Top 10 List of ISO 27001 information assets security controls
1. Information Classification
Owners of information shall classify all information under their control. The criteria set forth in State Administrative Manual (SAM) Section 5320.5 shall be utilized to classify [Company] information.
2. Critical Application Classification
For disaster recovery and business continuity planning purposes, owners of information shall determine which information technologies they utilize are critical applications. A critical application is defined as an information technology so important to the [Company]'s mission and business that its loss or unavailability is unacceptable. With a critical application, even short-term unavailability of the information or service provided by the application would have a significant negative impact on the health and safety of the public or state workers; on the business, fiscal or legal integrity of [Company] or state operations; or on the continuation of essential [Company] programs.
3. Security and Privacy Assessment
For all information technology projects that involve the processing of information classified as confidential or sensitive, or result in the development of a critical application, a security assessment must be conducted by the [Company] Information Security Office to determine the information security impact level of the project. As part of the assessment, the ISO will provide recommended appropriate information security controls (i.e., safeguards or countermeasures) for inclusion in the Project's System Security Plan (SSP) to ensure security objectives (e.g., privacy, confidentiality, integrity, and availability).
IT Service Level Agreement Templates

Download free IT Service Level Agreement templates. This SLA template is a simple template that can be used by any type of organization, whether it follows ISO 27001, ITIL/ITSM or the ISO 20000 standard. Details can be found below.
1 General Overview
This is a Service Level Agreement (“SLA”) between the [COMPANY] and the Information Technology Services Division (ITS) to document:
• The technology services ITS provides to the [COMPANY]
Comparison of Information Security Standard from ISO 15048, ISO 27002, NIST 800-33 and HIPAA

Below is a simple comparison of internationally recognized security standards:
- ISO 15048 (The Common Criteria for IT Security Evaluation)
- ISO 27002 Information System Security Management System
- NIST 800-33 Technical Models for Information Technology Security
- HIPAA (Health Insurance Portability and Accountability Act)
The comparison is limited to the following security categories:
- Availability
- Data Integrity
- System Integrity
- Confidentiality
- Accountability
- Assurance
What is ISO 15048 (The Common Criteria for IT Security Evaluation)
ISO 15048, The Common Criteria for IT Security Evaluation, is a set of functional and assurance security requirements developed internationally to provide a common baseline. It is applied by accredited independent test labs (CCTLs) around the world; the National Information Assurance Partnership (NIAP) is the governing body for all CCTLs in the U.S.
Certificates issued by NIAP will be recognized around the world.
NSTISSP #11
As of July 2002, all new IT product purchases for use in national security systems must be evaluated and validated under the Common Criteria.
DoD 8500.1 & DoD 8500.2
- All IA ... components ... incorporated into DoD information systems must comply with ... [NSTISSP #11] ...
SAS 70 Continuity Planning and Disaster Recovery Security Examination Audit
There are two parts to the continuity planning section of the audit: the plans for a disaster and the backups necessary to prevent the loss of information. The auditor will look to see how the organization will maintain operations for itself and its customers should a serious event occur. This means that the organization needs to have good plans as well as good backups. The following items will be examined for disaster recovery:
- The formal disaster recovery plan
- Timelines for recovery matched against various types of disasters
- The availability of redundant facilities and systems
- The testing of the plan
The following items will be examined with regard to backups: