| S/N | IT security domain | Security control measures | Information states | Control category (by nature) | Deterrent | Detective | Preventive | Corrective |
|---|---|---|---|---|---|---|---|---|
| 1 | Information security policy | Information security policy approved by the top executive or board of trustees, and in operation. | Capturing, Processing, Storage, Transmission | Administrative control | ✓ | ✓ | ✓ | ✓ |
| 2 | Organisation of information security | Chief Information Security Officer (CISO) or equivalent job responsibilities assigned. | Capturing, Processing, Storage, Transmission | Administrative control | ✓ | ✓ | ✓ | ✓ |
| 2 (a) | Internal organisation | Roles and responsibilities allocated to individuals. | Capturing, Processing, Storage, Transmission | Administrative control | ✓ | ✓ | ✓ | ✓ |
| 2 (b) | Mobile devices and teleworking | Policies and controls for mobile devices (such as laptops, tablet PCs and wearables). | Capturing, Processing, Storage, Transmission | Administrative control | ✓ | ✓ | ✓ | ✓ |
| 3 | Human resources security | Policy for human resources security in place. | Capturing, Processing, Storage, Transmission | Administrative control | ✓ | ✓ | ✓ | ✓ |
| 4 | Asset management | Asset management policy in place. | Capturing, Processing, Storage, Transmission | Administrative control | ✓ | ✓ | ✓ | ✓ |
| 4 (a) | Information classification and labelling | Information classified and labelled according to the protection it needs, and handled accordingly. | Capturing, Processing, Storage, Transmission | Administrative control | ✓ | ✓ | ✓ | ✓ |

The last four columns (Deterrent, Detective, Preventive, Corrective) classify each control relative to time, i.e. whether it acts before, during or after an incident; the "Control category (by nature)" column gives the control's type (administrative, technical or physical).