Email "Principle: Email systems should be protected by a combination of policy, awareness, procedural and technical security controls. | |
| Objective: To ensure that email services are available when required, the confidentiality and integrity of messages is protected in transit, and the risk of misuse is minimised." | |
| NC2.2 Collaboration Platforms "Principle: Collaboration platforms should be protected by setting management policy, deploying application controls, configuring the security settings of each platform and improving the security of supporting technical infrastructure. | |
| Objective: To ensure that collaboration platforms are available when required, the confidentiality and integrity of information is protected in transit, and the risk of misuse is minimised." | |
| NC2.3 Voice Communication Services "Principle: Voice communication services should be approved, protected by a combination of general network and technology-specific controls, monitored regularly and supported by access restrictions. | |
| Objective: To ensure the availability of voice communication services, and protect the confidentiality and integrity of sensitive information (e.g. the content of calls) in transit." | |
| SC1.1 Supplier Management Framework "Principle: A security management framework should be established that includes appropriate external supplier security steering groups, policies, processes, registers and information risk assessments and security arrangements. | |
| Objective: To ensure information risks are identified and managed effectively throughout all stages of the relationship with external suppliers (including organisations in the supply chain)." | |
| SC1.2 Supplier Procurement "Principle: A process should be established to integrate security into the procurement of products and services from external suppliers. | |
| Objective: To provide assurance that security requirements are addressed effectively when products or services are delivered by external suppliers." | |
| SC1.3 Supplier Contracts "Principle: The use of products and services provided by external suppliers should be supported by contracts that include appropriate security requirements. | |
| Objective: To define security requirements for products and services provided by external suppliers and specify how they will be met." | |
| SC2.1 Cloud Security Management "Principle: A comprehensive, documented security management approach for the acquisition and use of cloud services should be developed and communicated to all individuals who may purchase, develop, configure or use cloud services. | |
| Objective: To ensure all necessary security arrangements are implemented for the use of cloud services, and that information risks are managed in cloud environments." | |
| SC2.2 Core Cloud Security Controls "Principle: A set of fundamental cloud security controls should be created and implemented effectively, tailored to the needs of the organisation, that cover a broad range of the most common cloud security issues. | |
| Objective: To address weak or insufficient cloud security controls and help the organisation use cloud services securely in a heterogeneous, multi-cloud environment." | |
| TS1.1 Security Architecture "Principle: A security architecture should be established to help manage the complexity of providing information security at scale throughout the organisation. | |
| Objective: To enable system developers and administrators to make more effective decisions and implement consistent, simple-to-use security functionality across multiple business applications and systems throughout the organisation." | |
| TS1.2 Malware Protection Activities "Principle: Activities should be performed to make users aware of the risks from malware, and to specify the actions required to minimise those risks. | |
| Objective: To ensure all relevant individuals understand the key elements of malware protection, why it is needed, and help to keep the impact of malware to a minimum." | |
| TS1.3 Malware Protection Software "Principle: Systems throughout the organisation should be safeguarded against all forms of malware by maintaining up-to-date malware protection software, which is supported by effective procedures for managing malware-related security incidents. | |
| Objective: To protect the organisation against malware attacks and ensure malware infections can be addressed within defined timescales." | |
| TS1.4 Identity and Access Management "Principle: Identity and access management arrangements should be established to provide effective and consistent user administration, identification, authentication and access control mechanisms across the organisation. | |
| Objective: To restrict system access to authorised users and ensure the integrity of important information." | |
| TS1.5 Intrusion Detection "Principle: Intrusion detection mechanisms should be applied to critical systems and networks. | |
| Objective: To identify suspected or actual malicious attacks and enable the organisation to respond in a timely manner." | |
| TS1.6 Data Leakage Prevention "Principle: Data leakage prevention solutions should be applied to devices, systems and networks that process, store or transmit sensitive information. | |
| Objective: To prevent sensitive information from being disclosed to unauthorised individuals or systems." | |
| TS1.7 Digital Rights Management "Principle: High-value sensitive information or software that is accessed and used outside of the control of the organisation should be protected by the use of digital rights management (DRM). | |
| Objective: To ensure that the access to and processing of highly sensitive information is restricted to specific functions by a limited number of authorised individuals." | |
| TS2.1 Cryptographic Solutions "Principle: Cryptographic solutions should be subject to approval, documented and applied throughout the organisation. | |
| Objective: To protect the confidentiality of sensitive information, preserve the integrity of critical information and confirm the identity of the originator of transactions or communications." | |
| TS2.2 Cryptographic Key Management "Principle: Cryptographic keys should be managed tightly, in accordance with documented standards/procedures, and protected against unauthorised access or destruction. | |
| Objective: To ensure that cryptographic keys are not compromised (e.g. through loss, corruption or disclosure), thereby exposing critical or sensitive information to attack." | |
| TS2.3 Public Key Infrastructure "Principle: Where a Public Key Infrastructure (PKI) is used, one or more Certification Authorities (CAs) and Registration Authorities (RAs) should be established and protected. | |
| Objective: To ensure that the PKI operates as intended, is available when required, provides adequate protection of related cryptographic keys and can be recovered in the event of an emergency." | |
| TM1.1 Technical Vulnerability Management "Principle: A process should be established for the identification and remediation of technical vulnerabilities in business applications, systems, equipment and devices. | |
| Objective: To address technical vulnerabilities quickly and effectively, reducing the likelihood of them being exploited, which could result in serious security incidents." | |
| TM1.2 Security Event Logging "Principle: Important security-related events should be recorded in logs, stored centrally, protected against unauthorised change and analysed on a regular basis. | |
| Objective: To help identify threats that may lead to an information security incident, maintain the integrity of important security-related information and support forensic investigations." | |
| TM1.3 Security Event Management "Principle: Security-related data should be reviewed and analysed on a regular basis, by security specialists, using a combination of automated and manual methods. | |
| Objective: To identify anomalous activity or behaviour, triage accordingly and report security incidents requiring response in a timely manner." | |
| TM1.4 Threat Intelligence "Principle: A threat intelligence capability should be established, supported by an intelligence cycle and analytical tools. | |
| Objective: To provide information and situational awareness about past, present and predicted attacks, supporting information risk-related decisions and actions." | |
| TM1.5 Cyber Attack Protection "Principle: Arrangements should be made to protect the organisation's information and systems against sophisticated, targeted cyber attacks. | |
| Objective: To reduce the frequency and impact of attempted and successful targeted cyber attacks." | |
| TM2.1 Security Incident Management Framework "Principle: An information security incident management framework should be established, including relevant individuals, information and tools required by the organisation's information security incident management process. | |
| Objective: To provide the resources required to help resolve information security incidents quickly and effectively." | |
| TM2.2 Security Incident Management Process "Principle: Information security incidents should be identified, responded to, recovered from, and followed up using an information security incident management process. | |
| Objective: To identify and resolve information security incidents quickly and effectively, minimise their business impact and reduce the risk of similar incidents occurring." | |
| TM2.3 Emergency Fixes "Principle: Emergency fixes to information, business applications and technical infrastructure should be tested, reviewed and applied quickly and effectively, in accordance with documented standards/procedures. | |
| Objective: To respond to emergencies in a timely and secure manner, while reducing disruption to the organisation." | |
| TM2.4 Forensic Investigations "Principle: A process should be established for dealing with information security incidents or other events (e.g. e-discovery requests) that require forensic investigation. | |
| Objective: To identify perpetrators of malicious acts and preserve sufficient evidence to prosecute them if required." | |
| LC1.1 Local Environment Profile "Principle: A security profile for each local environment should be documented and maintained, which contains important business and security details about business users, information, business applications, equipment, technology and locations. | |
| Objective: To provide a high-level picture of the type and importance of business conducted in the local environment, which helps support security decisions about activities relating to the local environment." | |
| LC1.2 Local Security Coordination "Principle: Arrangements should be made to coordinate information security activity in individual business units/departments. | |
| Objective: To ensure that security activities are carried out in a timely and accurate manner, throughout the organisation, and that security issues are resolved effectively." | |
| LC2.1 Physical Protection "Principle: All critical facilities (including locations that house critical technical infrastructure, industrial control systems and specialised equipment) should be physically protected against accident or attack and unauthorised physical access. | |
| Objective: To restrict physical access to authorised individuals, ensure that critical facilities are available when required and to prevent important services from being disrupted by loss of, or damage to, equipment or services." | |
| LC2.2 Power Supplies "Principle: Critical facilities (including locations that house critical technical infrastructure, industrial control systems and specialised equipment) should be protected against power outages. | |
| Objective: To prevent critical services from being disrupted by loss of power." | |
| LC2.3 Hazard Protection "Principle: Critical facilities (including locations that house critical technical infrastructure, industrial control systems and specialised equipment) should be protected against fire, flood, environmental and other natural hazards. | |
| Objective: To prevent services being disrupted by damage to critical facilities caused by fire, flood and other types of hazard." | |
| BC1.1 Business Continuity Strategy "Principle: A business continuity strategy covering the whole organisation should be established, which promotes the need for business continuity management, embeds business continuity management into the organisation's culture, and is implemented in the form of a business continuity programme. | |
| Objective: To align business continuity goals with the organisation's business goals, provide resilience against disruption and minimise impact to the organisation in the event of a disaster or emergency." | |
| BC1.2 Business Continuity Programme "Principle: A business continuity programme should be established, which includes developing a resilient technical infrastructure, creating a crisis management capability, and coordinating and maintaining business continuity plans and arrangements across the organisation. | |
| Objective: To enable the organisation to withstand the prolonged unavailability of critical information, business applications and related technical infrastructure, and provide individuals with a documented set of actions to perform in the event of a disaster or emergency." | |
| BC1.3 Resilient Technical Environments "Principle: Critical business applications and underlying technical infrastructure should be run on robust, reliable hardware and software, and be supported by alternative or duplicate facilities. | |
| Objective: To ensure critical business processes that rely on business applications and technical infrastructure are available when required." | |
| BC1.4 Crisis Management "Principle: A crisis management process should be established, supported by a crisis management team, which details actions to be taken in the event of a major incident or serious attack. | |
| Objective: To respond to major incidents and serious attacks quickly and effectively, reducing any potential business impact, including brand and reputational damage." | |
| BC2.1 Business Continuity Planning "Principle: Business continuity plans should be developed and documented to support critical business processes throughout the organisation. | |
| Objective: To provide relevant individuals with a documented set of actions to perform in the event of a disaster or emergency affecting business applications and technical infrastructure, enabling critical business processes to be resumed within agreed timescales." | |
| BC2.2 Business Continuity Arrangements "Principle: Alternative business continuity arrangements (sometimes referred to as disaster recovery plans) should be established for individual business environments, and made available when required. | |
| Objective: To enable critical business processes to be resumed to an agreed level, within an agreed time following a disruption, using alternative processing facilities." | |
| BC2.3 Business Continuity Testing "Principle: Business continuity plans and arrangements should be tested on a regular basis. | |
| Objective: To provide assurance that business continuity plans and arrangements will work as required, so that critical business processes can resume within predefined timescales." | |
| AS1.1 Security Assurance Programme "Principle: The organisation should implement a consistent and structured information security assurance programme. | |
| Objective: To provide evidence to stakeholders on the effectiveness of security controls that protect business processes, projects and supporting assets." | |
| AS1.2 Security Testing "Principle: Target environments should be subject to security testing, using a diverse range of assessments (e.g. penetration testing, vulnerability assessments and cyber security exercises). | |
| Objective: To identify security weaknesses in target environments and determine the level of resilience under attack conditions." | |
| AS1.3 Security Monitoring and Reporting "Principle: Information security performance should be monitored regularly and reported to specific audiences, such as executive management. | |
| Objective: To provide each audience with a relevant, accurate, comprehensive and coherent assessment of information security performance." | |
| AS1.4 Information Risk Reporting "Principle: Reports relating to information risk should be produced and presented to executive management on a regular basis. | |
| Objective: To provide executive management with an accurate, comprehensive and coherent view of information risk across the organisation." | |
| AS2.1 Security Audit Management "Principle: The information security status of target environments (e.g. critical business environments, processes, applications and supporting technical infrastructure) should be subject to thorough, independent and regular security audits. | |
| Objective: To ensure that security controls have been implemented effectively, that risk is being adequately managed and to provide the owners of target environments and executive management with an independent assessment of their security status." | |
| AS2.2 Security Audit Process - Planning "Principle: Security audits of target environments should be subject to thorough planning, which includes identifying risks, determining audit objectives, defining the approach and scope of security audits, and preparing a security audit plan. | |
| Objective: To ensure security audits are performed using an agreed methodology, can be completed within acceptable timescales and that no audit steps or activities are missed." | |
| AS2.3 Security Audit Process - Fieldwork "Principle: Security audit fieldwork conducted for target environments should include collecting relevant background material, performing security audit tests and recording the results of the tests. | |
| Objective: To identify both non-compliances and information risks associated with target environments." | |
| AS2.4 Security Audit Process - Reporting "Principle: The results of security audits of target environments, including findings and recommendations, should be documented and reported to stakeholders. | |
| Objective: To ensure stakeholders are informed about the risks associated with target environments and to enable owners of remedial actions to be identified and agreed." | |
| AS2.5 Security Audit Process - Monitoring "Principle: Actions to address security audit findings should be incorporated into a programme of work and monitored continuously. | |
| Objective: To ensure the risks identified during security audits are treated effectively, compliance requirements are being met, and agreed security controls are being implemented within agreed timescales." | |