| 5.1 | Policies for information security | #preventive | #confidentiality#integrity#availability | #identify | #governance_and_Ecosystem#resilience |
| 5.2 | Information security roles and responsibilities | #preventive | #confidentiality#integrity#availability | #identify | #governance_and_Ecosystem#protection#resilience |
| 5.3 | Segregation of duties | #preventive | #confidentiality#integrity#availability | #protect | #governance_and_Ecosystem |
| 5.4 | Management responsibilities | #preventive | #confidentiality#integrity#availability | #identify | #governance_and_Ecosystem |
| 5.5 | Contact with authorities | #preventive#corrective | #confidentiality#integrity#availability | #identify#protect#respond#recover | #defence#resilience |
| 5.6 | Contact with special interest groups | #preventive#corrective | #confidentiality#integrity#availability | #protect#respond#recover | #defence |
| 5.7 | Threat intelligence | #preventive#detective#corrective | #confidentiality#integrity#availability | #identify#detect#respond | #defence#resilience |
| 5.8 | Information security in project management | #preventive | #confidentiality#integrity#availability | #identify#protect | #governance_and_Ecosystem#protection |
| 5.9 | Inventory of information and other associated assets | #preventive | #confidentiality#integrity#availability | #identify | #governance_and_Ecosystem#protection |
| 5.10 | Acceptable use of information and other associated assets | #preventive | #confidentiality#integrity#availability | #protect | #governance_and_Ecosystem#protection |
| 5.11 | Return of assets | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 5.12 | Classification of information | #preventive | #confidentiality#integrity#availability | #identify | #protection#defence |
| 5.13 | Labelling of information | #preventive | #confidentiality#integrity#availability | #protect | #defence#protection |
| 5.14 | Information transfer | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 5.15 | Access control | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 5.16 | Identity management | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 5.17 | Authentication information | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 5.18 | Access rights | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 5.19 | Information security in supplier relationships | #preventive | #confidentiality#integrity#availability | #identify | #governance_and_Ecosystem#protection |
| 5.20 | Addressing information security within supplier agreements | #preventive | #confidentiality#integrity#availability | #identify | #governance_and_Ecosystem#protection |
| 5.21 | Managing information security in the ICT supply chain | #preventive | #confidentiality#integrity#availability | #identify | #governance_and_Ecosystem#protection |
| 5.22 | Monitoring, review and change management of supplier services | #preventive | #confidentiality#integrity#availability | #identify | #governance_and_Ecosystem#protection#defence |
| 5.23 | Information security for use of cloud services | #preventive | #confidentiality#integrity#availability | #protect | #governance_and_Ecosystem#protection |
| 5.24 | Information security incident management planning and preparation | #corrective | #confidentiality#integrity#availability | #respond#recover | #defence |
| 5.25 | Assessment and decision on information security events | #detective | #confidentiality#integrity#availability | #detect#respond | #defence |
| 5.26 | Response to information security incidents | #corrective | #confidentiality#integrity#availability | #respond#recover | #defence |
| 5.27 | Learning from information security incidents | #preventive | #confidentiality#integrity#availability | #identify#protect | #defence |
| 5.28 | Collection of evidence | #corrective | #confidentiality#integrity#availability | #detect#respond | #defence |
| 5.29 | Information security during disruption | #preventive#corrective | #confidentiality#integrity#availability | #protect#respond | #protection#resilience |
| 5.30 | ICT readiness for business continuity | #corrective | #availability | #respond | #resilience |
| 5.31 | Legal, statutory, regulatory and contractual requirements | #preventive | #confidentiality#integrity#availability | #identify | #governance_and_Ecosystem#protection |
| 5.32 | Intellectual property rights | #preventive | #confidentiality#integrity#availability | #identify | #governance_and_Ecosystem |
| 5.33 | Protection of records | #preventive | #confidentiality#integrity#availability | #identify#protect | #defence |
| 5.34 | Privacy and protection of PII | #preventive | #confidentiality#integrity#availability | #identify#protect | #protection |
| 5.35 | Independent review of information security | #preventive#corrective | #confidentiality#integrity#availability | #identify#protect | #governance_and_Ecosystem |
| 5.36 | Compliance with policies, rules and standards for information security | #preventive | #confidentiality#integrity#availability | #identify#protect | #governance_and_Ecosystem |
| 5.37 | Documented operating procedures | #preventive#corrective | #confidentiality#integrity#availability | #protect#recover | #governance_and_Ecosystem#protection#defence |
| 6.1 | Screening | #preventive | #confidentiality#integrity#availability | #protect | #governance_and_Ecosystem |
| 6.2 | Terms and conditions of employment | #preventive | #confidentiality#integrity#availability | #protect | #governance_and_Ecosystem |
| 6.3 | Information security awareness, education and training | #preventive | #confidentiality#integrity#availability | #protect | #governance_and_Ecosystem |
| 6.4 | Disciplinary process | #preventive#corrective | #confidentiality#integrity#availability | #protect#respond | #governance_and_Ecosystem |
| 6.5 | Responsibilities after termination or change of employment | #preventive | #confidentiality#integrity#availability | #protect | #governance_and_Ecosystem |
| 6.6 | Confidentiality or non-disclosure agreements | #preventive | #confidentiality | #protect | #governance_and_Ecosystem |
| 6.7 | Remote working | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 6.8 | Information security event reporting | #detective | #confidentiality#integrity#availability | #detect | #defence |
| 7.1 | Physical security perimeters | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 7.2 | Physical entry | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 7.3 | Securing offices, rooms and facilities | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 7.4 | Physical security monitoring | #preventive#detective | #confidentiality#integrity#availability | #protect#detect | #protection#defence |
| 7.5 | Protecting against physical and environmental threats | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 7.6 | Working in secure areas | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 7.7 | Clear desk and clear screen | #preventive | #confidentiality | #protect | #protection |
| 7.8 | Equipment siting and protection | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 7.9 | Security of assets off-premises | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 7.10 | Storage media | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 7.11 | Supporting utilities | #preventive#detective | #integrity#availability | #protect#detect | #protection |
| 7.12 | Cabling security | #preventive | #confidentiality#availability | #protect | #protection |
| 7.13 | Equipment maintenance | #preventive | #confidentiality#integrity#availability | #protect | #protection#resilience |
| 7.14 | Secure disposal or re-use of equipment | #preventive | #confidentiality | #protect | #protection |
| 8.1 | User endpoint devices | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 8.2 | Privileged access rights | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 8.3 | Information access restriction | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 8.4 | Access to source code | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 8.5 | Secure authentication | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 8.6 | Capacity management | #preventive#detective | #integrity#availability | #identify#protect#detect | #governance_and_Ecosystem#protection |
| 8.7 | Protection against malware | #preventive#detective#corrective | #confidentiality#integrity#availability | #protect#detect | #protection#defence |
| 8.8 | Management of technical vulnerabilities | #preventive | #confidentiality#integrity#availability | #identify#protect | #governance_and_Ecosystem#protection#defence |
| 8.9 | Configuration management | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 8.10 | Information deletion | #preventive | #confidentiality | #protect | #protection |
| 8.11 | Data masking | #preventive | #confidentiality | #protect | #protection |
| 8.12 | Data leakage prevention | #preventive#detective | #confidentiality | #protect#detect | #protection#defence |
| 8.13 | Information backup | #corrective | #integrity#availability | #recover | #protection |
| 8.14 | Redundancy of information processing facilities | #preventive | #availability | #protect | #protection#resilience |
| 8.15 | Logging | #detective | #confidentiality#integrity#availability | #detect | #protection#defence |
| 8.16 | Monitoring activities | #detective#corrective | #confidentiality#integrity#availability | #detect#respond | #defence |
| 8.17 | Clock synchronization | #detective | #integrity | #protect#detect | #protection#defence |
| 8.18 | Use of privileged utility programs | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 8.19 | Installation of software on operational systems | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 8.20 | Networks security | #preventive#detective | #confidentiality#integrity#availability | #protect#detect | #protection |
| 8.21 | Security of network services | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 8.22 | Segregation of networks | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 8.23 | Web filtering | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 8.24 | Use of cryptography | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 8.25 | Secure development life cycle | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 8.26 | Application security requirements | #preventive | #confidentiality#integrity#availability | #protect | #protection#defence |
| 8.27 | Secure system architecture and engineering principles | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 8.28 | Secure coding | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 8.29 | Security testing in development and acceptance | #preventive | #confidentiality#integrity#availability | #identify | #protection |
| 8.30 | Outsourced development | #preventive#detective | #confidentiality#integrity#availability | #identify#protect#detect | #governance_and_Ecosystem#protection |
| 8.31 | Separation of development, test and production environments | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 8.32 | Change management | #preventive | #confidentiality#integrity#availability | #protect | #protection |
| 8.33 | Test information | #preventive | #confidentiality#integrity | #protect | #protection |
| 8.34 | Protection of information systems during audit testing | #preventive | #confidentiality#integrity#availability | #protect | #governance_and_Ecosystem#protection |