ISO 27001 Ver 2013: February 2021
net/publication/349366608
Raul Bernardino
University of Liverpool
All content following this page was uploaded by Raul Bernardino on 17 February 2021.
Internal
Version 1.00
By
Raul Bernardino
Table of contents
1. Document Control
2. Abstract
3. Purpose, scope, and users
4. Reference documents
5. Applicability of Clauses
6. Applicability of Controls
© ISO27K1-RB
Internal
1. Document Control
Document Approver(s) and Reviewer(s):
NOTE: All Approvers are required. Records of each approver must be maintained. All Reviewers in the list are considered required unless explicitly listed as Optional.
Approved by:
Change history
2. Abstract
Indonesia's financial technology and digital asset markets are at a crossroads. Start-up businesses have been struggling to implement ISO 27001:2013, the information security management system standard, to secure and protect their customers' information. At the same time, operating budgets have to be spent wisely on daily operations in order to remain sustainable and competitive, so these businesses have focused on reaching more customers and markets rather than on securing their information systems.
3. Purpose, scope, and users
This document includes all controls listed in Annex A of the ISO 27001:2013 standard. The controls are applicable to the entire Information Security Management System (ISMS) scope.
Users of this document are all employees of STIKOM who have a role in the ISMS.
4. Reference documents
● ISO/IEC 27001:2013 standard, clause 6.1.3 d)
● Information Security Policy
● Regulation of the Minister of Communication and Information Technology Number 04 of 2016 on Information Security Management Systems
  ● Chapter 3, Article 7, paragraph 1: the use of the ISO 27001:2013 standard for information security; and
  ● Chapter 3, Article 7, paragraph 2: the use of the ISO 27001:2013 standard for the implementation of the information system (electronic system).
● Regulation of the Minister of Communication and Information Technology Number 20 of 2016 on the Protection of Personal Data in Electronic Systems
  o Chapter 1, Article 2, paragraph 1: personal data protection
  o Chapter 2, Article 3, points a to e: data that is gathered, processed, analysed, stored and transmitted has to be protected
5. Applicability of Clauses
Clause | Requirement | Evidence / document
5.2 Information security policy | Document the information security policy | Information Security Policy document
5.3 Organizational roles, responsibilities and authorities | Assign and communicate information security roles and responsibilities | RASCI Matrix document
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 | Design/plan the ISMS to satisfy the requirements, addressing risks and opportunities | Risk Assessment and Methodology document
6.1.2 | Define and apply an information security risk assessment process | Risk Assessment and Methodology document
7.4 Communication | Determine the need for internal and external communications relevant to the ISMS | All implemented documents are well socialized
8 Operation
8.1 Operational planning and control | Plan, implement, control and document ISMS processes to manage risks (i.e. a risk treatment plan) | Risk Assessment and Methodology document
8.2 Information security risk assessment | (Re)assess and document information security risks regularly and on changes | Risk Assessment and Methodology document
8.3 Information security risk treatment | Implement the risk treatment plan (treat the risks!) and document the results | Risk Treatment Plan
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation | Monitor, measure, analyse and evaluate the ISMS and the controls | Internal auditor policy; staff KPIs; vendor evaluation
9.2 Internal audit | Plan and conduct internal audits of the ISMS | Internal audit plan, criteria, checklist, report and programme
9.3 Management review | Undertake regular management reviews of the ISMS | Management review document
10 Improvement
10.1 Nonconformity and corrective action | Identify, fix and take action to prevent recurrence of nonconformities, documenting the actions | Corrective actions on internal and external audit findings
6. Applicability of Controls
The following ISO 27001:2013 Annex A controls are applicable:
Control | Applicable | Justification / current status | Objective | Implementation / evidence
A.5 Information Security (IS) Policy | YES | IS Policy developed and established | To secure and protect information assets in terms of confidentiality, integrity and availability (CIA). | The information security policy is disseminated to all staff. All staff receive an induction from the ISMS Team on how to use the policy and protect the information assets in their respective departments.
(fragment of a row truncated in the source: "... information and relevant security laws and regulations")
A.5.1.1 Policies for information security | YES | Policy and procedure approved and implemented | To give IT, the ISMS team and IT users guidance on securing information assets in terms of confidentiality, integrity and availability, and to keep business processes in line with relevant laws and regulations. | Country IT laws and regulations assessed; the institution's Information Security Policy drafted, reviewed, approved and implemented.
A.5.1.2 Review of the policies for information security | YES | The ISMS Team, Internal Audit (IA) and management review all company policies and procedures | To check that all policies and procedures remain in line with the business processes | ISMS Team set up; IA plan and programme designated; Management Review Meeting held.
A.6.1.1 Information security roles and responsibilities | YES | Employees hold security awareness certification and the Internal Auditors are certified; all company employees and vendors are aware that information security is everyone's responsibility | To establish the ISMS team and implement the management decision that everyone contributes to information security | Employees and vendors attended the security awareness training; IA attended the course and passed the examination; management reviews the IA findings; the PIC analyses the root cause and corrects the nonconformity findings.
A.6.1.2 Segregation of duties | YES | Employees have clear job descriptions and designated offices; unauthorized persons cannot gain access; guests are accompanied by employees and stay in the designated area | To ensure jobs and responsibilities are segregated so as to minimize unauthorized or unintentional misuse of the organization's assets | All employees are trained to be vigilant and alert and to question guests who are not accompanied by an employee; staff are well informed about the information classification.
A.6.1.3 Contact with authorities | YES | The company maintains appropriate contacts and an up-to-date contact list | To have appropriate and up-to-date contacts with the relevant authorities | Contacts with authorities are documented in the Business Continuity plan; IT, HR, Finance and OPS also maintain this contact list.
A.6.1.4 Contact with special interest groups | YES | Contact numbers of all relevant interested parties are updated and maintained | To have an appropriate, up-to-date and relevant interest-group contact list | The Administrator, Customer Service and Tech teams are responsible for monitoring the overall interest-group contact lists and security group forums. Each PIC keeps their own interest-group contact list.
A.6.2 Mobile devices and teleworking | YES | All staff are aware that the use of mobile devices on public networks must follow the IT Security Policy | To ensure the security of teleworking and the use of mobile devices | Staff attend the induction and the information security awareness training.
A.6.2.1 Mobile device policy | YES | All mobile devices (BYOD) are on a separate network; a BYOD device that needs to connect to the office network requires a signed waiver | To ensure the policy is implemented | BYOD is implemented under the Mobile and Teleworking Policy.
A.7 Human resource security | YES | HR Security Policy established | To ensure staff are well equipped; newly recruited staff are processed under the HR Security Policy | HR Security Policy established and implemented.
A.7.1 Prior to employment | YES | The Human Capital Team acts according to the HR Security Policy | To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered | The Human Capital Department is consistent in implementing the HR Security Policy.
A.7.1.2 Terms and conditions of employment | YES | All employees have signed contracts or confidentiality agreements | To ensure that an NDA is included in every contract | Follow the employee recruitment process in the Human Resource Policy.
A.7.2 During employment | YES | All employees and contractors have attended IS awareness training | To ensure that employees and contractors are aware of and fulfil their information security responsibilities | Human Capital inducts new policies, plans IS awareness training for new staff, and evaluates staff.
(fragment of a row truncated in the source: "... information security ... employees and contractors")
A.7.2.2 Information security awareness, education and training | YES | The risks associated with the interested parties (customers, founders, employees and third-party outsourcers) are assessed, and employees and contractors are educated to comply with company regulations and policies | To ensure all new employees are properly inducted and attend the security awareness training | Human Resource Security Policy.
A.7.3 Termination and change of employment | YES | Exit interview policy established | To protect the organization's interests as part of the process of changing or terminating employment | Human Capital conducts the exit interview and the departing person signs an NDA.
A.7.3.1 Termination or change of employment responsibilities | YES | Departing employees are required to sign an Exit NDA during the offboarding process; this NDA remains in force for the next five (5) years | To ensure contracts are terminated properly and that exit forms and NDAs are in order | Follow the Human Resource Security Policy.
A.8 Asset management | YES | ISMS Team established the Information Assets Policy | To ensure all business processes and information are captured | ISMS Team implements the Information Assets Policy.
A.8.1 Responsibility for assets | YES | The ISMS Team and Finance team register information assets according to the Information Assets Policy | To identify organizational assets and define appropriate protection responsibilities | Follow the Information Assets Policy.
A.8.1.1 Inventory of assets | YES | All assets are registered | To ensure all company information assets are kept up to date and maintained | Follow the Information Asset Management Policy.
A.8.1.2 Ownership of assets | YES | The asset allocation list and property (inventory) numbers are maintained in a reviewed document | To ensure all information assets have an owner | Follow the Information Asset Management Policy.
A.8.1.3 Acceptable use of assets | YES | Employees accept responsibility for the assets used as media for processing, storing and transmitting data and information, which carry CIA requirements | To ensure the rules for information assets and processing are notified, documented and implemented | Apply the administrator-rights waivers, checklists and service desk lists and forms; follow the Asset Management Policy.
A.8.1.4 Return of assets | YES | All assets are returned on the last day of employment, or the exit form is signed | To ensure all company assets are returned on the last day of employment | Follow the Asset Management Policy.
A.8.2 Information classification | YES | ISMS team established the information classification | To ensure that information receives an appropriate level of protection in accordance with its importance to the organization | ISMS Team implements information asset classification and labelling.
A.8.3 Media handling | YES | ISMS team established the media handling procedure | To prevent unauthorized disclosure, modification, removal or destruction of information stored on media | Follow the Media Handling Procedure.
A.8.3.1 Management of removable media | YES/NO | All removable media are handled according to the information classification and the Assets and Media Removal procedure | To ensure media removals are proper | All core media are on the cloud premises.
A.8.3.2 Disposal of media | YES | All media disposals follow the Assets and Media Removal procedure | To ensure media disposals are proper | Follow the Information Asset Management Policy.
A.8.3.3 Physical media transfer | YES/NO | All servers are on Ali-Cloud premises; however, laptops that are physically moved need to be secured (media transfers) | To ensure all media containing information are protected against unauthorized access, misuse or corruption during transportation | The institution may never perform a physical media transfer; everything is at the CSP.
A.9 Access control | YES | ISMS Team established the Access Control Policy | To ensure all information assets are protected and only staff or persons holding the access right can access them | ISMS Team implements and follows the established policy.
A.9.1 Business requirements of access control | YES | The ISMS Team follows the established Access Policy to create, disable and change access | To limit access to information and information processing facilities | Follow the Access Control Policy.
A.9.1.1 Access control policy | YES | Employees' and contractors' access is controlled | To ensure the Access Control Policy is established and followed | Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.
A.9.1.2 Access to networks and network services | YES | Employees' and contractors' access is controlled | To ensure all employees are on the designated networks | Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.
A.9.2 User access management | YES | ISMS Team established the user access matrix | To ensure authorized user access and to prevent unauthorized access to systems and services | Follow the user matrix and the Access Control Policy.
A.9.2.1 User registration and de-registration | YES | All user accounts are created and de-registered properly; e.g. a resigning staff member's accounts are disabled on the day he or she resigns | To ensure all account registration and de-registration is proper | Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.
A.9.2.2 User access provisioning | YES | All new employees and contractors have a 3-month provisioning period | To ensure all new employees follow the procedures | Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.
A.9.2.3 Management of privileged access rights | YES | All user accounts are created based on job functions and credentials, in the 'Forest Application' | To ensure all user access is privileged, restricted and controlled | Follow the Access Control Policy, combined with the Office Access Control.
A.9.2.4 Management of secret authentication information of users | YES | All user accounts are created based on job functions and credentials | To ensure all system users have a credential and secret authentication information | Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.
A.9.2.5 Review of user access rights | YES | System users change their passwords periodically; the Tech team and HR review users' access rights at regular intervals | To ensure system users' passwords are changed periodically | Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.
A.9.2.6 Removal or adjustment of access rights | YES | All system users are controlled, whether on resignation or on reassignment to a different department | To ensure the accounts of all terminated contracts are removed or disabled | Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.
A.9.3 User responsibilities | YES | Users are trained not to share their credentials | To make users accountable for safeguarding their authentication information | Employees and contractors attend the IS awareness training and an induction on how to use the policy.
A.9.3.1 Use of secret authentication information | YES | System users are aware that the credentials for accessing the system are their own responsibility and must be kept secret | To ensure all system users keep their credentials secret | Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.
A.9.4 System and application access control | YES | All systems and applications have proper authentication | To prevent unauthorized access to systems and applications | All employees and contractors use credentials to access systems and applications.
A.9.4.1 Information access restriction | YES | The employees are well trained | Access to information and application system functions is restricted | Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.
A.9.4.2 Secure log-on procedures | YES | All employees are informed that they must secure the accepted or assigned media at all times | To ensure all access is controlled by a secure log-on | Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.
A.9.4.3 Password management system | YES | Passwords are well managed | Users' password settings are proper and manageable | Follow the Password Management Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.
A.9.4.4 Use of privileged utility programs | YES | The use of utility programs that might be capable of overriding system and application controls is restricted and tightly controlled | To ensure authorized user access and to prevent unauthorized access to information systems | Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.
A.9.4.5 Access control to program source code | YES | Source code is protected and access to it is restricted | To ensure all source code is protected | Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.
A.10 Cryptography | YES | SSL implemented on the web application | To protect integrity, confidentiality and authenticity | Follow the Cryptography Policy.
A.10.1 Cryptographic controls | YES | The web application is protected with SSL | To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information | ISMS Team follows the Cryptography Policy.
A.10.1.1 Policy on the use of cryptographic controls | YES | SSL is implemented to encrypt the web application traffic, and two-factor authentication is used for accessing other resources on Ali-Cloud | To ensure all information flows and processes are protected | .id has an active SSL licence, and employees and customers use two-factor authentication; follow the Data Encryption Standard Policy.
A.11.1 Secure areas | YES | The ISMS Team and staff are well trained to protect physical and environmental security | To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities | Follow the Physical Security Policy.
A.11.1.1 Physical security perimeter | YES | .id is hosted on the leased Ali-Cloud Platform; therefore all physical security perimeters are under the cloud provider's control | To ensure security perimeters are defined and used to protect areas that contain either sensitive or critical information and information processing facilities | Follow the Physical Security Policy.
A.11.1.2 Physical entry controls | YES | .id is hosted on the leased Ali-Cloud Platform; therefore all physical security perimeters are under the cloud provider's control | To ensure secure areas are protected by appropriate entry controls so that only authorized personnel are allowed access | Follow the Physical Security Policy.
A.11.1.3 Securing offices, rooms and facilities | YES | Doors are locked, and CCTV covers the entrance, the safe, the finance room and HCD | To ensure all employees have the PIN code to access the office and facilities | Follow the Physical Security Policy.
A.11.1.4 Protecting against external and environmental threats | YES | .id is hosted on the leased Ali-Cloud Platform; therefore all physical security perimeters are under the cloud provider's control | Physical protection against natural disasters, malicious attack or accidents is designed and applied | Follow the Physical Security Policy.
A.11.1.5 Working in secure areas | YES | The company has a standard for securing the working area | To ensure all employees have access to the office and guests are accompanied | Follow the Physical Security Policy.
A.11.1.6 Delivery and loading areas | YES/NO | Management designates the front desk as the room for delivery and loading | To ensure management decisions are fully implemented | The institution is not a service delivery company; therefore this is not relevant.
A.11.2.1 Equipment siting and protection | YES | All employees are aware that accepted media contain sensitive information and have to be protected | To reduce the risk of unauthorized persons accessing sensitive information | Physical Security Policy.
A.11.2.2 Supporting utilities | YES/NO | Data are stored and processed on the Ali-Cloud premises; if the internet connection fails because of a power outage, users can still reconnect to Ali-Cloud via alternative internet sources. The building has its own generator | A failure of the central power supply does not affect the system | May depend on the Cloud Service Provider (CSP).
A.11.2.3 Cabling security | YES/NO | Since the servers are leased on Ali-Cloud premises, the data centre guidance is followed | To ensure power and telecommunications cabling carrying data or supporting information services is protected from interception or damage | May depend on the CSP.
A.11.2.4 Equipment maintenance | YES/NO | Most data and information are on the Ali-Cloud premises in a multi-zone setup; availability and integrity are assured there, and daily backups run continuously | To ensure all office equipment is kept up to date | May depend on the CSP; some internal equipment has maintenance services.
A.11.2.5 Removal of assets | YES | All employees are informed how to handle media; they need approval for relocating any items | To ensure all asset removals are proper | Follow the Physical Security Policy and the Information Asset Management Policy.
A.11.2.6 Security of equipment and assets off-premises | YES | All employees are accountable for any data breach; an employee taking company assets off premises must sign the accountability/responsibility forms | To ensure all employees have a sense of ownership and are accountable | Follow the Physical Security Policy and the Information Asset Management Policy.
A.11.2.7 Secure disposal or reuse of equipment | YES | All sensitive data must be removed before media are released for disposal or reuse | Company data are removed from all assets before their disposal or reuse | Follow the Physical Security Policy and the Information Asset Management Policy.
A.11.2.8 Unattended user equipment | YES | It is the user's responsibility to protect unattended equipment (covered in the information security awareness training) | To ensure all unattended equipment is logged out | Follow the Physical Security Policy and the Information Asset Management Policy.
A.11.2.9 Clear desk and clear screen policy | YES | It is the user's responsibility to protect unattended equipment and to keep a clear desk and clear screen (covered in the information security awareness training) | To adopt clear desk and clear screen practices against unauthorized persons | Follow the Physical Security Policy and the Information Asset Management Policy.
A.12 Operations security | YES | The ISMS team ensures the operational facilities are secure | To ensure all information facilities are secure | Follow the Operation Security Policy.
A.12.1.1 Documented operating procedures | YES | All SOPs, policies and essential documents are available to those who need them | To ensure all interested parties are aware | Follow the Operation Security Policy.
A.12.1.2 Change management | YES | Reviewed and approved Change Management Policy and procedure, Incident Management Framework and BCP | To ensure all changes are proper and do not cause a security breach | Follow the Operation Security Policy.
A.12.1.3 Capacity management | YES | The IT team monitors all activities, including managing the platform capacity | To ensure the capacity of all Ali-Cloud servers is managed, including the load balancer | Follow the Operation Security Policy.
A.12.2 Protection from malware | YES | ISMS team established the malware protection policy | To ensure that information and information processing facilities are protected against malware | Follow the Antivirus and Malware Protection Policy.
A.12.2.1 Controls against malware | YES | All company users have attended the information security awareness training on taking precautions against security threats | To ensure all users are trained and alert at all times | The Ali-Cloud premises are fronted by Cloudflare; company assets are protected by up-to-date antivirus. Follow the Operation Security Policy and the Virus and Malware Protection Management Policy.
A.12.3.1 Information backup | YES | The company performs daily backups and tests recovery periodically | To ensure the backup system is proper; a daily backup | Follow the Data Backup Management Policy and the Backup Testing Report KOM-
A.12.4 Logging and monitoring | YES | The ISMS Team periodically monitors logs and events | To record events and generate evidence | ISMS Team activates ActionTrail on the servers.
A.12.4.1 Event logging | YES | All events are logged, such as backup logs, application backups on Gitlab, and Service Desk event logs | Event logs are sent to the responsible person whenever errors occur | Follow the Operation Security Policy.
A.12.4.2 Protection of log information | YES | All logs are protected from unauthorized users | All logs are protected and available only to those with authorization | Follow the Operation Security Policy.
A.12.4.4 Clock synchronization | YES | All systems have synchronized clocks and log every activity | To ensure data and information are synchronized accordingly | Follow the Operation Security Policy.
A.12.5 Control of operational software | YES | ISMS team established the Operation Security Policy | To ensure the integrity of operational systems | Follow the Operation Security Policy.
A.12.5.1 Installation of software on operational systems | YES | Dedicated Ali-Cloud platforms for the development, testing and production services | To ensure all software is licensed | Follow the Operation Security Policy.
A.12.6.1 Management of technical vulnerabilities | YES | Vulnerability assessments (VA) are performed periodically | To ensure periodic VA | The company plans to train staff to obtain CEH certification, who will then perform the assessment periodically; Operation Security Policy.
A.12.6.2 Restrictions on software installation | YES | Users are not allowed to install software; if they need admin rights for an installation, they must sign a waiver | To ensure staff are not able to install any software | Follow the Operation Security Policy.
A.12.7 Information systems audit considerations | YES | The ISMS Team exercises due diligence on the system environment | To minimise the impact of audit activities on operational systems | Follow the Operation Security Policy.
A.12.7.1 Information systems audit controls | YES | All users' activities are logged, planned and verified | To ensure staff activities are logged | Follow the Operation Security Policy.
A.13 Communications security | YES | ISMS Team established the Communication Security Policy | To ensure all connected devices are protected and information is not breached | Follow the Communication Security Policy.
A.13.1 Network security management | YES | The ISMS team established forms for non-official devices connected to the office network | To ensure the protection of information in networks and its supporting information processing facilities | Follow the Communication Security Policy.
A.13.1.1 Network controls | YES | The company network infrastructure is manageable and updated periodically; the Ali-Cloud platform handles data processing, storage and transmission while the ISP provides connectivity | To ensure that only authorized staff can access the company networks | Follow the Communication Security Policy.
A.13.1.2 Security of network services | YES | The Tech department, administration and customer services have identified all access levels of the services | To ensure that only authorized staff can access the company networks | Follow the Communication Security Policy.
A.13.1.3 Segregation in networks | YES | The company has grouped functions, e.g. guests and BYOD are on the guest network while official devices are on the office network; the website is reached from the public network via whitelisted IPs | To ensure all staff have access to the network resources and that services are separated | Network segregation implemented by business function (BYOD on the guest network, official devices on the office network); Communication Security Policy.
A.13.2 Information transfer | YES | All employees are knowledgeable on how to process, store and transmit data and information | To maintain the security of information transferred within the organization and with any external entity | All employees attend information security awareness courses; follow the Communication Security Policy.
A.13.2.1 Information transfer policies and procedures | YES | All employees are knowledgeable on how to process, store and transmit data and information | To ensure all information transfers are secure | All employees attend information security awareness courses; follow the Communication Security Policy.
A.13.2.2 Agreements on information transfer | YES | The company establishes agreements (NDAs, contracts) with the parties involved | To ensure all contracts include an NDA | Implement NDAs, SLAs and contracts accordingly; follow the Communication Security Policy.
A.13.2.4 Confidentiality or nondisclosure agreements | YES | The ISPs, Ali-Cloud and other third parties have signed with the company | To ensure all contracts include an NDA and SLAs | Implement NDAs, SLAs and contracts accordingly; follow the Communication Security Policy.
A.14 System acquisition, development and maintenance | YES | ISMS Team established the Software Acquisition, Development and Maintenance Policy | To ensure all applications are tested in the development environment before being applied to the production environment | Follow the System Development, Acquisition and Maintenance Policy.
A.14.1 Security requirements of information systems | YES | The ISMS Team ensures that software applications are implemented in accordance with the SDLC | To ensure information security is an integral part of information systems across the entire lifecycle, including the requirements for information systems that provide services over public networks | Follow the System Development, Acquisition and Maintenance Policy.
A.14.1.1 Information security requirements analysis and specification | YES | The company has embedded these in the security system, information asset management, information classification and Gitlab | To ensure all information security requirements are implemented | Management continually reviews findings and verifies that corrective actions have been taken by the ISMS Team.
A.14.1.2 Securing application services on public networks | YES | The company protects the connection to the application on the server from public networks (SSL, Cloudflare) | To ensure the SSL certificate is licensed and kept up to date | Follow the System Development, Acquisition and Maintenance Policy.
A.14.2 Security in development and support processes | YES | The ISMS Team carries out software development according to the SDLC | To ensure that information security is designed and implemented within the development lifecycle of information systems | The ISMS team and IT team monitor the servers from time to time; follow the System Development, Acquisition and Maintenance Security Policy.
A.14.2.1 Secure development policy | YES | The company's servers are dedicated to software updating, and the development procedure is embedded in the security system | To ensure all software is kept up to date | The ISMS team and IT team monitor the servers from time to time; follow the System Development, Acquisition and Maintenance Security Policy.
A.14.2.2 System change control procedures | YES | When any change needs to be evidenced, the ISMS team uses the change management and control procedure as a guide | To ensure all changes have no impact on security | Follow the System Development, Acquisition and Maintenance Security Policy.
A.14.2.3 Technical review of applications after operating platform changes | YES | The new platform is tested | To ensure all changes are tested | Follow the System Development, Acquisition and Maintenance Security Policy.
A.14.2.4 Restrictions on changes to software packages | YES | The Tech team exercises due diligence to secure changes | The IT team and ISMS team monitor | The Gitlab application monitors development performance; the development server is a separate server. Follow the System Development, Acquisition and Maintenance Security Policy.
A.14.2.5 Secure system engineering principles | YES | The company secures all systems and documents them | To ensure all testing procedures are followed | The development server is separate from testing and production; changes are well documented. Follow the System Development, Acquisition and Maintenance Security Policy.
A.14.2.6 Secure development environment | YES | Every change is manageable | To ensure the development server is separate from production | The Gitlab application monitors development performance; the development server is on a separate platform.
Follow the System
Development,
Acquisition, and
Maintenance Security
A.14.2.7 Outsourced development YES/NO Company To Ensure all All applications may
contract outsourcing are developed
developer supervised and internally
binding with monitored
NDA
A.14.2.8 System security testing YES All newly system To ensure all The Gitlab
applications are developing application will
tested properly software are monitor test
including pen- tested properly performance;
test before Follow the System
online/producti Development,
on Acquisition, and
Maintenance
Security
A.14.2.9 System acceptance YES Create a level of To ensure the The Gitlab
testing acceptance testing are application will
during the proper monitor test
testing period; performance;
Follow the System
Development,
Acquisition, and
Maintenance
Security
© ISO27K1-RB
Internal
A.14.3.1 Protection of test data YES Test Data is To ensure the Follow the System
carefully testing data is Development,
selected, separate Acquisition, and
protected, and Maintenance
controlled. "It is Security
embedded in
Security and
Access Control
policy"
A.15 Supplier Relationship YES ISMS Team To ensure ISMS Team and
established organization operation team
Supplier business follow the supplier
relationship information are relationship
Security policy not breach security policy
A.15.1 Information security in YES ISMS Team and To ensure Produced NDA
supplier relationships Operation team protection of the which embedded in
followed the organization’s the contract and
supplier assets that is well-established
relationship accessible by SLA;
security supplier Follow the Supplier
requirement Security
(NDA, contract)
A.15.1.1 The information security YES Its requirements All contracts Produced NDA
policy for supplier for mitigation of with third which embedded in
relationships the risk parties have the contract and
associated with NDAs and SLA well-established
the supplier's SLA;
access to the Follow the Supplier
organization's Security
assets shall be
agreed with the
supplier and
documented.
A.15.1.2 Addressing security YES All relevant To ensure Suppliers signed the
within supplier information supplier are confidential
agreements security agree the terms agreements/Non-
requirements Disclosure
are established Agreements and
and agreed with SLAs;
each supplier Follow the Supplier
that may access, Security
process, store,
communicate,
or provide IT
infrastructure
© ISO27K1-RB
Internal
components for
the
organization's
information.
A.15.1.3 ICT supply chain YES Have To ensure the Have clear SLA and
agreements with availability of signed NDAs;
the Cloud and the systems is Follow the Supplier
internet proper Security
provider
A.15.2 Supplier service delivery YES ISMS Team and To maintain an Follow the Supplier
management Operation team agreed level of services evaluation,
established and information Supplier Security
Agreed SLA, security and
NDA, and service delivery
Agreement in line with
supplier
agreements
A.15.2.1 Monitoring and review of YES The company To ensure Follow the Supplier
supplier services regularly suppliers are services evaluation,
monitors, evaluated Supplier Security
reviews, and periodically
audits supplier
service delivery.
A.15.2.2 Managing changes to YES Changes to the To ensure the Follow the Supplier
supplier services provision of supplier changes Security
services by are not impact
suppliers, to the systems
including
maintaining and
improving
existing
information
security policies,
procedures, and
controls, have
been managed,
taking account
of the criticality
of business
information,
systems, and
processes
involved and re-
assessment risk.
© ISO27K1-RB
Internal
A.16 Information security YES ISMS Team To ensure the Follow the
incident management established consistent of Information Security
information information Incident
security security and Management Policy
incidents effective
management
policy
A.16.1.2 Reporting information YES The incident Every staff need Follow the
security events response is to report Information Security
proper; register security breach Incident
the events and events and Management Policy
report to recorded
appropriate properly
management
channels as
quickly as
possible.
© ISO27K1-RB
Internal
A.16.1.3 Reporting information YES Everyone should Every staff need Follow the
security weaknesses be responsible to report Information Security
for the security; security breach Incident
everyone is events and Management Policy
required to note recorded
and report any properly
observed or
suspected
information
security
weaknesses in
systems or
services.
Immediately
alert the proper
management
channel;
A.16.1.4 Assessment of and YES All events are To ensure every Follow the
decision on information assessed and incident are Information Security
security events decide if they assessed Incident
are to be properly and Management Policy
classified as identified the
information root cause
security
incidents.
A.16.1.5 Response to information YES The response To ensure the Follow the
security incidents has to follow the incident Information
documented response are Security Incident
procedures such followed the Management Policy
as Incident incident
Management, framework
BCP, and Change
Management
A.16.1.6 Learning from YES All relevant All incident and Discipline and
information security produced solution are well committed to
incidents knowledge that recorded for records and
is gained from future lesson protected every
analyzing and learned events and solution
resolving for future
information references;
security Information
incidents are Security Incident
used to reduce Management
the likelihood or Policy, and Security
impact of future Incident Tracking
incidents. Report
© ISO27K1-RB
Internal
Records are in
Service Desk and
Gitlab
application
A.16.1.7 Collection of evidence YES All events are To ensure all All incidents and
documented on events are solutions are well
the Gitlab and collected recorded for future
service desk properly references;
applications; Information
Security Incident
Management
Policy, and Security
Incident Tracking
Report
A.17 Information security YES ISMS team To ensure the Follow the Multi-
aspects of business established BCM continuation of zone Cloud and
continuity management and BCP policies information Cloud flare services
processing contract; follow the
facilities and Business Continuity
information Management
integrities Policy;
Business Continuity
Plan; Server
Capacity
Management
Report; Backup and
Restore Testing
Report
A.17.1 Information security YES ISMS team Information Follow the Multi-
continuity tested the security zone Cloud and
availability of continuity shall Cloud flare services
systems and be embedded in contract; follow the
services the Business Continuity
organization’s Management
business Policy;
continuity Business Continuity
management Plan; Server
systems. Capacity
Management
Report; Backup and
Restore Testing
Report
© ISO27K1-RB
Internal
A.17.1.1 Planning information YES The organization To ensure the Follow the Business
security continuity determined its availability, Continuity
requirements integrity and Management
for information secure Policy;
security and the Business Continuity
continuity of Plan
information
security
management in
adverse
situations. "e.g.
during crisis and
disaster,
incident
management,
DR and BCM
framework"
A.17.1.3 Verify, review and YES The company To ensure BCP is Follow the Multi-
evaluate information tests and verifies tested zone Cloud and
security continuity the established periodically Cloud flare services
BCP for contract; follow the
information Business Continuity
security Management
continually Policy;
controls and Business Continuity
reviews at Plan, Server
regular intervals Capacity
in order to Management
© ISO27K1-RB
Internal
ensure that they Report; Backup and
are valid and Restore Testing
effective during Report
adverse
situations.
"Should create
support
documents/for
ms"
A.17.2 Redundancies YES ISMS Team due To ensure Follow the Multi-
diligent on BCP availability of zone Cloud and
testing and information Cloud flare services
ensure the processing contract; follow the
availability is facilities Business Continuity
high Management
Policy;
Business Continuity
Plan, Server
Capacity
Management
Report; Backup and
Restore Testing
Report
© ISO27K1-RB
Internal
A.18.1 Compliance with legal YES ISMS team To avoid Third parties have
and contractual followed and breaches of contracts,
requirements complied all legal, established SLAs,
regulatory statutory, and binding with
regulatory, or the NDAs;
contractual Follow the
obligations Compliance Policy
related to
information
security and
any security
requirements
A.18.1.1 Identification of YES The company To ensure all Third parties have
applicable legislation and identified all applicable laws contracts,
contractual requirements relevant and established SLAs,
regulations regulations are and binding with
mentioned in being followed the NDAs;
the reference Follow the
document Compliance Policy
A.18.1.2 Intellectual property YES The company To ensure all The copyrights for
rights ensures Intellectual the in a House
compliance with properties software
legislative, licensed application
regulatory, and development, and
contractual company logo are
requirements from HAKI;
related to IP Follow the
rights and the Compliance Policy
use of
proprietary
software
products.
A.18.1.3 Protection of records YES All records are To ensure Follow the
protected from customer data Compliance Policy
the loss, and information
destruction, are protected
falsification,
unauthorized
access and
unauthorized
release, in
accordance with
legislators,
regulatory,
contractual, and
© ISO27K1-RB
Internal
business
requirements.
A.18.1.4 Privacy and protection of YES Ensuring the To ensure Follow the
personally identifiable privacy and customer data Compliance Policy
information protection of and information
personally are protected
identifiable
information as
required in the
relevant
legislation and
regulation.
A.18.2.1 Independent review of YES The company’s To ensure the The Independent
information security approach to independence of parties performed
managing reviewer and the Penetration and
information adjustment of Vulnerability
security and its the findings Assessment; every
implementation six months,
(controls, company will
policies, and review, adjust, and
procedures) managing
"The information
independent security and its
parties implementation
performed Pen- based on available
test, Vulnerable policies and
Assessment, and procedures.
gap analysis, and
management
review"
© ISO27K1-RB
Internal
A.18.2.2 Compliance with security YES The managers To ensure All approval policies
policies and standards regularly information and procedures are
reviewed the security policies well documented,
compliance of and procedures accessible, and
the information are in-line with disseminated to all
processing, the country laws of the staff;
storing, and and regulations Follow the
transmitting, Compliance Policy
and procedures Pol.#: KOM-SMKI-
within their area 01 Section A.18.1
of point 1-3
responsibilities
with the
appropriate
security policies,
standards, and
any other
security
requirements;
Reference list
© ISO27K1-RB
Internal