130n@calvinlai.com
  • About Calvin Lai (fkclai)
  • My Work
  • Cyber Security
    • Cyber Security Centre (CSC)
      • Why we need a CSC
      • CSC Team Structure: Roles, Functions, and Tools
        • Key Function & Role
        • Tools & Platforms
        • People
        • Outsource Strategy
      • HRMC Executive Paper
  • Detection and Response
    • Playbook: Threat Prioritization & Automated Response Strategies
      • Scenario: Detecting and Mitigating a Ransomware Attack
      • Scenario: DC Sync Attack Detected and Mitigated
      • Scenario: Pass-the-Hash (PtH) Attack Detected and Contained
      • Scenario: Phishing Campaign with Malware / Credential Theft Detected and Mitigated
  • Application Architecture
    • Comparison of MVC , N-tier and Microservice Architecture
  • Application Security
    • OAuth, SAML, and OpenID Connect: Key Differences and Use Cases
    • Secure Coding Principles
    • HTTP Header Security Principles
    • Mitigating Broken Object Level Authorization (BOLA)
    • Spring Boot Validation
    • Output Encoding in JavaServer Faces (JSF)
    • Session Management Security Issues
    • Common API Security Problems
      • Broken Authentication
      • Excessive Data Exposure
      • Lack of Resources & Rate Limiting
      • Broken Function Level Authorization
      • Unsafe Consumption of APIs
    • JAVA Exception Handling
    • File Upload Validation
    • OAuth 2.0 Security
      • Insecure Storage of Access Tokens
    • Microservice Security
      • Sample Coding Demo
        • Service Implementation
        • Client Interaction
      • Security Solution for Microservices Architecture
    • Modifying and Protecting Java Class Files
      • Modify a Class File Inside a WAR File
      • Direct Bytecode Editing
        • Steps to Directly Edit a Java Class File
          • Update: Java Bytecode Editing Tools
      • Techniques to Protect Java Class Files
        • Runtime Decryption in WebLogic
    • JAVA Program
      • Secure, Concurrent Web Access Using Java and Tor
      • Creating a Maven Java project in Visual Studio Code
  • Exploit/CVE PoC
    • ZeroLogon Exploit
    • Remote Retrieved Chrome saved Encrypted Password
    • Twitter Control an RCE attack
  • Hacking Report (HTB)
    • Hits & Summary
      • Tools & Cheat Sheet
    • Windows Machine
      • Love 10.10.10.239
      • Blackfield 10.10.10.192
      • Remote 10.10.10.180
      • Sauna 10.10.10.175
      • Forest 10.10.10.161
      • Sniper
      • Json
      • Heist
      • Blue
      • Legacy
      • Resolute
      • Cascade
    • Linux Machine
      • Photobomb 10.10.11.182
      • Pandora 10.10.11.136
      • BountyHunter 10.10.11.100
      • CAP 10.10.10.245
      • Spectra 10.10.10.229
      • Ready 10.10.10.220
      • Doctor 10.10.10.209
      • Bucket 10.10.10.212
      • Blunder 10.10.10.191
      • Registry 10.10.10.159
      • Magic
      • Tabby
  • Penetration Testing
    • Web Application PenTest
    • Network/System PenTest
    • Mobile Penetration Test
      • Certificate Pinning
        • Certificate Pinning Bypass (Android)
          • Root a Android Device
          • Setup Proxy Tool - Burp Suite
      • Checklist
  • Threat Intelligence
    • Advanced Persistent Threat (APT) groups
      • North Korean APT Groups
      • Chinese APT Groups
      • Russian APT Groups
      • Other APT
  • Red Team (Windows)
    • 01 Reconnaissance
    • 02 Privileges Escalation
    • 03 Lateral Movement
    • 04 AD Attacks
      • DCSync
    • 05 Bypass-Evasion
    • 06 Kerberos Attack
    • 99 Basic Command
  • Exploitation Guide
    • 01 Reconnaissance
    • 02 Port Enumeration
    • 03 Web Enumeration
    • 04 Windows Enum & Exploit
      • Windows Credential Dumping
        • Credential Dumping: SAM
        • Credential Dumping: DCSync
      • Kerberos Attack
      • RDP
    • 05 File Enumeration
    • 06 Reverse Shell Cheat Sheet
      • Windows Reverse Shell
      • Linux Reverse Shell
    • 07 SQL Injection
    • 08 BruteForce
    • 09 XSS Bypass Checklist
    • 10 Spring Boot
    • 11 WPA
    • 12 Payload list
  • Vuln Hub (Writeup)
    • MrRobot
    • CYBERRY
    • MATRIX 1
    • Node-1
    • DPwwn-1
    • DC7
    • AiWeb-2
    • AiWeb-1
    • BrainPan
  • CTF (Writeup & Tips)
    • CTF Tools & Tips
    • Hacker One
    • CTF Learn
    • P.W.N. University - CTF 2018
    • HITCON
    • Pwnable
      • 01 Start
  • Useful Command/Tools
    • Kali
    • Windows
    • Linux
  • Offensive Security Lab & Exam
    • Lab
    • Tools for an Offensive Certification
      • Strategy for an Offensive Exam Certification
        • CVEs
        • Privilege Escalation
        • Commands
        • Impacket
  • ISO 27001
    • Disclaimer
    • What is ISO 27001
      • Implementation
    • Documentation
    • Common Mistake
    • Q&A
      • Can internal audit to replace the risk assessment
      • Is it sufficient for only the IT department head to support the ISO 27001 program
      • Does the Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) are the same?
    • ISO 27001 Controls and Domains
      • 1. Information Security Policies
      • 2. Organization of Information Security
      • 3. Human Resource Security
      • 4. Asset Management
      • 5. Access Control
      • 6. Cryptographic Controls
      • 7. Physical and Environmental Security
      • 8: Operational Security
      • 9. Communications Security
      • 10. System Acquisition, Development, and Maintenance
      • 11. Supplier Relationships
      • 12: Information Security Incident Management
      • 13. Information Security Aspects of Business Continuity Management
      • 14. Compliance
Powered by GitBook
On this page
  • Controls (A.18):
  • Control A.18.1.1: Identification of Applicable Legislation and Contractual Requirements
  • Control A.18.1.2: Intellectual Property Rights
  • Control A.18.1.3: Protection of Records
  • Control A.18.1.4: Privacy and Protection of Personally Identifiable Information (PII)
  • Control A.18.1.5: Regulation of Cryptographic Controls
  • Control A.18.2.1: Independent Review of Information Security
  • Control A.18.2.2: Compliance with Security Policies and Standards
  • Control A.18.2.3: Technical Compliance Review

Was this helpful?

  1. ISO 27001
  2. ISO 27001 Controls and Domains

14. Compliance

This category ensures that the organization complies with legal, regulatory, and contractual requirements related to information security. It includes implementing measures to avoid breaches of legal, statutory, regulatory, or contractual obligations and security requirements.

Controls (A.18):

  • A.18.1.1: Identification of Applicable Legislation and Contractual Requirements

  • A.18.1.2: Intellectual Property Rights

  • A.18.1.3: Protection of Records

  • A.18.1.4: Privacy and Protection of Personally Identifiable Information (PII)

  • A.18.1.5: Regulation of Cryptographic Controls

  • A.18.2.1: Independent Review of Information Security

  • A.18.2.2: Compliance with Security Policies and Standards

  • A.18.2.3: Technical Compliance Review

Control A.18.1.1: Identification of Applicable Legislation and Contractual Requirements

Audit Questions:

  • How does the organization identify applicable legal, regulatory, and contractual requirements?

  • Are there documented procedures to ensure compliance with these requirements?

Common Non-Conformities (NC):

  • Lack of a formal process to identify applicable requirements.

  • Incomplete or outdated documentation of requirements.

Control A.18.1.2: Intellectual Property Rights

Audit Questions:

  • How does the organization ensure compliance with intellectual property rights (IPR) regulations?

  • Are there measures to protect and manage IPR?

Common Non-Conformities (NC):

  • Inadequate measures to comply with IPR regulations.

  • Lack of protection and management of IPR.

Control A.18.1.3: Protection of Records

Audit Questions:

  • What controls are in place to protect records from loss, destruction, and falsification?

  • How are records maintained and stored securely?

Common Non-Conformities (NC):

  • Inadequate controls to protect records.

  • Poor maintenance and storage of records.

Control A.18.1.4: Privacy and Protection of Personally Identifiable Information (PII)

Audit Questions:

  • How does the organization ensure the privacy and protection of PII?

  • Are there policies and procedures to handle PII securely?

Common Non-Conformities (NC):

  • Lack of measures to protect PII.

  • Poor handling of PII, leading to potential breaches.

Control A.18.1.5: Regulation of Cryptographic Controls

Audit Questions:

  • How does the organization comply with regulations related to cryptographic controls?

  • Are cryptographic controls used in accordance with legal requirements?

Common Non-Conformities (NC):

  • Non-compliance with cryptographic control regulations.

  • Improper use of cryptographic controls.

Control A.18.2.1: Independent Review of Information Security

Audit Questions:

  • Are independent reviews of information security conducted regularly?

  • How are findings from independent reviews addressed and resolved?

Common Non-Conformities (NC):

  • No independent reviews of information security.

  • Findings from reviews not addressed or resolved.

Control A.18.2.2: Compliance with Security Policies and Standards

Audit Questions:

  • How does the organization ensure compliance with its security policies and standards?

  • Are there regular assessments to verify compliance?

Common Non-Conformities (NC):

  • Poor compliance with security policies and standards.

  • Lack of regular compliance assessments.

Control A.18.2.3: Technical Compliance Review

Audit Questions:

  • Are technical compliance reviews conducted regularly to ensure adherence to security standards?

  • How are non-compliances identified and rectified?

Common Non-Conformities (NC):

  • No regular technical compliance reviews.

  • Non-compliances not identified or rectified.

Previous13. Information Security Aspects of Business Continuity Management

Last updated 4 months ago

Was this helpful?