Di seguito si riporta l'elenco dei controlli ISO:27001, con la loro efficacia rispetto ai criteri di  riservatezza, integrità, disponibilità e conformità, individuati nella redazione di un Pattern (vd. Capitolo 3 del documento):

5 Security Policy

5.1.1 Information Security Policy Document

5.1.2 Review of the Information Security Policy

6 Organization of Information Security

6.1.1 Management Commitment to Information Security

6.1.2 Information Security Co-ordination

6.1.3 Allocation of Information Security Responsibilities

6.1.4 Authorization Process for Information Processing Facilities

6.1.5 Confidentiality Agreements

6.1.6 Contact with Authorities

6.1.7 Contact with Special Interest Groups

6.1.8 Independent Review of Information Security

6.2.1 Identification of Risks Related to External Parties

6.2.2 Addressing Security When Dealing with Customers

6.2.3 Addressing Security in Third Party Agreements

7 Asset Management

7.1.1 Inventory of Assets

7.1.2 Ownership of Assets

7.1.3 Acceptable Use of Assets

7.2.1 Classification Guidelines

7.2.2 Information Labeling and Handling

8 Human Resources Security

8.1.1 Roles and Responsibilities

8.1.2 Screening

8.1.3 Terms and Conditions of Employment

8.2.1 Management Responsibilities

8.2.2 Information Security Awareness, Education, and Training

8.2.3 Disciplinary Process

8.3.1 Termination Responsibilities

8.3.2 Return of Assets

8.3.3 Removal of Access Rights

9 Physical and Environmental Security

9.1.1 Physical Security Perimeter

9.1.2 Physical Entry Controls

9.1.3 Securing Offices, Rooms, and Facilities

9.1.4 Protecting Against External and Environmental Threats

9.1.5 Working in Secure Areas

9.1.6 Public Access, Delivery, and Loading Access

9.2.1 Equipment Siting and Protection

9.2.2 Supporting Utilities

9.2.3 Cabling Security

9.2.4 Equipment Maintenance

9.2.5 Security of Equipment Off-Premises

9.2.6 Secure Disposal or Re-Use of Equipment

9.2.7 Removal of Property

10 Communications and Operations Management

10.1.1 Documented Operating Procedures

10.1.2 Change Management

10.1.3 Segregation of Duties

10.1.4 Separation of Development, Test, and Operational Facilities

10.10.1 Audit Logging

10.10.2 Monitoring System Use

10.10.3 Protection of Log Information

10.10.4 Administrator and Operator Logs

10.10.5 Fault Logging

10.10.6 Clock Synchronization

10.2.1 Service Delivery

10.2.2 Monitoring and Review of Third Party Services

10.2.3 Managing Changes to Third Party Services

10.3.1 Capacity Management

10.3.2 System Acceptance

10.4.1 Controls Against Malicious Code

10.4.2 Controls Against Mobile Code

10.5.1 Information Back-Up

10.6.1 Network Controls

10.6.2 Security of Network Services

10.7.1 Management of Removable Media

10.7.2 Disposal of Media

10.7.3 Information Handling Procedures

10.7.4 Security of System Documentation

10.8.1 Information Exchange Policies and Procedures

10.8.2 Exchange Agreements

10.8.3 Physical Media in Transit

10.8.4 Electronic Messaging

10.8.5 Business Information Systems

10.9.1 Electronic Commerce

10.9.2 On-Line Transactions

10.9.3 Publicly Available Information

11 Access Control

11.1.1 Access Control Policy

11.2.1 User Registration

11.2.2 Privilege Management

11.2.3 User Password Management

11.2.4 Review of User Access Rights

11.3.1 Password Use

11.3.2 Unattended User Equipment

11.3.3 Clear Desk and Clear Screen Policy

11.4.1 Policy on Use of Network Services

11.4.2 User Authentication for External Connections

11.4.3 Equipment Identification in Networks

11.4.4 Remote Diagnostic and Configuration Port Protection

11.4.5 Segregation in Networks

11.4.6 Network Connection Control

11.4.7 Network Routing Control

11.5.1 Secure Log-On Procedures

11.5.2 User Identification and Authentication

11.5.3 Password Management System

11.5.4 Use of System Utilities

11.5.5 Session Time-Out

11.5.6 Limitation of Connection Time

11.6.1 Information Access Restriction

11.6.2 Sensitive System Isolation

11.7.1 Mobile Computing and Communications

11.7.2 Teleworking

12 Information Systems Acquisition, Development and Maintenance

12.1.1 Security Requirements Analysis and Specification

12.2.1 Input Data Validation

12.2.2 Control of Internal Processing

12.2.3 Message Integrity

12.2.4 Output Data Validation

12.3.1 Policy on the Use of Cryptographic Controls

12.3.2 Key Management

12.4.1 Control of Operational Software

12.4.2 Protection of System Test Data

12.4.3 Access Control to Program Source Code

12.5.1 Change Control Procedures

12.5.2 Technical Review of Applications after Operating System Changes

12.5.3 Restrictions on Changes to Software Packages

12.5.4 Information Leakage

12.5.5 Outsourced Software Development

12.6.1 Control of Technical Vulnerabilities

13 Information Security Incident Management

13.1.1 Reporting Information Security Events

13.1.2 Reporting Security Weaknesses

13.2.1 Responsibilities and Procedures

13.2.2 Learning from Information Security Incidents

13.2.3 Collection of Evidence

14 Business Continuity Management

14.1.1 Including Information Security in the Business Continuity Management Process

14.1.2 Business Continuity and Risk Assessment

14.1.3 Developing and Implementing Continuity Plans Including Information Security

14.1.4 Business Continuity Planning Framework

14.1.5 Testing, Maintaining and Re-Assessing Business Continuity Plans

15 Compliance

15.1.1 Identification of Applicable Legislation

15.1.2 Intellectual Property Rights (IPR)

15.1.3 Protection of Organizational Records

15.1.4 Data Protection and Privacy of Personal Information

15.1.5 Prevention of Misuse of Information Processing Facilities

15.1.6 Regulation of Cryptographic Controls

15.2.1 Compliance with Security Policies and Standards

15.2.2 Technical Compliance Checking

15.3.1 Information Systems Audit Controls

15.3.2 Protection of Information Systems Audit Tools