The following list shows each of the reference controls and gives examples of the types of risks that they may be used to treat.

You may use this table to help to identify relevant risks for your organization and to define where the controls from Annex A of ISO/IEC 27001 are applicable.

| REF | EXAMPLE RISK(S) | ANNEX A CONTROL |
|---|---|---|
| 1.0 | It is not clear what the organization's rules are for managing information security. Employees and others are not aware of what they should be doing to protect the organization | A.5.1 Policies for information security |
| 2.0 | New threats have emerged that need to be addressed in policies | A.5.1 Policies for information security |
| 3.0 | It is not clear who should be doing what with respect to information security | A.5.2 Information security roles and responsibilities |
| 4.0 | An individual is able to perform all of the steps required to carry out a sensitive business process. Checks are insufficient to prevent accidental amendment or destruction of data | A.5.3 Segregation of duties |
| 5.0 | The organization is unaware of its legal or regulatory responsibilities and may break the law without realising it | A.5.5 Contact with authorities |
| 6.0 | The organization lacks up-to-date knowledge of information security issues such as current threats, new controls and other relevant information | A.5.6 Contact with special interest groups |
| 7.0 | Information gathered and created during projects is not adequately protected | A.5.8 Information security in project management |
| 8.0 | Data held on mobile devices is prone to loss or theft of the device, or unauthorised access | A.8.1 User endpoint devices |
| 9.0 | A teleworking site does not meet the information security standards maintained at main locations and data is exposed to loss or theft | A.6.7 Remote working |
| 10.0 | It is not clear who does what with respect to cloud security and one party (e.g. the cloud service customer) is under the impression that the other (e.g. the cloud service provider) is monitoring a particular aspect | A.5.23 Information security for use of cloud services |
| 11.0 | An employee is recruited who could deliberately breach information security | A.6.1 Screening |
| 12.0 | It is not clear to employees what their responsibilities for information security are | A.6.2 Terms and conditions of employment |
| 13.0 | Employees do not follow security policies as they are regarded as irrelevant | A.5.4 Management responsibilities |
| 14.0 | Employees and contractors are not aware of information security policies and are unable to spot potential breaches | A.6.3 Information security awareness, education and training |
| 15.0 | The consequences of committing an information security breach are not sufficiently clear to employees | A.6.4 Disciplinary process |
| 16.0 | Ex-employees could breach information security after leaving, e.g. by making confidential information public | A.6.5 Responsibilities after termination or change of employment |
| 17.0 | It is not clear what assets we are trying to protect and where they are located | A.5.9 Inventory of information and other associated assets |
| 18.0 | No-one takes responsibility for protecting specific assets | A.5.9 Inventory of information and other associated assets |
| 19.0 | Information and assets are used in ways that are not acceptable to the organization, e.g. devices are physically abused and information is left exposed | A.5.10 Acceptable use of information and other associated assets |
| 20.0 | Assets are not returned when someone leaves the organization | A.5.11 Return of assets |
| 21.0 | Assets that are stored with a cloud service provider are not returned | A.5.23 Information security for use of cloud services |
| 22.0 | It is not clear how specific items of information should be protected | A.5.12 Classification of information |
| 23.0 | Employees are unable to tell how information should be protected | A.5.13 Labelling of information |
| 24.0 | Assets are handled inappropriately because how they should be handled has not been defined | A.5.10 Acceptable use of information and other associated assets |
| 25.0 | Removable media is used without effective protection of the data held on it | A.7.10 Storage media |
| 26.0 | The information stored on media is vulnerable to compromise when it is disposed of | A.7.10 Storage media |
| 27.0 | Data held on media is not adequately protected whilst in transit, e.g. by the use of encryption | A.7.10 Storage media |
| 28.0 | Employees or third parties have access to information without authorisation or by mistake | A.5.15 Access control |
| 29.0 | A user could gain unauthorised access to information via a network that they have no legitimate reason to use | A.5.15 Access control |
| 30.0 | User accounts are created without authority or not removed when no longer needed | A.5.16 Identity management |
| 31.0 | Users are given an inappropriate level of access within systems | A.5.18 Access rights |
| 32.0 | Privileged access rights could be used by an unauthorised person to breach information security | A.8.2 Privileged access rights |
| 33.0 | User passwords are known to someone other than the user to whom they relate | A.5.17 Authentication information |
| 34.0 | Inappropriate levels of access remain in place long term and attempts to increase permissions are not spotted | A.5.18 Access rights |
| 35.0 | Ex-users still have access even when they have left the organization | A.5.18 Access rights |
| 36.0 | Users share user accounts and let others know their passwords | A.5.17 Authentication information |
| 37.0 | Too much access is allowed to a user where their role does not require it | A.8.3 Information access restriction |
| 38.0 | Logon to secure systems is possible by unauthorised users | A.8.5 Secure authentication |
| 39.0 | Users do not set appropriately strong passwords | A.5.17 Authentication information |
| 40.0 | A privileged utility program could be used to bypass security controls and gain unauthorised access to information | A.8.18 Use of privileged utility programs |
| 41.0 | Program source code could be destroyed or tampered with to benefit an attacker | A.8.4 Access to source code |
| 42.0 | The use of encryption within the organization is haphazard and uncoordinated, resulting in a lack of effectiveness and possible illegal use | A.8.24 Use of cryptography |
| 43.0 | Cryptographic keys are often lost or compromised, potentially resulting in the loss of encrypted data | A.8.24 Use of cryptography |
| 44.0 | It is not clear where physical security has been, or needs to be, applied | A.7.1 Physical security perimeters |
| 45.0 | Unauthorised people are able to bypass entry controls | A.11.1.2 Physical entry controls |
| 46.0 | Unauthorised people are able to gain physical access to sensitive information | A.7.2 Physical entry |
| 47.0 | An accident, attack or natural disaster could destroy or severely affect sensitive information and its processing | A.7.5 Protecting against physical and environmental threats |
| 48.0 | People in secure areas leave the area open to attack or unauthorised access | A.7.6 Working in secure areas |
| 49.0 | Access could be gained to secure areas via a publicly accessible delivery area | A.7.2 Physical entry |
| 50.0 | Screens showing sensitive information can be seen by unauthorised people | A.7.8 Equipment siting and protection |
| 51.0 | Essential facilities are disabled due to a power outage | A.7.11 Supporting utilities |
| 52.0 | Someone could listen in to sensitive information by tapping a cable | A.7.12 Cabling security |
| 53.0 | Equipment often breaks down or fails to protect information due to a lack of appropriate care | A.7.13 Equipment maintenance |
| 54.0 | Equipment, information or software is removed from a location without the knowledge or permission of the organization | A.7.10 Storage media |
| 55.0 | Assets containing sensitive information are left unprotected whilst offsite | A.7.9 Security of assets off-premises |
| 56.0 | Sensitive information can be read from storage media that has been disposed of or reused | A.7.14 Secure disposal or re-use of equipment |
| 57.0 | Someone could access systems they are not authorised to use via a device that has been left logged on | A.8.1 User endpoint devices |
| 58.0 | Support staff, e.g. cleaners and security personnel, are able to read sensitive information left unattended on desks | A.7.7 Clear desk and clear screen |
| 59.0 | Loss of data due to incorrect performance of operating procedures | A.5.37 Documented operating procedures |
| 60.0 | Information security may become compromised when changes are made to the organization, business processes or information processing facilities and systems | A.8.32 Change management |
| 61.0 | Systems run slowly or not at all because the resources required are not available | A.8.6 Capacity management |
| 62.0 | A poorly tested software change results in errors in a business-critical process | A.8.31 Separation of development, test and production environments |
| 63.0 | An administrator of a cloud service makes a serious and unrecoverable error that affects service availability or security | A.5.23 Information security for use of cloud services |
| 64.0 | Systems are affected by malware, e.g. ransomware or spyware, having a serious effect on service delivery and security | A.8.7 Protection against malware |
| 65.0 | Data is lost and cannot be recovered from backup | A.8.13 Information backup |
| 66.0 | Suspicious events are not detected due to inadequate logs being kept | A.8.15 Logging |
| 67.0 | Incriminating logs are wiped or altered by an attacker | A.8.15 Logging |
| 68.0 | An insider with admin access views sensitive data | A.8.15 Logging |
| 69.0 | The time sequence of an attack cannot be identified because each of the clocks involved tells a different time | A.8.17 Clock synchronization |
| 70.0 | The organization can't tell if a cloud service has been compromised because no logs are kept | A.5.23 Information security for use of cloud services |
| 71.0 | Software is installed on an operational system which causes an unwanted effect, e.g. compatibility issues or the introduction of vulnerabilities | A.8.19 Installation of software on operational systems |
| 72.0 | A hacker exploits an undetected vulnerability and steals information | A.8.8 Management of technical vulnerabilities |
| 73.0 | A user installs some software that introduces vulnerabilities to the organization and its network | A.8.19 Installation of software on operational systems |
| 74.0 | Penetration tests disrupt a live system during peak service hours | A.8.34 Protection of information systems during audit testing |
| 75.0 | An external threat actor is able to gain access to the network | A.8.20 Networks security |
| 76.0 | The required security mechanisms, service levels and management requirements for network services are not agreed with the supplier and so are not provided | A.8.21 Security of network services |
| 77.0 | An external threat actor is able to gain access to a less critical network, and then use this access to enter more business-critical networks | A.8.22 Segregation of networks |
| 78.0 | A hacker is able to exploit the weaknesses in virtual networking to carry out an attack | A.8.20 Networks security |
| 79.0 | Information in transit is intercepted and compromised | A.5.14 Information transfer |
| 80.0 | Information in transit to and from third parties is intercepted and compromised | A.5.14 Information transfer |
| 81.0 | Confidential emails are intercepted and used as the basis for an attack, e.g. a fraudulent bank transfer | A.5.14 Information transfer |
| 82.0 | Confidential information is shared with others by a third party because no agreement prohibiting this was in place | A.6.6 Confidentiality or non-disclosure agreements |
| 83.0 | New or changed systems are open to attack in ways that could have been predicted | A.5.8 Information security in project management |
| 84.0 | Information involved in application services is intercepted and modified in order to commit fraud | A.8.26 Application security requirements |
| 85.0 | Application service transactions are used to mount an attack on the organization or its business partners | A.8.26 Application security requirements |
| 86.0 | Software is written that has an unacceptable level of vulnerabilities | A.8.25 Secure development life cycle |
| 87.0 | Changes are uncontrolled whilst in development, leading to poor quality software and badly defined releases | A.8.32 Change management |
| 88.0 | Business-critical applications are adversely affected when the underlying operating platform is changed | A.8.32 Change management |
| 89.0 | Significant modifications to software packages introduce security vulnerabilities, functionality issues and support problems | A.8.32 Change management |
| 90.0 | Systems are designed without adequate regard to, or knowledge of, information security | A.8.27 Secure system architecture and engineering principles |
| 91.0 | Development environments are able to be accessed by unauthorised persons who could introduce code that makes future attacks easier | A.8.31 Separation of development, test and production environments |
| 92.0 | Code developed by an outsourcing provider may contain security flaws that are not discovered by the organization | A.8.30 Outsourced development |
| 93.0 | Security functionality doesn't work correctly in live software | A.8.29 Security testing in development and acceptance |
| 94.0 | Newly implemented systems don't work as intended | A.8.29 Security testing in development and acceptance |
| 95.0 | Test data doesn't identify issues with the software being tested and is itself of value to an attacker (e.g. if copied from live data) | A.8.33 Test information |
| 96.0 | An attacker gains access to the organization's network using logon credentials obtained from a supplier who has legitimate access | A.5.19 Information security in supplier relationships |
| 97.0 | A supplier, who provides services to and has access to the organization's information, has inadequate security controls in place and suffers a breach involving the organization's data | A.5.20 Addressing information security within supplier agreements |
| 98.0 | A supplier uses contractors who do not have adequate security controls in place | A.5.21 Managing information security in the ICT supply chain |
| 99.0 | A supplier is not delivering the level of service that they should | A.5.22 Monitoring, review and change management of supplier services |
| 100.0 | A supplier, e.g. a cloud service provider, makes a change that is not expected and which significantly affects the organization's business processes | A.5.22 Monitoring, review and change management of supplier services |
| 101.0 | It is not clear who should do what when an information security incident occurs | A.5.24 Information security incident management planning and preparation |
| 102.0 | Management is not aware that an information security event has been detected | A.6.8 Information security event reporting |
| 103.0 | Weaknesses in information security do not get addressed because they are not reported | A.6.8 Information security event reporting |
| 104.0 | No decisions are taken about whether events should be escalated to incidents | A.5.25 Assessment and decision on information security events |
| 105.0 | The response to information security incidents is inadequate and procedures are not used | A.5.26 Response to information security incidents |
| 106.0 | Nothing is learned from incidents and no improvements are made | A.5.27 Learning from information security incidents |
| 107.0 | No usable or admissible evidence is collected as a result of a lack of awareness of how this must be done. Because of this, nobody can be prosecuted | A.5.28 Collection of evidence |
| 108.0 | It is not known what level of information security must be provided during a disruptive event | A.5.29 Information security during disruption |
| 109.0 | Information security controls become ineffective when a disruptive event happens | A.5.29 Information security during disruption |
| 110.0 | The intended information security controls don't work during a disruptive event because they have never been tested | A.5.29 Information security during disruption |
| 111.0 | Information processing facilities fail due to a lack of sufficient redundancy | A.8.14 Redundancy of information processing facilities |
| 112.0 | It is not known what legislative, regulatory and contractual requirements each information system must meet and, as a result, such requirements are not met | A.5.31 Legal, statutory, regulatory and contractual requirements |
| 113.0 | The organization is subject to legal action as a result of breaching intellectual property rights and licensing requirements | A.5.32 Intellectual property rights |
| 114.0 | Records that are required to be kept are lost, falsified or accessed, resulting in legal or contractual issues | A.5.33 Protection of records |
| 115.0 | Laws requiring the protection of personally identifiable information are breached, resulting in prosecution and fines | A.5.34 Privacy and protection of PII |
| 116.0 | Cryptography is used inappropriately, resulting in prosecution | A.5.31 Legal, statutory, regulatory and contractual requirements |
| 117.0 | The implementation of information security is never independently checked and many controls do not work as intended | A.5.35 Independent review of information security |
| 118.0 | Management does not check that policies and procedures are being followed and people stop using them over time | A.5.36 Compliance with policies, rules and standards for information security |
| 119.0 | As systems evolve, security controls become less effective and more vulnerable to attack | A.5.36 Compliance with policies, rules and standards for information security |