"Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur."[1]

"Information security roles and responsibilities shall be defined and allocated according to the organization needs."[1]

"Conflicting duties and conflicting areas of responsibility shall be segregated."[1]

"Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization."[1]

"The organization shall establish and maintain contact with relevant authorities."[1]

"The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations."[1]

"Information relating to information security threats shall be collected and analysed to produce threat intelligence."[1]

"Information security shall be integrated into project management."[1]

"An inventory of information and other associated assets, including owners, shall be developed and maintained."[1]

"Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented."[1]

"Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement."[1]

"Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements."[1]

"An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization."[1]

"Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties."[1]

"Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements."[1]

"The full life cycle of identities shall be managed."[1]

"Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information."[1]

"Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control."[1]

"Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services."[1]

"Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship."[1]

"Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain."[1]

"The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery."[1]

"Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements."[1]

"The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities."[1]

"The organization shall assess information security events and decide if they are to be categorized as information security incidents."[1]

"Information security incidents shall be responded to in accordance with the documented procedures."[1]

"Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls."[1]

"The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events."[1]

"The organization shall plan how to maintain information security at an appropriate level during disruption"[1]

"ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements."[1]

"Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date."[1]

"The organization shall implement appropriate procedures to protect intellectual property rights."[1]

"Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release."[1]

"The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements."[1]

"The organization’s approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur."[1]

"Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed."[1]

"Operating procedures for information processing facilities shall be documented and made available to personnel who need them."[1]