ISO 27001 - 8.1 User End Point Devices

"Information stored on, processed by or accessible via user end point devices shall be protected."[1]

ISO 27001 - 8.2 Privileged Access Rights

"The allocation and use of privileged access rights shall be restricted and managed."[1]

ISO 27001 - 8.3 Information Access Restriction

"Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control."[1]

ISO 27001 - 8.4 Access to Source Code

"Read and write access to source code, development tools and software libraries shall be appropriately managed."[1]

ISO 27001 - 8.5 Secure Authentication

"Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control."[1]

ISO 27001 - 8.6 Capacity Management

"The use of resources shall be monitored and adjusted in line with current and expected capacity requirements."[1]

ISO 27001 - 8.7 Protection Against Malware

"Protection against malware shall be implemented and supported by appropriate user awareness."[1]

ISO 27001 - 8.8 Management of Technical Vulnerabilities

"Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken."[1]

ISO 27001 - 8.9 Configuration Management

"Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed."[1]

ISO 27001 - 8.10 Information Deletion

"Information stored in information systems, devices or in any other storage media shall be deleted when no longer required."[1]

ISO 27001 - 8.11 Data Masking

"Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration."[1]

ISO 27001 - 8.12 Data Leakage Prevention

"Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information."[1]

ISO 27001 - 8.13 Information Backup

"Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup."[1]

ISO 27001 - 8.14 Redundancy of Information Processing Facilities

"Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements."[1]

ISO 27001 - 8.15 Logging

"Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed."[1]

ISO 27001 - 8.16 Monitoring Activities

"Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents."[1]

ISO 27001 - 8.17 Clock Synchronization

"The clocks of information processing systems used by the organization shall be synchronized to approved time sources."[1]

ISO 27001 - 8.18 Use of Privileged Utility Programs

"The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled."[1]

ISO 27001 - 8.19 Installation of Software on Operational Systems

"Procedures and measures shall be implemented to securely manage software installation on operational systems."[1]

ISO 27001 - 8.20 Networks Security

"Networks and network devices shall be secured, managed and controlled to protect information in systems and applications."[1]

ISO 27001 - 8.21 Security of Network Services

"Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored."[1]

ISO 27001 - 8.22 Segregation of Networks

"Groups of information services, users and information systems shall be segregated in the organization’s networks."[1]

ISO 27001 - 8.23 Web Filtering

"Access to external websites shall be managed to reduce exposure to malicious content."[1]

ISO 27001 - 8.24 Use of Cryptography

"Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented."[1]

ISO 27001 - 8.25 Secure Development Life Cycle

"Rules for the secure development of software and systems shall be established and applied."[1]

ISO 27001 - 8.26 Application Security Requirements

"Information security requirements shall be identified, specified and approved when developing or acquiring applications."[1]

ISO 27001 - 8.27 Secure System Architecture and Engineering Principles

"Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities."[1]

ISO 27001 - 8.28 Secure Coding

"Secure coding principles shall be applied to software development."[1]

ISO 27001 - 8.29 Security Testing In Development and Acceptance

"Security testing processes shall be defined and implemented in the development life cycle."[1]

ISO 27001 - 8.30 Outsourced Development

"The organization shall direct, monitor and review the activities related to outsourced system development."[1]

ISO 27001 - 8.31 Separation of Development, Test and Production Environments

"Development, testing and production environments shall be separated and secured."[1]

ISO 27001 - 8.32 Change Management

"Changes to information processing facilities and information systems shall be subject to change management procedures."[1]

ISO 27001 - 8.33 Test Information

"Test information shall be appropriately selected, protected and managed."[1]

ISO 27001 - 8.34 Protection of Information Systems During Audit Testing

"Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management."[1]