Framework FAQs

ISO 27001, SOC 2 and many more framework questions answered.

• How do I make a Control compliant?
• How do I make a Check compliant?
• How do I review a register?
• How do I create a new Check?
• What are good information security objectives?
• What Information Security KPIs should I set?
• How do I collate evidence for my SOC 2 Audit?
• ISO 27001: 2022 A.5.1 Policies for information security
• ISO 27001: 2022 A.5.2 Information security roles and responsibilities
• ISO 27001: 2022 A.5.3 Segregation of duties
• ISO 27001: 2022 A.5.4 Management responsibilities
• ISO 27001: 2022 A.5.5 Contact with authorities
• ISO 27001: 2022 A.5.6 Contact with special interest groups
• ISO 27001: 2022 A.5.7 Threat intelligence
• ISO 27001: 2022 A.5.8 Information security in project management
• ISO 27001: 2022 A.5.9 Inventory of information and other associated assets
• ISO 27001: 2022 A.5.10 Acceptable use of information and other associated asset
• ISO 27001: 2022 A.5.11 Return of assets
• ISO 27001: 2022 A.5.12 Classification of information
• ISO 27001: 2022 A.5.13 Labelling of information
• ISO 27001: 2022 A.5.14 Information transfer
• ISO 27001: 2022 A.5.15 Access control
• ISO 27001: 2022 A.5.16 Identity management
• ISO 27001: 2022 A.5.17 Authentication information
• ISO 27001: 2022 A.5.18 Access rights
• ISO 27001: 2022 A.5.19 Information security in supplier relationships
• ISO 27001: 2022 A.5.20 Addressing information security within supplier agreements
• ISO 27001: 2022 A.5.21 Managing information security in the ICT supply chain
• ISO 27001: 2022 A.5.22 Monitoring, review and change management of supplier services
• ISO 27001: 2022 A.5.23 Information security for use of cloud services
• ISO 27001: 2022 A.5.24 Information security incident management planning and preparation
• ISO 27001: 2022 A.5.25 Assessment and decision on information security events
• ISO 27001: 2022 A.5.26 Response to information security incidents
• ISO 27001: 2022 A.5.27 Learning from information security incidents
• ISO 27001: 2022 A.5.28 Collection of evidence
• ISO 27001: 2022 A.5.29 Information security during disruption
• ISO 27001: 2022 A.5.30 ICT readiness for business continuity
• ISO 27001: 2022 A.5.31 Legal, statutory, regulatory and contractual requirements
• ISO 27001: 2022 A.5.32 Intellectual property rights
• ISO 27001: 2022 A.5.33 Protection of records
• ISO 27001: 2022 A.5.34 Privacy and protection of PII
• ISO 27001: 2022 A.5.35 Independent review of information security
• ISO 27001: 2022 A.5.36 Compliance with policies, rules and standards for information security
• ISO 27001: 2022 A.5.37 Documented operating procedures
• ISO 27001: 2022 A.6.1 Screening
• ISO 27001: 2022 A.6.2 Terms and conditions of employment
• ISO 27001: 2022 A.6.3 Information security awareness, education and training
• ISO 27001: 2022 A.6.4 Disciplinary process
• ISO 27001: 2022 A.6.5 Responsibilities after termination or change of employment
• ISO 27001: 2022 A.6.6 Confidentiality or non-disclosure agreements
• ISO 27001: 2022 A.6.7 Remote working
• ISO 27001: 2022 A.6.8 Information security event reporting
• ISO 27001: 2022 A.7.1 Physical security perimeters
• ISO 27001: 2022 A.7.2 Physical entry
• ISO 27001: 2022 A.7.3 Securing offices, rooms and facilities
• ISO 27001: 2022 A.7.4 Physical security monitoring
• ISO 27001: 2022 A.7.5 Protecting against physical and environmental threats
• ISO 27001: 2022 A.7.6 Working in secure areas
• ISO 27001: 2022 A.7.7 Clear desk and clear screen
• ISO 27001: 2022 A.7.8 Equipment siting and protection
• ISO 27001: 2022 A.7.9 Security of assets off-premises
• ISO 27001: 2022 A.7.10 Storage media
• ISO 27001: 2022 A.7.11 Supporting utilities
• ISO 27001: 2022 A.7.12 Cabling security
• ISO 27001: 2022 A.7.13 Equipment maintenance
• ISO 27001: 2022 A.7.14 Secure disposal or re-use of equipment
• ISO 27001: 2022 A.8.1 User endpoint devices
• ISO 27001: 2022 A.8.2 Privileged access rights
• ISO 27001: 2022 A.8.33 Test information
• ISO 27001: 2022 A.8.3 Information access restriction
• ISO 27001: 2022 A.8.4 Access to source code
• ISO 27001: 2022 A.8.5 Secure authentication
• ISO 27001: 2022 A.8.6 Capacity management
• ISO 27001: 2022 A.8.7 Protection against malware
• ISO 27001: 2022 A.8.8 Management of technical vulnerabilities
• ISO 27001 A.8.9 Configuration management
• ISO 27001: 2022 A.8.10 Information deletion
• ISO 27001: 2022 A.8.11 Data masking
• ISO 27001: 2022 A.8.12 Data leakage prevention
• ISO 27001: 2022 A.8.13 Information backup
• ISO 27001: 2022 A.8.14 Redundancy of information processing facilities
• ISO 27001: 2022 A.8.15 Logging
• ISO 27001: 2022 A.8.16 Monitoring activities
• ISO 27001: 2022 A.8.17 Clock synchronization
• ISO 27001: 2022 A.8.18 Use of privileged utility programs
• ISO 27001: 2022 A.8.19 Installation of software on operational systems
• ISO 27001: 2022 A.8.20 Networks security
• ISO 27001: 2022 A.8.21 Security of network services
• ISO 27001: 2022 A.8.22 Segregation of networks
• ISO 27001: 2022 A.8.23 Web filtering
• ISO 27001: 2022 A.8.24 Use of cryptography
• ISO 27001: 2022 A.8.25 Secure development life cycle
• ISO 27001: 2022 A.8.26 Application security requirements
• ISO 27001: 2022 A.8.27 Secure system architecture and engineering principles
• ISO 27001: 2022 8.28 Secure coding
• ISO 27001: 2022 A.8.29 Security testing in development and acceptance
• ISO 27001: 2022 A.8.30 Outsourced development
• ISO 27001: 2022 A.8.32 Change management
• ISO 27001: 2022 A.8.34 Protection of information systems during audit testing
• ISO 27001: 2022 A.8.31 Separation of development, test and production environments
• How do I create a report?
• How do I mark a control as out of scope