This section describes the 34 controls that relate mainly to IT security:
- Control 8.1 – User endpoint devices
- Control 8.2 – Privileged access rights
- Control 8.3 – Information access restriction
- Control 8.4 – Access to source code
- Control 8.5 – Secure authentication
- Control 8.6 – Capacity management
- Control 8.7 – Protection against malware
- Control 8.8 – Management of technical vulnerabilities
- Control 8.9 – Configuration management
- Control 8.10 – Information deletion
- Control 8.11 – Data masking
- Control 8.12 – Data leakage prevention
- Control 8.13 – Information backup
- Control 8.14 – Redundancy of information processing facilities
- Control 8.15 – Logging
- Control 8.16 – Monitoring activities
- Control 8.17 – Clock synchronization
- Control 8.18 – Use of privileged utility programs
- Control 8.19 – Installation of software on operational systems
- Control 8.20 – Networks security
- Control 8.21 – Security of network services
- Control 8.22 – Segregation of networks
- Control 8.23 – Web filtering
- Control 8.24 – Use of cryptography
- Control 8.25 – Secure development life cycle
- Control 8.26 – Application security requirements
- Control 8.27 – Secure system architecture and engineering principles
- Control 8.28 – Secure coding
- Control 8.29 – Security testing in development and acceptance
- Control 8.30 – Outsourced development
- Control 8.31 – Separation of development, test and production environments
- Control 8.32 – Change management
- Control 8.33 – Test information
- Control 8.34 – Protection of information systems during audit testing