5 PROCEDURAL AND PEOPLE SECURITY CONTROLS

This chapter and those that follow cover ways of addressing information security risk, organised around the three main categories of operational risk control. This chapter discusses the controls that rely on procedures and people, and how to manage them with appropriate measures.

There are three main types of operational control:

  • Physical – for example, locks on doors and secure cabinets.
  • Product/technical – for example, passwords or encryption.
  • Procedural – for example, checking references for job applicants.

At the time of writing, the latest version of the ISO/IEC 27001 Annex A (Reference control objectives and controls) contains 114 controls within 13 functional groups, and this does ...
