1 Scope
2 References
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 Overview
4.1 Background
4.2 Structure
5 Security policy
6 Organization of information security
6.1 Internal organization
6.2 External parties
7 Asset management
7.1 Responsibility for assets
7.2 Information classification
8 Human resources security
8.1 Prior to employment
8.2 During employment
8.3 Termination or change of employment
9 Physical and environmental security
9.1 Security areas
9.2 Equipment security
10 Communications and operations management
10.1 Operational procedures and responsibilities
10.2 Third party service delivery management
10.3 System planning and acceptance
10.4 Protection against malicious and mobile code
10.5 Back-up
10.6 Network security management
10.7 Media handling
10.8 Exchange of information
10.9 Electronic commerce services
10.10 Monitoring
11 Access control
11.1 Business requirement for access control
11.2 User access management
11.3 User responsibilities
11.4 Network access control
11.5 Operating system access control
11.6 Application and information access control
11.7 Mobile computing and teleworking
12 Information systems acquisition, development and maintenance
12.1 Security requirements of information systems
12.2 Correct processing in applications
12.3 Cryptographic controls
12.4 Security of system files
12.5 Security in development and support processes
12.6 Technical vulnerability management
13 Information security incident management
13.1 Reporting information security events and weaknesses
13.2 Management of information security incidents and improvements
14 Business continuity management
14.1 Information security aspects of business continuity management
15 Compliance
Annex A – Telecommunications extended control set
A.9 Physical and environmental security
A.10 Communications and operations management
A.11 Access control
Bibliography