
CONTROL NUMBER

Policies for information security A.5.1.1 A5


Review of the policies for information security A.5.1.2
Information security roles and responsibilities A.6.1.1
Segregation of duties A.6.1.2
Contact with authorities A.6.1.3 A6
Contact with special interest groups A.6.1.4
Information security in project management A.6.1.5
Mobile device policy A.6.2.1
Teleworking A.6.2.2
Screening A.7.1.1
Terms and conditions of employment A.7.1.2
Management responsibilities A.7.2.1
A7
Information security awareness, education and training A.7.2.2
Disciplinary process A.7.2.3
Termination or change of employment responsibilities A.7.3.1
Inventory of assets A.8.1.1 A8
Ownership of assets A.8.1.2
Acceptable use of assets A.8.1.3
Return of assets A.8.1.4
Classification of information A.8.2.1
Labelling of information A.8.2.2
Handling of assets A.8.2.3
Management of removable media A.8.3.1 A8
Disposal of media A.8.3.2
Physical media transfer A.8.3.3
Access control policy A.9.1.1 A9
Access to networks and network services A.9.1.2
User registration and de-registration A.9.2.1
User access provisioning A.9.2.2
Privilege management A.9.2.3
Management of secret authentication information of users A.9.2.4
Review of user access rights A.9.2.5
Removal or adjustment of access rights A.9.2.6
Use of secret authentication information A.9.3.1
Use of secret authentication information A.9.4.1
Secure log-on procedures A.9.4.2
Password management system A.9.4.3
Use of privileged utility programs A.9.4.4
Access control to program source code A.9.4.5
Policy on the use of cryptographic controls A.10.1.1 A10
Key management A.10.1.2
Physical security perimeter A.11.1.1
Physical entry controls A.11.1.2
Securing office, rooms and facilities A.11.1.3
Protecting against external and environmental threats A.11.1.4
Working in secure areas A.11.1.5
Delivery and loading areas A.11.1.6
Equipment siting and protection A.11.2.1
Supporting utilities A.11.2.2
Cabling security A.11.2.3
Equipment maintenance A.11.2.4
Removal of assets A.11.2.5
Security of equipment and assets off-premises A.11.2.6
Secure disposal or re-use of equipment A.11.2.7
Unattended user equipment A.11.2.8 A11
Clear desk and clear screen policy A.11.2.9
Documented operating procedures A.12.1.1
Change management A.12.1.2
Capacity management A.12.1.3
Separation of development, test and operational environments A.12.1.4 A12
Controls against malware A.12.2.1
Information backup A.12.3.1
Event logging A.12.4.1
Protection of log information A.12.4.2
Administrator and operator logs A.12.4.3
Clock synchronisation A.12.4.4
Installation of software on operational systems A.12.5.1
Management of technical vulnerabilities A.12.6.1
Restrictions on software installation A.12.6.2
Information systems audit controls A.12.7.1
Network controls A.13.1.1 A13
Security of network services A.13.1.2
Segregation in networks A.13.1.3 A13
Information transfer policies and procedures A.13.2.1
Agreements on information transfer A.13.2.2
Electronic messaging A.13.2.3
Confidentiality or non-disclosure agreements A.13.2.4
Security requirements analysis and specification A.14.1.1
Securing applications services on public networks A.14.1.2 A14
Protecting application services transactions A.14.1.3
Secure development policy A.14.2.1 A14
System change control procedures A.14.2.2
Technical review of applications after operating platform changes A.14.2.3
Restrictions on changes to software packages A.14.2.4 A14
Secure system engineering principles A.14.2.5
Secure development environment A.14.2.6 A14
Outsourced development A.14.2.7 A14
System security testing A.14.2.8 A14
System acceptance testing A.14.2.9
Protection of test data A.14.3.1
Information security policy for supplier relationships A.15.1.1 A15
Addressing security within supplier agreements A.15.1.2
Information and communication technology supply chain A.15.1.3
Monitoring and review of supplier services A.15.2.1
Managing changes to supplier services A.15.2.2
Responsibilities and procedures A.16.1.1
Reporting information security events A.16.1.2 A16
Reporting information security weaknesses A.16.1.3
Assessment and decision on information security events A.16.1.4 A16
Response to information security incidents A.16.1.5 A16
Learning from information security incidents A.16.1.6 A16
Collection of evidence A.16.1.7 A16
Planning information security continuity A.17.1.1 A17
Implementing information security continuity A.17.1.2
Verify, review and evaluate information security continuity A.17.1.3
Availability of information processing facilities A.17.2.1
Identification of applicable legislation and contractual requirements A.18.1.1
Intellectual property rights (IPR) A.18.1.2
Protection of records A.18.1.3
Privacy and protection of personally identifiable information A.18.1.4
Regulation of cryptographic controls A.18.1.5 A18
Independent review of information security A.18.2.1 A18
Compliance with security policies and standards A.18.2.2
Technical compliance review A.18.2.3 A18
EXISTING 53
MISSING 61

IG 1 8
IG 2 28
IG 3 16

ISO 27001 DOMAINS NOT MAPPED IN CISv7.1 A5


A15
A17

ISO 27001 DOMAINS MAPPED IN CISv7.1 A6


A7
A8
A9
A10
A11
A12
A13
A14
A16
A18

ISO CONTROLS 114


ISO CONTROLS INCLUDED IN CIS v7.1 52
ISO CONTROLS NOT INCLUDED IN CIS v7.1 62
Information security policies
Organization of information security
Human resource security
Asset management
Asset management
Access control
Cryptography
Physical and environmental security
Operations security
Communications security
Communications security
System acquisition, development and maintenance
System acquisition, development and maintenance
System acquisition, development and maintenance
System acquisition, development and maintenance
System acquisition, development and maintenance
System acquisition, development and maintenance
Supplier relationships
Information security incident management
Information security incident management
Information security incident management
Information security incident management
Information security incident management
Information security aspects of business continuity management
Compliance
Compliance
Compliance

ISO 27001 CONTROLS IMPLEMENTED


MAPPED TO CISV7.1 IMPLEMENTATION GROUPS (IG)

16

28

IG 1 IG 2 IG 3

Information security policies
Supplier relationships
Information security aspects of business continuity management
Organization of information security
Human resource security
Asset management
Access control
Cryptography
Physical and environmental security
Operations security
Communications security
System acquisition, development and maintenance
Information security incident management
Compliance

ISO 27001 vs CISv7.1

Critical Security Control #19: Incident Response and Management

Critical Security Control #19: Incident Response and Management


Critical Security Control #17: Implement a Security Awareness and Training Program

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

Critical Security Control #8: Malware Defenses

Critical Security Control #4: Controlled Use of Administrative Privileges


Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
Critical Security Control #16: Account Monitoring and Control
Critical Security Control #4: Controlled Use of Administrative Privileges
Critical Security Control #4: Controlled Use of Administrative Privileges
Critical Security Control #4: Controlled Use of Administrative Privileges
Critical Security Control #4: Controlled Use of Administrative Privileges
Critical Security Control #4: Controlled Use of Administrative Privileges
Critical Security Control #4: Controlled Use of Administrative Privileges
Critical Security Control #4: Controlled Use of Administrative Privileges
Critical Security Control #4: Controlled Use of Administrative Privileges
Critical Security Control #4: Controlled Use of Administrative Privileges
Critical Security Control #4: Controlled Use of Administrative Privileges
Critical Security Control #18: Application Software Security
Critical Security Control #10: Data Recovery Capabilities
Critical Security Control #13: Data Protection
Critical Security Control #16: Account Monitoring and Control

Critical Security Control #18: Application Software Security


Critical Security Control #8: Malware Defenses
Critical Security Control #10: Data Recovery Capabilities
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Critical Security Control #9: Limitation and Control of Network Ports
Critical Security Control #9: Limitation and Control of Network Ports
Critical Security Control #7: Email and Web Browser Protections

Critical Security Control #9: Limitation and Control of Network Ports

Critical Security Control #18: Application Software Security

Critical Security Control #5: Secure Configurations for Hardware and Software

Critical Security Control #18: Application Software Security


Critical Security Control #18: Application Software Security
Critical Security Control #3: Continuous Vulnerability Assessment and Remediation

Critical Security Control #19: Incident Response and Management

Critical Security Control #19: Incident Response and Management


Critical Security Control #19: Incident Response and Management
Critical Security Control #19: Incident Response and Management
Critical Security Control #19: Incident Response and Management

Critical Security Control #13: Data Protection


Critical Security Control #20: Penetration Tests and Red Team Exercises

Critical Security Control #5: Secure Configurations for Hardware and Software


DISTRIBUTION 114
ISO CONTROLS INCLUDED IN CIS v7.1 52
ISO CONTROLS NOT INCLUDED IN CIS v7.1 62
Critical Security Control #13: Data Protection

Critical Security Control #14: Controlled Access Based on the Need to Know
Critical Security Control #9: Limitation and Control of Network Ports

Critical Security Control #16: Account Monitoring and Control


Critical Security Control #16: Account Monitoring and Control
Critical Security Control #16: Account Monitoring and Control
Critical Security Control #16: Account Monitoring and Control
Critical Security Control #16: Account Monitoring and Control
Critical Security Control #16: Account Monitoring and Control
Critical Security Control #16: Account Monitoring and Control
Critical Security Control #16: Account Monitoring and Control
Critical Security Control #16: Account Monitoring and Control

Critical Security Control #13: Data Protection


Critical Security Control #12: Boundary Defense

Critical Security Control #12: Boundary Defense


Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Critical Security Control #12: Boundary Defense

Critical Security Control #8: Malware Defenses

Critical Security Control #7: Email and Web Browser Protections

Critical Security Control #5: Secure Configurations for Hardware and Software
Critical Security Control #7: Email and Web Browser Protections
Critical Security Control #14: Controlled Access Based on the Need to Know

Critical Security Control #16: Account Monitoring and Control


Critical Security Control #11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Critical Security Control #14: Controlled Access Based on the Need to Know
Critical Security Control #15: Wireless Access Control

Critical Security Control #15: Wireless Access Control


Critical Security Control #12: Boundary Defense

Critical Security Control #12: Boundary Defense

Critical Security Control #7: Email and Web Browser Protections


Critical Security Control #20: Penetration Tests and Red Team Exercises
Critical Security Control #12: Boundary Defense

Critical Security Control #15: Wireless Access Control


Critical Security Control #13: Data Protection

Critical Security Control #18: Application Software Security


Critical Security Control #20: Penetration Tests and Red Team Exercises
