ISO 27001 Compliance Skill
Purpose
Ensures systems and processes comply with ISO 27001:2022 Information Security Management System (ISMS) requirements.
Rules
Key Controls for Web Applications
A.8.24 Use of Cryptography:
- •TLS 1.2+ for all communications
- •AES-256 for data at rest
- •Secure key management
A.8.25 Secure Development Life Cycle:
- •Security requirements in design
- •Code review processes
- •Security testing (SAST/DAST)
A.8.26 Application Security Requirements:
- •Input validation
- •Output encoding
- •Authentication and authorization
- •Session management
A.8.16 Monitoring Activities:
- •Security event logging
- •Log retention (90 days minimum)
- •Monitoring for anomalies
A.5.7 Threat Intelligence:
- •Vulnerability scanning
- •Threat intelligence feeds
- •Incident tracking
Documentation Requirements
MUST MAINTAIN:
- •Information Security Policy
- •Risk Assessment and Treatment Plan
- •Statement of Applicability (SoA)
- •Access Control Policy
- •Cryptographic Controls Policy
- •Incident Response Plan
- •Business Continuity Plan
- •Acceptable Use Policy
- •Data Classification Policy
Audit Preparation
MUST PROVIDE:
- •Evidence of control implementation
- •Logs and monitoring records
- •Incident records
- •Change management records
- •Risk assessments
- •Management review minutes
Related Policies
All ISMS policies at: https://github.com/Hack23/ISMS-PUBLIC