---
type: "control-objective-set"
title: "Controls → #1 Abuse of Functions"
description: "NIST CSF control objectives and ISO 27001:2022 Annex A starter controls for TLCTC #1 Abuse of Functions."
resource: "tlctc:controls:cluster-1"
tags:
  - "controls"
  - "nist-csf"
  - "iso27001"
  - "cluster-1"
cluster: "#1"
---
# Controls → #1 Abuse of Functions

> **Provenance:** the ISO 27001:2022 Annex A control placements below are *starter guidance* derived from the TLCTC Control Matrix tool (`tools/`), AI-assisted and not a certified control set. The normative cause-side taxonomy is the cluster definitions; control selection is organization-specific. See `/controls/index.md`.

Cause: [#1 Abuse of Functions](/clusters/cluster-1.md). Functions: [GOVERN](/controls/functions/govern.md) · [IDENTIFY](/controls/functions/identify.md) · [PROTECT](/controls/functions/protect.md) · [DETECT](/controls/functions/detect.md) · [RESPOND](/controls/functions/respond.md) · [RECOVER](/controls/functions/recover.md). Effectiveness: [/controls/effectiveness-model.md](/controls/effectiveness-model.md).

## GOVERN

*cross-cutting.* **Objective:** Establish ownership, policy, and risk appetite for #1 Abuse of Functions.

**Local controls (ISO 27001:2022 Annex A):**

- A.5.10 — Acceptable use of information and other associated assets — Define acceptable use boundaries for administrative and privileged functions
- A.5.37 — Documented operating procedures — Document authorized procedures for critical system functions to detect deviations
- A.5.33 — Protection of records — Protect audit records and logs from tampering via function abuse
- A.8.34 — Protection of information systems during audit testing — Protect systems during audit testing to prevent function abuse via test access

**Umbrella controls (ISO 27001:2022 Annex A):**

- A.5.1 — Policies for information security — Define acceptable-use policies addressing misuse of legitimate system functions
- A.5.2 — Information security roles and responsibilities — Assign ownership for monitoring and controlling function abuse risk
- A.5.3 — Segregation of duties — Enforce separation of duties to prevent single-actor function abuse

## IDENTIFY

*preventive (left).* **Objective:** Identify the weaknesses and exposure enabling #1 Abuse of Functions.

**Local controls (ISO 27001:2022 Annex A):**

- A.8.9 — Configuration management — Identify and document all configurable functions and their security-relevant settings
- A.8.2 — Privileged access rights — Identify all accounts with elevated privileges that enable function abuse

**Umbrella controls (ISO 27001:2022 Annex A):**

- A.5.9 — Inventory of information and other associated assets — Inventory all systems with privileged functions that could be abused
- A.5.7 — Threat intelligence — Monitor threat intelligence for function-abuse TTPs targeting deployed systems

## PROTECT

*preventive (left).* **Objective:** Prevent or reduce the likelihood of the #1 Abuse of Functions step.

**Local controls (ISO 27001:2022 Annex A):**

- A.8.2 — Privileged access rights — Enforce time-limited, just-in-time privileged access to reduce the window for function abuse
- A.8.18 — Use of privileged utility programs — Restrict and audit use of system utilities that bypass normal controls
- A.8.9 — Configuration management — Lock down system configurations to prevent unauthorized function enablement

**Umbrella controls (ISO 27001:2022 Annex A):**

- A.5.15 — Access control — Restrict function access to authorized use patterns; enforce least privilege for admin functions
- A.5.18 — Access rights — Provision and review access rights to prevent unauthorized function use

## DETECT

*mitigating (right).* **Objective:** Detect #1 Abuse of Functions activity within its Δt window, before it enables the next step.

**Local controls (ISO 27001:2022 Annex A):**

- A.8.15 — Logging — Log all privileged function invocations, configuration changes, and admin actions
- A.8.16 — Monitoring activities — Monitor for anomalous function usage patterns (volume, timing, scope)
- A.8.17 — Clock synchronization — Synchronize system clocks to ensure accurate correlation of function-abuse timelines
- A.8.12 — Data leakage prevention — Deploy DLP controls to detect unauthorized data exfiltration carried out through abuse of legitimate functions

**Umbrella controls (ISO 27001:2022 Annex A):**

- A.5.7 — Threat intelligence — Integrate function-abuse indicators into detection rules

## RESPOND

*mitigating (right).* **Objective:** Contain and eradicate #1 Abuse of Functions once detected.

**Local controls (ISO 27001:2022 Annex A):**

- A.5.28 — Collection of evidence — Preserve logs and session data as evidence of function abuse
- A.5.25 — Assessment and decision on information security events — Triage function-abuse alerts and classify severity

**Umbrella controls (ISO 27001:2022 Annex A):**

- A.5.24 — Information security incident management planning and preparation — Prepare response procedures for function-abuse incidents
- A.5.26 — Response to information security incidents — Execute containment for active function abuse (revoke access, disable function)

## RECOVER

*mitigating (right).* **Objective:** Restore trustworthy capability after #1 Abuse of Functions.

**Local controls (ISO 27001:2022 Annex A):**

- A.5.30 — ICT readiness for business continuity — Ensure function-abuse recovery is included in continuity plans
- A.8.9 — Configuration management — Restore verified baseline configurations after function-abuse compromise
- A.8.10 — Information deletion — Ensure secure deletion of data exposed or compromised during function-abuse incidents

**Umbrella controls (ISO 27001:2022 Annex A):**

- A.5.29 — Information security during disruption — Maintain security controls during recovery from function-abuse incidents
- A.5.27 — Learning from information security incidents — Conduct post-incident reviews of function-abuse events to refine controls
