1 Scope
2 References
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 Overview
4.1 Background
4.2 Structure
5 Information security policies
6 Organization of information security
6.1 Internal organization
6.2 Mobile devices and teleworking
7 Human resources security
7.1 Prior to employment
7.2 During employment
7.3 Termination or change of employment
8 Asset management
8.1 Responsibility for assets
8.2 Information classification
8.3 Media handling
9 Access control
9.1 Business requirement for access control
9.2 User access management
9.3 User responsibilities
9.4 Systems and application access control
10 Cryptography
11 Physical and environmental security
11.1 Security areas
11.2 Equipment
12 Operations security
12.1 Operational procedures and responsibilities
12.2 Protection from malware
12.3 Back-up
12.4 Logging and monitoring
12.5 Control of operational software
12.6 Technical vulnerability management
12.7 Information systems audit considerations
13 Communication security
13.1 Network security management
13.2 Information transfer
14 Systems acquisition, development and maintenance
14.1 Security requirements of information systems
14.2 Security in development and support processes
14.3 Test data
15 Supplier relationships
15.1 Information security in supplier relationships
15.2 Supplier service delivery management
16 Information security incident management
16.1 Management of information security incidents and improvements
17 Information security aspects of business continuity management
17.1 Information security continuity
17.2 Redundancies
18 Compliance
Appendix I – Telecommunications extended control set
Bibliography