Statement of Applicability
ISO/IEC 27001:2013 Annex A control | Applied? | Control detail | Key driver | Justification for exclusion | Responsibility
9.2.2 User access provisioning | Yes | Defined approval processes for user provisioning. Line manager, system owner and relevant information custodian(s), or their delegates, must approve access to enterprise information systems. | BR | - | IT
9.2.3 Management of privileged access rights | Yes | Periodic review of privileged users. | BR | - | ISMR
9.2.4 Management of secret authentication information of users | Partial | Informal processes currently in place for password distribution. | BR | - |
9.2.5 Review of user access rights | Yes | Annual review of user security configurations within information systems and physical security system. Sign-off required from line managers. | BR | - | ISMR
9.2.6 Removal or adjustment of access rights | Yes | Part of termination process. | BR | - | IT
9.3 User responsibilities
Objective: To make users accountable for safeguarding their authentication information.
9.3.1 Use of secret authentication information | Partial | Secure password policies are defined and enforced within key systems. | BR | - | ISMR
9.4 System and application access control
Objective: To prevent unauthorized access to systems and applications.
9.4.1 Information access restriction | Partial | As per access matrix. | BR | - | IT
9.4.2 Secure log-on procedures | N/A | Not required | N/A | Not required as part of access control policy. | ISMR
9.4.3 Password management system | Partial | Staff encouraged to use secure passwords. | BR | - | ISMR
9.4.4 Use of privileged utility programs | Yes | Restricted by group membership in identity access management system. Membership only assigned to IT Manager. | BR | - | IT
9.4.5 Access control to program source code | Yes | Restricted by group membership in identity access management system. Membership only assigned to IT Manager. | BR | - | IT
10 Cryptography
10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
10.1.1 Policy on the use of cryptographic controls | N/A | Not required | N/A | Cryptographic controls not required. | D
10.1.2 Key management | N/A | Not required | N/A | Cryptographic controls not required. | D
11 Physical and environmental security
11.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.
11.1.1 Physical security perimeter | Yes | As per building floor plan. | BR | - | OM
11.1.2 Physical entry controls | Yes | Reception at entrance; visitors required to sign in. Staff areas require PIN access for secure doors. | BR | - | OM
11.1.3 Securing offices, rooms and facilities | Partial | Building locked outside office hours. | BR | - | OM
11.1.4 Protecting against external and environmental threats | Yes | External backup and firewall/malware protections maintained. | BR | - | IT
11.1.5 Working in secure areas | No | Specific procedures not implemented. | BR | - | OM
11.1.6 Delivery and loading areas | Yes | As per building floor plan; secure door between loading/delivery areas and office. | BR | - | OM
11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.
11.2.1 Equipment siting and protection | Partial | Building maintained and secure access procedures followed. | BR | - | OM
11.2.2 Supporting utilities | Yes | Surge protection equipment used. | BR | - | IT
11.2.3 Cabling security | Yes | Cabling purchased from approved suppliers. | BR | - | IT
11.2.4 Equipment maintenance | Yes | Workplace inspections by IT. | BR | - | IT
11.2.5 Removal of assets | Yes | No remote working or removal of assets allowed. | BR | - | AS
11.2.6 Security of equipment and assets off-premises | N/A | - | N/A | Off-site working not permitted. | D
11.2.7 Secure disposal or reuse of equipment | Yes | As per asset disposal procedure. | BR | - | IT
11.2.8 Unattended user equipment | Yes | Staff instructed to lock computers when unattended. | BR | - | AS
11.2.9 Clear desk and clear screen policy | Yes | Clear desk policy last reviewed 15/6/2016. | BR | - | ISMR
12 Operations security
12.1 Operational procedures and responsibilities
Objective: To ensure correct and secure operations of information processing facilities.
12.1.1 Documented operating procedures | Yes | SOPs maintained as per document register. | BR | - | ISMR
12.1.2 Change management | Yes | Formalised and communicated change management procedures with approval workflows. | BR | - | ISMR
12.1.3 Capacity management | Yes | Automated provisioning/deprovisioning of new VMs based on load/demand. Automated reporting of over-utilisation and under-utilisation sent to IT Manager when triggered. | BR | - | IT
12.1.4 Separation of development, testing and operational environments | Partial | Development and testing performed in production environment for most business information systems. | BR | - | OM
12.2 Protection from malware
Objective: To ensure that information and information processing facilities are protected against malware.
12.2.1 Controls against malware | Partial | Install and maintain a modern anti-virus suite. Keep up with security patches. Maintain and enforce network access control list (ACL). | BR | - | IT
12.3 Backup
Objective: To protect against loss of data.
12.3.1 Information backup | Yes | Defined backup policies and procedures based on business requirements for recovery time objective (RTO) and recovery point objective (RPO). | BR | - | IT
14.1.2 Securing application services on public networks | Partial | Validated that cloud-based CRM system encrypts data in transit. | BR | - | AS
14.1.3 Protecting application services transactions | Partial | Application services used by the organisation require encryption in transit if data is not classified as 'Public'. | | - |
Key driver
LR: Legal requirement
CO: Contractual obligation
CC: Client commitment
BR: Business requirement derived from risk assessment
ABP: Adopted best practice
N/A: Control not applicable to ISMS scope

Responsibility
OM: Office manager
ISMR: Information Security Management Representative
IT: IT manager
AS: All staff
D: Director