Capabilities and Requirements
(see Notes for additional information)
C1: Data is only accessible to users that should have access to it.
R1: Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements. (ISO 27001 5.15: Access control)
R2: The full life cycle of identities shall be managed. (ISO 27001 5.16: Identity management)
R3: Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information. (ISO 27001 5.17: Authentication information)
R4: Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control. (ISO 27001 5.18: Access rights)
C2: Data accessed by users has not been altered.
R5: Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. (ISO 27001 8.24: Use of cryptography)
C3: Data accessed by users originates from a verified source.
R3: See above
R5: See above
R6: Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. (ISO 27001 8.5: Secure authentication)