| 7.1–7.6 | Security perimeters, entry controls, securing offices and facilities, physical security monitoring (7.4, new), environmental threats, and working in secure areas. | Badge/lock procedures, visitor log, camera/alarm coverage records, mostly client premises. | |
|---|
| 7.7–7.14 | Clear desk/screen; equipment siting and protection; assets off-premises (laptops, home offices); storage media lifecycle; supporting utilities; cabling; maintenance; secure disposal/reuse with verified wiping. | MDM + disk encryption cover off-premises; media destruction certificates; disposal logs. | |
|---|
| 8.1–8.5 | User device protection, privileged access management, information access restriction, source-code access, and secure authentication (MFA). | MDM baselines, PAM/admin tiering, SSO + MFA everywhere. | |
|---|
| 8.6–8.14 | Capacity, anti-malware, vulnerability management, configuration management (8.9, new), information deletion (8.10, new), data masking (8.11, new), DLP (8.12, new), backup, and redundancy. | EDR + vuln scanning cadence, hardening baselines, retention/purge jobs, DLP policies, tested backups. | |
|---|
| 8.15–8.23 | Logging with protected logs, monitoring activities (8.16, new), clock sync, privileged utilities, software installation control, network security and segregation, web filtering (8.23, new). | SIEM/log management with alert triage, network segmentation, DNS/web filtering via the security stack. | |
|---|
| 8.24–8.34 | Cryptography policy and key management; secure development lifecycle incl. secure coding (8.28, new), testing, outsourced development, environment separation, test data, and audit-test safeguards. | Encryption standards + key custody; for dev-shop clients: PR review, CI gates, environment separation, their engineers execute, you evidence. | |
|---|