Вы находитесь на странице: 1из 34

Statement of Applicability

Legend (for Selected Controls and Reasons for controls selection)


LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent

ISO/IEC 27001:2013 Controls


Clause Title

N
A.5.1

Control
Objective/Control

6.1
A.6.1.1
A.6.1.2
A.6.1.3

A.6
Organization of A.6.1.4
Information
security

INTERNAL USE ONLY

Current
Control
(Y N TSE)

LR

CO

Management direction for information security


Objective: To provide management direction and support for information security in accordance with
business requirements and relevant
laws
and regulations.
A set of
policies
for information security shall be

A.5 Information
Policies for information
A.5.1.1
security
security
policies
A.5.1.2

Control Details

Selected Controls and Rea


selection or inclusion (m
columns maybe ticke

Review of the policies for


information security

defined, approved by management, published and


communicated to employees and relevant external
parties.
The policies for information security shall be reviewed
at planned intervals or if significant changes occur to
ensure their continuing suitability, adequacy and
effectiveness.

Internal Organization
Objective: To establish a management framework to initiate and control the implementation and
operation of information security within the organization.
Information security
All information security responsibilities shall be defined
roles and responsibilities
and allocated.
Conflicting duties and areas of responsibility shall be
segregated to reduce opportunities for unauthorized or
Segregation of duties
unintentional modification or misuse of the
organizations
assets.with relevant authorities shall be
Appropriate contacts
Contact with authorities
maintained. contacts with special interest groups or
Appropriate
Contact with special
other specialist security forums and professional
interest groups
associations shall be maintained.

1OF 34

Statement of Applicability

Legend (for Selected Controls and Reasons for controls selection)


LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent

ISO/IEC 27001:2013 Controls


A.6
Control
Clause Title
N
Organization
of
Objective/Control
Information
Information security
A.6.1.5
security
in project management

Control Details

Current
Control
(Y N TSE)

Selected Controls and Rea


selection or inclusion (m
columns maybe ticke
LR

CO

Information security shall be addressed in project


management,
regardless of the type of the project.

Mobile devices and


teleworking
To ensure the security of teleworking and use of mobile devices.
A policy and supporting security measures shall be
A.6.2.1 Mobile device policy
adopted to
manage the risks introduced by using mobile devices.
A policy and supporting security measures shall be
A.6.2.2 Teleworking
implemented to protect information accessed,
processed or stored at teleworking sites.
A.6.2

A.7.1

Prior to Employment
To ensure that employees and contractors understand their responsibilities and are suitable
for the roles for which they are considered.
Background verification checks on all candidates for
employment shall be carried out in accordance with
relevant laws, regulations and ethics and shall be
A.7.1.1 Screening
proportional to the business requirements, the
classification of the information to be accessed and the
perceived risks.
The contractual agreements with employees and
Terms and conditions
A.7.1.2
contractors shall state their and the organizations
of employment
responsibilities for information security.
A.7.2

A.7 Human
resources
security

INTERNAL USE ONLY

During Employment
To ensure that employees and contractors are aware of and fulfil their information security
responsibilities.
Management shall require all employees and
contractors to apply information security in accordance
A.7.2.1 Management responsibilities
with the established policies and procedures of the
organization.

2OF 34

Statement of Applicability

Legend (for Selected Controls and Reasons for controls selection)


LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent

ISO/IEC 27001:2013 Controls


A.7 Human
resources
Control
Clause Title
N
security
Objective/Control

Control Details

Current
Control
(Y N TSE)

Selected Controls and Rea


selection or inclusion (m
columns maybe ticke
LR

CO

All employees of the organization and, where relevant,


contractors shall receive appropriate awareness
education and training and regular updates in
organizational policies and procedures, as relevant for
their job function.
There shall be a formal and communicated disciplinary
process
A.7.2.3 Disciplinary process
in place to take action against employees who have
committed an information security breach.
A.7.3 Termination or change of employment
To protect the organizations interests as part of the process of changing or terminating
employment.
Termination or change
Responsibilities for performing employment terminaton
Information security
A.7.2.2 awareness, education and
training

A.7.3.1 of employment
responsibilities
A.8.1

A.8.1.1
A.8.1.2
A.8.1.3

A.8.1.4
A.8.2

A.8 Asset
INTERNAL
USE ONLY
Management

or change of employment shall be clearly defined and


assigned.

Responsibility for Assets


To identify organizational assets and define appropriate protection responsibilities.
Assets associated with information and information
processing
Inventory of assets
facilities shall be identified and an inventory of these
assets shall be drawn up and maintained.
Ownership of assets
Assets maintained in the inventory shall be owned.
Rules for the acceptable use of information and of
assets associated with information and information
Acceptable use of assets
processing facilities shall be identified, documented
andemployees
implemented.
All
and external party users shall return all
of the
Return of assets
organizational assets in their possession upon
termination of their employment, contract or
agreement.
Information classification

3OF 34

Statement of Applicability

Legend (for Selected Controls and Reasons for controls selection)


LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent

ISO/IEC 27001:2013 Controls


Clause Title

Control
Objective/Control

Control Details

Current
Control
(Y N TSE)

Selected Controls and Rea


selection or inclusion (m
columns maybe ticke
LR

CO

To ensure that information receives an appropriate level of protection in accordance with


Information shall be classified in terms of legal
its importance to the organization.
requirements,
A.8.2.1 Classification guidelines
value, criticality and sensitivity to unauthorised
disclosure or
modification.
An
appropriate set of procedures for information
Information labeling and
labelling shall be developed and implemented in
A.8.2.2
handling
accordance with the information classification scheme
adopted by the organization.
Procedures for handling assets shall be developed and
A.8.2.3 Handling of assets
implemented in accordance with the information
classification scheme adopted by the organization.

A.8 Asset
Management

A.8.3

Media handling
To prevent unauthorized disclosure, modification, removal or destruction of information
stored on media.
Procedures shall be implemented for the management
Management of removable
A.8.3.1
of removable media in accordance with the
media
classification scheme adopted by the organization.
A.8.3.2 Disposal of media
A.8.3.3 Physical media transfer

Media shall be disposed of securely when no longer


required, using formal procedures.
Media containing information shall be protected
against unauthorized access, misuse or corruption
during transportation.

A.A.11.1 Business Requirement for Access Control


To limit access to information and
information
processing
facilities.
An access
control
policy shall
be established,
A.A.11.1.1Access control Policy

INTERNAL USE ONLY

documented and
reviewed based on business and information security
requirements.

4OF 34

Statement of Applicability

Legend (for Selected Controls and Reasons for controls selection)


LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent

ISO/IEC 27001:2013 Controls


Clause Title

Control
Objective/Control

Access to networks
A.A.11.1.2
and network services

Control Details

Current
Control
(Y N TSE)

Selected Controls and Rea


selection or inclusion (m
columns maybe ticke
LR

CO

Users shall only be provided with access to the network


and network services that they have been specifically
authorized to use.

A.A.11.2 User Access Management


To ensure authorized user access and to prevent unauthorized access to systems and services.
There shall be a formal user registration and deUser registration and
registration procedure in place for granting and
A.A.11.2.1
de-registration
revoking access to all information systems and
services.
A formal user access provisioning process shall be
A.A.11.2.2User access provisioning
implemented to assign or revoke access rights for all
user types to all systems and services.
The allocation and use of privileged access rights shall
Management of privileged
A.A.11.2.3
be
access rights
restricted
and controlled.
Management of secret
The allocation
of secret authentication information

A.9 Access
Control

A.A.11.2.4authentication information of shall be controlled through a formal management


users
process.
Review of user access
Asset owners shall review users access rights at
A.A.11.2.5
rights
regular intervals.
The access rights of all employees and external party
users to
Removal or adjustment
A.A.11.2.6
information and information processing facilities shall
of access rights
be removed upon termination of their employment,
contract or agreement, or adjusted upon change.
A.A.11.3 User responsibilities
To prevent unauthorized access to systems and applications.
Users shall be required to follow the organizations
Use of secret authentication
practices in the use of secret authentication
A.A.11.3.1
information
information.
A.A.11.4 System and application access control

INTERNAL USE ONLY

5OF 34

A.9 Access

Statement
of Applicability
Control

Legend (for Selected Controls and Reasons for controls selection)


LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent

ISO/IEC 27001:2013 Controls


Clause Title

Control
Objective/Control

Control Details

Current
Control
(Y N TSE)

Selected Controls and Rea


selection or inclusion (m
columns maybe ticke
LR

CO

To prevent unauthorized access to systems and applications.


Access to information and application system functions
Information access
A.A.11.4.1
shall be
restriction
restricted
in accordance
with the
access
control
policy.
Where required
by the access
control
policy,
access
to
A.A.11.4.2Secure log-on procedures
Password management
A.A.11.4.3
system
Use of privileged utility
A.A.11.4.4
programs
Access control to program
A.A.11.4.5
source code

A.10
Cryptography

systems and applications shall be controlled by a


secure
log-on
procedure.systems shall be interactive
Password
management
and shall
The
usequality
of utility
programs that might be capable of
ensure
passwords.
overriding
system and application controls shall be restricted and
tightly
controlled.
Access to program source code shall be restricted.

A.10.1 Cryptographic controls


To ensure proper and effective use of cryptography to protect the confidentiality, authenticity
and/or integrity of information.A policy on the use of cryptographic controls for
Policy on the use of
A.10.1.1
protection of
cryptographic controls
information
shall
be protection
developed and
and lifetime
implemented.
A policy on the
use,
of
A.10.1.2 Key management
cryptographic keys shall be developed and
implemented through their whole lifecycle.
A.11.1 Secure Areas
To prevent unauthorized physical access, damage and interference to the organizations
information and information processing facilities.
Security perimeters shall be defined and used to
A.11.1.1 Physical security Perimeter
protect areas that contain either sensitive or critical
information and information processing facilities.

INTERNAL USE ONLY

6OF 34

Statement of Applicability

Legend (for Selected Controls and Reasons for controls selection)


LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent

ISO/IEC 27001:2013 Controls


Clause Title

Control
Objective/Control

A.11.1.2 Physical entry controls


A.11.1.3

Securing offices, rooms and


facilities

A.11.1.4

Protecting against external


and environmental threats

A.11.1.5 Working in secure areas

A.11.1.6

A.11 Physical
and
Environmental
Security

Delivery and loading


areas

Control Details

Current
Control
(Y N TSE)

Selected Controls and Rea


selection or inclusion (m
columns maybe ticke
LR

CO

Secure areas shall be protected by appropriate entry


controls to ensure that only authorized personnel are
allowed access.
Physical security for offices, rooms and facilities shall
be designed and applied.
Physical protection against natural disasters, malicious
attack or
accidents
be designed
and applied.
Proceduresshall
for working
in secure
areas shall be
designed and
applied.
Access points such as delivery and loading areas and
other points where unauthorized persons could enter
the premises shall be controlled and, if possible,
isolated from information processing facilities to avoid
unauthorized access.

A.11.2 Equipment security


To prevent loss, damage, theft or compromise of assets and interruption to the organizations
operations.
Equipment shall be sited and protected to reduce the
Equipment sitting and
A.11.2.1
risks from environmental threats and hazards, and
protection
opportunities for unauthorized access.
Equipment shall be protected from power failures and
A.11.2.2 Support utilities
other disruptions caused by failures in supporting
utilities.
Power and telecommunications cabling carrying data or
A.11.2.3 Cabling security
supporting information services shall be protected from
interception, interference or damage.
A.11.2.4 Equipment Maintenance

INTERNAL USE ONLY

Equipment shall be correctly maintained to ensure its


continued availability and integrity.

7OF 34

A.11 Physical
and
Statement of Applicability
Environmental
Legend (for Selected Controls and Reasons for controls selection)
Security

LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent

ISO/IEC 27001:2013 Controls


Clause Title

Control
Objective/Control

A.11.2.5 Removal of assets


A.11.2.6

Security of equipment
and assets off-premises

A.11.2.7

Secure disposal or reuse


of equipment

A.11.2.8

Unattended user
equipment

A.11.2.9

Clear desk and clear


screen policy

Control Details

Current
Control
(Y N TSE)

Selected Controls and Rea


selection or inclusion (m
columns maybe ticke
LR

CO

Equipment, information or software shall not be taken


off-site
without
Securityprior
shallauthorization.
be applied to off-site assets taking into
account the different risks of working outside the
organizations premises.
All items of equipment containing storage media shall
be verified to ensure that any sensitive data and
licensed software has been removed or securely
overwritten prior to disposal or re-use.
Users shall ensure that unattended equipment has
appropriate
protection.
A clear desk policy for papers and removable storage
media and
a clear screen policy for information processing
facilities shall be adopted.

A.12.1 Operational procedures and responsibilities


To ensure correct and secure operations of information processing facilities.
Operating procedures shall be documented,
Documented operating
A.12.1.1
maintained, and made available to all users who need
procedures
them.
Changes to the organization, business processes,
A.12.1.2 Change management
information processing facilities and systems that
affect information security shall be controlled.
The use of resources shall be monitored, tuned and
projections
A.12.1.3 Capacity management
made of future capacity requirements to ensure the
required system performance.

INTERNAL USE ONLY

8OF 34

Statement of Applicability

Legend (for Selected Controls and Reasons for controls selection)


LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent

ISO/IEC 27001:2013 Controls


Clause Title

Control Details

Control
Objective/Control

Separation of development,
A.12.1.4 testing and operational
environments

Current
Control
(Y N TSE)

Selected Controls and Rea


selection or inclusion (m
columns maybe ticke
LR

CO

Development, testing, and operational environments


shall be separated to reduce the risks of unauthorized
access or changes to the operational environment.

A.12.2 Protection from malware


To ensure that information and information processing facilities are protected against
malware.
Detection, prevention and recovery controls to protect
against
A.12.2.1 Controls against malware
malware shall be implemented, combined with
appropriate user awareness.
A.12.3 Back-Up
To protect against loss of
data.
Backup copies of information, software and system
A.12.3.1 Information backup
images shall be taken and tested regularly in
accordance with an agreed backup policy.
A.12.4 Logging and monitoring
To record events and generate evidence.

A.12
Operations
Security

Event logs recording user activities, exceptions, faults


and information security events shall be produced,
kept and regularly reviewed.
Logging facilities and log information shall be protected
A.12.4.2 Protection of log information against
tampering
and unauthorized
access.
System administrator
and system
operator activities
Administrator and operator
shall be
A.12.4.3
logs
logged and the logs protected and regularly reviewed.
The clocks of all relevant information processing
systems within
A.12.4.4 Clock synchronisation
an organization or security domain shall be
synchronised to a single reference time source.
A.12.4.1 Event logging

INTERNAL USE ONLY

9OF 34

A.12
Operations
Statement of Applicability
Security
Legend (for Selected Controls and Reasons for controls selection)

LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent

ISO/IEC 27001:2013 Controls


Clause Title

N
A.12.5
A.12.5.1

Control
Objective/Control

Control Details

Current
Control
(Y N TSE)

Selected Controls and Rea


selection or inclusion (m
columns maybe ticke
LR

CO

Control of operational
software
To ensure the integrity of operational systems.
Installation of software
on operational systems

Procedures shall be implemented to control the


installation of software on operational systems.

A.12.6 Technical vulnerability management


To prevent exploitation of technical vulnerabilities.
Information about technical vulnerabilities of
information systems being used shall be obtained in a
Management of technical
A.12.6.1
timely fashion, the organizations exposure to such
vulnerabilities
vulnerabilities evaluated and appropriate measures
taken to address the associated risk.
Rules governing the installation of software by users
Restrictions on software
shall be
A.12.6.2
installation
established and implemented.
Information systems audit
A.12.7
considerations
To minimise the impact of audit
activities
on operational
systems.
Audit
requirements
and activities
involving verification
of operational
Information systems
A.12.7.1
systems shall be carefully planned and agreed to
audit controls
minimise
disruptions to business processes.
Network security
A.13.1
management
To ensure the protection of information in networks and its supporting information processing
facilities.
Networks shall be managed and controlled to protect
A.13.1.1 Network controls
information in systems and applications.

INTERNAL USE ONLY

A.13

10OF 34

Statement of Applicability

Legend (for Selected Controls and Reasons for controls selection)


LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent

ISO/IEC 27001:2013 Controls


Clause Title

Control
Objective/Control

Security of network
A.13.1.2
services
A.13.1.3 Segregation in networks

Control Details

Current
Control
(Y N TSE)

Selected Controls and Rea


selection or inclusion (m
columns maybe ticke
LR

CO

Security mechanisms, service levels and management


requirements of all network services shall be identified
and included in network services agreements, whether
these services are provided in-house or outsourced.
Groups of information services, users and information
systems
shall be segregated on networks.

A.13
A.13.2 Information transfer
Communication
To maintain the security of information transferred within an organization and with any
external entity.
s Security
A.13.2.1

Information transfer
policies and procedures

A.13.2.2

Agreements on information
transfer

A.13.2.3 Electronic messaging


Confidentiality or
A.13.2.4 nondisclosure
agreements

Formal transfer policies, procedures and controls shall


be in place to protect the transfer of information
through the use of all types of communication facilities.
Agreements shall address the secure transfer of
business information between the organization and
external parties.
Information involved in electronic messaging shall be
appropriately protected.
Requirements for confidentiality or non-disclosure
agreements
reflecting the organizations needs for the protection of
information shall be identified, regularly reviewed and
documented.

A.14.1 Security
of information
To ensurerequirements
that information
security is systems
an integral part of information systems across the
entire lifecycle. This also includes the requirements for information systems which provide services
The information security related requirements shall be
over
public networks.
Information
security
included in the requirements for new information
A.14.1.1 requirements analysis
systems or enhancements to existing information
and specification
systems.

INTERNAL USE ONLY

11OF 34

Statement of Applicability

Legend (for Selected Controls and Reasons for controls selection)


LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent

ISO/IEC 27001:2013 Controls


Clause Title

Control
Objective/Control

Control Details

Current
Control
(Y N TSE)

Selected Controls and Rea


selection or inclusion (m
columns maybe ticke
LR

CO

Information involved in application services passing


over public
networks shall be protected from fraudulent activity,
contract dispute and unauthorized disclosure and
Information
modification.involved in application service transactions
shall be
Protecting application
protected to prevent incomplete transmission, misservices transactions
routing, unauthorized message alteration,
unauthorized disclosure, unauthorized message
duplication or replay.
Security in development and support processes
To ensure that information security is designed and implemented within the development
lifecycle of information systems.
Rules for the development of software and systems
Secure development
shall be established and applied to developments
policy
within
thetoorganization.
Changes
systems within the development lifecycle
System change control
shall be controlled by the use of formal change control
procedures
procedures.
When operating platforms are changed, business
Technical review of
critical applications shall be reviewed and tested to
applications after operating
ensure there is no adverse impact on organizational
platform changes
operations or security.
Modifications to software packages shall be
Restrictions on changes to
discouraged, limited to necessary changes and all
software packages
changes shall be strictly controlled.
Principles for engineering secure systems shall be
Secure system engineering established,
principles
documented, maintained and applied to any
information system
implementation
efforts.
Organizations
shall establish
and appropriately
protect
secure
Secure development
development environments for system development
environment
and integration efforts that cover the entire system
development lifecycle.

Securing application
A.14.1.2 services on public
networks

A.14.1.3
A.14.2
A.14.2.1

A.14 System
acquisition,
development
and
maintenance

A.14.2.2
A.14.2.3
A.14.2.4
A.14.2.5

A.14.2.6

INTERNAL USE ONLY

12OF 34

A.14 System
acquisition,
development
and
Statement
maintenance of Applicability

Legend (for Selected Controls and Reasons for controls selection)


LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent

ISO/IEC 27001:2013 Controls


Clause Title

Control
Objective/Control

A.14.2.7 Outsourced development


A.14.2.8 System security testing
A.14.2.9

System acceptance
testing

Control Details

Current
Control
(Y N TSE)

Selected Controls and Rea


selection or inclusion (m
columns maybe ticke
LR

CO

The organization shall supervise and monitor the


activity of outsourced system development.
Testing of security functionality shall be carried out
during development.
Acceptance testing programs and related criteria shall
be established for new information systems, upgrades
and new versions.

A.14.3 Test data


To ensure the protection of data used for testing.
Test data shall be selected carefully, protected and
A.14.3.1 Protection of test data
controlled.

A.15 Supplier
relationships

A.15.1 Information security in supplier relationships


To ensure protection of the organizations assets that is accessible by suppliers.
Information security requirements for mitigating the
Information security
risks associated with suppliers access to the
A.15.1.1 policy for supplier
organizations assets shall be agreed with the supplier
relationships
and documented.
All relevant information security requirements shall be
established and agreed with each supplier that may
Addressing security
A.15.1.2
access, process, store, communicate, or provide IT
within supplier agreements
infrastructure components for, the organizations
information.
Agreements with suppliers shall include requirements
Information and
to address the information security risks associated
A.15.1.3 communication
with information and communications technology
technology supply chain
services and product supply chain.
A.15.2 Supplier service delivery management
To maintain an agreed level of information security and service delivery in line with supplier
agreements.

INTERNAL USE ONLY

13OF 34

Statement of Applicability

Legend (for Selected Controls and Reasons for controls selection)


LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent

A.15 Supplier
ISO/IEC 27001:2013 Controls
relationships
Control
Clause Title
N
Objective/Control

A.16
Information
security
incident
management

A.15.2.1

Monitoring and review


of supplier services

A.15.2.2

Managing changes to
supplier services

Control Details

Current
Control
(Y N TSE)

Selected Controls and Rea


selection or inclusion (m
columns maybe ticke
LR

CO

Organizations shall regularly monitor, review and audit


supplier
service delivery.
Changes
to the provision of services by suppliers,
including
maintaining and improving existing information
security policies, procedures and controls, shall be
managed, taking account of the criticality of business
information, systems and processes involved and reassessment of risks.

A.16.1 Management of information security incidents and improvements


To ensure a consistent and effective approach to the management of information security
incidents, including communication on security events and weaknesses.
Management responsibilities and procedures shall be
Responsibilities and
A.16.1.1
established to ensure a quick, effective and orderly
procedures
response to information security incidents.
Information security events shall be reported through
Reporting information
A.16.1.2
appropriate management channels as quickly as
security events
possible.
Employees and contractors using the organizations
Reporting information
information systems and services shall be required to
A.16.1.3
security weaknesses
note and report any observed or suspected information
security weaknesses in systems or services.
Information security events shall be assessed and it
Assessment of and
shall be
A.16.1.4 decision on information
decided if they are to be classified as information
security events
security incidents.
Response to information
Information security incidents shall be responded to in
A.16.1.5
security incidents
accordance with the documented procedures.

INTERNAL USE ONLY

14OF 34

Statement of Applicability

Legend
A.16 (for Selected Controls and Reasons for controls selection)
LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent
Information

security
incident ISO/IEC 27001:2013 Controls
management
Control
Clause Title
N
Objective/Control
Learning from
A.16.1.6 information security
incidents
A.16.1.7 Collection of evidence

A.17.1

A.17
Information
security
aspects of
business
continuity
management

Control Details

Current
Control
(Y N TSE)

Selected Controls and Rea


selection or inclusion (m
columns maybe ticke
LR

CO

Knowledge gained from analysing and resolving


information security incidents shall be used to reduce
the likelihood or impact of future incidents.
The organization shall define and apply procedures for
the identification, collection, acquisition and
preservation of information, which can serve as
evidence.

Information security
continuity
Information security continuity shall be embedded in the organizations business continuity
management systems.
The organization shall determine its requirements for

A.17.1.1

Planning information
security continuity

A.17.1.2

Implementing information
security continuity
Verify, review and
evaluate information
security continuity

information security and the continuity of information


security management in adverse situations, e.g. during
a crisis or disaster.
The organization shall establish, document, implement
and maintain processes, procedures and controls to
ensure the required level of continuity for information
security during an adverse situation.
implemented
information security continuity controls at regular
intervals in
order to ensure that they are valid and effective during
adverse

Information security
continuity
Information security continuity shall be embedded in the organizations business continuity
management systems.
Information processing facilities shall be implemented
Availability of information
A.17.2.1
with redundancy sufficient to meet availability
processing facilities
requirements.
A.17.2

A.18.1 Compliance with legal and contractual requirements

INTERNAL USE ONLY

15OF 34

Statement of Applicability

Legend (for Selected Controls and Reasons for controls selection)


LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent

ISO/IEC 27001:2013 Controls


Clause Title

A.18.1.1

A.18.1.2

A.18.1.3

A.18
Compliance

A.18.1.4
A.18.1.5
A.18.2

A.18.2.1

INTERNAL USE ONLY

Control
Objective/Control

Control Details

Current
Control
(Y N TSE)

Selected Controls and Rea


selection or inclusion (m
columns maybe ticke
LR

CO

To avoid breaches of legal, statutory, regulatory or contractual obligations related to information


security and of any security requirements.
All relevant legislative statutory, regulatory,
Identification of applicable
contractual requirements and the organizations
legislation and contractual
approach to meet these requirements shall be
requirements
explicitly identified, documented and kept up to date
for
each information
system
the organization.
Appropriate
procedures
shalland
be implemented
to
ensure compliance with legislative, regulatory and
Intellectual property
contractual requirements related to intellectual
rights
property rights and use of proprietary software
Records
products.shall be protected from loss, destruction,
falsification,
unauthorized access and unauthorized release, in
Protection of records
accordance with legislatory, regulatory, contractual
and business requirements.
Privacy and protection
Privacy and protection of personally identifiable
of personally identifiable
information shall be ensured as required in relevant
information
legislation and regulation where applicable.
Cryptographic controls shall be used in compliance
Regulation of cryptographic
with all relevant agreements, legislation and
controls
regulations.
Information security reviews
To ensure that information security is implemented and operated in accordance with the
organizational policies and procedures.
The organizations approach to managing information
security and its implementation (i.e. control objectives,
Independent review of
controls, policies, processes and procedures for
information security
information security) shall be reviewed independently
at planned intervals or when significant changes occur.

16OF 34

A.18

Statement
Compliance of Applicability

Legend (for Selected Controls and Reasons for controls selection)


LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent

ISO/IEC 27001:2013 Controls


Clause Title

Control
Objective/Control

Compliance with
A.18.2.2 security policies and
standards
A.18.2.3

INTERNAL USE ONLY

Technical compliance
review

Control Details

Current
Control
(Y N TSE)

Selected Controls and Rea


selection or inclusion (m
columns maybe ticke
LR

CO

Managers shall regularly review the compliance of


information
processing and procedures within their area of
responsibility with the appropriate security policies,
standards and
any other
requirements.
Information
systems
shallsecurity
be regularly
reviewed for
compliance
with the organizations information security policies
and standards.

17OF 34

Updated by

E: to some extent

ontrols and Reasons for


or inclusion (multiple
mns maybe ticked)
BR/BP

RRA

INTERNAL USE ONLY

Justification
for
Exclusion

Overview of implementation

18OF 34

Updated by

E: to some extent

ontrols and Reasons for


or inclusion (multiple
mns maybe ticked)
BR/BP

RRA

INTERNAL USE ONLY

Justification
for
Exclusion

Overview of implementation

19OF 34

Updated by

E: to some extent

ontrols and Reasons for


or inclusion (multiple
mns maybe ticked)
BR/BP

RRA

INTERNAL USE ONLY

Justification
for
Exclusion

Overview of implementation

20OF 34

Updated by

E: to some extent

ontrols and Reasons for


or inclusion (multiple
mns maybe ticked)
BR/BP

RRA

INTERNAL USE ONLY

Justification
for
Exclusion

Overview of implementation

21OF 34

Updated by

E: to some extent

ontrols and Reasons for


or inclusion (multiple
mns maybe ticked)
BR/BP

RRA

INTERNAL USE ONLY

Justification
for
Exclusion

Overview of implementation

22OF 34

Updated by

E: to some extent

ontrols and Reasons for


or inclusion (multiple
mns maybe ticked)
BR/BP

RRA

INTERNAL USE ONLY

Justification
for
Exclusion

Overview of implementation

23OF 34

Updated by

E: to some extent

ontrols and Reasons for


or inclusion (multiple
mns maybe ticked)
BR/BP

RRA

INTERNAL USE ONLY

Justification
for
Exclusion

Overview of implementation

24OF 34

Updated by

E: to some extent

ontrols and Reasons for


or inclusion (multiple
mns maybe ticked)
BR/BP

RRA

INTERNAL USE ONLY

Justification
for
Exclusion

Overview of implementation

25OF 34

Updated by

E: to some extent

ontrols and Reasons for


or inclusion (multiple
mns maybe ticked)
BR/BP

RRA

INTERNAL USE ONLY

Justification
for
Exclusion

Overview of implementation

26OF 34

Updated by

E: to some extent

ontrols and Reasons for


or inclusion (multiple
mns maybe ticked)
BR/BP

RRA

INTERNAL USE ONLY

Justification
for
Exclusion

Overview of implementation

27OF 34

Updated by

E: to some extent

ontrols and Reasons for


or inclusion (multiple
mns maybe ticked)
BR/BP

RRA

INTERNAL USE ONLY

Justification
for
Exclusion

Overview of implementation

28OF 34

Updated by

E: to some extent

ontrols and Reasons for


or inclusion (multiple
mns maybe ticked)
BR/BP

RRA

INTERNAL USE ONLY

Justification
for
Exclusion

Overview of implementation

29OF 34

Updated by

E: to some extent

ontrols and Reasons for


or inclusion (multiple
mns maybe ticked)
BR/BP

RRA

INTERNAL USE ONLY

Justification
for
Exclusion

Overview of implementation

30OF 34

Updated by

E: to some extent

ontrols and Reasons for


or inclusion (multiple
mns maybe ticked)
BR/BP

RRA

INTERNAL USE ONLY

Justification
for
Exclusion

Overview of implementation

31OF 34

Updated by

E: to some extent

ontrols and Reasons for


or inclusion (multiple
mns maybe ticked)
BR/BP

RRA

INTERNAL USE ONLY

Justification
for
Exclusion

Overview of implementation

32OF 34

Updated by

E: to some extent

ontrols and Reasons for


or inclusion (multiple
mns maybe ticked)
BR/BP

RRA

INTERNAL USE ONLY

Justification
for
Exclusion

Overview of implementation

33OF 34

Updated by

E: to some extent

ontrols and Reasons for


or inclusion (multiple
mns maybe ticked)
BR/BP

RRA

INTERNAL USE ONLY

Justification
for
Exclusion

Overview of implementation

34OF 34

Оценить