Table of Contents

 1     Scope          
 2     References
 3     Definitions and abbreviations           
        3.1     Definitions    
        3.2     Abbreviations and acronyms 
 4     Overview  
        4.1     Characteristics of the SMTO   
        4.2     Implementation of information security management for SMTOs         
        4.3     Structure of the guidance       
 5     Security policy         
        5.1     Management direction for information security         
 6     Organization of information security             
        6.1     Internal organization 
        6.2     Mobile devices and teleworking          
 7     Human resource security    
        7.1     Prior to employment
        7.2     During employment 
        7.3     Termination and change of employment       
 8     Asset management
        8.1     Responsibility for assets      
        8.2     Information classification        
        8.3     Media handling           
 9     Access control         
        9.1     Business requirements of access control          
        9.2     User access management       
        9.3     User responsibilities  
        9.4     System and application access control               
10     Cryptography         
       10.1     Cryptographic controls       
11     Physical and environmental security            
       11.1     Secure areas
       11.2     Equipment   
12     Operations security             
       12.1     Operational procedures and responsibilities 
       12.2     Protection from malware      
       12.3     Backup      
       12.4     Logging and monitoring      
       12.5     Control of operational software       
       12.6     Technical vulnerability management
       12.7     Information systems audit considerations     
13     Communications security  
       13.1     Network security management        
       13.2     Information transfer
14     System acquisition, development and maintenance              
       14.1     Security requirements of information systems          
       14.2     Security in development and support processes        
       14.3     Test data    
15     Supplier relationships         
       15.1     Information security in supplier relationships
       15.2     Supplier service delivery management         
16     Information security incident management
       16.1     Management of information security incidents         
17     Information security aspects of business continuity management   
       17.1     Information security continuity        
       17.2     Redundancies         
18     Compliance             
       18.1     Compliance with legal and contractual requirements 
       18.2     Information security reviews
Annex A – Telecommunication extended control set    
      TEL.9      Access control          
                  TEL.9.5     Network access control        
     TEL.11      Physical and environmental security             
                  TEL.11.1    Secure areas
                  TEL.11.3    Security under the control of other party
     TEL.13      Communications security   
                  TEL.13.1    Network security management
     TEL.18      Compliance              
                  TEL.18.1    Compliance with legal and contractual requirements
Bibliography