bmad-plus 0.4.3 → 0.5.0

package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md

@@ -0,0 +1,181 @@
+# ISM — Control Applicability Framework
+
+Source: Australian Information Security Manual, March 2026 edition  
+Published by: Australian Signals Directorate (ASD)
+
+---
+
+## Classification Levels & Applicability Markings
+
+Each ISM control carries applicability markings indicating which system classification levels require that control.
+
+| Marking | Classification Level | Description |
+|---------|---------------------|-------------|
+| **NC** | Non-Classified | General government information; no formal protective marking required |
+| **OS** | OFFICIAL: Sensitive | Sensitive but unclassified; default baseline for most federal agency systems |
+| **P** | PROTECTED | Classified information; compromise could damage national/organisational interests |
+| **S** | SECRET | Highly sensitive; serious damage to national security if compromised |
+| **TS** | TOP SECRET | Exceptionally sensitive; grave damage to national security if compromised |
+
+### Stacking Rule
+Higher classification systems must implement **all controls for lower levels plus their own level**:
+- NC system → NC controls only
+- OS system → NC + OS controls
+- PROTECTED system → NC + OS + P controls
+- SECRET system → NC + OS + P + S controls
+- TOP SECRET system → NC + OS + P + S + TS controls
+
+---
+
+## Risk-Based Control Selection Process
+
+The ISM does not mandate a one-size-fits-all approach. The selection process:
+
+1. **Determine system classification** based on the highest sensitivity of information the system stores, processes, or communicates
+2. **Define security objectives** — identify CIA (Confidentiality, Integrity, Availability) requirements
+3. **Select baseline controls** using applicability markings
+4. **Tailor controls** — add controls for specific threats; document exclusions with risk justification
+5. **Document in SSP** — all selected controls, exclusions, and justifications must be recorded in the System Security Plan
+
+---
+
+## System Security Plan (SSP) — Required Content
+
+The SSP is the primary authorisation artefact. It must include:
+
+| Section | Content |
+|---------|---------|
+| System overview | Name, owner, purpose, environment |
+| System boundary | What is in scope (hardware, software, interfaces) |
+| Classification level | Highest classification handled |
+| Security objectives | Confidentiality, Integrity, Availability ratings (High/Medium/Low) |
+| Control selection | All applicable ISM controls with applicability justification |
+| Implemented controls | Evidence of implementation for each control |
+| Excluded controls | Controls not implemented with documented risk acceptance |
+| Risk register | Identified risks, likelihood, impact, treatment |
+| Authorisation | Authorising Official signature and date |
+| Review schedule | Next review date (minimum: every 24 months or after significant change) |
+
+---
+
+## IRAP Assessment Requirements
+
+### Who Needs an IRAP Assessment?
+- **Mandatory**: Systems handling PROTECTED and above
+- **Strongly recommended**: Systems handling OFFICIAL: Sensitive
+- **Government policy**: Any system used to deliver government services to citizens
+
+### IRAP Assessor Requirements
+- Must be listed on the ASD IRAP Assessors Register
+- Must be independent of the system being assessed
+- Must have current ASD-recognised qualifications
+- Find assessors: https://www.cyber.gov.au/resources-business-and-government/assessment-and-evaluation-programs/irap/irap-assessors
+
+### Assessment Cycle
+- Initial assessment before system authorisation
+- Re-assessment every **24 months** (minimum)
+- Re-assessment required after **significant change** (major architecture change, new classification level, major new functionality)
+
+### IRAP Assessment Artefact Checklist
+- [ ] Current System Security Plan (SSP)
+- [ ] Network architecture diagrams
+- [ ] Asset register (hardware and software)
+- [ ] Risk register with current risk ratings
+- [ ] Policy suite (all security policies referenced in SSP)
+- [ ] Evidence of implemented controls (configuration screenshots, logs, test results)
+- [ ] Previous IRAP assessment report (if re-assessment)
+- [ ] Plan of Action & Milestones (POA&M) for any outstanding findings
+- [ ] Incident register (last 12 months)
+- [ ] Patch management reports
+
+---
+
+## Essential Eight — ISM Relationship
+
+The Essential Eight are **eight priority mitigation strategies** extracted from the broader ISM control set. They are not a separate standard but a prioritised subset.
+
+| Essential Eight Strategy | Primary ISM Chapter(s) | Notes |
+|-------------------------|----------------------|-------|
+| Application control (allow-listing) | Ch. 13 System Hardening | Prevents execution of unapproved software |
+| Patch applications | Ch. 14 System Management | Critical patches ≤14 days |
+| Configure Microsoft Office macros | Ch. 13 System Hardening | Restrict macro execution |
+| User application hardening | Ch. 13 System Hardening | Browser, Office, PDF hardening |
+| Restrict administrative privileges | Ch. 13 System Hardening, Ch. 6 Personnel | Least privilege, PAM |
+| Patch operating systems | Ch. 14 System Management | Critical OS patches ≤14 days |
+| Multi-factor authentication (MFA) | Ch. 6, Ch. 9, Ch. 19 | MFA for all remote access, privileged accounts |
+| Regular backups | Ch. 14 System Management | Tested, offline/offsite, 3-2-1 rule |
+
+### Essential Eight Maturity Levels
+
+| Level | Description | Who It Applies To |
+|-------|-------------|------------------|
+| **ML0** | Incomplete or ineffective implementation | Non-compliant |
+| **ML1** | Partially aligned; addresses targeted attacks | Minimum for small/low-risk organisations |
+| **ML2** | Mostly aligned; addresses sophisticated threats | ASD-recommended baseline for all government entities (2026 target) |
+| **ML3** | Fully aligned; addresses advanced persistent threats | Required for critical infrastructure and high-risk sectors |
+
+---
+
+## Patch Management SLAs (Chapter 14)
+
+| Patch Criticality | Maximum Remediation Timeframe |
+|------------------|------------------------------|
+| Critical (CVSS 9–10) | 48 hours for internet-facing; 14 days for internal |
+| High (CVSS 7–8.9) | 14 days |
+| Medium (CVSS 4–6.9) | 30 days |
+| Low (CVSS < 4) | Within next maintenance window |
+
+---
+
+## Approved Cryptographic Algorithms (Chapter 20)
+
+The ISM mandates ASD-approved algorithms. Key requirements for March 2026:
+
+| Use Case | Approved Algorithm(s) | Notes |
+|----------|----------------------|-------|
+| Symmetric encryption | AES-128 minimum (AES-256 for PROTECTED+) | |
+| Asymmetric encryption | RSA-2048 minimum; EC P-256 or above | RSA-4096 / P-384 for PROTECTED+ |
+| Hashing | SHA-256 minimum (SHA-384 for PROTECTED+) | MD5 and SHA-1 prohibited |
+| TLS | TLS 1.2 minimum; TLS 1.3 preferred | SSL and TLS 1.0/1.1 prohibited |
+| Key exchange | ECDH or DHE (2048-bit minimum) | Static DH prohibited |
+| SSH | SSH2 only; ED25519 or RSA-4096 | SSH1 prohibited |
+
+---
+
+## Log Retention Requirements (Chapter 15)
+
+| System Classification | Minimum Log Retention |
+|----------------------|----------------------|
+| NC | 12 months |
+| OFFICIAL: Sensitive | 18 months |
+| PROTECTED | 18 months |
+| SECRET / TOP SECRET | As directed by agency security policy (typically 7 years) |
+
+Logs must be stored in a tamper-evident manner, separate from the system being monitored.
+
+---
+
+## Key Differences: ISM vs ISO 27001
+
+| Aspect | ISM (ASD) | ISO 27001 |
+|--------|-----------|-----------|
+| Jurisdiction | Australia (government mandatory) | International (voluntary certification) |
+| Structure | 22 guideline chapters + individual controls | 10 clauses + 93 Annex A controls (2022) |
+| Assessment | IRAP (ASD-certified assessors) | Third-party certification bodies |
+| Classification | NC / OS / P / S / TS markings | Not classification-based |
+| Update cycle | Typically annually (March edition) | Major revision every ~7 years |
+| Audience | Government entities + supply chain | Any organisation |
+| Essential Eight | Subset of ISM; ASD-mandated for government | No direct equivalent |
+
+---
+
+## Useful Official References
+
+| Resource | URL |
+|----------|-----|
+| ISM (March 2026 PDF) | https://www.cyber.gov.au/sites/default/files/2026-03/Information%20security%20manual%20(March%202026).pdf |
+| ISM OSCAL releases | https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism/ism-oscal-releases |
+| IRAP Assessors Register | https://www.cyber.gov.au/resources-business-and-government/assessment-and-evaluation-programs/irap/irap-assessors |
+| Essential Eight | https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/essential-eight |
+| Essential Eight to ISM mapping | https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/essential-eight/essential-eight-maturity-model-and-ism-mapping |
+| ISM GitHub (OSCAL) | https://github.com/AustralianCyberSecurityCentre/ism-oscal |

package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md

@@ -0,0 +1,183 @@
+# ISM — 22 Guideline Chapters Overview
+
+Source: Australian Information Security Manual, March 2026 edition  
+Published by: Australian Signals Directorate (ASD)  
+URL: https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/ism
+
+---
+
+## Chapter Summary Table
+
+| # | Chapter | Domain | Key Control Areas |
+|---|---------|--------|------------------|
+| 1 | Cyber Security Roles | Governance | CISO appointment, security responsibilities, accountability structures, security culture |
+| 2 | Cyber Security Incidents | Detect/Respond | Incident definition, reporting obligations, response procedures, ASD notification |
+| 3 | Procurement & Outsourcing | Governance | Supply chain security, vendor assessment, cloud service security requirements |
+| 4 | Cyber Security Documentation | Governance | SSP, risk register, security policies, document classification and review |
+| 5 | Physical Security | Protect | Secure areas, physical access controls, equipment security, clean desk |
+| 6 | Personnel Security | Protect | Personnel screening, security clearances, user awareness, termination procedures |
+| 7 | Communications Infrastructure | Protect | Cabling, network zoning, physical comms protection, signal security |
+| 8 | Communications Systems | Protect | Voice systems, video conferencing, fax and messaging security |
+| 9 | Enterprise Mobility | Protect | Mobile devices, BYOD, remote access, mobile device management (MDM) |
+| 10 | Evaluated Products | Protect | Use of evaluated/certified products (Common Criteria, FIPS), cryptographic modules |
+| 11 | IT Equipment | Protect | Hardware procurement, asset register, equipment disposal, TEMPEST |
+| 12 | Media | Protect | Removable media controls, media sanitisation, media destruction |
+| 13 | System Hardening | Protect | OS hardening, application hardening, firmware security, least privilege |
+| 14 | System Management | Protect | Patch management, change management, backups, configuration management |
+| 15 | System Monitoring | Detect | Logging requirements, SIEM, anomaly detection, audit log retention |
+| 16 | Software Development | Protect | Secure SDLC, code review, dependency management, vulnerability disclosure |
+| 17 | Database Systems | Protect | Database hardening, access controls, encryption at rest, query controls |
+| 18 | Email | Protect | Email filtering, DMARC/SPF/DKIM, email content security, phishing controls |
+| 19 | Networking | Protect | Network segmentation, firewall rules, DNS security, VPN standards |
+| 20 | Cryptography | Protect | Approved algorithms, key management, PKI, TLS standards |
+| 21 | Gateways | Protect | Content filtering, data diodes, cross-domain solutions, proxy security |
+| 22 | Data Transfers | Protect | Approved transfer methods, data labelling, transfer logging |
+
+---
+
+## Chapter Detail
+
+### Chapter 1 — Cyber Security Roles
+- Organisations must appoint a Chief Information Security Officer (CISO) with appropriate authority
+- Security responsibilities must be defined across all levels of the organisation
+- A system owner must be designated for each ICT system
+- Key controls cover: CISO role definition, security advisor appointments, escalation paths
+
+### Chapter 2 — Cyber Security Incidents
+- Defines a cyber security incident as any actual or suspected compromise of a system's confidentiality, integrity, or availability
+- ASD must be notified of significant incidents — especially for systems handling PROTECTED and above
+- Response procedures must be documented and tested
+- Incident evidence must be preserved; post-incident reviews required
+- Key controls: incident categorisation, notification timelines, forensic preservation, lessons learned
+
+### Chapter 3 — Procurement & Outsourcing
+- All ICT procurement must consider cyber security requirements before purchase
+- Cloud services must be assessed for compliance with the ISM and ASD Cloud Security Guidance
+- Outsourced services must contractually require ISM-aligned security controls
+- Supply chain risks must be assessed and managed
+- Key controls: vendor security assessments, contract clauses, cloud service provider evaluation
+
+### Chapter 4 — Cyber Security Documentation
+- Every system must have a current System Security Plan (SSP) — the primary authorisation document
+- Risk registers must be maintained and reviewed
+- Security policies and procedures must be version-controlled, approved by management, and reviewed at least annually
+- Key documents: SSP, risk register, incident response plan, change management plan, business continuity plan
+
+### Chapter 5 — Physical Security
+- Secure areas must be established and access controlled
+- Visitors must be escorted in secure areas
+- Equipment must be protected from physical tampering
+- Clean desk and clear screen policies required
+- Key controls: physical access logs, secure area classifications, equipment labelling
+
+### Chapter 6 — Personnel Security
+- Personnel must be screened before access to sensitive systems
+- Security clearances must match the classification level of systems accessed
+- Security awareness training must be provided at onboarding and annually
+- Access must be revoked promptly on termination
+- Key controls: background checks, clearance validation, training records, offboarding checklist
+
+### Chapter 7 — Communications Infrastructure
+- Cabling must be protected from interception and damage
+- Network zones must be established with appropriate separation
+- Physical communications infrastructure in secure areas must be physically protected
+- Key controls: cable labelling, conduit requirements, zone separation
+
+### Chapter 8 — Communications Systems
+- Voice over IP (VoIP) and video conferencing systems must be secured
+- PSTN systems connected to secure networks require additional controls
+- Fax and messaging systems handling sensitive information must use approved encryption
+- Key controls: VoIP hardening, conferencing system security, messaging encryption
+
+### Chapter 9 — Enterprise Mobility
+- Mobile devices accessing government systems must be enrolled in an approved MDM solution
+- BYOD must be managed through containerisation or equivalent
+- Remote access must use approved VPN with MFA
+- Lost or stolen devices must be remotely wipeable
+- Key controls: MDM enrolment, remote wipe capability, MFA for remote access, mobile app vetting
+
+### Chapter 10 — Evaluated Products
+- Systems handling PROTECTED and above must use cryptographic products evaluated or approved by ASD
+- Common Criteria evaluated products are preferred for high-assurance environments
+- FIPS 140-2/3 validated modules required for classified cryptographic operations
+- Key controls: product evaluation requirements, cryptographic module validation
+
+### Chapter 11 — IT Equipment
+- All ICT equipment must be recorded in an asset register
+- Equipment must be disposed of securely (data sanitisation before disposal)
+- Equipment in sensitive areas may require TEMPEST certification
+- Key controls: asset register, equipment disposal procedures, TEMPEST assessment
+
+### Chapter 12 — Media
+- Removable media must be controlled and authorised
+- Media used in classified environments must be treated at the classification level of the system
+- Media must be sanitised (overwrite/degauss) or destroyed before disposal
+- Key controls: removable media register, sanitisation procedures, destruction certificates
+
+### Chapter 13 — System Hardening
+- Operating systems must be hardened before deployment (remove unnecessary services, disable default accounts)
+- Applications must be hardened (disable unused features, apply vendor hardening guides)
+- Firmware security settings must be configured (Secure Boot, BIOS passwords)
+- Least privilege must be enforced — no standing administrative access
+- Key controls: OS hardening checklists, application allow-listing, firmware configuration, privileged access management
+
+### Chapter 14 — System Management
+- Critical patches must be applied within defined timeframes (14 days for critical, 30 days for non-critical)
+- Change management must follow a documented and approved process
+- Backups must be tested regularly; backup media must be stored securely
+- Configuration management must track all changes to system baseline
+- Key controls: patch management SLAs, backup testing schedule, change approval process
+
+### Chapter 15 — System Monitoring
+- Centralised event logging must be implemented (SIEM or equivalent)
+- Log retention: minimum 18 months for systems handling PROTECTED and above
+- Anomalous events must trigger alerts and investigation
+- Privileged access and system changes must be logged
+- Key controls: log collection scope, retention periods, alerting thresholds, log integrity
+
+### Chapter 16 — Software Development
+- Software development must follow a secure Software Development Life Cycle (SDLC)
+- Code reviews and vulnerability testing required before deployment
+- Third-party dependencies must be tracked and patched
+- Vulnerability disclosure policy required for externally facing systems
+- Key controls: SDLC documentation, code review evidence, dependency scanning, pen testing
+
+### Chapter 17 — Database Systems
+- Databases must be hardened (remove default accounts, disable unnecessary features)
+- Access to databases must follow least privilege
+- Sensitive data at rest must be encrypted
+- Database activity must be logged
+- Key controls: database hardening checklist, access control matrix, encryption at rest, query logging
+
+### Chapter 18 — Email
+- Email gateways must implement DMARC, DKIM, and SPF
+- Email filtering must block malicious attachments and phishing content
+- Outbound emails containing sensitive information must be controlled
+- Key controls: DMARC policy (reject), DKIM signing, SPF records, gateway filtering logs
+
+### Chapter 19 — Networking
+- Network segmentation must separate sensitive systems from general-purpose networks
+- Firewall rule sets must be documented, reviewed, and audited
+- DNS security extensions (DNSSEC) recommended
+- VPNs must use approved encryption standards
+- Key controls: network architecture diagram, firewall rule review schedule, DNSSEC configuration
+
+### Chapter 20 — Cryptography
+- Only ASD-approved cryptographic algorithms must be used
+- TLS 1.2 minimum (TLS 1.3 preferred) for data in transit
+- Key management must follow documented procedures (generation, storage, rotation, destruction)
+- PKI must be underpinned by a trusted root CA
+- Key controls: algorithm approval list, key management procedures, TLS version configuration, CA management
+
+### Chapter 21 — Gateways
+- Internet gateways must implement web content filtering
+- Cross-domain solutions (CDS) required for moving information between classification levels
+- Data diodes used for one-way transfers in high-security environments
+- Gateway security must be regularly assessed
+- Key controls: content filtering policy, CDS accreditation, gateway security assessments
+
+### Chapter 22 — Data Transfers
+- Data transfers between different classification domains must use approved methods
+- All transfers of classified data must be logged
+- Data must be labelled with its protective marking before transfer
+- Key controls: approved transfer mechanisms, transfer logs, label verification procedures

package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md

@@ -0,0 +1,203 @@
+# ISO 27001:2013 Annex A — All 114 Controls
+
+## Table of Contents
+- [A.5 Information Security Policies (2)](#a5-information-security-policies)
+- [A.6 Organisation of Information Security (7)](#a6-organisation-of-information-security)
+- [A.7 Human Resource Security (6)](#a7-human-resource-security)
+- [A.8 Asset Management (10)](#a8-asset-management)
+- [A.9 Access Control (14)](#a9-access-control)
+- [A.10 Cryptography (2)](#a10-cryptography)
+- [A.11 Physical and Environmental Security (15)](#a11-physical-and-environmental-security)
+- [A.12 Operations Security (14)](#a12-operations-security)
+- [A.13 Communications Security (7)](#a13-communications-security)
+- [A.14 System Acquisition, Development and Maintenance (13)](#a14-system-acquisition)
+- [A.15 Supplier Relationships (5)](#a15-supplier-relationships)
+- [A.16 Information Security Incident Management (7)](#a16-information-security-incident-management)
+- [A.17 IS Aspects of Business Continuity Management (4)](#a17-business-continuity)
+- [A.18 Compliance (8)](#a18-compliance)
+
+---
+
+## A.5 Information Security Policies
+
+| ID | Control Name |
+|----|-------------|
+| A.5.1.1 | Policies for information security |
+| A.5.1.2 | Review of the policies for information security |
+
+## A.6 Organisation of Information Security
+
+| ID | Control Name |
+|----|-------------|
+| A.6.1.1 | Information security roles and responsibilities |
+| A.6.1.2 | Segregation of duties |
+| A.6.1.3 | Contact with authorities |
+| A.6.1.4 | Contact with special interest groups |
+| A.6.1.5 | Information security in project management |
+| A.6.2.1 | Mobile device policy |
+| A.6.2.2 | Teleworking |
+
+## A.7 Human Resource Security
+
+| ID | Control Name |
+|----|-------------|
+| A.7.1.1 | Screening |
+| A.7.1.2 | Terms and conditions of employment |
+| A.7.2.1 | Management responsibilities |
+| A.7.2.2 | Information security awareness, education and training |
+| A.7.2.3 | Disciplinary process |
+| A.7.3.1 | Termination or change of employment responsibilities |
+
+## A.8 Asset Management
+
+| ID | Control Name |
+|----|-------------|
+| A.8.1.1 | Inventory of assets |
+| A.8.1.2 | Ownership of assets |
+| A.8.1.3 | Acceptable use of assets |
+| A.8.1.4 | Return of assets |
+| A.8.2.1 | Classification of information |
+| A.8.2.2 | Labelling of information |
+| A.8.2.3 | Handling of assets |
+| A.8.3.1 | Management of removable media |
+| A.8.3.2 | Disposal of media |
+| A.8.3.3 | Physical media transfer |
+
+## A.9 Access Control
+
+| ID | Control Name |
+|----|-------------|
+| A.9.1.1 | Access control policy |
+| A.9.1.2 | Access to networks and network services |
+| A.9.2.1 | User registration and de-registration |
+| A.9.2.2 | User access provisioning |
+| A.9.2.3 | Management of privileged access rights |
+| A.9.2.4 | Management of secret authentication information of users |
+| A.9.2.5 | Review of user access rights |
+| A.9.2.6 | Removal or adjustment of access rights |
+| A.9.3.1 | Use of secret authentication information |
+| A.9.4.1 | Information access restriction |
+| A.9.4.2 | Secure log-on procedures |
+| A.9.4.3 | Password management system |
+| A.9.4.4 | Use of privileged utility programs |
+| A.9.4.5 | Access control to program source code |
+
+## A.10 Cryptography
+
+| ID | Control Name |
+|----|-------------|
+| A.10.1.1 | Policy on the use of cryptographic controls |
+| A.10.1.2 | Key management |
+
+## A.11 Physical and Environmental Security
+
+| ID | Control Name |
+|----|-------------|
+| A.11.1.1 | Physical security perimeter |
+| A.11.1.2 | Physical entry controls |
+| A.11.1.3 | Securing offices, rooms and facilities |
+| A.11.1.4 | Protecting against external and environmental threats |
+| A.11.1.5 | Working in secure areas |
+| A.11.1.6 | Delivery and loading areas |
+| A.11.2.1 | Equipment siting and protection |
+| A.11.2.2 | Supporting utilities |
+| A.11.2.3 | Cabling security |
+| A.11.2.4 | Equipment maintenance |
+| A.11.2.5 | Removal of assets |
+| A.11.2.6 | Security of equipment and assets off-premises |
+| A.11.2.7 | Secure disposal or re-use of equipment |
+| A.11.2.8 | Unattended user equipment |
+| A.11.2.9 | Clear desk and clear screen policy |
+
+## A.12 Operations Security
+
+| ID | Control Name |
+|----|-------------|
+| A.12.1.1 | Documented operating procedures |
+| A.12.1.2 | Change management |
+| A.12.1.3 | Capacity management |
+| A.12.1.4 | Separation of development, testing and operational environments |
+| A.12.2.1 | Controls against malware |
+| A.12.3.1 | Information backup |
+| A.12.4.1 | Event logging |
+| A.12.4.2 | Protection of log information |
+| A.12.4.3 | Administrator and operator logs |
+| A.12.4.4 | Clock synchronisation |
+| A.12.5.1 | Installation of software on operational systems |
+| A.12.6.1 | Management of technical vulnerabilities |
+| A.12.6.2 | Restrictions on software installation |
+| A.12.7.1 | Information systems audit controls |
+
+## A.13 Communications Security
+
+| ID | Control Name |
+|----|-------------|
+| A.13.1.1 | Network controls |
+| A.13.1.2 | Security of network services |
+| A.13.1.3 | Segregation in networks |
+| A.13.2.1 | Information transfer policies and procedures |
+| A.13.2.2 | Agreements on information transfer |
+| A.13.2.3 | Electronic messaging |
+| A.13.2.4 | Confidentiality or non-disclosure agreements |
+
+## A.14 System Acquisition, Development and Maintenance
+
+| ID | Control Name |
+|----|-------------|
+| A.14.1.1 | Information security requirements analysis and specification |
+| A.14.1.2 | Securing application services on public networks |
+| A.14.1.3 | Protecting application services transactions |
+| A.14.2.1 | Secure development policy |
+| A.14.2.2 | System change control procedures |
+| A.14.2.3 | Technical review of applications after operating platform changes |
+| A.14.2.4 | Restrictions on changes to software packages |
+| A.14.2.5 | Secure system engineering principles |
+| A.14.2.6 | Secure development environment |
+| A.14.2.7 | Outsourced development |
+| A.14.2.8 | System security testing |
+| A.14.2.9 | System acceptance testing |
+| A.14.3.1 | Protection of test data |
+
+## A.15 Supplier Relationships
+
+| ID | Control Name |
+|----|-------------|
+| A.15.1.1 | Information security policy for supplier relationships |
+| A.15.1.2 | Addressing security within supplier agreements |
+| A.15.1.3 | Information and communication technology supply chain |
+| A.15.2.1 | Monitoring and review of supplier services |
+| A.15.2.2 | Managing changes to supplier services |
+
+## A.16 Information Security Incident Management
+
+| ID | Control Name |
+|----|-------------|
+| A.16.1.1 | Responsibilities and procedures |
+| A.16.1.2 | Reporting information security events |
+| A.16.1.3 | Reporting information security weaknesses |
+| A.16.1.4 | Assessment of and decision on information security events |
+| A.16.1.5 | Response to information security incidents |
+| A.16.1.6 | Learning from information security incidents |
+| A.16.1.7 | Collection of evidence |
+
+## A.17 IS Aspects of Business Continuity Management
+
+| ID | Control Name |
+|----|-------------|
+| A.17.1.1 | Planning information security continuity |
+| A.17.1.2 | Implementing information security continuity |
+| A.17.1.3 | Verify, review and evaluate information security continuity |
+| A.17.2.1 | Availability of information processing facilities |
+
+## A.18 Compliance
+
+| ID | Control Name |
+|----|-------------|
+| A.18.1.1 | Identification of applicable legislation and contractual requirements |
+| A.18.1.2 | Intellectual property rights |
+| A.18.1.3 | Protection of records |
+| A.18.1.4 | Privacy and protection of personally identifiable information |
+| A.18.1.5 | Regulation of cryptographic controls |
+| A.18.2.1 | Independent review of information security |
+| A.18.2.2 | Compliance with security policies and standards |
+| A.18.2.3 | Technical compliance review |