ISO 27001 2013 Appendix A
A set of policies for information security shall be defined, approved by management, published and communicated to emplo
Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be m
A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at tele
Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, reg
proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for infor
7.2 During employment
7.2.1 Management responsibilities
# Classification: Public
Management shall require all employees and contractors to apply information security in accordance with the established po
organization.
7.2.2 Information security awareness, education and training
All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and trainin
organizational policies and procedures, as relevant for their job function.
7.2.3 Disciplinary process
There should be a formal and communicated disciplinary process in place to take action against employees who have comm
Assets associated with information and information processing facilities shall be identified and an inventory of these assets
8.1.2 Ownership of assets
Assets maintained in the inventory shall be owned.
8.1.3 Acceptable use of assets
Rules for the acceptable use of information and of assets associated with information and information processing facilities s
implemented.
8.1.4 Return of assets
All KPMG personnel and external party users should return all of the organizational assets in their possession upon termina
agreement.
8.1.5 Removal of cloud service customer assets
Assets of KPMG organizations consuming cloud services (IaaS, PaaS or SaaS) that are on the cloud service provider's prem
if necessary, in a timely manner upon termination of the cloud service agreement.
8.2 Information classification
8.2.1 Classification of information
Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure
8.2.2 Labelling of information
An appropriate set of procedures for information labelling should be developed and implemented in accordance with the inf
adopted by the organization.
8.2.3 Handling of assets
Procedures for handling assets should be developed and implemented in accordance with the information classification sche
8.3 Media handling
8.3.1 Management of removable media
Procedures shall be implemented for the management of removable media in accordance with the classification scheme ado
8.3.2 Disposal of media
Media should be disposed of securely when no longer required, using formal procedures.
8.3.3 Physical media transfer
Media containing information should be protected against unauthorized access, misuse or corruption during transportation.
9 Access control
9.1 Business requirements of access control
9.1.1 Access control policy
An access control policy should be established, documented and reviewed based on business and information security requi
Users should only be provided with access to the network and network services that they have been specifically authorized
A formal user registration and de-registration process should be implemented to enable assignment of access rights.
A formal user access provisioning process should be implemented to assign or revoke access rights for all user types to all s
The access rights of all employees and external party users to information and information processing facilities should be re
employment, contract or agreement, or adjusted upon change.
9.3 User responsibilities
9.3.1 Use of secret authentication information
Users should be required to follow the organization’s practices in the use of secret authentication information.
9.4 System and application access control
9.4.1 Information access restriction
Access to information and application system functions should be restricted in accordance with the access control policy.
Where required by the access control policy, access to systems and applications should be controlled by a secure log-on pro
The use of utility programs that might be capable of overriding system and application controls should be restricted and tigh
A virtual environment running on a cloud service should be protected from other cloud service customers and unauthorized
A policy on the use, protection and lifetime of cryptographic keys should be developed and implemented through their who
Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and infor
Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
Physical protection against natural disasters, malicious attack or accidents should be designed and applied.
11.1.5 Working in secure areas
Procedures for working in secure areas should be designed and applied.
11.1.6 Delivery and loading areas
Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shou
isolated from information processing facilities to avoid unauthorized access.
11.2 Equipment
11.2.1 Equipment siting and protection
Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for u
Power and telecommunications cabling carrying data or supporting information services should be protected from intercept
Security should be applied to off-site assets, taking into account the different risks of working outside the organization’s pre
Equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been rem
disposal or re-use.
A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities s
12 Operations security
12.1 Operational procedures and responsibilities
12.1.1 Documented operating procedures
Operating procedures should be documented and made available to all users who need them.
12.1.2 Change management
Changes to the organization, business processes, information processing facilities and systems that affect information secur
The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the require
Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or chang
Procedures for administrative operations of a cloud computing environment should be defined, documented and monitored.
Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate
12.3 Backup
12.3.1 Information backup
Backup copies of information, software and system images should be taken and tested regularly in accordance with an agree
Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regular
System administrator and system operator activities should be logged, and the logs protected and regularly reviewed.
The clocks of all relevant information processing systems within an organization or security domain should be synchronized
The cloud service customer should have the capability to monitor specified aspects of the operation of the cloud services th
Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the or
vulnerabilities evaluated and appropriate measures taken to address the associated risk.
Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to m
processes.
13 Communications security
13.1 Network security management
13.1.1 Network controls
Networks should be managed and controlled to protect information in systems and applications.
13.1.2 Security of network services
Security mechanisms, service levels and management requirements of all network services should be identified and include
whether these services are provided in-house or outsourced.
Upon configuration of virtual networks, consistency of configurations between virtual and physical networks should be veri
provider's network security policy.
Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of
facilities.
Agreements should address the secure transfer of business information between the organization and external parties.
Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of infor
regularly reviewed and documented.
The information security related requirements should be included in the requirements for new information systems or enhan
systems.
Information involved in application services passing over public networks should be protected from fraudulent activity, con
disclosure and modification.
Information involved in application service transactions should be protected to prevent incomplete transmission, mis-routin
unauthorized disclosure, unauthorized message duplication or replay.
Rules for the development of software and systems should be established and applied to developments within the organizati
Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures.
When operating platforms are changed, business critical applications should be reviewed and tested to ensure there is no ad
operations or security.
Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly c
Principles for engineering secure systems should be established, documented, maintained and applied to any information sy
Organizations should establish and appropriately protect secure development environments for system development and int
system development lifecycle.
Acceptance testing programs and related criteria should be established for new information systems, upgrades and new vers
Information security requirements for mitigating the risks associated with suppliers’ access to the organization’s assets shou
documented.
All relevant information security requirements should be established and agreed with each supplier that may access, process
infrastructure components for, the organization’s information.
Agreements with suppliers should include requirements to address the information security risks associated with informatio
services and product supply chain.
Changes to the provision of services by suppliers, including maintaining and improving existing information security polici
be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of
Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to infor
KPMG personnel and contractors using the organization’s information systems and services should be required to note and
information security weaknesses in systems or services.
Information security events should be assessed, and it should be decided if they are to be classified as information security i
Knowledge gained from analyzing and resolving information security incidents should be used to reduce the likelihood or im
The organization should define and apply procedures for the identification, collection, acquisition and preservation of inform
The organization should determine its requirements for information security and the continuity of information security man
during a crisis or disaster.
The organization should establish, document, implement and maintain processes, procedures and controls to ensure the requ
information security during an adverse situation.
The organization should verify the established and implemented information security continuity controls at regular intervals
valid and effective during adverse situations.
17.2 Redundancies
17.2.1 Availability of information processing facilities
Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.
18 Compliance
18.1 Compliance with legal and contractual requirements
18.1.1 Identification of applicable legislation and contractual requirements
All relevant legislative, statutory, regulatory and contractual requirements and the organization’s approach to meet these require
documented and kept up to date for each information system and the organization.
Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requireme
rights and use of proprietary software products.
Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordan
contractual and business requirements.
Privacy and protection of personally identifiable information should be ensured, as required in relevant legislation and regu
The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, poli
information security) should be reviewed independently at planned intervals or when significant changes occur.
Managers should regularly review the compliance of information processing and procedures within their area of responsibil
policies, standards and any other security requirements.
Information systems should be regularly reviewed for compliance with the organization’s information security policies and