Databricks Iso 27001 27017 27018 Statement of Applicability

Databricks ISO 27001 / 27018 / 27017 Statement of Applicability.
ISMS
Last updated: 6/23/2021 version 5
Company Confidential. If printed, this is not the authoritative version.
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
Section Section Title Section Objective Included Implemented Included Implemented Included Implemented Justification for inclusion
A.5 Information Security Policies or exclusion
A.5.1 Management Objective: To provide management direction and

direction for support for information security in accordance with
information security business requirements and relevant laws and
regulations.
A.5.1.1 The policies for A set of policies for information security shall be yes yes yes yes yes yes legal
information security defined, approved by management, published and risk assessment
communicated to employees and relevant external business requirement
parties. best practice
A.5.1.2 Review of the The policies for information security shall be yes yes yes yes yes yes legal
policies for reviewed at planned intervals or if significant risk assessment
information security changes occur to ensure their continuing business requirement
suitability, adequacy and effectiveness. best practice
A.6 Organization of information security
A.6.1 Internal Objective: To establish a management framework

organization to initiate and control the implementation and
operation of information security within the
organization.
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.6.1.1 Information Security All information security responsibilities shall be yes yes yes yes yes yes or exclusion
best practice
Roles and defined and allocated. risk assessment
Responsibilities
A.6.1.2 Segregation of Conflicting duties and areas of responsibility shall yes yes yes yes yes yes best practice
duties be segregated to reduce opportunities for risk assessment
unauthorized or unintentional modification or
misuse of the organization’s assets.
A.6.1.3 Contact with Appropriate contacts with relevant authorities shall yes yes yes yes yes yes best practice
authorities be maintained. risk assessment
A.6.1.4 Contact with special Appropriate contacts with special interest groups yes yes yes yes yes yes best practice
interest groups or other specialist security forums and professional risk assessment
associations shall be maintained.
A.6.1.5 Information security Information security shall be addressed in project yes yes yes yes yes yes best practice
in project management, regardless of the type of the project. risk assessment
management
A.6.2 Mobile devices and Objective: To ensure the security of teleworking

teleworking and use of mobile devices.
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.6.2.1 Mobile device policy A policy and supporting security measures shall be yes yes yes yes yes yes or exclusion
best practice
adopted to manage the risks introduced by using risk assessment
mobile devices.
A.6.2.2 Teleworking A policy and supporting security measures shall be yes yes yes yes yes yes best practice
implemented to protect information accessed, business requirement
processed or stored at teleworking sites. risk assessment
A.7 Human resource

security
A.7.1 Prior to Objective: To ensure that employees and

employment contractors understand their responsibilities and
are suitable for the roles for which they are
considered.
A.7.1.1 Screening Background verification checks on all candidates yes yes yes yes yes yes legal
for employment shall be carried out in accordance risk assessment
with relevant laws, regulations and ethics and shall business requirement
be proportional to the business requirements, the best practice
classification of the information to be accessed and
the perceived risks.
A.7.1.2 Terms and The contractual agreements with employees and yes yes yes yes yes yes legal
conditions of contractors shall state their and the organization’s business requirement
employment responsibilities for information security. best practice
risk assessment
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.7.2 During employment Objective: To ensure that employees and or exclusion
contractors are aware of and fulfil their
information security responsibilities.
A.7.2.1 Management Management shall require all employees and yes yes yes yes yes yes best practice
responsibilities contractors to apply information security in risk assessment
accordance with the established policies and
procedures of the organization.
A.7.2.2 Information security All employees of the organization and, where yes yes yes yes yes yes legal
awareness, relevant, contractors shall receive appropriate risk assessment
education and awareness education and training and regular best practice
training updates in organizational policies and procedures, risk assessment
as relevant for their job function.
A.7.2.3 Disciplinary process There shall be a formal and communicated yes yes yes yes yes yes legal
disciplinary process in place to take action against best practice
employees who have committed an information risk assessment
security breach.
A.7.3 Termination and Objective: To protect the organization’s interests

change of as part of the process of changing or terminating
employment employment.
A.7.3.1 Termination or Information security responsibilities and duties yes yes yes yes yes yes legal
change of that remain valid after termination or change of risk assessment
employment employment shall be defined, communicated to best practice
responsibilities the employee or contractor and enforced.
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.8 Asset management or exclusion
A.8.1 Responsibility for Objective: To identify organizational assets and

assets define appropriate protection responsibilities.
A.8.1.1 Inventory of assets Assets associated with information and yes yes yes yes yes yes business requirement
information processing facilities shall be identified best practice
and an inventory of these assets shall be drawn up risk assessment
and maintained.
A.8.1.2 Ownership of assets Assets maintained in the inventory shall be owned. yes yes yes yes yes yes business requirement
best practice
risk assessment
A.8.1.3 Acceptable use of Rules for the acceptable use of information and of yes yes yes yes yes yes business requirement
assets assets associated with information and information best practice
processing facilities shall be identified, risk assessment
documented and implemented.
A.8.1.4 Return of assets All employees and external party users shall return yes yes yes yes yes yes business requirement
all of the organizational assets in their possession best practice
upon termination of their employment, contract or risk assessment
agreement.
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.8.2 Information Objective: To ensure that information receives an or exclusion
classification appropriate level of protection in accordance with
its importance to the organization.
A.8.2.1 Classification of Information shall be classified in terms of legal yes yes yes yes yes yes business requirement
information requirements, value, criticality and sensitivity to best practice
unauthorised disclosure or modification. risk assessment
A.8.2.2 Labelling of An appropriate set of procedures for information yes yes yes yes yes yes business requirement
information labelling shall be developed and implemented in best practice
accordance with the information classification risk assessment
scheme adopted by the organization.
A.8.2.3 Handling of assets Procedures for handling assets shall be developed yes yes yes yes yes yes business requirement
and implemented in accordance with the best practice
information classification scheme adopted by the risk assessment
organization.
A.8.3 Media handling Objective: To prevent unauthorized disclosure,

modification, removal or destruction of
information stored on media.
A.8.3.1 Management of Procedures shall be implemented for the yes yes yes yes yes yes business requirement
removable media management of removable media in accordance best practice
with the classification scheme adopted by the risk assessment
organization.
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.8.3.2 Disposal of media Media shall be disposed of securely when no yes yes yes yes yes yes or exclusion
legal
longer required, using formal procedures. risk assessment
best practice
business requirement
A.8.3.3 Physical media Media containing information shall be protected yes yes yes yes yes yes risk assessment
transfer against unauthorized access, misuse or corruption best practice
during transportation. business requirement
A.9 Access control
A.9.1 Business Objective: To limit access to information and

requirements of information processing facilities.
access control
A.9.1.1 Access control An access control policy shall be established, yes yes yes yes yes yes legal
policy documented and reviewed based on business and risk assessment
information security requirements. best practice
A.9.1.2 Access to networks Users shall only be provided with access to the yes yes yes yes yes yes legal
and network network and network services that they have been risk assessment
services specifically authorized to use. best practice
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.9.2 User access or exclusion
management
Objective: To ensure
authorized user
access and to
prevent
unauthorized access
to systems and
services.
A.9.2.1 User registration A formal user registration and de-registration yes yes yes yes yes yes risk assessment
and de-registration process shall be implemented to enable best practice
assignment of access rights. business requirement
A.9.2.2 User access A formal user access provisioning process shall be yes yes yes yes yes yes best practice
provisioning implemented to assign or revoke access rights for business requirement
all user types to all systems and services. risk assessment
A.9.2.3 Management of The allocation and use of privileged access rights yes yes yes yes yes yes legal
privileged access shall be restricted and controlled. risk assessment
rights best practice
A.9.2.4 Management of The allocation of secret authentication information yes yes yes yes yes yes risk assessment
secret shall be controlled through a formal management best practice
authentication process. business requirement
information of users
A.9.2.5 Review of user Asset owners shall review users’ access rights at yes yes yes yes yes yes risk assessment
access rights regular intervals. best practice
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.9.2.6 Removal or The access rights of all employees and external yes yes yes yes yes yes or exclusion
risk assessment
adjustment of party users to information and information legal
access rights processing facilities shall be removed upon best practice
termination of their employment, contract or business requirement
agreement, or adjusted upon change.
A.9.3 User responsibilities Objective: To make users accountable for

safeguarding their authentication information.
A.9.3.1 Use of secret Users shall be required to follow the organization’s yes yes yes yes yes yes risk assessment
authentication practices in the use of secret authentication best practice
information information. business requirement
A.9.4 System and Objective: To prevent unauthorized access to

application access systems and applications.
control
A.9.4.1 Information access Access to information and application system yes yes yes yes yes yes risk assessment
restriction functions shall be restricted in accordance with the best practice
access control policy. business requirement
A.9.4.2 Secure log-on Where required by the access control policy, access yes yes yes yes yes yes best practice
procedures to systems and applications shall be controlled by a business requirement
secure log-on procedure. risk assessment
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.9.4.3 Password Password management systems shall be interactive yes yes yes yes yes yes or exclusion
risk assessment
management and shall ensure quality passwords. best practice
system business requirement
A.9.4.4 Use of privileged The use of utility programs that might be capable yes yes yes yes yes yes best practice
utility programs of overriding system and application controls shall business requirement
be restricted and tightly controlled. risk assessment
A.9.4.5 Access control to Access to program source code shall be restricted. yes yes yes yes yes yes best practice
program source business requirement
code risk assessment
A.10 Cryptography
A.10.1 Cryptographic Objective: To ensure proper and effective use of

controls cryptography to protect the confidentiality,
authenticity and/or integrity of information.
A.10.1.1 Policy on the use of A policy on the use of cryptographic controls for yes yes yes yes yes yes best practice
cryptographic protection of information shall be developed and business requirement
controls implemented. risk assessment
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.10.1.2 Key management A policy on the use, protection and lifetime of yes yes yes yes yes yes or exclusion
best practice
cryptographic keys shall be developed and business requirement
implemented through their whole lifecycle. risk assessment
A.11 Physical and

environmental
security
A.11.1 Secure areas Objective: To prevent unauthorized physical

access, damage and interference to the
organization’s information and information
processing facilities.
A.11.1.1 Physical security Security perimeters shall be defined and used to yes yes yes yes yes yes risk assessment
perimeter protect areas that contain either sensitive or best practice
critical information and information processing business requirement
facilities.
A.11.1.2 Physical entry Secure areas shall be protected by appropriate yes yes yes yes yes yes risk assessment
controls entry controls to ensure that only authorized best practice
personnel are allowed access. business requirement
A.11.1.3 Securing offices, Physical security for offices, rooms and facilities yes yes yes yes yes yes risk assessment
rooms and facilities shall be designed and applied. best practice
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.11.1.4 Protecting against Physical protection against natural disasters, yes yes yes yes yes yes or exclusion
risk assessment
external and malicious attack or accidents shall be designed and best practice
environmental applied. business requirement
threats
A.11.1.5 Working in secure Procedures for working in secure areas shall be yes yes yes yes yes yes risk assessment
areas designed and applied. best practice
A.11.1.6 Delivery and loading Access points such as delivery and loading areas yes yes yes yes yes yes best practice
areas and other points where unauthorized persons business requirement
could enter the premises shall be controlled and, if risk assessment
possible, isolated from information processing
facilities to avoid unauthorized access.
A.11.2 Equipment To prevent loss, damage, theft or compromise of

assets and interruption to the organization’s
operations.
A.11.2.1 Equipment siting Equipment shall be sited and protected to reduce yes yes yes yes yes yes best practice
and protection the risks from environmental threats and hazards, business requirement
and opportunities for unauthorized access. risk assessment
A.11.2.2 Supporting utilities Equipment shall be protected from power failures yes yes yes yes yes yes best practice
and other disruptions caused by failures in risk assessment
supporting utilities.
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.11.2.3 Cabling security Power and telecommunications cabling carrying yes yes yes yes yes yes or exclusion
best practice
data or supporting information services shall be risk assessment
protected from interception, interference or
damage.
A.11.2.4 Equipment Equipment shall be correctly maintained to ensure yes yes yes yes yes yes best practice
maintenance its continued availability and integrity. business requirement
risk assessment
A.11.2.5 Removal of assets Equipment, information or software shall not be yes yes yes yes yes yes best practice
taken off-site without prior authorization. risk assessment
A.11.2.6 Security of Security shall be applied to off-site assets taking yes yes yes yes yes yes risk assessment
equipment and into account the different risks of working outside best practice
assets off-premises the organization’s premises. business requirement
A.11.2.7 Secure disposal or All items of equipment containing storage media yes yes yes yes yes yes risk assessment
reuse of equipment shall be verified to ensure that any sensitive data best practice
and licensed software has been removed or
securely overwritten prior to disposal or re-use.
A.11.2.8 Unattended user Users shall ensure that unattended equipment has yes yes yes yes yes yes risk assessment
equipment appropriate protection. best practice
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.11.2.9 Clear desk and clear A clear desk policy for papers and removable yes yes yes yes yes yes or exclusion
risk assessment
screen policy storage media and a clear screen policy for best practice
information processing facilities shall be adopted. business requirement
A.12 Operations security
A.12.1 Operational Objective: To ensure correct and secure operations

procedures and of information processing facilities.
responsibilities
A.12.1.1 Documented Operating procedures shall be documented and yes yes yes yes yes yes best practice
operating made available to all users who need them. business requirement
procedures risk assessment
A.12.1.2 Change Changes to the organization, business processes, yes yes yes yes yes yes risk assessment
management information processing facilities and systems that best practice
affect information security shall be controlled. business requirement
A.12.1.3 Capacity The use of resources shall be monitored, tuned and yes yes yes yes yes yes best practice
management projections made of future capacity requirements business requirement
to ensure the required system performance. risk assessment
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.12.1.4 Separation of Development, testing, and operational yes yes yes yes yes yes or exclusion
best practice
development, environments shall be separated to reduce the business requirement
testing and risks of unauthorized access or changes to the risk assessment
operational operational environment.
environments
A.12.2 Protection from Objective: To ensure that information and

malware information processing facilities are protected
against malware.
A.12.2.1 Controls against Detection, prevention and recovery controls to yes yes yes yes yes yes risk assessment
malware protect against malware shall be implemented, best practice
combined with appropriate user awareness. business requirement
A.12.3 Backup Objective: To protect against loss of data.
A.12.3.1 Information backup Backup copies of information, software and system yes yes yes yes yes yes risk assessment
images shall be taken and tested regularly in best practice
accordance with an agreed backup policy. business requirement
A.12.4 Logging and Objective: To record events and generate evidence.

monitoring
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.12.4.1 Event logging Event logs recording user activities, exceptions, yes yes yes yes yes yes or exclusion
risk assessment
faults and information security events shall be best practice
produced, kept and regularly reviewed. business requirement
A.12.4.2 Protection of log Logging facilities and log information shall be yes yes yes yes yes yes best practice
information protected against tampering and unauthorized risk assessment
access.
A.12.4.3 Administrator and System administrator and system operator yes yes yes yes yes yes best practice
operator logs activities shall be logged and the logs protected business requirement
and regularly reviewed. risk assessment
A.12.4.4 Clock The clocks of all relevant information processing yes yes yes yes yes yes best practice
synchronisation systems within an organization or security domain risk assessment
shall be synchronised to a single reference time
source.
A.12.5 Control of Objective: To ensure the integrity of operational

operational systems.
software
A.12.5.1 Installation of Procedures shall be implemented to control the yes yes yes yes yes yes risk assessment
software on installation of software on operational systems. best practice
operational systems business requirement
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.12.6 Technical Objective: To prevent exploitation of technical or exclusion
vulnerability vulnerabilities.
management
A.12.6.1 Management of Information about technical vulnerabilities of yes yes yes yes yes yes legal
technical information systems being used shall be obtained risk assessment
vulnerabilities in a timely fashion, the organization’s exposure to best practice
such vulnerabilities evaluated and appropriate business requirement
measures taken to address the associated risk.
A.12.6.2 Restrictions on Rules governing the installation of software by yes yes yes yes yes yes risk assessment
software installation users shall be established and implemented. best practice
A.12.7 Information systems Objective: To minimise the impact of audit

audit considerations activities on operational systems.
A.12.7.1 Information systems Audit requirements and activities involving yes yes yes yes yes yes risk assessment
audit controls verification of operational systems shall be best practice
carefully planned and agreed to minimise business requirement
disruptions to business processes.
A.13 Communications
security
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.13.1 Network security Objective: To ensure the protection of information or exclusion
management in networks and its supporting information
A.13.1.1 Network controls Networks shall be managed and controlled to yes yes yes yes yes yes risk assessment
protect information in systems and applications. best practice
A.13.1.2 Security of network Security mechanisms, service levels and yes yes yes yes yes yes best practice
services management requirements of all network services risk assessment
shall be identified and included in network services
agreements, whether these services are provided
in-house or outsourced.
A.13.1.3 Segregation in Groups of information services, users and yes yes yes yes yes yes risk assessment
networks information systems shall be segregated on best practice
networks. business requirement
A.13.2 Information transfer Objective: To maintain the security of information

transferred within an organization and with any
external entity.
A.13.2.1 Information transfer Formal transfer policies, procedures and controls yes yes yes yes yes yes legal
policies and shall be in place to protect the transfer of risk assessment
procedures information through the use of all types of best practice
communication facilities.
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.13.2.2 Agreements on Agreements shall address the secure transfer of yes yes yes yes yes yes or exclusion
legal
information transfer business information between the organization best practice
and external parties. risk assessment
A.13.2.3 Electronic Information involved in electronic messaging shall yes yes yes yes yes yes best practice
messaging be appropriately protected. risk assessment
A.13.2.4 Confidentiality or Requirements for confidentiality or non-disclosure yes yes yes yes yes yes legal
nondisclosure agreements reflecting the organization’s needs for best practice
agreements the protection of information shall be identified, risk assessment
regularly reviewed and documented.
A.14 System acquisition,

development and
maintenance
A.14.1 Security Objective: To ensure that information security is an

requirements of integral part of information systems across the
information systems entire lifecycle. This also includes the requirements
for information systems which provide services
over public networks.
A.14.1.1 Information security The information security related requirements shall yes yes yes yes yes yes best practice
requirements be included in the requirements for new risk assessment
analysis and information systems or enhancements to existing
specification information systems.
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.14.1.2 Securing application Information involved in application services passing yes yes yes yes yes yes or exclusion
risk assessment
services on public over public networks shall be protected from best practice
networks fraudulent activity, contract dispute and business requirement
unauthorized disclosure and modification.
A.14.1.3 Protecting Information involved in application service yes yes yes yes yes yes best practice
application services transactions shall be protected to prevent business requirement
transactions incomplete transmission, mis-routing, risk assessment
unauthorized message alteration, unauthorized
disclosure, unauthorized message duplication or
replay.
A.14.2 Security in Objective: To ensure that information security is

development and designed and implemented within the
support processes development lifecycle of information systems.
A.14.2.1 Secure Rules for the development of software and systems yes yes yes yes yes yes best practice
development policy shall be established and applied to developments business requirement
within the organization. risk assessment
A.14.2.2 System change Changes to systems within the development yes yes yes yes yes yes best practice
control procedures lifecycle shall be controlled by the use of formal business requirement
change control procedures. risk assessment
A.14.2.3 Technical review of When operating platforms are changed, business yes yes yes yes yes yes best practice
applications after critical applications shall be reviewed and tested to business requirement
operating platform ensure there is no adverse impact on risk assessment
changes organizational operations or security.
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.14.2.4 Restrictions on Modifications to software packages shall be yes yes yes yes yes yes or exclusion
best practice
changes to software discouraged, limited to necessary changes and all risk assessment
packages changes shall be strictly controlled.
A.14.2.5 Secure system Principles for engineering secure systems shall be yes yes yes yes yes yes best practice
engineering established, documented, maintained and applied risk assessment
principles to any information system implementation efforts.
A.14.2.6 Secure Organizations shall establish and appropriately yes yes yes yes yes yes best practice
development protect secure development environments for risk assessment
environment system development and integration efforts that
cover the entire system development lifecycle.
A.14.2.7 Outsourced The organization shall supervise and monitor the no n/a n/a n/a n/a n/a system or software
development activity of outsourced system development. development is not
outsourced
risk assessment
A.14.2.8 System security Testing of security functionality shall be carried out yes yes yes yes yes yes best practice
testing during development. risk assessment
A.14.2.9 System acceptance Acceptance testing programs and related criteria yes yes yes yes yes yes best practice
testing shall be established for new information systems, risk assessment
upgrades and new versions.
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.14.3 Test data Objective: To ensure the protection of data used or exclusion
for testing.
A.14.3.1 Protection of test Test data shall be selected carefully, protected and yes yes yes yes yes yes best practice
data controlled. risk assessment
A.15 Supplier
relationships
A.15.1 Information security To ensure protection of the organization’s assets

in supplier that is accessible by suppliers.
relationships
A.15.1.1 Information security Information security requirements for mitigating yes yes yes yes yes yes best practice
policy for supplier the risks associated with supplier’s access to the risk assessment
relationships organization’s assets shall be agreed with the
supplier and documented.
A.15.1.2 Addressing security All relevant information security requirements shall yes yes yes yes yes yes legal
within supplier be established and agreed with each supplier that best practice
agreements may access, process, store, communicate, or business requirement
provide IT infrastructure components for, the risk assessment
organization’s information.
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.15.1.3 Information and Agreements with suppliers shall include yes yes yes yes yes yes or exclusion
best practice
communication requirements to address the information security risk assessment
technology supply risks associated with information and
chain communications technology services and product
supply chain.
A.15.2 Supplier service Objective: To maintain an agreed level of

delivery information security and service delivery in line
management with supplier agreements.
A.15.2.1 Monitoring and Organizations shall regularly monitor, review and yes yes yes yes yes yes best practice
review of supplier audit supplier service delivery. risk assessment
services
A.15.2.2 Managing changes Changes to the provision of services by suppliers, yes yes yes yes yes yes best practice
to supplier services including maintaining and improving existing risk assessment
information security policies, procedures and
controls, shall be managed, taking account of the
criticality of business information, systems and
processes involved and re-assessment of risks.
A.16 Information
security incident
management
A.16.1 Management of Objective: To ensure a consistent and effective

information security approach to the management of information
incidents and security incidents, including communication on
improvements security events and weaknesses.
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.16.1.1 Responsibilities and Management responsibilities and procedures shall yes yes yes yes yes yes or exclusion
best practice
procedures be established to ensure a quick, effective and business requirement
orderly response to information security incidents. risk assessment
A.16.1.2 Reporting Information security events shall be reported yes yes yes yes yes yes legal
information security through appropriate management channels as risk assessment
events quickly as possible. best practice
A.16.1.3 Reporting Employees and contractors using the organization’s yes yes yes yes yes yes legal
information security information systems and services shall be required risk assessment
weaknesses to note and report any observed or suspected best practice
information security weaknesses in systems or
services.
A.16.1.4 Assessment of and Information security events shall be assessed and it yes yes yes yes yes yes best practice
decision on shall be decided if they are to be classified as business requirement
information security information security incidents. risk assessment
events
A.16.1.5 Response to Information security incidents shall be responded yes yes yes yes yes yes best practice
information security to in accordance with the documented procedures. business requirement
incidents risk assessment
A.16.1.6 Learning from Knowledge gained from analysing and resolving yes yes yes yes yes yes best practice
information security information security incidents shall be used to business requirement
incidents reduce the likelihood or impact of future incidents. risk assessment
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.16.1.7 Collection of The organization shall define and apply procedures yes yes yes yes yes yes or exclusion
best practice
evidence for the identification, collection, acquisition and business requirement
preservation of information, which can serve as risk assessment
evidence.
A.17 Information
security aspects of
business continuity
management
A.17.1 Information security Objective: Information security continuity shall be

continuity embedded in the organization’s business continuity
management systems.
A.17.1.1 Planning The organization shall determine its requirements yes yes yes yes yes yes legal
information security for information security and the continuity of risk assessment
continuity information security management in adverse best practice
situations, e.g. during a crisis or disaster. business requirement
A.17.1.2 Implementing The organization shall establish, document, yes yes yes yes yes yes legal
information security implement and maintain processes, procedures risk assessment
continuity and controls to ensure the required level of best practice
continuity for information security during an business requirement
adverse situation.
A.17.1.3 Verify, review and The organization shall verify the established and yes yes yes yes yes yes legal
evaluate implemented information security continuity risk assessment
information security controls at regular intervals in order to ensure that best practice
continuity they are valid and effective during adverse business requirement
situations.
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.17.2 Redundancies Objective: To ensure availability of information or exclusion
A.17.2.1 Availability of Information processing facilities shall be yes yes yes yes yes yes risk assessment
information implemented with redundancy sufficient to meet best practice
processing facilities availability requirements. business requirement
A.18 Compliance
A.18.1 Compliance with Objective: To avoid breaches of legal, statutory,

legal and regulatory or contractual obligations related to
contractual information security and of any security
requirements requirements.
A.18.1.1 Identification of All relevant legislative statutory, regulatory, yes yes yes yes yes yes legal
applicable contractual requirements and the organization’s best practice
legislation and approach to meet these requirements shall be risk assessment
contractual explicitly identified, documented and kept up to
requirements date for each information system and the
organization.
A.18.1.2 Intellectual property Appropriate procedures shall be implemented to yes yes yes yes yes yes legal
rights ensure compliance with legislative, regulatory and best practice
contractual requirements related to intellectual risk assessment
property rights and use of proprietary software
products.
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.18.1.3 Protection of Records shall be protected from loss, destruction, yes yes yes yes yes yes or exclusion
legal
records falsification, unauthorized access and unauthorized best practice
release, in accordance with legislatory, regulatory, risk assessment
contractual and business requirements.
A.18.1.4 Privacy and Privacy and protection of personally identifiable yes yes yes yes yes yes legal
protection of information shall be ensured as required in best practice
personally relevant legislation and regulation where business requirement
identifiable applicable. risk assessment
information
A.18.1.5 Regulation of Cryptographic controls shall be used in compliance yes yes yes yes yes yes legal
cryptographic with all relevant agreements, legislation and risk assessment
controls regulations. best practice
A.18.2 Information security Objective: To ensure that information security is

reviews implemented and operated in accordance with the
organizational policies and procedures.
A.18.2.1 Independent review The organization’s approach to managing yes yes yes yes yes yes best practice
of information information security and its implementation (i.e. business requirement
security control objectives, controls, policies, processes and risk assessment
procedures for information security) shall be
reviewed independently at planned intervals or
when significant changes occur.
A.18.2.2 Compliance with Managers shall regularly review the compliance of yes yes yes yes yes yes best practice
security policies and information processing and procedures within their risk assessment
standards area of responsibility with the appropriate security
policies, standards and any other security
requirements.
ISMS
ISO 27001:2013 ISO 27018:2019 ISO 27017: 2015
A.18.2.3 Technical Information systems shall be regularly reviewed for yes yes yes yes yes yes or exclusion
best practice
compliance review compliance with the organization’s information risk assessment
security policies and standards.
Databricks ISO 27018 Appendix A Statement of Applicability. Public cloud PII processor
extended control set for PII protection.
ISMS
ISO 27018:2019 Appendix A
Section Section Title Section Objective Included Implemented Justification for inclusion
A.2 Consent and Choice or exclusion
A.2.1 Obligation to co- The public cloud PII processor should provide the Yes Yes Public cloud PII
operate regarding cloud service customer with the means to enable processor extended
PII principals’ rights them to fulfil their obligation to facilitate the control set for PII
exercise of PII principals’ rights to access, correct protection
and/or erase PII pertaining to them.
A.3 Purpose Legitimacy

and Specification
A.3.1 Public cloud PII PII to be processed under a contract should not be Yes Yes Public cloud PII
processor’s purpose processed for any purpose independent of the processor extended
instructions of the cloud service customer. control set for PII
protection
A.3.2 Public cloud PII PII processed under a contract should not be used Yes Yes Public cloud PII
processor’s by the public cloud PII processor for the purposes processor extended
commercial use of marketing and advertising without express control set for PII
consent. Such consent should not be a condition of protection
receiving the service.
A.5 Data Minimization

A.5.1 Secure erasure of Temporary files and documents should be erased Yes Yes Public cloud PII
temporary files or destroyed within a specified, documented processor extended
period. control set for PII
protection
A.6 Use, Retention and
Disclosure
Limitation
ISMS
A.6.1 PII Disclosure The contract between the public cloud PII Yes Yes or exclusion
Public cloud PII
Notification processor and the cloud service customer should processor extended
require the public cloud PII processor to notify the control set for PII
cloud service customer, in accordance with any protection
procedure and time periods agreed in the contract,
of any legally binding request for disclosure of PII
by a law enforcement authority, unless such a
disclosure is otherwise prohibited.
A.6.2 Recording of PII Disclosures of PII to third parties should be Yes Yes Public cloud PII
disclosures recorded, including what PII has been disclosed, to processor extended
whom and at what time. control set for PII
protection
A.8 Openness,
Transparency and
Notice
A.8.1 Disclosure of sub- The use of sub-contractors by the public cloud PII Yes Yes Public cloud PII
contracted PII processor to process PII should be disclosed to the processor extended
processing relevant cloud service customers before their use. control set for PII
protection
A.10 Accountability
A.10.1 Notification of a The public cloud PII processor should promptly Yes Yes Public cloud PII
data breach notify the relevant cloud service customer in the processor extended
involving PII event of any unauthorized access to PII or control set for PII
unauthorized access to processing equipment or protection
facilities resulting in loss, disclosure or alteration of
PII.
A.10.2 Retention period for Copies of security policies and operating Yes Yes Public cloud PII
administrative procedures should be retained for a specified, processor extended
security policies and documented period upon replacement (including control set for PII
guidelines updating). protection
ISMS
A.10.3 PII return, transfer The public cloud PII processor should have a policy Yes Yes or exclusion
Public cloud PII
and disposal in respect of the return, transfer and/or disposal of processor extended
PII and should make this policy available to the control set for PII
cloud service customer. protection
A.11 Information
Security
A.11.1 Confidentiality or Individuals under the public cloud PII processor’s Yes Yes Public cloud PII
non-disclosure control with access to PII should be subject to a processor extended
agreements confidentiality obligation. control set for PII
protection
A.11.2 Restriction of the The creation of hardcopy material displaying PII Yes Yes Public cloud PII
creation of should be restricted. processor extended
hardcopy material control set for PII
protection
A.11.3 Control and logging There should be a procedure for, and a log of, data Yes Yes Public cloud PII
of data restoration restoration efforts. processor extended
control set for PII
protection
A.11.4 Protecting data on PII on media leaving the organization’s premises Yes Yes Public cloud PII
storage media should be subject to an authorization procedure processor extended
leaving the premises and should not be accessible to anyone other than control set for PII
authorized personnel (e.g. by encrypting the data protection
concerned).
A.11.5 Use of unencrypted Portable physical media and portable devices that Yes Yes Public cloud PII
portable storage do not permit encryption should not be used processor extended
media and devices except where it is unavoidable, and any use of such control set for PII
portable media and devices should be protection
documented.
ISMS
A.11.6 Encryption of PII PII that is transmitted over public data- Yes Yes or exclusion
Public cloud PII
transmitted over transmission networks should be encrypted prior processor extended
public data- to transmission. control set for PII
transmission protection
networks
A.11.7 Secure disposal of Where hardcopy materials are destroyed, they Yes Yes Public cloud PII
hardcopy materials should be destroyed securely using mechanisms processor extended
such as cross-cutting, shredding, incinerating, control set for PII
pulping, etc. protection
A.11.8 Unique use of user If more than one individual has access to stored PII, Yes Yes Public cloud PII
IDs then they should each have a distinct user ID for processor extended
identification, authentication and authorization control set for PII
purposes. protection
A.11.9 Records of An up-to-date record of the users or profiles of Yes Yes Public cloud PII
authorized users users who have authorized access to the processor extended
information system should be maintained. control set for PII
protection
A.11.10 User ID De-activated or expired user IDs should not be Yes Yes Public cloud PII
management granted to other individuals. processor extended
control set for PII
protection
A.11.11 Contract measures Contracts between the cloud service customer and Yes Yes Public cloud PII
the public cloud PII processor should specify processor extended
minimum technical and organizational measures to control set for PII
ensure that the contracted security arrangements protection
are in place and that data are not processed for
any purpose independent of the instructions of the
controller. Such measures should not be subject to
unilateral reduction by the public cloud PII
processor.
ISMS
A.11.12 Sub-contracted PII Contracts between the public cloud PII processor Yes Yes or exclusion
Public cloud PII
processing and any sub-contractors that process PII should processor extended
specify minimum technical and organizational control set for PII
measures that meet the information security and protection
PII protection obligations of the public cloud PII
processor. Such measures should not be subject to
unilateral reduction by the sub-contractor.
A.11.13 Access to data on The public cloud PII processor should ensure that Yes Yes Public cloud PII
pre-used data whenever data storage space is assigned to a cloud processor extended
storage space service customer, any data previously residing on control set for PII
that storage space is not visible to that cloud protection
service customer.
A.12 Privacy Compliance

A.12.1 Geographical The public cloud PII processor should specify and Yes Yes Public cloud PII
location of PII document the countries in which PII might possibly processor extended
be stored. control set for PII
protection
A.12.2 Intended PII transmitted using a data-transmission network Yes Yes Public cloud PII
destination of PII should be subject to appropriate controls designed processor extended
to ensure that data reaches its intended control set for PII
destination. protection
Databricks ISO 27017 Appendix B Statement of Applicability. Cloud service providers and customers
extended control set for provision and user of cloud services.
ISMS
ISO 27017 : 2015 Appendix B
Section Section Title Section Objective Included Implemented Justification for
inclusion or
exclusion
CLD.6.3 Relationship between cloud To ensure that the information security is
service customer and cloud implemented and operated in accordance with the
service provider organizational security policies and standards.
CLD.6.3.1 Shared roles and Responsibilities for shared information security roles Yes Yes Cloud service
responsibilities within a cloud in the use of the cloud service should be allocated to providers and
computing environment identified customers
extended control
set for provision
and user of cloud
services
CLD.8.1 Responsibility for assets To ensure that the information security is
implemented and operated in accordance with the
organizational security policies and standards.
CLD.8.1.5 Removal of cloud service Assets of the cloud service customer that are on the Yes Yes Cloud service
customer assets cloud service provider's premises should be removed, providers and
and returned if necessary, in a timely manner upon customers
termination of the cloud service agreement. extended control
set for provision
and user of cloud
services
CLD.9.5 Access control of cloud To ensure that the information security is
service customer data in implemented and operated in accordance with the
shared virtual environment organizational security policies and standards.
CLD.9.5.1 Segregation in virtual A cloud service customer's virtual environment Yes Yes Cloud service
computing environments running on a cloud service should be protected from providers and
other cloud service customers and unauthorized customers
persons. extended control
set for provision
and user of cloud
services
CLD.9.5.2 Virtual machine hardening Virtual machines in a cloud computing environment Yes Yes Cloud service
should be hardened to meet business needs. providers and
customers
extended control
set for provision
and user of cloud
services
CLD.12.1 Operational procedures and To ensure that the information security is
responsibilities implemented and operated in accordance with the
CLD.12.1.5 Administrator's operational Procedures for administrative operations of a cloud Yes Yes Cloud service
security computing environment should be defined, providers and
documented and monitored. customers
extended control
set for provision
and user of cloud
services
CLD.12.4 Logging and monitoring To ensure that the information security is
implemented and operated in accordance with the
CLD.12.1.5 Monitoring of Cloud Services The cloud service customer should have the capability Yes Yes Cloud service
to monitor specified aspects of the operation of the providers and
cloud services that the cloud service customer uses. customers
extended control
CLD.13.1 Network security To ensure that the information security is set for provision
management implemented and operated in accordance with the and user of cloud
organizational security policies and standards. services
CLD.13.1.4 Alignment of security Upon configuration of virtual networks, consistency of Yes Yes Cloud service
management for virtual and configurations between virtual and physical networks providers and
physical networks should be verified based on the cloud service customers
provider's network security policy. extended control
set for provision
and user of cloud
services

Databricks Iso 27001 27017 27018 Statement of Applicability

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Databricks Iso 27001 27017 27018 Statement of Applicability

Uploaded by

Copyright:

Available Formats

Databricks ISO 27001 / 27018 / 27017 Statement of Applicability.

A.5.1 Management Objective: To provide management direction and

A.6 Organization of information security

A.6.1 Internal Objective: To establish a management framework

A.6.2 Mobile devices and Objective: To ensure the security of teleworking

A.7 Human resource

A.7.1 Prior to Objective: To ensure that employees and

A.7.3 Termination and Objective: To protect the organization’s interests

A.8.1 Responsibility for Objective: To identify organizational assets and

A.8.3 Media handling Objective: To prevent unauthorized disclosure,

A.9 Access control

A.9.1 Business Objective: To limit access to information and

A.9.3 User responsibilities Objective: To make users accountable for

A.9.4 System and Objective: To prevent unauthorized access to

A.10.1 Cryptographic Objective: To ensure proper and effective use of

A.11 Physical and

A.11.1 Secure areas Objective: To prevent unauthorized physical

A.11.2 Equipment To prevent loss, damage, theft or compromise of

A.12 Operations security

A.12.1 Operational Objective: To ensure correct and secure operations

A.12.2 Protection from Objective: To ensure that information and

A.12.3 Backup Objective: To protect against loss of data.

A.12.4 Logging and Objective: To record events and generate evidence.

A.12.5 Control of Objective: To ensure the integrity of operational

A.12.7 Information systems Objective: To minimise the impact of audit

A.13.2 Information transfer Objective: To maintain the security of information

A.14 System acquisition,

A.14.1 Security Objective: To ensure that information security is an

A.14.2 Security in Objective: To ensure that information security is

A.15.1 Information security To ensure protection of the organization’s assets

A.15.2 Supplier service Objective: To maintain an agreed level of

A.16.1 Management of Objective: To ensure a consistent and effective

A.17.1 Information security Objective: Information security continuity shall be

A.18.1 Compliance with Objective: To avoid breaches of legal, statutory,

A.18.2 Information security Objective: To ensure that information security is

A.3 Purpose Legitimacy

A.5 Data Minimization

A.12 Privacy Compliance

You might also like