PRIORITY 1 Security Controls

80% of analyzed information security breaches could have been mitigated by the P1 controls. List of threats is here

An information security strategy shall be defined and operating model developed to adhere to the strategy. In addition, information security plans shall be developed for each major service to identify and mitigate the risks corresponding to each service

M2 Information Security Risk Management

An information security risk management process shall be implemented to conduct risk assessments, statements of applicability, security testing and evaluations of information security controls on applicable services

M3 Awareness and Training

An awareness and training program shall be implemented to inform entities of risks associated with their activities and to ensure that entities are adequately trained to carry out their assigned information security responsibilities

M3.3.1 - P1 - TRAINING NEEDS

M4 Human Resources Security

Human resources security requirements and security responsibilities shall be addressed prior employment, during employment, and after termination or change of employment

T1 Asset Management

Assets shall be managed and information shall be classified and labeled to ensure that assets including information receives an appropriate level of information security

T1.4.1 - P1 - MANAGEMENT OF REMOVABLE MEDIA

T3 Operations Management

Operational procedures and responsibilities shall be developed, to ensure an adequate level of information security. In addition, backup, media handling, e-services security and monitoring shall be addressed to ensure protection against malicious code and spyware

T3.4.1 - P1 - CONTROLS AGAINST MALWARE

Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures should be implemented

T3.5.1 - P1 - INFORMATION BACKUP

Backup copies of information and software should be taken and tested regularly in accordance with the agreed backup policy.

T3.6.3 - P1 - MONITORING SYSTEM USE

Procedures for monitoring use of information systems should be established and the results of the monitoring activities reviewed regularly.

T4 Communications

Network security and information sharing shall be addressed to ensure protection of information in transit

T5 Access Control

Access control processes shall be developed to control access to information, to manage user access, control access to both internal and external network services, control access to operating systems, control access to applications and to apply appropriate protection when using mobile computing and teleworking services

T7 - INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE

T7 Information System Acquisition, Development & Maintenance

An information systems acquisition, development and maintenance process shall be implemented to prevent unauthorized modification or misuse of information in applications, to ensure that a cryptographic control policy is in place, to maintain security in development and support processes and to manage technical vulnerabilities

T7.7.1 - P1 - CONTROL OF TECHNICAL VULNERABILITIES

Release Notes

PRIORITY 1 Security Controls

Related Pages

M1.1.1 - UNDERSTANDING THE ENTITY AND ITS CONTEXT Implementation Guidance

M1.1.2 - LEADERSHIP MANAGEMENT COMMITMENT Implementation Guidance

M1.1.3 - ROLES AND RESPONSABILITIES FOR INFORMATION SECURITY Implementation Guidance

M1.2.1 - INFORMATION SECURITY POLICY Implementation Guidance

M1.3.5 - INDENTIFICATION OF RISKS RELATED TO EXTERNAL PARTIES Implementation Guidance

M1.4.1 - RESOURCES Implementation Guidance

M2.1.1 - INFORMATION SECURITY RISK MANAGEMENT POLICY Implementation Guidance

M2.2.1 - INFORMATION SECURITY RISK INDENTIFICATION Implementation Guidance

M2.2.2 - INFORMATION SECURITY RISK ANALYSIS Impementation Guidance

M2.2.3 - INFORMATION SECURITY RISK EVALUATION ANALYSIS Implementation Guidance

M2.3.1 - INFORMATION SECURITY RISK TREATMENT OPTIONS Implementation Guidance

M2.3.2 - INDENTIFICATION OF CONTROLS Implementation Guidance

M2.3.3 - RISK TREATMENT PLAN Implementation Guidance

M2.3.4 - STATEMENT OF APPLICABILITY Implementation Guidance

M2.4.1 - RISK MONITORING AND REVIEW Implementattion Guidance

M2.4.2 - RISK COMMUNICATION AND CONSULATION Implementation Guidance

M3.3.1 - TRAINNING NEEDS Implementation Guidance

M4.4.1 - TERMINATION RESPONSIBILITIES Implementation Guidance

M4.4.2 - RETURN OF ASSETS Implementation Guidance

M4.4.3 - REMOVAL OF ACCESS RIGHTS Implementation Guidance

T1.4.1 - MANAGMENT OF REMOVABLE MEDIA Implementation Guidance

T3.4.1- CONTROL AGAINST MALWARE Implementation Guidance

T3.5.1 - INFORMATION BACKUP Implementation Guidance

T3.6.3 - MONITORING SYSTEM USE Implementation Guidance

T4.5.1 - NETWORK CONTROLS Implementation Guidance

T4.5.3 - SEGREGATION IN NETWORK Implementation Guidance

T5.2.1 - USER REGISTRATION Implementation Guidance

T5.2.2 PRIVILEGE MANAGEMENT Implementation Guidance

T5.2.3 - USER SECURITY CREDENTIALS MANAGEMENT Implementation Guidance

T5.2.4 - REVIEW OF USER ACCESS RIGHTS Implementation Guidance

T5.3.1 - USE OF SECURITY CREDENTIALS Implementation Guidance

T5.4.2 - USER AUTHENTICATION FOR EXTERNAL CONNECTIONS Implementation Guidance

T5.4.3 - EQUIPMENT IDENTIFICATION NETWORKS Implementation Guidance

T5.4.5 - NETWORK CONNECTIONS CONTROL Implementation Guidance

T5.5.1 SECURE LOGON PROCEDURES Implementation guidance

T5.5.1 - SECURE LOG-ON PROCEDURES Implementation Guidance

T5.5.2 - USER INDENTIFICATION AND AUTHENTIFICATION Implementation Guidance

T5.5.3 - USER CREDENTIALS MANAGEMENT SYSTEM Implementation Guidance

T5.6.1 - INFORMATION ACCESS RESTRITION Implementation Guidance

T7.7.1 - CONTROL OF TECHNICAL VULNERABILITIES Implementation Guidance

Priority P1 Controls

M1 - STRATEGY AND PLANNING

M2 - INFORMATION SECURITY RISK MANAGEMENT

M3 - AWARENESS AND TRAINING

M4 - HUMAN RESOURCES SECURITY

T1 - ASSET MANAGEMENT

T3 - OPERATIONS MANAGEMENT

T4 -COMMUNICATIONS

T5 - ACCESS CONTROL

T7 - INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE