Security Controls Catalog
Synergy of Processes and Controls
Controls
Security controls play a foundational role in shaping the actions cyber security professionals take to protect an organization.
There are 93 controls grouped into four categories, which ISO refers to as "themes".
See the list of all controls with their attributes.
The primary goal for implementing a security control can be preventative, detective, corrective, compensatory, or act as a deterrent.
The lack of security controls places the confidentiality, integrity, and availability of information at risk. These risks also extend to the safety of people and assets within an organization.
Processes
Structured actions or steps taken to achieve a specific outcome. They are essentially the "how" of getting things done. In the context of information security, a process might refer to the steps taken to review and grant access permissions to users, or to how incidents are detected and responded to.
Controls Processes
Threat and Vulnerability Management
Asset Management
Continuity
Legal and Compliance
Human Resource Security
Physical Security
Information Security Assurance
Information Security Event Management
Governance
Secure Configuration
System and Network Security
Supplier Relationships Security
Application Security
Information Protection
Identity and Access Management
ISMS Processes
ISMS Core Processes
Information Security Governance/Management Interface Process
Security Policy Management Process
Requirements Management Process
Risk Assessment Process
Risk Treatment Process
Security Implementation Management Process
Process to Control Outsourced Services
Awareness Process
Incident Management Process
Change Management Process
Performance Evaluation Process
Improvement Process
ISMS Support Processes
Records Control Process
Resource Management Process
Communication Process
Customer Relationship Management Process
Correlation between Processes and Controls
Controls Safeguard Processes: Controls are often embedded within processes to ensure the process runs as intended. For example, a process might involve transferring data between servers, and a control within that process might ensure data encryption during the transfer.
Feedback Loop: Controls can provide feedback on processes. If a control (like a monitoring tool) detects a deviation or failure in a process, it can trigger corrective actions.
Processes can Enhance Controls: While controls safeguard processes, processes can also be designed to test, assess, and improve controls. For instance, a regular audit process can evaluate the effectiveness of certain controls and suggest improvements.
Both Drive Compliance and Security: Many regulatory requirements specify both processes (what you need to do) and controls (safeguards you need to have in place). An effective information security program incorporates both.
Mutual Dependencies: For a control to be effective, the process within which it is embedded must be sound. Conversely, for a process to run smoothly and safely, effective controls are essential.
Key Characteristics of Processes:
Structured and Repeatable: Processes are typically designed to be carried out the same way every time.
Outcome-focused: Every process is designed with a specific goal in mind.
Involves Multiple Steps: Processes usually have multiple stages or steps to reach the desired outcome.
Key Characteristics of Controls:
Purpose-specific: Each control is designed for a specific risk or to address a particular requirement.
Measurement and Evaluation: Controls should be regularly assessed to ensure they are effective.
Integrated Controls Management
In the ecosystem of information security, processes provide the roadmap, and controls ensure that the journey along that roadmap is safe and compliant. When designed and implemented correctly, they work together to ensure that an organization's information assets are well-protected against threats, errors, and inefficiencies.