ISO 27001 - 5.1 Policies for Information Security

"Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur."[1]

ISO 27001 - 5.2 Information Security Roles and Responsibilities

"Information security roles and responsibilities shall be defined and allocated according to the organization needs."[1]

ISO 27001 - 5.3 Segregation of Duties

"Conflicting duties and conflicting areas of responsibility shall be segregated."[1]

ISO 27001 - 5.4 Management Responsibilities

"Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization."[1]

ISO 27001 - 5.5 Contact With Authorities

"The organization shall establish and maintain contact with relevant authorities."[1]

ISO 27001 - 5.6 Contact With Special Interest Groups

"The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations."[1]

ISO 27001 - 5.7 Threat Intelligence

"Information relating to information security threats shall be collected and analysed to produce threat intelligence."[1]

ISO 27001 - 5.8 Information Security In Project Management

"Information security shall be integrated into project management."[1]

ISO 27001 - 5.9 Inventory of Information and Other Associated Assets

"An inventory of information and other associated assets, including owners, shall be developed and maintained."[1]

ISO 27001 - 5.10 Acceptable Use of Information and Other Associated Assets

"Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented."[1]

ISO 27001 - 5.11 Return of Assets

"Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement."[1]

ISO 27001 - 5.12 Classification of Information

"Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements."[1]

ISO 27001 - 5.13 Labelling of Information

"An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization."[1]

ISO 27001 - 5.14 Information Transfer

"Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties."[1]

ISO 27001 - 5.15 Access Control

"Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements."[1]

ISO 27001 - 5.16 Identity Management

"The full life cycle of identities shall be managed."[1]

ISO 27001 - 5.17 Authentication Information

"Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information."[1]

ISO 27001 - 5.18 Access Rights

"Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control."[1]

ISO 27001 - 5.19 Information Security in Supplier Relationships

"Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services."[1]

ISO 27001 - 5.20 Addressing Information Security Within Supplier Agreements

"Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship."[1]

ISO 27001 - 5.21 Managing Information Security In The Information and Communication Technology (ICT) Supply Chain

"Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain."[1]

ISO 27001 - 5.22 Monitoring, Review and Change Management of Supplier Services

"The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery."[1]

ISO 27001 - 5.23 Information Security for Use of Cloud Services

"Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements."[1]

ISO 27001 - 5.24 Information Security Incident Management Planning and Preparation

"The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities."[1]

ISO 27001 - 5.25 Assessment and Decision On Information Security Events

"The organization shall assess information security events and decide if they are to be categorized as information security incidents."[1]

ISO 27001 - 5.26 Response to Information Security Incidents

"Information security incidents shall be responded to in accordance with the documented procedures."[1]

ISO 27001 - 5.27 Learning From Information Security Incidents

"Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls."[1]

ISO 27001 - 5.28 Collection of Evidence

"The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events."[1]

ISO 27001 - 5.29 Information Security During Disruption

"The organization shall plan how to maintain information security at an appropriate level during disruption."[1]

ISO 27001 - 5.30 ICT Readiness for Business Continuity

"ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements."[1]

ISO 27001 - 5.31 Legal, Statutory, Regulatory and Contractual Requirements

"Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date."[1]

ISO 27001 - 5.32 Intellectual Property Rights

"The organization shall implement appropriate procedures to protect intellectual property rights."[1]

ISO 27001 - 5.33 Protection of Records

"Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release."[1]

ISO 27001 - 5.34 Privacy and Protection of Personal Identifiable Information (PII)

"The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements."[1]

ISO 27001 - 5.35 Independent Review of Information Security

"The organization’s approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur."[1]

ISO 27001 - 5.36 Compliance with Policies, Rules and Standards for Information Security

"Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed."[1]

ISO 27001 - 5.37 Documented Operating Procedures

"Operating procedures for information processing facilities shall be documented and made available to personnel who need them."[1]