Framework FAQs
ISO 27001, SOC 2 and many more framework questions answered.
- How do I make a Control compliant?
- How do I make a Check compliant?
- How do I review a register?
- How do I create a new Check?
- What are good information security objectives?
- What Information Security KPIs should I set?
- How do I collate evidence for my SOC 2 Audit?
- ISO 27001: 2022 A.5.1 Policies for information security
- ISO 27001: 2022 A.5.2 Information security roles and responsibilities
- ISO 27001: 2022 A.5.3 Segregation of duties
- ISO 27001: 2022 A.5.4 Management responsibilities
- ISO 27001: 2022 A.5.5 Contact with authorities
- ISO 27001: 2022 A.5.6 Contact with special interest groups
- ISO 27001: 2022 A.5.7 Threat intelligence
- ISO 27001: 2022 A.5.8 Information security in project management
- ISO 27001: 2022 A.5.9 Inventory of information and other associated assets
- ISO 27001: 2022 A.5.10 Acceptable use of information and other associated assets
- ISO 27001: 2022 A.5.11 Return of assets
- ISO 27001: 2022 A.5.12 Classification of information
- ISO 27001: 2022 A.5.13 Labelling of information
- ISO 27001: 2022 A.5.14 Information transfer
- ISO 27001: 2022 A.5.15 Access control
- ISO 27001: 2022 A.5.16 Identity management
- ISO 27001: 2022 A.5.17 Authentication information
- ISO 27001: 2022 A.5.18 Access rights
- ISO 27001: 2022 A.5.19 Information security in supplier relationships
- ISO 27001: 2022 A.5.20 Addressing information security within supplier agreements
- ISO 27001: 2022 A.5.21 Managing information security in the ICT supply chain
- ISO 27001: 2022 A.5.22 Monitoring, review and change management of supplier services
- ISO 27001: 2022 A.5.23 Information security for use of cloud services
- ISO 27001: 2022 A.5.24 Information security incident management planning and preparation
- ISO 27001: 2022 A.5.25 Assessment and decision on information security events
- ISO 27001: 2022 A.5.26 Response to information security incidents
- ISO 27001: 2022 A.5.27 Learning from information security incidents
- ISO 27001: 2022 A.5.28 Collection of evidence
- ISO 27001: 2022 A.5.29 Information security during disruption
- ISO 27001: 2022 A.5.30 ICT readiness for business continuity
- ISO 27001: 2022 A.5.31 Legal, statutory, regulatory and contractual requirements
- ISO 27001: 2022 A.5.32 Intellectual property rights
- ISO 27001: 2022 A.5.33 Protection of records
- ISO 27001: 2022 A.5.34 Privacy and protection of PII
- ISO 27001: 2022 A.5.35 Independent review of information security
- ISO 27001: 2022 A.5.36 Compliance with policies, rules and standards for information security
- ISO 27001: 2022 A.5.37 Documented operating procedures
- ISO 27001: 2022 A.6.1 Screening
- ISO 27001: 2022 A.6.2 Terms and conditions of employment
- ISO 27001: 2022 A.6.3 Information security awareness, education and training
- ISO 27001: 2022 A.6.4 Disciplinary process
- ISO 27001: 2022 A.6.5 Responsibilities after termination or change of employment
- ISO 27001: 2022 A.6.6 Confidentiality or non-disclosure agreements
- ISO 27001: 2022 A.6.7 Remote working
- ISO 27001: 2022 A.6.8 Information security event reporting
- ISO 27001: 2022 A.7.1 Physical security perimeters
- ISO 27001: 2022 A.7.2 Physical entry
- ISO 27001: 2022 A.7.3 Securing offices, rooms and facilities
- ISO 27001: 2022 A.7.4 Physical security monitoring
- ISO 27001: 2022 A.7.5 Protecting against physical and environmental threats
- ISO 27001: 2022 A.7.6 Working in secure areas
- ISO 27001: 2022 A.7.7 Clear desk and clear screen
- ISO 27001: 2022 A.7.8 Equipment siting and protection
- ISO 27001: 2022 A.7.9 Security of assets off-premises
- ISO 27001: 2022 A.7.10 Storage media
- ISO 27001: 2022 A.7.11 Supporting utilities
- ISO 27001: 2022 A.7.12 Cabling security
- ISO 27001: 2022 A.7.13 Equipment maintenance
- ISO 27001: 2022 A.7.14 Secure disposal or re-use of equipment
- ISO 27001: 2022 A.8.1 User endpoint devices
- ISO 27001: 2022 A.8.2 Privileged access rights
- ISO 27001: 2022 A.8.3 Information access restriction
- ISO 27001: 2022 A.8.4 Access to source code
- ISO 27001: 2022 A.8.5 Secure authentication
- ISO 27001: 2022 A.8.6 Capacity management
- ISO 27001: 2022 A.8.7 Protection against malware
- ISO 27001: 2022 A.8.8 Management of technical vulnerabilities
- ISO 27001: 2022 A.8.9 Configuration management
- ISO 27001: 2022 A.8.10 Information deletion
- ISO 27001: 2022 A.8.11 Data masking
- ISO 27001: 2022 A.8.12 Data leakage prevention
- ISO 27001: 2022 A.8.13 Information backup
- ISO 27001: 2022 A.8.14 Redundancy of information processing facilities
- ISO 27001: 2022 A.8.15 Logging
- ISO 27001: 2022 A.8.16 Monitoring activities
- ISO 27001: 2022 A.8.17 Clock synchronization
- ISO 27001: 2022 A.8.18 Use of privileged utility programs
- ISO 27001: 2022 A.8.19 Installation of software on operational systems
- ISO 27001: 2022 A.8.20 Networks security
- ISO 27001: 2022 A.8.21 Security of network services
- ISO 27001: 2022 A.8.22 Segregation of networks
- ISO 27001: 2022 A.8.23 Web filtering
- ISO 27001: 2022 A.8.24 Use of cryptography
- ISO 27001: 2022 A.8.25 Secure development life cycle
- ISO 27001: 2022 A.8.26 Application security requirements
- ISO 27001: 2022 A.8.27 Secure system architecture and engineering principles
- ISO 27001: 2022 A.8.28 Secure coding
- ISO 27001: 2022 A.8.29 Security testing in development and acceptance
- ISO 27001: 2022 A.8.30 Outsourced development
- ISO 27001: 2022 A.8.31 Separation of development, test and production environments
- ISO 27001: 2022 A.8.32 Change management
- ISO 27001: 2022 A.8.33 Test information
- ISO 27001: 2022 A.8.34 Protection of information systems during audit testing
- How do I create a report?
- How do I mark a control as out of scope?
- Which ISO 27001 controls can I put out of scope if I do not have an office?
- What is an Environmental Aspects and Impacts Register?
- What business processes need to be documented for ISO 9001?
- What are good quality objectives?
- What are good environmental objectives?
- What Quality KPIs should I set?
- What Environmental KPIs should I set?
- What is an Impact and Aspects Assessment?
- What can I expect on the day of an internal audit?
- What is the agenda for our ISO management review meeting?
- What are the incident reporting requirements under the Cyber Security and Resilience Bill?
- CAF - A1.a Board direction
- CAF - A1.b Roles and Responsibilities
- CAF - A1.c Decision-making and approval
- CAF - A2.a Risk management process
- CAF - A2.b Understanding Threat
- CAF - A2.c Assurance
- CAF - A3.a Asset Management
- CAF - A4.a Supply Chain (third-party) risk management
- CAF - A4.b Secure Software Development and Support
- CAF - B1.a Policies, processes, and procedure development
- CAF - B1.b Policy, Process and Procedure Implementation
- CAF - B2.a Identity verification, authentication and authorisation
- CAF - B2.b Device Management
- CAF - B2.c Privileged User Management
- CAF - B2.d Identity and Access Management (IdAM)
- CAF - B3.a Understanding Data
- CAF - B3.b Data in Transit
- CAF - B3.c Stored Data
- CAF - B3.d Mobile Data
- CAF - B3.e Media / Equipment Sanitisation
- CAF - B4.a Secure by Design
- CAF - B4.b Secure Configuration
- CAF - B4.c Secure Management
- CAF - B4.d Vulnerability Management
- CAF - B5.a Resilience Preparation
- CAF - B5.b Design for Resilience
- CAF - B5.c Backups
- CAF - B6.a Culture
- CAF - B6.b Training
- CAF - C1.a Sources and Tools for Logging and Monitoring
- CAF - C1.b Securing Logs
- CAF - C1.c Generating Alerts
- CAF - C1.d Triage of Security Alerts
- CAF - C1.e Personnel Skills for Monitoring and Detection
- CAF - C1.f Interpreting User, System and Threat Intelligence
- CAF - C2.a Threat Hunting
- CAF - D1.a Response Plan
- CAF - D1.b Response and Recovery Capability
- CAF - D1.c Testing and Exercising
- CAF - D2.a Post-Incident Analysis
- CAF - D2.b Using Incidents to Drive Improvements