1- Inventory and Control of Enterprise Assets: Organizations must maintain an accurate, current inventory of every device that connects to the enterprise network or stores or processes its data (end-user devices, servers, network equipment, IoT and mobile devices, including devices the organization does not own), so that unauthorized or unmanaged devices can be detected and removed or isolated. Software is covered separately by Control 2.
2- Inventory and Control of Software Assets: Organizations must maintain an inventory of all software installed on enterprise assets so that only authorized, supported software is installed and able to execute, and unauthorized or unsupported software is found and either removed or blocked from running (for example by application allowlisting).
3- Data Protection: Organizations must identify and classify data according to its sensitivity and value, and apply the handling, retention, encryption, access and disposal controls appropriate to each class, so that confidentiality, integrity and availability are protected throughout the data's lifecycle.
4- Secure Configuration of Enterprise Assets and Software: Organizations must establish and maintain hardened, documented configurations for enterprise assets and software (operating systems, applications and network devices), deploy them consistently, and detect and correct drift from them, since vendor defaults are typically tuned for ease of use rather than security.
5- Account Management: Organizations must control the full lifecycle of user, administrator and service accounts: creation, the credentials and authorizations assigned to them, periodic review, and timely disabling or deletion when no longer needed, so that dormant or orphaned accounts cannot be used for unauthorized access.
6- Access Control Management: Organizations must grant, manage and revoke access privileges to enterprise assets and data on a least-privilege basis, with multi-factor authentication for remote, administrative and externally exposed access, so that an account cannot reach systems beyond what its role requires.
7- Continuous Vulnerability Management: Organizations must continuously identify, assess and track vulnerabilities across all enterprise assets, and remediate them through patching, configuration changes or compensating controls within a timeframe based on risk, rather than relying on one-off assessments.
8- Audit Log Management: Organizations must collect, alert on, review and retain audit logs from their assets and systems, and protect those logs against tampering and loss, so that events can be detected, understood and reconstructed during investigation and incident response.
9- Email and Web Browser Protections: Organizations must reduce their exposure to the phishing and malicious-content attacks delivered through email and the web, for example with DNS filtering, URL and attachment filtering, restriction of unnecessary browser extensions, and DMARC for email, and must train users to recognize and report these threats.
10- Malware Defenses: Organizations must prevent or control the installation, spread and execution of malicious code on enterprise assets with centrally managed anti-malware tooling, automatic signature and engine updates, and restrictions on autorun and removable media, supplemented by user awareness of how malware typically arrives.
11- Data Recovery: Organizations must establish and maintain backup and data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident, trusted state, protect the recovery data (including an isolated or offline copy), and test recovery regularly to confirm it works within the required timeframe.
12- Network Infrastructure Management: Organizations must establish, implement and actively manage the configuration of their network devices (firewalls, routers, switches, wireless access points) to prevent attackers from exploiting vulnerable services and access points, and must keep the network architecture documented and current.
13- Network Monitoring and Defense: Organizations must operate processes and tooling to comprehensively monitor network traffic and defend against threats across the infrastructure and user base, including centralized alerting, network-based intrusion detection and prevention, and traffic filtering between network segments.
14- Security Awareness and Skills Training: Organizations must establish and maintain a security awareness program so that the workforce is trained to recognize and report threats such as social engineering, to handle data and credentials securely, and, for roles with specific security responsibilities, to develop the skills those roles require.
15- Service Provider Management: Organizations must develop a process to evaluate and manage the service providers that hold sensitive data or run critical IT platforms or processes, so that these providers are inventoried, classified, contractually bound to the organization's security requirements, monitored, and securely decommissioned when the relationship ends.
16- Application Software Security: Organizations must manage the security life cycle of in-house developed, hosted and acquired software (secure development practices, dependency and vulnerability management, security testing, and secure deployment) to prevent, detect and remediate security weaknesses before they can impact the enterprise. This goes beyond the configuration hardening covered by Control 4.
17- Incident Response Management: Organizations must establish and maintain an incident response capability (policies, plans, defined roles, communication procedures and training) to prepare for, detect and respond quickly to attacks, and must exercise the plan regularly to confirm it works.
18- Penetration Testing: Organizations must test the effectiveness and resilience of their assets and controls by identifying and exploiting weaknesses in people, processes and technology, simulating the objectives and actions of an attacker, and must remediate the findings in a timely manner.