Statement of Applicability

Tanggal:

ISO 27001:2013 Controls Diterapkan?

Justifikasi Kontrol
( Y/T )
Area Klausul Deskripsi
Management direction for information Objective: To provide management direction and support for information security in
5.1
security accordance with business requirements and relevant laws and regulations
5.1.1 Policies for information security Y Kebijakan SMKI
Review of the policies for information
5.1.2 Y
security
6.1 Internal Organization
Information security roles and
6.1.1 Y
responsibilities
6.1.2 Segregation of duties Y
Organization of 6.1.3 Contact with authorities Y
Information 6.1.4 Contact with special interest groups Y
security Information security in project
6.1.5 Y
management
6.2 Mobile devices and teleworking
6.2.1 Mobile device policy Y
6.2.2 Teleworking Y
7.1 Prior to Employment
7.1.1 Screening Y
7.1.2 Terms and conditions of employment Y
7.2 During Employment
Human 7.2.1 Management Responsibility Y
Resources Information security awareness,
Security 7.2.2 Y
education and training
7.2.3 Disciplinary process Y
7.3 Termination or change of employment
Termination or change of employment
7.3.1 Y
responsibilities
8.1 Responsibility for Assets
8.1.1 Inventory of assets Y
8.1.2 Ownership of Assets Y
8.1.3 Acceptable use of assets Y
8.1.4 Return of assets Y
8.2 Information classification
8.2.1 Classification Guidelines Y
Asset
management 8.2.2 Information Labeling and Handling Y
8.2.3 Handling of assets Y
8.3 Media Handling
8.3.1 Management of removable media Y
8.3.2 Disposal of media Y

8.3.3 Physical media transfer Y

Business Requirement for Access

9.1
Control
9.1.1 Access control Policy Y
 Access to networks and network
9.1.2 Y
services
9.2 User Access Management
9.2.1 User Registration and de-registration Y
9.2.2 User access provisioning Y

9.2.3 Management of privileged access rights Y

Management of secret authentication

9.2.4 Y
Access Control information of users
9.2.5 Review of user access rights Y
9.2.6 Removal or adjustment of access rights Y
9.3 User Responsibilities
9.3.1 Use of secret authentication information Y
9.4 System and application access control
9.4.1 Information access restriction Y
9.4.2 Secure log-on procedures Y
9.4.3 Password Management system Y
9.4.4 Use of privileged utility programs Y
9.4.5 Access control to program source code Y
10.1 Cryptographic controls
Policy on the use of cryptographic
Cryptography 10.1.1 Y
controls
10.1.2 Key management Y
11.1 Secure areas
11.1.1 Physical security Perimeter Y
11.1.2 Physical entry controls Y
11.1.3 Securing offices, rooms and facilities Y
Protecting against external and
11.1.4 Y
environmental threats
11.1.5 Working in secure areas Y
11.1.6 Delivery and loading areas Y
Physical and 11.2 Equipment
Environmental 11.2.1 Equipment sitting and protection Y
Security 11.2.2 Support utilities Y
11.2.3 Cabling security Y
11.2.4 Equipment Maintenance Y
11.2.5 Removal of assets Y
Security equipment and assets off-
11.2.6 Y
premises
11.2.7 Secure disposal or re-use of equipment Y
11.2.8 Unattended user equipment
11.2.9 Clear desk and clear screen policy Y
Operational Procedures and
12.1
responsibilities
12.1.1 Documented operating Procedures Y
12.1.2 Change Management Y
12.1.3 Capacity management Y
Separation of development, testing and
12.1.4 Y
Operations environments
12.2 Protection from malware
12.2.1 Controls against malware Y
12.3 Backup

Operations
Security
 12.3.1 Information backup Y
12.4 Logging and monitoring
Operations
12.4.1 Event logging Y
Security
12.4.2 Protection of log information Y
12.4.3 Administrator and operator logs Y
12.4.4 Clock synchronization Y
12.5 Control of operational software
Installation of software on operational
12.5.1 Y
systems
12.6 Technical vulnerability management
12.6.1 Management of technical vulnerability Y
12.6.2 Restrictions on software installation Y

12.7 Information system audit considerations

12.7.1 Information system audit controls Y

13.1 Network security management
13.1.1 Network controls Y
13.1.2 Security of network services Y
13.1.3 Segregation in network Y
13.2 Information transfer
Communication
Security Information transfer policies and
13.2.1 Y
procedures
13.2.2 Agreements on information transfer Y
13.2.3 Electronic messaging Y
Confidentiality or nondisclosure
13.2.4 Y
agreements
Security requirements of information
14.1
systems
Information security requirements
14.1.1 Y
analysis and specification
Securing application services on public
14.1.2 Y
networks
Protecting application services
14.1.3 T
transactions
Security in Development & Support
14.2
Processes
System 14.2.1 Secure development policy Y
acquisition, 14.2.2 System change control procedures Y
development and
maintenance Technical review of applications after
14.2.3 Y
operating platform changes
Restrictions on changes to software
14.2.4 Y
packages
14.2.5 Secure system engineering principles Y
14.2.6 Secure development environment Y
14.2.7 Outsourced development Y
14.2.8 System security testing Y
14.2.9 System acceptance testing Y
14.3 Test data
14.3.1 Protection of system test data Y
Information security in supplier
15.1
relationships
Information security policy for supplier
15.1.1 Y
relationships
Addressing security within supplier
15.1.2 Y
agreements
Supplier
Relationships
Supplier
Relationships Information and communication
15.1.3 Y
technology supply chain
15.2 Supplier service delivery management
Monitoring and review of supplier
15.2.1 Y
services

15.2.2 Managing changes to supplier services Y

Management of Information Security

16.1
Incidents and Improvements
16.1.1 Responsibilities and Procedures Y
16.1.2 Reporting information security events Y
Reporting information security
16.1.3 Y
Information weaknesses
Security Incident Assessment of and decision on
Management 16.1.4 Y
information security events
Response to information security
16.1.5 Y
incidents
Learning from information security
16.1.6 Y
incidents
16.1.7 Collection of evidence Y
17.1 Information security continuity
17.1.1 Planning information security continuity Y
Information Implementing information security
17.1.2 Y
security aspects continuity
of business Verify, review and evaluate information
continuity 17.1.3 Y
security continuity
management 17.2 Redundancies
Availability of information processing
17.2.1 Y
facilities
Compliance with Legal and Contractual
18.1
Requirements
Identification of applicable legislation
18.1.1 Y
and contractual requirements
18.1.2 Intellectual Property Rights (IPR) Y
18.1.3 Protection of records Y
Privacy and protection of personally
18.1.4 Y
Compliance identifiable information
18.1.5 Regulation of cryptographic controls T
18.2 Information security reviews
Independent review of information
18.2.1 Y
security
Compliance with security policies and
18.2.2 Y
standards
18.2.3 Technical compliance review Y