"Information stored on, processed by or accessible via user end point devices shall be protected."[1]

"The allocation and use of privileged access rights shall be restricted and managed."[1]

"Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control."[1]

"Read and write access to source code, development tools and software libraries shall be appropriately managed."[1]

"Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control."[1]

"The use of resources shall be monitored and adjusted in line with current and expected capacity requirements."[1]

"Protection against malware shall be implemented and supported by appropriate user awareness."[1]

"Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken."[1]

"Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed."[1]

"Information stored in information systems, devices or in any other storage media shall be deleted when no longer required."[1]

"Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration."[1]

"Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information."[1]

"Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup."[1]

"Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements."[1]

"Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed."[1]

"Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents."[1]

"The clocks of information processing systems used by the organization shall be synchronized to approved time sources."[1]

"The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled."[1]

"Procedures and measures shall be implemented to securely manage software installation on operational systems."[1]

"Networks and network devices shall be secured, managed and controlled to protect information in systems and applications."[1]

"Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored."[1]

"Groups of information services, users and information systems shall be segregated in the organization’s networks."[1]

"Access to external websites shall be managed to reduce exposure to malicious content."[1]

"Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented."[1]

"Rules for the secure development of software and systems shall be established and applied."[1]

"Information security requirements shall be identified, specified and approved when developing or acquiring applications."[1]

"Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities."[1]

"Secure coding principles shall be applied to software development."[1]

"Security testing processes shall be defined and implemented in the development life cycle."[1]

"The organization shall direct, monitor and review the activities related to outsourced system development."[1]

"Development, testing and production environments shall be separated and secured."[1]

"Changes to information processing facilities and information systems shall be subject to change management procedures."[1]

"Test information shall be appropriately selected, protected and managed."[1]

"Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management."[1]