ISO 27001
Q
Information Security Policies
A set of information security policies must be defined, approved by management, disseminated and communicated to employees and third parties concerned. ...
Q
Information Security Policy Review
Policies must be reviewed at scheduled intervals or in the event of major changes to ensure their relevance, adequacy and effectiveness over time. ...
Q
Information Security in Project Management
Information security must be considered in project management, regardless of the type of project involved. ...
Q
Information Security Functions and Responsibilities
All information security responsibilities must be defined and assigned....
Q
Segregation of duties
Incompatible tasks and areas of responsibility must be segregated to limit the possibility of unauthorized or unintentional modification or misuse of the organization’s assets....
Q
Relations with the authorities
Appropriate relations with the competent authorities must be maintained....
Q
Relationships with specialized working groups
Appropriate relationships with special interest groups, specialist security forums and professional associations must be maintained. ...
Q
Mobile Device Policy
A complementary security policy and measures shall be adopted to manage the risks arising from the use of mobile devices. ...
Q
Telework Policy
A complementary security policy and measures shall be implemented to protect information accessed, processed or stored on telework sites. ...
Q
Selection of candidates
Checks must be carried out on all candidates for employment in accordance with laws, regulations and ethics and be proportionate to the job requirements, the classification of accessible information and the risks identified. ...
Q
Terms and conditions of employment
Contractual agreements with employees and contractors must specify their responsibilities and those of the organization with respect to information security. ...
Q
Responsibilities of the management
Management must instruct all employees and subcontractors to apply the security rules in accordance with the policies and procedures in effect in the organization. ...
Q
Information Security Awareness, Learning and Training
All employees of the organisation and, where relevant, contractors must receive appropriate awareness education and training, and regular updates on the organization’s policies and procedures that apply to their duties. ...
Q
Disciplinary process
There must be a formal disciplinary process known to all to take action against employees who have violated information security rules. ...
Q
Termination or change of employment responsibilities
The information security responsibilities and duties that remain valid after termination or change of employment must be defined, communicated to the employee or contractor, and enforced. ...
Q
Inventory of assets
The assets associated with the information and the means of processing the information must be identified and an inventory of these assets must be drawn up and kept up to date....
Q
Ownership of assets
The inventory assets must be assigned to an owner....
Q
Correct use of assets
The rules for the correct use of information, the assets associated with the information and the means of processing the information must be identified, documented and implemented....
Q
Return of assets
All employees, contractors and third party users must return all assets of the organization in their possession at the end of the period of employment, contract or agreement....
Q
Classification of information
Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification....
Q
Marking of information
An appropriate set of procedures for marking information must be developed and implemented in accordance with the classification plan adopted by the organization....
Q
Handling of assets
Procedures for handling assets must be developed and implemented in accordance with the classification plan adopted by the organization....
Q
Management of removable media
Procedures must be implemented for the management of removable media in accordance with the classification plan adopted by the organization....
Q
Secure disposal or re-use of equipment
All hardware components containing storage media must be checked to ensure that any sensitive data has been removed and that any licensed software has been securely uninstalled or overwritten, prior to disposal or reuse....
Q
Physical transfer of media
Media containing information must be protected against unauthorized access, misuse and tampering during transport....
Q
Access Control Policy
An access control policy shall be established, documented and reviewed based on business and information security requirements....
Q
Access to networks and network services
Users must have access only to the network and services for which they have been specifically authorised....
Q
User registration and de-registration
A formal user registration and de-registration process must be implemented to enable the assignment of access rights....
Q
User access provisioning
A formal user access provisioning process must be implemented to assign or revoke access rights for all user types to all systems and services....
Q
Management of privileged access rights
The allocation and use of privileged access rights must be restricted and controlled....
Q
Management of secret user authentication information
The assignment of secret authentication information must be carried out as part of a formal management process....
Q
Review of user access rights
Asset owners must review users’ access rights at regular intervals....
Q
Removal or adaptation of access rights
The access rights of all employees and third-party users to information and information processing facilities must be removed at the end of their employment, contract or agreement, or adjusted in the event of a change....
Q
Use of secret authentication information
Users must follow the organization’s practices for the use of secret authentication information....
Q
Restriction of access to information
Access to information and system application functions must be restricted in accordance with the access control policy....
Q
Secure log-on procedures
Where required by access control policy, access to systems and applications must be controlled by a secure login procedure....
Q
Password Management System
Password management systems must be interactive and must ensure quality passwords....
Q
Using privileged utility programs
The use of utility programs to circumvent the measures of a system or application should be limited and closely monitored....
Q
Access control to program source code
Access to the program source code must be restricted....
Q
Policy on the Use of Cryptographic Measures
A policy for the use of cryptographic measures to protect information must be developed and implemented....
Q
Key Management
A policy on the use, protection and lifetime of cryptographic keys must be developed and implemented throughout their whole lifecycle....
Q
Physical security perimeter
Security perimeters shall be defined and used to protect areas containing sensitive or critical information and means of information processing....
Q
Physical access control
Secure areas must be protected by adequate controls at the entrance to ensure that only authorized personnel are admitted....
Q
Securing offices, rooms and equipment
Physical security measures at offices, rooms and equipment must be designed and applied....
Q
Protection against external and environmental threats
Physical protection measures against natural disasters, malicious attacks or accidents must be designed and implemented....
Q
Working in secure areas
Procedures for working in secure areas should be designed and applied....
Q
Delivery and loading areas
Access points such as delivery and unloading areas and other points through which unauthorized persons may enter the premises shall be controlled and, if possible, isolated from the means of processing the information, so as to avoid unauthorized access....
Q
Location and protection of equipment
The equipment must be located and protected in a manner that minimizes the risks of environmental threats and hazards and opportunities for unauthorized access....
Q
Supporting utilities
Equipment must be protected from power failures and other disruptions caused by failures in supporting utilities....
Q
Security of the wiring
Electrical or telecommunications cables carrying data or supporting information services must be protected against interception or damage....
Q
Maintenance of equipment
Equipment must be maintained properly to ensure its continued availability and integrity....
Q
Removal of assets
Equipment, information or software from the premises of the organisation must not be removed without prior authorisation....
Q
Security of equipment and assets outside premises
Security measures must be applied to equipment used outside the premises of the organisation, taking into account the different risks associated with off-site work....
Q
User equipment left unattended
Users must ensure that unattended equipment is properly protected....
Q
Clear Desk and Clear Screen Policy
A clear desk policy for papers and removable storage media, and a clear screen policy for information processing facilities, must be adopted....
Q
Documented Operating Procedures
Operating procedures shall be documented and made available to all affected users....
Q
Change Management
Changes to the organization, business processes, systems and means of processing information that affect the security of information must be controlled....
Q
Capacity management
The use of resources must be monitored and tuned, and projections made of future capacity requirements, to ensure the required system performance....
Q
Separation of development, testing and operational environments
The development, testing and operating environments must be segregated to reduce the risk of unauthorized access or change in the operating environment....
Q
Measures against malicious software
Detection, prevention and recovery measures, together with appropriate user awareness, must be implemented to protect against malware....
Q
Backup of the information
Backup copies of information, software and system images must be made and tested regularly in accordance with an agreed backup policy....
Q
Logging of events
Event logs recording user activities, exceptions, failures and security-related events must be created, maintained and verified regularly....
Q
Protection of logged information
The means of logging and logged information must be protected against the risk of unauthorized falsification or access....
Q
Administrator and Operator Logs
System Administrator and System Operator activities must be logged, protected and verified regularly....
Q
Synchronization of clocks
The clocks of all relevant information processing systems of an organisation or security domain shall be synchronized using a single time reference source....
Q
Installing software on operating systems
Procedures must be in place to control the installation of software on operating systems....
Q
Management of technical vulnerabilities
Information about technical vulnerabilities of the information systems in use must be obtained in a timely manner, the organization’s exposure to these vulnerabilities must be evaluated, and appropriate measures taken to address the associated risk....
Q
Restrictions related to software installation
Rules governing the installation of software by users must be established and implemented....
Q
Measures relating to the audit of information systems
Audit requirements and activities involving verification of operational systems must be carefully planned and agreed to minimize disruption to business processes....
Q
Control of networks
Networks must be managed and controlled to protect information contained in systems and applications....
Q
Security of network services
For all network services, security mechanisms, service levels and management requirements, must be identified and incorporated into network service agreements, whether these services are provided in-house or outsourced....
Q
Partitioning of networks
The groups of information services, users and information systems must be separated on the networks....
Q
Information Transfer Policies and Procedures
Formal policies, procedures and transfer measures must be in place to protect information transfers through all types of telecommunications equipment....
Q
Information Transfer Agreements
Agreements must address the secure transfer of activity-related information between the organization and third parties....
Q
Electronic Messaging
Information passing through electronic messaging must be appropriately protected....
Q
Confidentiality or non-disclosure agreements
Confidentiality or non-disclosure commitment requirements must be identified, verified regularly and documented in accordance with the needs of the organization....
Q
Analysis and specification of information security requirements
Information security requirements must be incorporated into the requirements of new information systems or enhancements to existing information systems....
Q
Securing application services on public networks
Information involved in application services passing over public networks must be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification....
Q
Protection of Application Services Transactions
The information involved in transactions related to application services must be protected to prevent incomplete transmission, routing errors, unauthorized modification, unauthorized disclosure, unauthorized duplication of the message or its re-issue....
Q
Secure Development Policy
Software and system development rules must be established and applied to organizational developments....
Q
System Change Control Procedures
System changes within the development cycle should be controlled through formal procedures....
Q
Technical review of applications after operating platform change
When changes are made to the operating platforms, business critical applications must be verified and tested to ensure that there are no adverse effects on the activity or security....
Q
Restrictions on changes to software packages
Modifications to software packages should not be encouraged, limited to necessary changes and any changes should be strictly controlled....
Q
Secure System Engineering Principles
System security engineering principles shall be established, documented, maintained and applied to all information system implementation work....
Q
Secure development environment
Organisations should establish secure development environments for system development and integration tasks that encompass the entire development life cycle of the system, and ensure appropriate protection...
Q
Outsourced development
The organization must supervise and control the development activity of the outsourced system....
Q
System Security Testing
Security functionality tests must be performed during development...
Q
System Compliance Test
Compliance testing programs and associated criteria should be determined for new information systems, updates and releases....
Q
Protection of test data
Test data must be carefully selected, protected and controlled....
Q
Information Security Policy in Supplier Relations
Information security requirements to mitigate risks resulting from suppliers accessing the organization’s assets must be accepted by the supplier and documented....
Q
Security in agreements with suppliers
All relevant information security requirements must be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information....
Q
IT products and services supply chain
Supplier agreements must include requirements for the handling of information security risks associated with the supply chain of IT products and services....
Q
Supplier Service Monitoring and Review
Organizations must regularly monitor, review and audit supplier service delivery....
Q
Managing changes in supplier services
Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and measures, must be managed, taking account of the criticality of the business information, systems and processes involved and the re-assessment of risks....
Q
Responsibilities and Procedures
Responsibilities and procedures to ensure a timely, effective and relevant response must be established in the event of an information security incident....
Q
Reporting information security events
Information security events must be reported, as soon as possible, through the appropriate reporting channels....
Q
Reporting information security vulnerabilities
Employees and contractors using the organization’s information systems and services must be required to note and report any observed or suspected information security weaknesses in systems or services....
Q
Assessment of information security events and decision-making
Information security events must be assessed and a decision made on whether they are to be classified as information security incidents....
Q
Response to Information Security Incidents
Information security incidents must be handled in accordance with documented procedures....
Q
Learning from Information Security Incidents
The knowledge gathered through the analysis and resolution of incidents should be used to reduce the likelihood or impact of subsequent incidents....
Q
Collection of evidence
The organization must define and implement procedures for identifying, collecting, acquiring and protecting information that can be used as evidence....
Q
Organization of Information Security Continuity
The organization must determine its information security and information security management continuity requirements in adverse situations, such as during a crisis or disaster....
Q
Implementation of Information Security Continuity
The organization shall establish, document, implement and maintain processes, procedures and measures to provide the required level of information security continuity during an adverse situation....
Q
Verify, review and assess information security continuity
The organization should verify information security continuity measures implemented at regular intervals to ensure that they are valid and effective in adverse situations....
Q
Availability of information processing facilities
Means of processing information must be implemented with sufficient redundancy to meet availability requirements....
Q
Verification of technical compliance
Information systems should be reviewed on a regular basis for compliance with the organization’s information security policies and standards....
Q
Identification of applicable legislation and contractual requirements
All applicable legal, statutory, regulatory and contractual requirements, as well as the approach taken by the organization to meet those requirements, must be explicitly defined, documented and updated for each information system and for the organization itself....
Q
Intellectual property rights
Appropriate procedures shall be implemented to ensure compliance with legal, regulatory and contractual requirements relating to intellectual property and the use of proprietary software licenses....
Q
Protection of records
Records must be protected from loss, destruction, tampering, unauthorized access and unauthorized releases, in accordance with legal, regulatory, contractual and business requirements....
Q
Protection of privacy and personal data
The protection of privacy and the protection of personal data must be guaranteed as required by applicable legislation or regulations, and contractual clauses where appropriate...
Q
Regulation of Cryptographic Measures
Cryptographic measures must be taken in accordance with applicable agreements, laws and regulations....
Q
Independent review of information security
Regular and independent reviews of the organization’s approach to managing and implementing information security (i.e., monitoring of security objectives, information security measures, policies, procedures and processes) must be carried out at defined intervals or when significant changes have oc...
Q
Compliance with security policies and standards
Managers must regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements....
Q
Disposal of Media
Media that are no longer needed must be disposed of securely, following formal procedures....