Mapping of ISO 27001:2022 security controls to the OWASP ASVS standard and the OWASP SAMM model

| ISO control | ISO control # | ASVS | SAMM |
|---|---|---|---|
| Organizational controls | | | |
| Policies for information security | 5.1 | - | |
| Information security roles and responsibilities | 5.2 | - | |
| Segregation of duties | 5.3 | - | - |
| Management responsibilities | 5.4 | - | Governance:Education & Guidance:Training & Awareness |
| Contact with authorities | 5.5 | - | - |
| Contact with special interest groups | 5.6 | - | - |
| Threat intelligence | 5.7 | - | - |
| Information security in project management | 5.8 | - | - |
| Inventory of information and other associated assets | 5.9 | 14.2.5 | |
| Acceptable use of information and other associated assets | 5.10 | - | Operations:Operational Management:Data Protection |
| Return of assets | 5.11 | - | Operations:Operational Management:System Decommissioning / Legacy Management |
| Classification of information | 5.12 | 8.3.4 | Operations:Operational Management:Data Protection |
| Labelling of information | 5.13 | - | - |
| Information transfer | 5.14 | - | - |
| Access control | 5.15 | | |
| Identity management | 5.16 | - | - |
| Authentication information | 5.17 | - | Verification:Architecture Assessment |
| Access rights | 5.18 | - | - |
| Information security in supplier relationships | 5.19 | - | Design:Security Requirements:Supplier Security |
| Addressing information security within supplier agreements | 5.20 | - | Design:Security Requirements:Supplier Security |
| Managing information security in the information and communication technology (ICT) supply chain | 5.21 | - | Design:Security Requirements:Supplier Security |
| Monitoring, review and change management of supplier services | 5.22 | - | - |
| Information security for use of cloud services | 5.23 | - | - |
| Information security incident management planning and preparation | 5.24 | - | Operations:Incident Management |
| Assessment and decision on information security events | 5.25 | - | Operations:Incident Management |
| Response to information security incidents | 5.26 | - | Operations:Incident Management |
| Learning from information security incidents | 5.27 | - | Operations:Incident Management |
| Collection of evidence | 5.28 | - | Operations:Incident Management |
| Information security during disruption | 5.29 | - | - |
| ICT readiness for business continuity | 5.30 | 8.1.5 | - |
| Legal, statutory, regulatory and contractual requirements | 5.31 | | |
| Intellectual property rights | 5.32 | - | - |
| Protection of records | 5.33 | - | - |
| Privacy and protection of personal identifiable information (PII) | 5.34 | | |
| Independent review of information security | 5.35 | - | - |
| Compliance with policies, rules and standards for information security | 5.36 | 1.5.1 | Governance:Policy & Compliance; Design:Security Requirements |
| Documented operating procedures | 5.37 | - | Operations:Operational Management |
| People controls | | | |
| Screening | 6.1 | - | - |
| Terms and conditions of employment | 6.2 | - | - |
| Information security awareness, education and training | 6.3 | - | Governance:Education & Guidance |
| Disciplinary process | 6.4 | - | - |
| Responsibilities after termination or change of employment | 6.5 | - | - |
| Confidentiality or non-disclosure agreements | 6.6 | - | - |
| Remote working | 6.7 | - | - |
| Information security event reporting | 6.8 | - | - |
| Physical controls | | | |
| Physical security perimeters | 7.1 | - | - |
| Physical entry | 7.2 | - | - |
| Securing offices, rooms and facilities | 7.3 | - | - |
| Physical security monitoring | 7.4 | - | - |
| Protecting against physical and environmental threats | 7.5 | - | - |
| Working in secure areas | 7.6 | - | - |
| Clear desk and clear screen | 7.7 | - | - |
| Equipment siting and protection | 7.8 | - | - |
| Security of assets off-premises | 7.9 | - | - |
| Storage media | 7.10 | - | - |
| Supporting utilities | 7.11 | - | - |
| Cabling security | 7.12 | - | - |
| Equipment maintenance | 7.13 | - | - |
| Secure disposal or re-use of equipment | 7.14 | - | - |
| Technological controls | | | |
| User end point devices | 8.1 | - | - |
| Privileged access rights | 8.2 | - | - |
| Information access restriction | 8.3 | Access control section | - |
| Access to source code | 8.4 | - | - |
| Secure authentication | 8.5 | | |
| Capacity management | 8.6 | - | - |
| Protection against malware | 8.7 | 12.4.2 | - |
| Management of technical vulnerabilities | 8.8 | - | |
| Configuration management | 8.9 | | |
| Information deletion | 8.10 | | |
| Data masking | 8.11 | Data Protection | Operations:Operational Management:Data Protection |
| Data leakage prevention | 8.12 | - | - |
| Information backup | 8.13 | | - |
| Redundancy of information processing facilities | 8.14 | - | - |
| Logging | 8.15 | | Operations:Incident Management:Incident Detection |
| Monitoring activities | 8.16 | | Operations:Incident Management:Incident Detection |
| Clock synchronization | 8.17 | 7.3.4 | - |
| Use of privileged utility programs | 8.18 | - | - |
| Installation of software on operational systems | 8.19 | - | Implementation:Secure Deployment:Deployment Process |
| Networks security | 8.20 | - | - |
| Security of network services | 8.21 | - | - |
| Segregation of networks | 8.22 | - | - |
| Web filtering | 8.23 | - | - |
| Use of cryptography | 8.24 | | - |
| Secure development life cycle | 8.25 | | |
| Application security requirements | 8.26 | | Design:Security Requirements |
| Secure system architecture and engineering principles | 8.27 | | Design:Security Architecture; Verification:Architecture Assessment |
| Secure coding | 8.28 | | Governance:Education & Guidance |
| Security testing in development and acceptance | 8.29 | 10.1.1 | Verification:Requirements-driven Testing; Verification:Security Testing |
| Outsourced development | 8.30 | - | - |
| Separation of development, test and production environments | 8.31 | - | - |
| Change management | 8.32 | - | - |
| Test information | 8.33 | - | - |
| Protection of information systems during audit testing | 8.34 | - | Verification:Security Testing:Deep Understanding |