Pre- and Post-Requisites
Introduction
Here, we describe the pre- and post-requisites on which this MIM on Securing Data depends. They are based on ISO 27001, and the numbers below refer to the numbering used in the ISO 27001 Annex A tables.
We assume that most of these will be handled by other foundational MIMs. This needs to be further explored in summer/fall 2025.
Pre-Requisites
5.10 Acceptable use of information and other associated assets. Control: Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.
5.12 Classification of information. Control: Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.
5.14 Information transfer. Control: Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.
8.3 Information access restriction. Control: Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.
8.12 Data leakage prevention. Control: Data leakage prevention measures shall be applied to systems, networks and any
8.15 Logging. Control: Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.
8.16 Monitoring activities. Control: Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
8.21 Security of network services. Control: Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.
8.27 Secure system architecture and engineering principles. Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.
Post-Requisites
5.28 Collection of evidence. Control: The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.