opexxx

InfoSecRequirements.txt

May 5th, 2021 (edited)
"+ The requirements for information security have been determined and documented.
- The requirements are adapted to the goals of the organization.
- A policy has been created and approved by the organization's management.
+ The policy includes objectives and the significance of information security within the organization."

"+ The scope of the ISMS (the organization managed by the ISMS) is defined.
+ The organization's requirements for the ISMS are determined.
+ The organizational management has commissioned and approved the ISMS.
+ The ISMS provides the organizational management with suitable monitoring and control means (e.g. management review).
+ Applicable controls have been identified (e.g. ISO 27001 Statement of Applicability, completed ISA Questionnaire).
+ The effectiveness of the ISMS is regularly reviewed by the management."
"+ Responsibilities for information security within the organization are defined, documented and assigned.
+ The responsible employees are defined and qualified for their task.
+ The required resources are available.
+ The contact persons are known within the organization and to relevant business partners."
+ Projects are classified considering their information security requirements.
"+ The concerned services and IT services used are identified.
+ The security requirements relevant to the IT service are determined:
+ The organization responsible for implementing each individual requirement is defined and aware of its responsibility.
+ Mechanisms for shared responsibilities are specified and implemented.
+ The responsible organization fulfils its respective responsibilities."

"+ Information assets of critical value to the organization are identified and recorded.
- A person responsible for these information assets is assigned.
+ The supporting assets processing the information assets are identified and recorded.
- A person responsible for these supporting assets is assigned."
"+ A consistent scheme for the classification of information assets with regard to the protection objective of confidentiality is available.
+ Evaluation of the identified information assets is carried out according to the defined criteria and assigned to the existing classification scheme.
+ Requirements for the handling of supporting assets (e.g. marking, correct handling, transport, storage, return, deletion/disposal) depending on the classification of the information assets exist and are applied."
"+ External IT services are not used without explicit evaluation and implementation of the information security requirements
- A risk assessment of the external IT services exists
- Legal, regulatory and contractual requirements are taken into account
+ The external IT services are aligned with the protection needs of the information assets to be processed"

"+ Risk assessments are carried out both at regular intervals and in response to events.
+ Information security risks are assessed in a suitable manner according to e.g. probability of occurrence and potential damage.
+ Information security risks are documented.
+ A responsible person (risk owner) is assigned to each information security risk. This person is responsible for the assessment and handling of the information security risks."

"+ Observation of policies is verified throughout the organization.
+ Information security policies and procedures are reviewed at regular intervals.
+ Measures for correcting potential non-conformities (deviations) are initiated and pursued.
+ Compliance with information security requirements (e.g. technical specifications) is verified at regular intervals.
+ The results of the conducted reviews are recorded and retained."
"+ Information security reviews are carried out by an independent and competent body at regular intervals and in case of significant changes.
+ Measures for correcting potential deviations are initiated and tracked."

"+ A definition of information security events/vulnerabilities exists.
+ A procedure for reporting and recording information security events/vulnerabilities is defined and implemented.
+ The following aspects are considered:
- Reaction to information security events/vulnerabilities
- Reporting form and reporting channel
- Processing station
- Feedback procedure
- References to technical and organisational measures (e.g. disciplinary measures).
+ Procedures for ensuring traceability in case of information security events/vulnerabilities are established and documented.
+ Information security events/vulnerabilities are assessed and documented in order to ensure traceability.
+ An adequate reaction to information security events/vulnerabilities is given.
+ A strategy for an adequate reaction to events of information security violations exists.
- This includes escalation procedures, remedial actions and communication to relevant internal and external bodies as well as a procedure for deciding whether a cybercriminal attack will be legally prosecuted."

"+ Sensitive work fields and positions are identified.
+ The requirements for employees regarding their job profile are determined and fulfilled.
+ The identity of potential employees is verified (e.g. checking identity documents)."
"+ A non-disclosure obligation is in effect.
+ An obligation to comply with the information security policies is in effect."
+ Employees are trained and made aware.
"+ The requirements for teleworking are determined and fulfilled. The following aspects are considered:
- Secure handling of and access to information (both electronically and physically) while taking into account the protection needs and any contractual requirements in private (e.g. home office) and public areas (e.g. when travelling)
- Conduct in private areas
- Conduct in public areas
- Protective measures against theft (e.g. in public areas)
+ Access to the organization’s network is gained via a secure connection (e.g. VPN) and strong authentication."

"+ A security zone concept including the associated protective measures based on the requirements for handling information assets is defined and documented.
+ Security zones are specified and documented under consideration of terrains/buildings/rooms. This also includes delivery and shipping areas.
+ The defined protective measures are implemented.
+ The code of conduct for security zones is known to all persons affected."
"+ Possible exceptional situations are identified and recorded.
+ Potentially endangered infrastructure components (e.g. access points, IT systems) are identified and recorded.
+ Measures for limiting the impact of threats are identified and implemented.
+ For exceptional situations, information security aspects are taken into consideration in methods, processes and procedures."
+ The requirements for handling supporting assets (e.g. transport, storage, repair, loss, return, disposal) are determined and fulfilled.
"+ The requirements for mobile IT devices and mobile data storage devices are determined and fulfilled. The following aspects are considered:
- Encryption
- Access protection (e.g. PIN, password)
- Labelling (taking into account requirements regarding e.g. use within customer sites)"

"+ The requirements for the handling of identification means over the entire lifecycle are determined and fulfilled. The following aspects are considered:
- Creation, transfer, return and destruction
- Validity periods
- Handling of loss"
"+ The procedures for user authentication have been selected based on a risk assessment. Potential attack scenarios have been considered (e.g. direct access via the internet)
+ The procedures used for user authentication are according to the state of the art."
"+ The creation, modification and deletion (lifecycle) of user accounts is performed.
+ Unique and personalized user accounts are used.
+ The use of “collective accounts” is regulated (e.g. restricted to cases where traceability of actions is dispensable).
+ User accounts are disabled immediately after the user has resigned from or left the organization (e.g. upon termination of the employment contract).
+ User accounts are regularly reviewed.
+ The login information is provided to the user in a secure manner.
+ A policy for handling login information is defined and implemented. The following aspects are considered:
- No disclosure of login information to third parties – not even persons of authority – under consideration of legal restrictions
- No writing down or unencrypted storing of login information
- Immediate changing of login information whenever potential compromise is suspected
- No use of identical login information for business and non-business purposes
- Changing of temporary or initial login information following the 1st login
- Requirements for the quality of login information (e.g. length of password, types of characters to be used).
+ The login information (e.g. passwords) of a personalized user account must be known to the assigned user only."

"+ The requirements for the management of access rights (authorization) are determined and fulfilled. The following aspects are considered:
- Procedures for application, verification and approval
- Application of the “need-to-know” principle
+ Access rights granted to normal and privileged user accounts and technical accounts, including those in customer IT systems, are reviewed at regular intervals."

"+ All cryptographic procedures used (e.g. encryption, signature, and hash algorithms, protocols, applications) provide the security required by the respective application according to the state of the art.
+ The legal parameters for the use of cryptography are taken into account."
"+ The network services used to transfer information are identified and documented.
+ Policies and procedures in accordance with the classification requirements for the use of network services are defined and implemented.
+ Measures for the protection of transferred contents against unauthorized access are implemented."

+ Information security requirements for changes to the organization, business processes, IT systems are determined and applied.
"+ The IT systems have been subjected to risk assessment in order to determine the necessity of their separation into development and productive systems.
+ A separation is implemented based on the results of risk analysis."
"+ Requirements for protection against malware are identified.
+ Technical and organizational measures for protection against malware are defined and implemented."
"+ Information security requirements regarding the handling of event logs are determined and fulfilled.
+ Security-relevant requirements regarding the logging of activities of system administrators and users are determined and fulfilled.
+ The IT systems used are assessed regarding the necessity of logging.
+ Where externally operated services (particularly cloud services) are used, information on monitoring options is obtained and considered in the evaluation.
+ Event logs are checked regularly for rule violations and noticeable problems in compliance with the permissible legal and organizational provisions.
+ Procedures for handling rule violations are specified (e.g. reporting to authorized bodies)."
"+ Information on technical vulnerabilities for the IT systems in use is gathered (e.g. information from the manufacturer, system audits, CVE database) and evaluated (e.g. Common Vulnerability Scoring System CVSS)
+ Potentially affected IT systems and software are identified, assessed and any vulnerabilities are addressed."
"+ Requirements for auditing of IT systems are determined.
+ The scope of the system audit is specified in a timely manner.
+ System audits are coordinated with the operator and users of the IT systems.
+ The results of system audits are stored in a traceable manner and reported to the relevant management.
+ Measures are derived from the results."
"+ Requirements for the management and control of networks are determined and fulfilled.
+ Requirements regarding network segmentation are determined and fulfilled."

"+ The information security requirements associated with the design and development of IT systems are determined and taken into account.
+ The information security requirements associated with the acquisition or extension of IT systems and IT components are determined and taken into account.
+ Information security requirements associated with changes to IT systems are taken into account.
+ System approval tests are carried out under consideration of the information security requirements."
+ Requirements regarding the information security of network services are determined and fulfilled.
+ A procedure for returning and securely removing information assets from any external IT service is defined and implemented.
+ Effective segregation (e.g. segregation of tenants) prevents access to own information by unauthorized users of other organizations.

"+ Suppliers and cooperation partners are subjected to a risk assessment with regard to information security.
+ An appropriate level of information security is ensured by contractual agreements with suppliers and cooperation partners.
+ Where applicable, contractual agreements with customers are passed on to suppliers and cooperation partners.
+ Compliance with contractual agreements is verified."
"+ The non-disclosure requirements are determined and fulfilled.
+ Requirements and procedures for applying non-disclosure agreements are known to all persons passing on information in need of protection.
+ Valid non-disclosure agreements are concluded prior to forwarding sensitive information.
+ The requirements and procedures for applying non-disclosure agreements and handling sensitive information are regularly reviewed."

"+ Legal, regulatory and contractual requirements and specifications of relevance to information security (see examples) are regularly determined.
+ Policies regarding compliance with the requirements are defined, implemented and communicated to the responsible persons."
"+ Legal and contractual information security requirements regarding the procedures and processes in the processing of personal data are determined.
+ Regulations regarding the compliance with legal and contractual requirements for the protection of personal data are defined and known to the entrusted persons.
+ Processes and procedures for the protection of personal data are taken into account in the information security management system."