Module 5: Control Implementation

Tech Controls Part 1 (A.8)

25 min
+75 XP

Implementation Checklist

This comprehensive checklist covers all 93 Annex A controls, organized by category, with implementation guidance, evidence requirements, and typical timelines.

How to Use This Checklist

Status Indicators:

  • Not Started
  • [P] Planning
  • [I] In Progress
  • [T] Testing/Validation
  • [C] Complete
  • [N/A] Not Applicable (document justification)

Priority Levels:

  • Critical: Required for basic security, compliance deadlines
  • High: Important for risk mitigation, certification requirements
  • Medium: Enhances security posture, best practice
  • Low: Nice-to-have, can defer to post-certification

Timeline Estimates:

  • Quick wins: 1-2 weeks
  • Short-term: 1-3 months
  • Medium-term: 3-6 months
  • Long-term: 6-12 months

Organizational Controls (A.5) - 37 Controls

A.5.1 - Policies for Information Security

  • Status: _____ Priority: Critical Timeline: 2-4 weeks
  • Tasks:
    • Draft Information Security Policy
    • Identify required topic-specific policies
    • Obtain management review and approval
    • Publish and communicate to all personnel
    • Obtain acknowledgment from personnel
    • Establish annual review schedule
  • Evidence:
    • Approved Information Security Policy (signed by CEO/management)
    • List of topic-specific policies
    • Communication records (emails, training completion)
    • Policy acknowledgment records
    • Review schedule documentation

A.5.2 - Information Security Roles and Responsibilities

  • Status: _____ Priority: Critical Timeline: 2-3 weeks
  • Tasks:
    • Define key security roles (CISO, asset owners, process owners)
    • Document responsibilities in RACI matrix
    • Update job descriptions with security responsibilities
    • Communicate roles to organization
    • Obtain acknowledgment of responsibilities
  • Evidence:
    • Roles and responsibilities document
    • RACI matrix
    • Updated job descriptions
    • Organizational chart showing security roles
    • Communication and acknowledgment records

A.5.3 - Segregation of Duties

  • Status: _____ Priority: High Timeline: 4-6 weeks
  • Tasks:
    • Identify conflicting duties
    • Document segregation requirements
    • Implement technical controls (RBAC, approval workflows)
    • Document compensating controls where separation not possible
    • Review access rights for conflicts
  • Evidence:
    • Segregation of duties policy/requirements
    • Access control configuration
    • Conflicting duties analysis
    • Compensating controls documentation
    • Regular access reviews showing no conflicts

A.5.4 - Management Responsibilities

  • Status: _____ Priority: Critical Timeline: Ongoing
  • Tasks:
    • Document management security responsibilities
    • Obtain management commitment
    • Establish management review process
    • Define reporting structure to management
    • Schedule regular management reviews
  • Evidence:
    • Management commitment statement
    • Management responsibilities documented in policy
    • Management review meeting minutes
    • Management decision records

A.5.5 - Contact with Authorities

  • Status: _____ Priority: Medium Timeline: 1-2 weeks
  • Tasks:
    • Identify relevant authorities (regulators, law enforcement)
    • Document contact information
    • Establish communication protocols
    • Test notification procedures
  • Evidence:
    • Contact list with details
    • Communication protocols
    • Test records (tabletop exercise)

A.5.6 - Contact with Special Interest Groups

  • Status: _____ Priority: Low Timeline: 2-4 weeks
  • Tasks:
    • Identify relevant security groups and forums
    • Join relevant organizations (ISACs, professional groups)
    • Document contacts and membership
    • Participate in information sharing
  • Evidence:
    • List of memberships and contacts
    • Membership confirmation
    • Information sharing records

A.5.7 - Threat Intelligence

  • Status: _____ Priority: High Timeline: 4-8 weeks
  • Tasks:
    • Identify threat intelligence sources
    • Subscribe to relevant feeds
    • Implement threat intelligence platform (if needed)
    • Establish analysis and dissemination process
    • Integrate threat intelligence into security operations
  • Evidence:
    • List of threat intelligence sources
    • Threat intelligence reports
    • Integration with security tools (SIEM, IDS)
    • Threat briefings to stakeholders

A.5.8 - Information Security in Project Management

  • Status: _____ Priority: High Timeline: 4-6 weeks
  • Tasks:
    • Integrate security into project methodology
    • Define security checkpoints in project lifecycle
    • Create security requirements templates
    • Train project managers on security integration
    • Establish project security review process
  • Evidence:
    • Updated project management methodology
    • Security checkpoint templates
    • Project documentation showing security integration
    • Training records

A.5.9 - Inventory of Information and Assets

  • Status: _____ Priority: Critical Timeline: 6-12 weeks
  • Tasks:
    • Define asset categories
    • Create asset inventory template
    • Conduct asset discovery and inventory
    • Assign asset owners
    • Classify assets
    • Establish inventory update process
  • Evidence:
    • Comprehensive asset inventory
    • Asset ownership assignments
    • Asset classification records
    • Inventory maintenance procedures

A.5.10 - Acceptable Use of Information and Assets

  • Status: _____ Priority: Critical Timeline: 2-3 weeks
  • Tasks:
    • Draft Acceptable Use Policy
    • Define permitted and prohibited uses
    • Obtain management approval
    • Communicate to all personnel
    • Obtain acknowledgment
    • Implement monitoring controls
  • Evidence:
    • Approved Acceptable Use Policy
    • Communication records
    • Acknowledgment records (signed or electronic)
    • Monitoring logs

A.5.11 - Return of Assets

  • Status: _____ Priority: High Timeline: 2-3 weeks
  • Tasks:
    • Create asset return checklist
    • Integrate into termination process
    • Define asset return procedures
    • Implement tracking mechanism
    • Train HR on procedures
  • Evidence:
    • Asset return procedures
    • Return checklists (template)
    • Completed checklists from terminations
    • HR process documentation

A.5.12 - Classification of Information

  • Status: _____ Priority: Critical Timeline: 3-4 weeks
  • Tasks:
    • Define classification scheme (Public, Internal, Confidential, Restricted)
    • Create classification policy
    • Define handling requirements for each level
    • Train personnel on classification
    • Implement classification tools (if needed)
  • Evidence:
    • Information classification policy
    • Classification handling matrix
    • Training records
    • Classified documents showing labels

A.5.13 - Labelling of Information

  • Status: _____ Priority: Medium Timeline: 2-4 weeks
  • Tasks:
    • Define labeling procedures
    • Create labeling templates (headers, footers, watermarks)
    • Implement in document templates
    • Train personnel on labeling
    • Audit for compliance
  • Evidence:
    • Labeling procedures
    • Document templates with labels
    • Training records
    • Sample labeled documents

A.5.14 - Information Transfer

  • Status: _____ Priority: High Timeline: 3-4 weeks
  • Tasks:
    • Define information transfer policy
    • Identify approved transfer methods
    • Implement secure transfer mechanisms (encryption, secure file transfer)
    • Train personnel on secure transfer
    • Monitor transfers for compliance
  • Evidence:
    • Information transfer policy
    • Approved transfer methods list
    • Secure transfer tool configuration
    • Transfer logs

A.5.15 - Access Control

  • Status: _____ Priority: Critical Timeline: 4-6 weeks
  • Tasks:
    • Develop Access Control Policy
    • Define access control principles (least privilege, need-to-know)
    • Establish access request/approval process
    • Implement access review process
    • Document access control rules
  • Evidence:
    • Access Control Policy
    • Access request/approval procedures
    • Access review schedules and results
    • Access control matrix

A.5.16 - Identity Management

  • Status: _____ Priority: Critical Timeline: 6-12 weeks
  • Tasks:
    • Implement identity lifecycle management
    • Define provisioning/deprovisioning procedures
    • Implement identity management system (if needed)
    • Establish identity verification process
    • Integrate with HR processes
  • Evidence:
    • Identity management procedures
    • Identity lifecycle documentation
    • Provisioning/deprovisioning records
    • Identity management system configuration

A.5.17 - Authentication Information

  • Status: _____ Priority: Critical Timeline: 3-4 weeks
  • Tasks:
    • Define password policy (complexity, expiration, history)
    • Implement technical password controls
    • Define MFA requirements
    • Establish credential issuance/revocation process
    • Implement password management best practices
  • Evidence:
    • Password policy
    • System configuration showing policy enforcement
    • MFA implementation documentation
    • Authentication logs

A.5.18 - Access Rights

  • Status: _____ Priority: Critical Timeline: Ongoing
  • Tasks:
    • Document access rights procedures
    • Implement access request workflow
    • Establish regular access reviews (quarterly)
    • Define access modification/removal process
    • Implement automated provisioning (if possible)
  • Evidence:
    • Access rights procedures
    • Access request/approval records
    • Access review reports
    • Audit logs showing access changes

A.5.19-23 - Supplier Controls

  • Status: _____ Priority: High Timeline: 8-12 weeks
  • Tasks:
    • Identify critical suppliers
    • Define supplier security requirements
    • Update supplier contracts with security clauses
    • Conduct supplier risk assessments
    • Monitor supplier performance
    • Define cloud service security requirements
  • Evidence:
    • Supplier security policy
    • Supplier agreements with security clauses
    • Supplier risk assessments
    • Supplier performance reviews
    • Cloud service security documentation

A.5.24-28 - Incident Management Controls

  • Status: _____ Priority: Critical Timeline: 6-8 weeks
  • Tasks:
    • Develop Incident Response Policy and Plan
    • Define incident categories and severity levels
    • Establish incident response team
    • Implement incident logging and tracking system
    • Define incident response procedures
    • Establish evidence collection procedures
    • Conduct incident response training and testing
  • Evidence:
    • Incident Response Policy and Plan
    • Incident response procedures
    • Incident response team roster
    • Incident logging system
    • Incident records (if any incidents occurred)
    • Tabletop exercise results
    • Evidence collection procedures

A.5.29-30 - Business Continuity Controls

  • Status: _____ Priority: Critical Timeline: 8-12 weeks
  • Tasks:
    • Conduct Business Impact Analysis (BIA)
    • Define RTO/RPO requirements
    • Develop Business Continuity Plans
    • Develop Disaster Recovery Plans
    • Ensure ICT continuity readiness
    • Test BC/DR plans
    • Document lessons learned from tests
  • Evidence:
    • Business Impact Analysis
    • Business Continuity Policy
    • Business Continuity Plans
    • Disaster Recovery Plans
    • BC/DR test results
    • Post-test review reports

A.5.31-34 - Compliance Controls

  • Status: _____ Priority: Critical Timeline: 4-6 weeks
  • Tasks:
    • Identify legal, regulatory, contractual requirements
    • Document compliance requirements
    • Implement intellectual property protection
    • Establish records management
    • Implement privacy controls (GDPR, etc.)
    • Define compliance monitoring process
  • Evidence:
    • Legal requirements register
    • Compliance documentation
    • IP protection procedures
    • Records management policy
    • Privacy impact assessments
    • Compliance audit reports

A.5.35-37 - Review and Documentation Controls

  • Status: _____ Priority: High Timeline: Ongoing
  • Tasks:
    • Establish independent review process
    • Define review schedule (annual minimum)
    • Conduct compliance reviews
    • Document operating procedures
    • Maintain documented information
  • Evidence:
    • Independent review reports
    • Review schedule
    • Compliance review results
    • Documented operating procedures
    • Document control records

People Controls (A.6) - 8 Controls

A.6.1 - Screening

  • Status: _____ Priority: Critical Timeline: 2-3 weeks
  • Tasks:
    • Define screening requirements by role
    • Establish background check procedures
    • Partner with screening vendor
    • Integrate into hiring process
    • Document screening results (securely)
  • Evidence:
    • Screening policy and procedures
    • Background check records (stored securely)
    • Vendor agreement
    • HR process documentation

A.6.2 - Terms and Conditions of Employment

  • Status: _____ Priority: Critical Timeline: 2-4 weeks
  • Tasks:
    • Update employment agreements with security clauses
    • Include confidentiality obligations
    • Define security responsibilities
    • Include acceptable use acknowledgment
    • Update contractor agreements similarly
  • Evidence:
    • Updated employment agreement template
    • Signed employment agreements
    • Contractor agreement templates
    • New hire acknowledgment records

A.6.3 - Information Security Awareness, Education and Training

  • Status: _____ Priority: Critical Timeline: 6-8 weeks
  • Tasks:
    • Develop security awareness program
    • Create new hire security training
    • Develop annual security refresher training
    • Implement phishing simulation program
    • Define role-specific training requirements
    • Implement training tracking system
    • Measure training effectiveness
  • Evidence:
    • Security awareness program plan
    • Training materials
    • Training completion records
    • Phishing simulation results
    • Training effectiveness metrics

A.6.4 - Disciplinary Process

  • Status: _____ Priority: Medium Timeline: 2-3 weeks
  • Tasks:
    • Define disciplinary process for security violations
    • Document violation categories and consequences
    • Train managers on process
    • Integrate with HR disciplinary procedures
    • Ensure legal compliance
  • Evidence:
    • Disciplinary process documentation
    • Integration with HR procedures
    • Training records for managers
    • Disciplinary records (anonymized examples if available)

A.6.5 - Responsibilities After Termination

  • Status: _____ Priority: High Timeline: 2-3 weeks
  • Tasks:
    • Document post-employment obligations
    • Update employment agreements
    • Include in exit process
    • Define enforcement mechanisms
    • Train HR on post-employment obligations
  • Evidence:
    • Post-employment obligations documentation
    • Updated employment agreements
    • Exit checklist including obligations review
    • HR training records

A.6.6 - Confidentiality or Non-Disclosure Agreements

  • Status: _____ Priority: Critical Timeline: 2-3 weeks
  • Tasks:
    • Create NDA templates (employee, contractor, third-party)
    • Implement NDA signing process
    • Maintain NDA registry
    • Define NDA renewal process
    • Establish NDA enforcement procedures
  • Evidence:
    • NDA templates
    • Signed NDAs
    • NDA registry/tracking system
    • Process documentation

A.6.7 - Remote Working

  • Status: _____ Priority: High Timeline: 4-6 weeks
  • Tasks:
    • Develop Remote Working Policy
    • Define remote access security requirements
    • Implement VPN with MFA
    • Establish endpoint security requirements
    • Define home network security guidelines
    • Train remote workers on security
  • Evidence:
    • Remote Working Policy
    • VPN configuration and logs
    • Endpoint security compliance reports
    • Remote worker training records

A.6.8 - Information Security Event Reporting

  • Status: _____ Priority: Critical Timeline: 2-4 weeks
  • Tasks:
    • Establish event reporting channels
    • Define what to report
    • Create reporting procedures
    • Implement reporting mechanism (email, hotline, portal)
    • Train personnel on reporting
    • Promote reporting culture
  • Evidence:
    • Event reporting procedures
    • Reporting channel documentation
    • Training materials and records
    • Event reports received

Physical Controls (A.7) - 14 Controls

A.7.1 - Physical Security Perimeters

  • Status: _____ Priority: High Timeline: Varies by facility
  • Tasks:
    • Define security perimeters
    • Implement physical barriers (fences, walls)
    • Install access control at entry points
    • Implement perimeter monitoring (CCTV)
    • Define different security zones
  • Evidence:
    • Facility security plan
    • Perimeter security photos/diagrams
    • Access control system configuration
    • CCTV system documentation

A.7.2 - Physical Entry

  • Status: _____ Priority: Critical Timeline: 4-8 weeks
  • Tasks:
    • Implement badge access system
    • Define access levels
    • Establish visitor management process
    • Implement entry logging
    • Train security/reception staff
  • Evidence:
    • Badge access system configuration
    • Access level definitions
    • Visitor management procedures
    • Visitor logs
    • Entry/exit logs

A.7.3 - Securing Offices, Rooms and Facilities

  • Status: _____ Priority: High Timeline: 4-8 weeks
  • Tasks:
    • Secure server rooms and data centers
    • Lock network equipment closets
    • Secure backup media storage
    • Implement office security measures
    • Control access to sensitive areas
  • Evidence:
    • Facility security assessment
    • Lock inventory
    • Access control configuration
    • Photos of secured areas
    • Key/access card distribution records

A.7.4 - Physical Security Monitoring

  • Status: _____ Priority: High Timeline: 6-12 weeks
  • Tasks:
    • Install CCTV system
    • Implement intrusion detection
    • Configure access logging
    • Establish monitoring procedures
    • Define incident response for physical security
  • Evidence:
    • CCTV system documentation
    • Intrusion detection system configuration
    • Access logs
    • Monitoring procedures
    • Physical security incident records

A.7.5 - Protecting Against Physical and Environmental Threats

  • Status: _____ Priority: Critical Timeline: Varies
  • Tasks:
    • Conduct facility risk assessment
    • Implement fire detection and suppression
    • Install environmental monitoring (temperature, humidity, water)
    • Implement power protection (UPS, generator)
    • Establish emergency procedures
  • Evidence:
    • Facility risk assessment
    • Fire suppression system documentation
    • Environmental monitoring reports
    • UPS/generator test records
    • Emergency procedures

A.7.6 - Working in Secure Areas

  • Status: _____ Priority: Medium Timeline: 2-3 weeks
  • Tasks:
    • Define secure area procedures
    • Implement access logging for secure areas
    • Train personnel on secure area rules
    • Establish escort requirements
    • Monitor compliance
  • Evidence:
    • Secure area procedures
    • Access logs for secure areas
    • Training records
    • Compliance audit results

A.7.7 - Clear Desk and Clear Screen

  • Status: _____ Priority: Medium Timeline: 2-4 weeks
  • Tasks:
    • Develop Clear Desk and Clear Screen Policy
    • Implement automatic screen lock
    • Provide secure storage (locked drawers, cabinets)
    • Provide shred bins
    • Train personnel on policy
    • Conduct compliance checks
  • Evidence:
    • Clear Desk and Clear Screen Policy
    • Screen lock configuration (GPO or MDM)
    • Photos of compliant workspaces
    • Training records
    • Compliance check results

A.7.8 - Equipment Siting and Protection

  • Status: _____ Priority: Medium Timeline: 2-4 weeks
  • Tasks:
    • Assess equipment placement
    • Secure critical equipment
    • Implement cable management
    • Provide equipment locks
    • Protect against environmental threats
  • Evidence:
    • Equipment placement guidelines
    • Photos of properly sited equipment
    • Cable management documentation
    • Equipment lock inventory

A.7.9 - Security of Assets Off-Premises

  • Status: _____ Priority: High Timeline: 3-4 weeks
  • Tasks:
    • Define off-premises asset security requirements
    • Implement full disk encryption on mobile devices
    • Establish asset tracking (check-out/check-in)
    • Train personnel on securing off-premises assets
    • Implement remote wipe capability
  • Evidence:
    • Off-premises asset policy
    • Encryption compliance reports
    • Asset tracking records
    • Training records
    • MDM configuration

A.7.10 - Storage Media

  • Status: _____ Priority: High Timeline: 3-4 weeks
  • Tasks:
    • Define storage media handling procedures
    • Implement media classification and labeling
    • Establish secure media storage
    • Define media transportation procedures
    • Establish media disposal procedures
  • Evidence:
    • Media handling procedures
    • Media inventory
    • Storage facility documentation
    • Transportation records
    • Disposal records/certificates

A.7.11 - Supporting Utilities

  • Status: _____ Priority: Critical Timeline: Varies
  • Tasks:
    • Ensure UPS protection for critical systems
    • Install and test generator
    • Implement redundant HVAC
    • Ensure redundant network connectivity
    • Test utility failover procedures
  • Evidence:
    • UPS documentation and test records
    • Generator test logs
    • HVAC maintenance records
    • Network redundancy documentation
    • Failover test results

A.7.12 - Cabling Security

  • Status: _____ Priority: Medium Timeline: Varies
  • Tasks:
    • Assess cabling security
    • Protect data cables from interception
    • Separate power and data cables
    • Label cables appropriately
    • Secure cable access points
  • Evidence:
    • Cabling security assessment
    • Cable routing documentation
    • Photos of cable protection measures
    • Cable labeling standards

A.7.13 - Equipment Maintenance

  • Status: _____ Priority: High Timeline: Ongoing
  • Tasks:
    • Establish maintenance schedules
    • Define maintenance procedures
    • Vet maintenance vendors
    • Require NDAs from vendors
    • Supervise maintenance activities
    • Document all maintenance
  • Evidence:
    • Maintenance schedule
    • Maintenance procedures
    • Vendor agreements
    • Maintenance logs
    • Vendor NDA records

A.7.14 - Secure Disposal or Re-use of Equipment

  • Status: _____ Priority: Critical Timeline: 2-3 weeks
  • Tasks:
    • Define disposal procedures
    • Implement data wiping for reuse
    • Partner with certified disposal vendor
    • Establish media destruction requirements
    • Obtain certificates of destruction
  • Evidence:
    • Disposal procedures
    • Data wiping procedures/software
    • Disposal vendor certification
    • Certificates of destruction
    • Disposal logs

Technological Controls (A.8) - 34 Controls

A.8.1 - User Endpoint Devices

  • Status: _____ Priority: Critical Timeline: 8-12 weeks
  • Tasks:
    • Deploy endpoint protection (AV/EDR)
    • Implement full disk encryption
    • Configure automatic updates
    • Implement mobile device management (MDM/MAM)
    • Establish endpoint security baseline
    • Monitor endpoint compliance
  • Evidence:
    • Endpoint protection deployment reports
    • Encryption compliance reports
    • MDM configuration and enrollment reports
    • Endpoint security baseline documentation
    • Compliance monitoring reports

A.8.2 - Privileged Access Rights

  • Status: _____ Priority: Critical Timeline: 6-10 weeks
  • Tasks:
    • Implement privileged access management (PAM)
    • Require separate privileged accounts
    • Implement credential vaulting
    • Enable privileged session recording
    • Conduct regular privileged access reviews
  • Evidence:
    • PAM system configuration
    • Privileged account inventory
    • Session recordings
    • Privileged access review reports

A.8.3 - Information Access Restriction

  • Status: _____ Priority: Critical Timeline: Ongoing
  • Tasks:
    • Implement role-based access control
    • Configure network access control (NAC)
    • Establish least privilege access
    • Implement application access controls
    • Regular access reviews
  • Evidence:
    • RBAC configuration
    • NAC system documentation
    • Access control matrices
    • Access review reports

A.8.4 - Access to Source Code

  • Status: _____ Priority: High Timeline: 4-6 weeks
  • Tasks:
    • Implement source code repository access controls
    • Require code review/approval for production
    • Restrict access to production deployment
    • Enable audit logging for code repositories
    • Protect source code backups
  • Evidence:
    • Repository access control configuration
    • Code review workflow
    • Deployment approval records
    • Repository audit logs

A.8.5 - Secure Authentication

  • Status: _____ Priority: Critical Timeline: 6-12 weeks
  • Tasks:
    • Implement multi-factor authentication (MFA)
    • Enforce strong password policy
    • Implement single sign-on (SSO) where appropriate
    • Use secure password storage (hashing, salting)
    • Monitor authentication logs
  • Evidence:
    • MFA deployment reports
    • Password policy configuration
    • SSO implementation documentation
    • Authentication logs

A.8.6 - Capacity Management

  • Status: _____ Priority: High Timeline: 4-6 weeks
  • Tasks:
    • Implement resource monitoring
    • Define capacity thresholds and alerts
    • Conduct capacity planning
    • Document capacity trends
    • Plan for capacity expansion
  • Evidence:
    • Monitoring system configuration
    • Capacity reports and trends
    • Capacity planning documents
    • Alert configurations

A.8.7 - Protection Against Malware

  • Status: _____ Priority: Critical Timeline: 4-8 weeks
  • Tasks:
    • Deploy antivirus/anti-malware on all endpoints
    • Implement email security gateway
    • Enable web filtering
    • Configure automatic updates for malware signatures
    • Establish malware response procedures
  • Evidence:
    • Antivirus deployment and update reports
    • Email security gateway configuration
    • Web filtering policy
    • Malware incident records

A.8.8 - Management of Technical Vulnerabilities

  • Status: _____ Priority: Critical Timeline: 6-10 weeks
  • Tasks:
    • Implement vulnerability scanning
    • Subscribe to vulnerability notifications
    • Define patch management process
    • Establish patch deployment timelines
    • Test patches before production deployment
    • Track patching compliance
  • Evidence:
    • Vulnerability scan reports
    • Patch management procedures
    • Patch deployment records
    • Patching compliance reports

A.8.9 - Configuration Management

  • Status: _____ Priority: High Timeline: 8-12 weeks
  • Tasks:
    • Define configuration baselines
    • Implement configuration management tools
    • Monitor configuration drift
    • Establish configuration change control
    • Document configuration standards
  • Evidence:
    • Configuration baseline documentation
    • Configuration management system documentation
    • Drift detection reports
    • Configuration change records

A.8.10 - Information Deletion

  • Status: _____ Priority: Medium Timeline: 3-4 weeks
  • Tasks:
    • Define data retention requirements
    • Implement secure deletion procedures
    • Establish deletion schedules
    • Verify deletion effectiveness
    • Document deletion activities
  • Evidence:
    • Data retention policy
    • Deletion procedures
    • Deletion logs
    • Verification test results

A.8.11 - Data Masking

  • Status: _____ Priority: Medium Timeline: 6-10 weeks
  • Tasks:
    • Identify data requiring masking
    • Implement data masking for non-production environments
    • Establish masking rules and procedures
    • Validate masking effectiveness
  • Evidence:
    • Data masking policy
    • Masking tool configuration
    • Masked data samples
    • Validation test results

A.8.12 - Data Leakage Prevention

  • Status: _____ Priority: High Timeline: 8-16 weeks
  • Tasks:
    • Implement DLP solution
    • Define DLP policies
    • Deploy DLP agents to endpoints
    • Configure network DLP
    • Monitor and tune DLP alerts
  • Evidence:
    • DLP system configuration
    • DLP policies
    • DLP deployment reports
    • DLP alert and incident logs

A.8.13 - Information Backup

  • Status: _____ Priority: Critical Timeline: 6-10 weeks
  • Tasks:
    • Define backup requirements (what, when, how often)
    • Implement backup solution
    • Configure backup schedules
    • Encrypt backups
    • Store backups off-site
    • Test restore procedures regularly
  • Evidence:
    • Backup policy
    • Backup configuration
    • Backup logs
    • Restore test results
    • Off-site storage documentation

A.8.14 - Redundancy of Information Processing Facilities

  • Status: _____ Priority: High Timeline: 12-24 weeks
  • Tasks:
    • Identify critical systems requiring redundancy
    • Implement server redundancy (clustering, failover)
    • Implement storage redundancy (RAID, replication)
    • Implement network redundancy
    • Test failover procedures
  • Evidence:
    • Redundancy architecture documentation
    • Redundancy configuration
    • Failover test results
    • RTO/RPO documentation

A.8.15 - Logging

  • Status: _____ Priority: Critical Timeline: 6-10 weeks
  • Tasks:
    • Define logging requirements
    • Enable logging on all critical systems
    • Implement centralized log collection (SIEM)
    • Protect log integrity
    • Define log retention periods
    • Establish log review process
  • Evidence:
    • Logging policy
    • System logging configurations
    • SIEM configuration
    • Log retention documentation
    • Log review reports

A.8.16 - Monitoring Activities

  • Status: _____ Priority: Critical Timeline: 8-16 weeks
  • Tasks:
    • Implement security monitoring (SIEM, IDS/IPS)
    • Define monitoring use cases and alerts
    • Establish SOC or monitoring procedures
    • Integrate threat intelligence
    • Respond to alerts
  • Evidence:
    • Monitoring system configuration
    • Use cases and alert rules
    • SOC procedures
    • Alert and incident logs
    • Threat intelligence integration

A.8.17 - Clock Synchronization

  • Status: _____ Priority: Medium Timeline: 2-3 weeks
  • Tasks:
    • Implement NTP infrastructure
    • Configure all systems to use NTP
    • Verify time synchronization
    • Monitor time drift
  • Evidence:
    • NTP configuration
    • Time synchronization reports
    • System time logs

A.8.18 - Use of Privileged Utility Programs

  • Status: _____ Priority: Medium Timeline: 3-4 weeks
  • Tasks:
    • Identify privileged utility programs
    • Restrict access to utilities
    • Log use of utilities
    • Review utility usage
  • Evidence:
    • Privileged utility inventory
    • Access restrictions configuration
    • Utility usage logs
    • Usage review reports

A.8.19 - Installation of Software on Operational Systems

  • Status: _____ Priority: High Timeline: 4-6 weeks
  • Tasks:
    • Define software installation policy
    • Restrict installation privileges
    • Implement application whitelisting/control
    • Require approval for software installation
    • Maintain software inventory
  • Evidence:
    • Software installation policy
    • Application control configuration
    • Software approval records
    • Software inventory

A.8.20 - Networks Security

  • Status: _____ Priority: Critical Timeline: 8-12 weeks
  • Tasks:
    • Implement network segmentation
    • Deploy firewalls between segments
    • Configure network access control
    • Implement intrusion detection/prevention
    • Harden network devices
  • Evidence:
    • Network architecture diagrams
    • Firewall configurations and rule sets
    • IDS/IPS configuration
    • Network device hardening standards

A.8.21 - Security of Network Services

  • Status: _____ Priority: High Timeline: 6-10 weeks
  • Tasks:
    • Identify network services
    • Define security requirements for each service
    • Implement service-level agreements
    • Monitor network service security
    • Review and update regularly
  • Evidence:
    • Network services inventory
    • Service security requirements
    • SLAs with security provisions
    • Monitoring reports

A.8.22 - Segregation of Networks

  • Status: _____ Priority: High Timeline: 8-12 weeks
  • Tasks:
    • Design network segregation architecture
    • Implement VLANs or physical separation
    • Configure inter-segment firewalls
    • Test network segregation
    • Document network zones
  • Evidence:
    • Network segregation architecture
    • VLAN configuration
    • Firewall rules between segments
    • Network zone documentation
    • Segregation test results

A.8.23 - Web Filtering

  • Status: _____ Priority: Medium Timeline: 4-6 weeks
  • Tasks:
    • Implement web filtering solution
    • Define acceptable use categories
    • Configure filtering policies
    • Monitor web usage
    • Review and update filters
  • Evidence:
    • Web filtering configuration
    • Filtering policy
    • Web usage reports
    • Policy update records

A.8.24 - Use of Cryptography

  • Status: _____ Priority: Critical Timeline: 6-10 weeks
  • Tasks:
    • Develop cryptography policy
    • Define approved algorithms and key lengths
    • Implement encryption for data in transit (TLS)
    • Implement encryption for data at rest
    • Establish key management procedures
  • Evidence:
    • Cryptography policy
    • Encryption configuration
    • Certificate management records
    • Key management procedures

A.8.25 - Secure Development Lifecycle

  • Status: _____ Priority: High Timeline: 8-16 weeks
  • Tasks:
    • Define secure SDLC
    • Integrate security into each SDLC phase
    • Establish security requirements gathering
    • Implement threat modeling
    • Define secure coding standards
    • Establish code review process
  • Evidence:
    • Secure SDLC documentation
    • Security requirements templates
    • Threat modeling records
    • Secure coding standards
    • Code review records

A.8.26 - Application Security Requirements

  • Status: _____ Priority: High Timeline: 4-6 weeks
  • Tasks:
    • Define application security requirements
    • Create security requirements checklist
    • Incorporate into project initiation
    • Validate requirements during development
    • Test requirements before deployment
  • Evidence:
    • Application security requirements document
    • Security requirements checklist
    • Project documentation showing requirements
    • Security testing results

A.8.27 - Secure System Architecture and Engineering

  • Status: _____ Priority: High Timeline: Ongoing
  • Tasks:
    • Define secure architecture principles
    • Conduct architecture reviews
    • Implement defense in depth
    • Document security architecture
    • Review architecture regularly
  • Evidence:
    • Secure architecture principles
    • Architecture review records
    • Architecture diagrams
    • Security architecture documentation

A.8.28 - Secure Coding

  • Status: _____ Priority: High Timeline: 4-8 weeks
  • Tasks:
    • Develop secure coding standards
    • Train developers on secure coding
    • Implement SAST tools
    • Conduct security code reviews
    • Track and remediate vulnerabilities
  • Evidence:
    • Secure coding standards
    • Developer training records
    • SAST tool configuration and reports
    • Code review records
    • Vulnerability remediation tracking

A.8.29 - Security Testing in Development and Acceptance

  • Status: _____ Priority: High Timeline: 6-10 weeks
  • Tasks:
    • Define security testing requirements
    • Implement SAST/DAST tools
    • Conduct penetration testing
    • Define security acceptance criteria
    • Verify security testing before production
  • Evidence:
    • Security testing procedures
    • SAST/DAST tool reports
    • Penetration test reports
    • Security acceptance test results

A.8.30 - Outsourced Development

  • Status: _____ Priority: Medium Timeline: Ongoing
  • Tasks:
    • Define security requirements for outsourced development
    • Include security in vendor contracts
    • Conduct security reviews of outsourced code
    • Require security testing
    • Verify vendor compliance
  • Evidence:
    • Vendor security requirements
    • Vendor contracts with security clauses
    • Code review results
    • Vendor security test reports

A.8.31 - Separation of Development, Test and Production

  • Status: _____ Priority: High Timeline: 4-8 weeks
  • Tasks:
    • Separate development, test, and production environments
    • Implement different access controls for each
    • Use non-production data in dev/test
    • Establish promotion procedures
    • Document environment separation
  • Evidence:
    • Environment architecture documentation
    • Access control separation
    • Data masking for non-production
    • Promotion procedures
    • Environment diagrams

A.8.32 - Change Management

  • Status: _____ Priority: Critical Timeline: 6-10 weeks
  • Tasks:
    • Define change management process
    • Implement change request/approval workflow
    • Establish change advisory board (CAB)
    • Require testing before production changes
    • Document all changes
  • Evidence:
    • Change management procedures
    • Change request/approval records
    • CAB meeting minutes
    • Change logs
    • Post-implementation reviews

A.8.33 - Test Information

  • Status: _____ Priority: Medium Timeline: 4-6 weeks
  • Tasks:
    • Define test data requirements
    • Prohibit production data in test (unless masked)
    • Implement data masking for test data
    • Protect test data appropriately
    • Delete test data when no longer needed
  • Evidence:
    • Test data policy
    • Data masking procedures
    • Test data protection controls
    • Test data deletion records

A.8.34 - Protection of Information Systems During Audit Testing

  • Status: _____ Priority: Medium Timeline: 2-3 weeks
  • Tasks:
    • Define audit testing procedures
    • Minimize audit impact on production
    • Require audit planning and approval
    • Monitor audit activities
    • Document audit test results
  • Evidence:
    • Audit testing procedures
    • Audit test plans and approvals
    • Audit activity logs
    • Audit test reports

Implementation Timeline Summary

Months 1-3: Critical Foundation

Focus: Governance, policies, access control, endpoint protection, backups

Week 1-4:

  • Information Security Policy
  • Roles and responsibilities
  • Asset inventory (start)
  • Acceptable Use Policy
  • Data classification policy

Week 5-8:

  • Access Control Policy
  • Identity management
  • Password policy and MFA (start)
  • Employment agreements
  • NDA templates

Week 9-12:

  • Endpoint protection deployment
  • Disk encryption
  • Security awareness program (develop and launch)
  • Backup implementation
  • Incident Response Policy

Months 4-6: Core Security Controls

Focus: Physical security, network security, monitoring

Week 13-16:

  • Physical access control
  • Network segmentation
  • Firewall configuration
  • Logging and monitoring (SIEM deployment start)

Week 17-20:

  • Vulnerability management
  • Patch management
  • Remote access security (VPN, MFA)
  • Business continuity planning (BIA, plans)

Week 21-24:

  • DLP implementation (start)
  • Secure development procedures
  • Change management process
  • Compliance documentation

Months 7-9: Advanced Controls and Testing

Focus: Advanced technical controls, testing, optimization

Week 25-28:

  • PAM implementation
  • Advanced threat detection
  • Security testing (SAST/DAST)
  • Penetration testing

Week 29-32:

  • BC/DR testing
  • Incident response testing
  • Security awareness reinforcement
  • Control effectiveness testing

Week 33-36:

  • Gap analysis
  • Remediation of gaps
  • Documentation review
  • Internal audit preparation

Months 10-12: Audit Preparation and Certification

Focus: Internal audit, remediation, certification audit

Week 37-40:

  • Internal audit
  • Gap remediation
  • Evidence collection and organization
  • Management review

Week 41-44:

  • Final documentation review
  • Process testing and validation
  • Staff interviews preparation
  • Certification body selection

Week 45-48:

  • Stage 1 audit
  • Stage 1 findings remediation
  • Stage 2 audit preparation
  • Stage 2 audit

Week 49-52:

  • Final remediation (if needed)
  • Certification awarded
  • Celebration!
  • Plan for continuous improvement

Evidence Collection and Organization

Evidence Repository Structure

/ISO27001-Evidence
  /Policies
  /Procedures
  /Risk-Assessment
  /Asset-Inventory
  /Training-Records
  /Access-Reviews
  /Incident-Records
  /BC-DR-Testing
  /Audit-Logs
  /System-Configurations
  /Vendor-Agreements
  /Management-Reviews
  /Internal-Audits
  /Certifications

Evidence Best Practices

  • Maintain version control
  • Use consistent naming conventions
  • Store in secure, access-controlled location
  • Regular backups of evidence
  • Index for easy retrieval
  • Protect sensitive evidence appropriately
  • Keep evidence current
  • Document evidence collection dates

Pre-Audit Checklist

30 Days Before Audit:

  • All policies approved and published
  • All procedures documented
  • Evidence organized and indexed
  • Access reviews completed
  • Training records up to date
  • Risk assessment current
  • Incident log reviewed
  • Management review completed

14 Days Before Audit:

  • Conduct internal audit
  • Remediate any findings
  • Confirm all controls operational
  • Test key processes
  • Prepare staff for interviews
  • Review Statement of Applicability
  • Ensure evidence accessibility

7 Days Before Audit:

  • Final evidence review
  • Confirm audit schedule with auditor
  • Prepare facilities and equipment
  • Brief all interviewees
  • Final management review
  • Resolve any last-minute issues

Success Factors

Critical Success Factors:

  1. Strong management support and commitment
  2. Adequate resources (budget, people, time)
  3. Clear project plan and timeline
  4. Experienced ISMS project manager
  5. Effective communication and training
  6. Focus on business alignment
  7. Pragmatic, risk-based approach
  8. Regular progress monitoring
  9. Early and frequent testing
  10. Continuous improvement mindset

Common Pitfalls to Avoid:

  1. Treating as IT project (it's organization-wide)
  2. Over-complicating processes
  3. Copying policies without customization
  4. Insufficient training and awareness
  5. Inadequate documentation
  6. Waiting until last minute for audit prep
  7. Ignoring operational realities
  8. Insufficient testing
  9. Poor evidence management
  10. Losing momentum after certification

Congratulations! You've completed Module 5: Control Implementation. You now have comprehensive guidance for implementing all 93 Annex A controls, from organizational policies to technical security measures. The next module will cover operational security and continuous improvement.

Complete this lesson

Earn +75 XP and progress to the next lesson

Previous

Physical Security Checklist

Next

Tech Controls Part 2 (A.8)