StatPro Statement of Applicability v05

Information Security Management System
Statement of Applicability for

ISO27001:2005
Version: 5
th
Date of Issue: 8 July 2011
Document Control
Reference: StatPro Statement
StatPro Statement of of Applicability
Issue No: 5
Applicability (Tier 1) Issue Date: 8th July 2011
Page: 2 of 18
Clause 5: Security policy

A.5.1 Information security policy
Objective: To provide management direction and support for information security in accordance with
business requirements and relevant laws and regulations.
Clause Title Description Applied
An information security policy document shall be approved by

Information security
A5.1.1 management, and published and communicated to all Yes
policy document
employees and relevant external parties.
Review of the The information security policy shall be reviewed at planned

A5.1.2 information security intervals or if significant changes occur to ensure its Yes
policy continuing suitability, adequacy, and effectiveness.
Clause 6: Organisation of information security

A.6.1 Internal Organisation
Objective: To manage information security within the organisation.

Management shall actively support security within the
Management
organisation through clear direction, demonstrated
A.6.1.1 commitment to Yes
commitment, explicit assignment, and acknowledgment of
information security
information security responsibilities.
Information security activities shall be co-ordinated by
Information security
A.6.1.2 representatives from different parts of the organisation with Yes
coordination
relevant roles and job functions.
Allocation of
All information security responsibilities shall be clearly
A.6.1.3 information security Yes
defined.
responsibilities
Authorisation
process for A management authorisation process for new information
A.6.1.4 Yes
information processing facilities shall be defined and implemented.
processing facilities
Requirements for confidentiality or non-disclosure
Confidentiality agreements reflecting the organisation's needs for the
A.6.1.5 Yes
agreements protection of information shall be identified and regularly
reviewed.
Contact with Appropriate contact with relevant authorities shall be
A.6.1.6 Yes
authorities maintained.
Contact with Appropriate contacts with special interest groups or other
A.6.1.7 special interest specialist security forums and professional associations shall Yes
groups be maintained.
Public for limited distribution outside StatPro

Document Control
Issue No: 5
Page: 3 of 18

The organisation's approach to managing information
security and its implementation (i.e. control objectives,
Independent review
controls, policies, processes, and procedures for information
A.6.1.8 of information Yes
security) shall be reviewed independently at planned
security
intervals, or when significant changes to the security
implementation occur.
A.6.2 External Parties
Objective: To maintain the security of the organisation's information and information processing facilities that
are accessed, processed, communicated to, or managed by external parties.

The risks to the organisation's information and information
Identification of
processing facilities from business processes involving
A.6.2.1 risks related to Yes
external parties shall be identified and appropriate controls
external parties
implemented before granting access.
Addressing security All identified security requirements shall be addressed before
A.6.2.2 when dealing with giving customers access to the organisation's information or Yes
customers assets.
Agreements with third parties involving accessing,
Addressing security processing, communicating or managing the organisation's
A.6.2.3 in third party information or information processing facilities, or adding Yes
agreements products or services to information processing facilities shall
cover all relevant security requirements.
Clause 7: Asset management

A.7.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organisation assets

All assets shall be clearly identified and an inventory of all
A.7.1.1 Inventory of assets Yes
important assets drawn up and maintained.
All information and assets associated with information
Ownership of
A.7.1.2 processing facilities shall be owned by a designated part of Yes
assets
the organisation.
Rules for the acceptable use of information and assets
Acceptable use of
A.7.1.3 associated with information processing facilities shall be Yes
assets
identified, documented and implemented.

Document Control
Issue No: 5
Page: 4 of 18
A.7.2 Information classification
Objective: To ensure that information receives an appropriate level of protection
Classification Information shall be classified in terms of its value, legal

A.7.2.1 Yes
guidelines requirements, sensitivity and criticality to the organisation.
Information An appropriate set of procedures for information labelling and
A.7.2.2 labelling and handling shall be developed and implemented in accordance Yes
handling with the classification scheme adopted by the organisation.
Clause 8: During employment

A.8.1 Prior to employment
Objective: To ensure that employees, contractors and third party users understand their responsibilities, and
are suitable for the roles they are considered for, to reduce the risk of theft, fraud or misuse of facilities.

Security roles and responsibilities of employees, contractors
Roles and and third party users shall be defined and documented in
A.8.1.1 Yes
responsibilities accordance with the organisations information security
policy.
Background verification checks on all candidates for
employment, contractors and third party users shall be
carried out in accordance with relevant laws, regulations and
A.8.1.2 Screening Yes
ethics, and proportional to the business requirements, the
classification of the information to be accessed, and the
perceived risks.
As part of their contractual obligation, employees, contractors
Terms and and third party users shall agree and sign the terms and
A.8.1.3 conditions of conditions of their employment contract, which shall state Yes
employment their and the organisations responsibility for information
security.
A.8.2 During employment
Objective: To ensure that employees, contractors and third party users are aware of information security
threats and concerns, their responsibilities and liabilities, and are equipped to support organisational security
policy in the course of their normal work, and to reduce the risk of human error.

Management shall require employees, contractors and third
Management
A.8.2.1 party users to apply security in accordance with the Yes
responsibilities
established policies and procedures of the organisation.

Document Control
Issue No: 5
Page: 5 of 18

Information security All employees of the organisation and, where relevant,
awareness, contractors and third party users shall receive appropriate
A.8.2.2 Yes
education and awareness training and regular updates in organisational
training policies and procedures, as relevant for their job function.
Disciplinary There shall be a formal disciplinary process for employees
A.8.2.3 Yes
process who have committed a security breach.
A.8.3 Termination or change of employment
Objective: To ensure that employees, contractors and third party users exit an organisation or change
employment in an orderly manner

Termination Responsibilities for performing employment termination shall
A.8.3.1 Yes
responsibilities be clearly defined and assigned.
All employees, contractors and third party users shall return
A.8.3.2 Return of assets all of the organisations assets in their possession upon Yes
termination of their employment, contract or agreement.
The access rights of all employees, contractors and third
party users of information and information processing
Removal of access
A.8.3.3 facilities shall be removed upon termination of their Yes
rights
employment, contract or agreement, or adjusted upon
change.
Clause 9: Physical and environmental security

A.9.1 Secure areas
Objective: To prevent unauthorised physical access, damage and interference to the organisations premises
and information.

Security perimeters (barriers such as walls, card controlled
Physical security entry gates or manned reception desks) shall be used to
A.9.1.1 Yes
perimeter protect areas that contain information and information
processing facilities.
Physical entry Secure areas shall be protected by appropriate entry controls
A.9.1.2 Yes
controls to ensure that only authorised personnel are allowed access.
Securing offices, Physical security for offices, rooms and facilities shall be
A.9.1.3 Yes
rooms and facilities designed and applied.
Protect against
Physical protection against damage from fire, flood,
external and
A9.1.4 earthquake, explosion, civil unrest, and other forms of natural Yes
environmental
or man-made disaster shall be designed and applied.
threats

Document Control
Issue No: 5
Page: 6 of 18

Working in secure Physical protection and guidelines for working in secure
A9.1.5 Yes
areas areas shall be designed and applied.
Access points such as delivery and loading areas and other
Public access,
points where unauthorised persons may enter the premises
A9.1.6 delivery and Yes
shall be controlled and, if possible, isolated from information
loading areas
processing facilities to avoid unauthorised access.
A.9.2 Equipment security
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organisations
activities.

Equipment shall be sited or protected to reduce the risks
Equipment siting
A.9.2.1 from environmental threats and hazards, and opportunities Yes
and protection
for unauthorised access.
Equipment shall be protected from power failures and other
A.9.2.2 Supporting utilities Yes
disruptions caused by failures in supporting utilities.
Power and telecommunications cabling carrying data or
A.9.2.3 Cabling security supporting information services shall be protected from Yes
interception or damage.
Equipment Equipment shall be correctly maintained to ensure its
A.9.2.4 Yes
maintenance continued availability and integrity.
Security of Security shall be applied to off-site equipment taking into
A.9.2.5 equipment off- account the different risks working outside the organisations Yes
premises premises.
All items of equipment containing storage media shall be
Secure disposal or
checked to ensure that any sensitive data and licensed
A.9.2.6 re-use of Yes
software has been removed or securely overwritten prior to
equipment
disposal.
Removal of Equipment, information or software shall not be taken off-site
A.9.2.7 Yes
property without prior authorisation.
Clause 10: Communications and operations management

A.10.1 Operational procedures and responsibilities
Objective: To ensure the correct and secure operation of information processing facilities.

Documented
Operating procedures shall be documented, maintained and
A.10.1.1 operating Yes
made available to all users who need them.
procedures

Document Control
Issue No: 5
Page: 7 of 18

Change Changes to information processing facilities and systems
A.10.1.2 Yes
management shall be controlled.
Duties and areas of responsibility shall be segregated to
Segregation of
A.10.1.3 reduce opportunities for unauthorised or unintentional Yes
duties
modification or misuse of the organisations assets.
Separation of
Development, test and operational facilities shall be
development, test
A.10.1.4 separated to reduce the risks of unauthorised access or Yes
and operational
changes to the operational system.
facilities
A.10.2 Third party service delivery management
Objective: To implement and maintain the appropriate level of information security and service delivery in line
with third party service delivery agreements.

It shall be ensured that the security controls, service
definitions and delivery levels included in the third party
A.10.2.1 Service delivery Yes
service delivery agreement are implemented, operated and
maintained by the third party.
Monitoring and The services, reports and records provided by the third party
A.10.2.2 review of third party shall be regularly monitored and reviewed and audits shall be Yes
services carried our regularly.
Changes to the provision of services, including maintaining
Managing changes and improving existing information security policies,
A.10.2.3 to third party procedures and controls, shall be managed, taking account Yes
services of the criticality of business systems and processes involved
and re-assessment of risks.
A.10.3 System planning and acceptance
Objective: To minimise the risks of systems failures

The use of resources shall be monitored, tuned, and
Capacity
A.10.3.1 projections made of future capacity requirements to ensure Yes
management
the required system performance.
Acceptance criteria for new information systems, upgrades
and new versions shall be established and suitable tests of
A.10.3.2 System acceptance Yes
the system(s) carried out during development and prior to
acceptance.

Document Control
Issue No: 5
Page: 8 of 18
A.10.4 Protection against malicious and mobile code
Objective: To protect the integrity of software and information

Detection, prevention and recovery controls to protect
Controls against
A.10.4.1 against malicious code and appropriate user awareness Yes
malicious code
procedures shall be implemented.
Where the use of mobile code is authorised, the configuration
Controls against shall ensure that the authorised mobile code operates
A.10.4.2 Yes
mobile code according to a clearly defined security policy, and
unauthorised mobile code shall be prevented from executing.
A.10.5 Back-up
Objective: To maintain the integrity and availability of information and information processing facilities

Back-up copies of information and software shall be taken
Information back-
A.10.5.1 and tested regularly in accordance with the agreed back-up Yes
up
policy.
A.10.6 Network Security management
Objective: To ensure the protection of information in networks and the protection of the supporting
infrastructure.

Networks shall be adequately managed and controlled, in
order to be protected from threats, and to maintain security
A.10.6.1 Network controls Yes
for the systems and applications using the network, including
information in transit.
Security features, service levels and management
Security of network requirements of all network services shall be identified and
A.10.6.2 Yes
services included in any network services agreement, whether those
services are provided in-house or outsourced.
A.10.7 Media Handling
Objective: To prevent the unauthorised disclosure, modification, removal or destruction of assets and
interruption to business activities

Management of There shall be procedures in place for the management of
A.10.7.1 Yes
removable media removable media.

Document Control
Issue No: 5
Page: 9 of 18

Media shall be disposed of securely and safely when no
A.10.7.2 Disposal of media Yes
longer required, using formal procedures.
Information Procedures for the handling and storage of information shall
A.10.7.3 handling be established to protect this information from unauthorised Yes
procedures disclosure or misuse.
Security of system System documentation shall be protected against
A.10.7.4 Yes
documentation unauthorised access.
A.10.8 Exchange of information
Objective: To maintain the security of information and software exchanged within an organisation and with
any external entity

Information Formal exchange policies, procedures and controls shall be
A.10.8.1 exchange policies in place to protect the exchange of information through the Yes
and procedures use of all types of communication facilities.
Agreements shall be established for the exchange of
Exchange
A.10.8.2 information and software between the organisation and Yes
agreements
external parties.
Media containing information shall be protected against
Physical media in
A.10.8.3 unauthorised access, misuse or corruption during Yes
transit
transportation beyond an organisations physical boundaries.
Electronic Information involved in electronic messaging shall be
A.10.8.4 Yes
messaging appropriately protected.
Business Policies and procedures shall be developed and
A.10.8.5 information implemented to protect information associated with the Yes
systems interconnection of business information systems.
A.10.9 Electronic commerce services
Objective: To ensure the security of electronic commerce services, and their secure use

Information involved in electronic commerce passing over No.
Electronic public networks shall be protected from fraudulent activity, No e-
A.10.9.1
commerce contract dispute, and unauthorised disclosure and commerce
modification. activities.
Information involved in on-line transactions shall be
No.
On-line protected to prevent incomplete transmission, mis-routing,
A.10.9.2 No on-line
transactions unauthorised message alteration, unauthorised message
transactions.
duplication or replay.

Document Control
Issue No: 5
Page: 10 of 18

The integrity of information being made available on a
Publicly available
A.10.9.3 publicly available system shall be protected to prevent Yes
information
unauthorised modification.
A.10.10 Monitoring
Objective: To detect unauthorised information processing activities

Audit logs recording user activities, exceptions and
information security events shall be produced and kept for
A.10.10.1 Audit logging Yes
an agreed period to assist in future investigations and
access control monitoring
Procedures for monitoring use of information processing
Monitoring system
A.10.10.2 facilities shall be established and the results of the Yes
use
monitoring activities reviewed regularly
Protection of log Logging facilities and log information shall be protected
A.10.10.3 Yes
information against tampering and unauthorised access
Administrator and System administrator and system operator activities shall be
A.10.10.4 Yes
operator logs logged.
Faults shall be logged, analysed and appropriate action
A.10.10.5 Fault logging Yes
taken.
The clocks of all relevant information processing systems
Clock
A.10.10.6 within an organisation or security domain shall be Yes
synchronisation
synchronised with an agreed accurate time source
Clause 11: Access control

A.11.1 Business requirement for access control
Objective: To control access to information

An access control policy shall be established, documented
Access control
A.11.1.1 and reviewed based on business and security requirements Yes
policy
for access.

Document Control
Issue No: 5
Page: 11 of 18
A.11.2 User Access Management
Objective: To ensure authorised users access and to prevent unauthorised access to information systems

There shall be a formal user registration and de-registration
A.11.2.1 User registration procedure for granting and revoking access to all information Yes
systems and services.
Privilege The allocation and use of privileges shall be restricted and
A.11.2.2 Yes
management controlled.
User password The allocation of passwords shall be controlled through a
A.11.2.3 Yes
management formal management process.
Review of user Management shall review users access rights at regular
A.11.2.4 Yes
access rights intervals using a formal process.
A.11.3 User responsibilities
Objective: To prevent unauthorised user access, and compromise or theft of information and information
processing facilities.

Users shall be required to follow good security practices in
A.11.3.1 Password use Yes
the selection and use of passwords.
Unattended user Users shall ensure that unattended equipment has
A.11.3.2 Yes
equipment appropriate protection.
A clear desk policy for papers and removable storage media
Clear desk and
A.11.3.3 and a clear screen policy for information processing facilities Yes
clear screen policy
shall be adopted.
A.11.4 Network access control
Objective: To prevent unauthorised access to networked services.

Policy on use of Users shall only be provided with access to the services
A.11.4.1 Yes
network services that they have been specifically authorised to use.
User authentication
Appropriate authentication methods shall be used to control
A.11.4.2 for external Yes
access by remote users.
connections
No.
Equipment Automatic equipment identification shall be considered as a
Auto
A.11.4.3 identification in the means to authenticate connections from specific locations
equip id
network and equipment.
not used.

Document Control
Issue No: 5
Page: 12 of 18

Remote diagnostic
Physical and logical access to diagnostic and configuration
A.11.4.4 and configuration Yes
ports shall be controlled.
port protection
Segregation in Groups of information services, users and information
A.11.4.5 Yes
network systems shall be segregated on networks.
For shared networks, especially those extending across the
organisations boundaries, the capability of users to connect
Network connection
A.11.4.6 to the network shall be restricted, in line with the access Yes
control
control policy and requirements of the business
applications.
Routing controls shall be implemented for networks to
Network routing ensure that computer connections and information flows do
A.11.4.7 Yes
control not breach the access control policy of the business
applications.
A.11.5 Operating system access control
Objective: To prevent unauthorised access to operating systems.

Secure log-on Access to operating systems shall be controlled by a secure
A.11.5.1 Yes
procedures log-on procedure.
All users shall have a unique identifier (user ID) for their
User identification
A.11.5.2 personal use only, and a suitable authentication technique Yes
and authentication
shall be chosen to substantiate the claimed identity of a user.
Password
Systems for managing passwords shall be interactive and
A.11.5.3 management Yes
shall ensure quality passwords.
system
The use of utility programs that might be capable of
Use of system
A.11.5.4 overriding system and application controls shall be restricted Yes
utilities
and tightly controlled.
Inactive sessions shall be shut down after a defined period of
A.11.5.5 Session time-out Yes
inactivity.
Limitation of Restrictions on connection times are used to provide
A.11.5.6 Yes
connection time additional security for high risk applications.
A.11.6 Application and information access control
Objective: To prevent unauthorised access to information held in application systems.

Access to information and application system functions by
Information access
A.11.6.1 users and support personnel shall be restricted in Yes
restriction
accordance with the defined access control policy.

Document Control
Issue No: 5
Page: 13 of 18
Sensitive system Sensitive systems shall have a dedicated (isolated)

A.11.6.2 Yes
isolation computing environment.
A.11.7 Mobile computing and teleworking
Objective: To ensure information security when using mobile computing and teleworking facilities.

Mobile computing A formal policy shall be in place and appropriate security
A.11.7.1 and measures shall be adopted to protect against the risks of Yes
communications using mobile computing and communication facilities.
A policy, operational plans and procedures shall be
A.11.7.2 Teleworking Yes
developed for teleworking activities.
Clause 12: Information systems acquisition, development and maintenance

A.12.1 Security requirements of information systems
Objective: To ensure that security is an integral party of information systems.

Security
Statements of business requirements for new information
requirements
A.12.1.1 systems, or enhancements to existing information systems Yes
analysis and
shall specify the requirements for security controls.
specification
A.12.2 Correct processing in applications
Objective: To prevent errors, loss, unauthorised modification or misuse of information in applications.

Input data Data input to applications shall be validated to ensure that
A.12.2.1 Yes
validation this data is correct and appropriate.
Validation checks shall be incorporated into applications to
Control on internal
A.12.2.2 detect any corruption of information through processing Yes
processing
errors or deliberate acts.
Requirements for ensuring authenticity and protecting
A.12.2.3 Message integrity message integrity in applications shall be identified, and Yes
appropriate controls identified and implemented.
Data output from an application shall be validated to ensure
Output data
A.12.2.4 that the processing of stored information is correct and Yes
validation
appropriate to the circumstances.

Document Control
Issue No: 5
Page: 14 of 18
A.12.3 Cryptographic controls
Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.

Policy on the use of
A policy on the use of cryptographic controls for protection of
A.12.3.1 cryptographic Yes
its information shall be developed and implemented.
controls
Key management shall be in place to support the
A.12.3.2 Key management Yes
organisations use of cryptographic techniques.
A.12.4 Security of system files
Objective: To ensure the security of system files.

Control of
There shall be procedures in place to control the installation
A.12.4.1 operational Yes
of software on operational systems.
software
Protection of Test data shall be selected carefully, and protected and
A.12.4.2 Yes
system test data controlled.
Access control to
A.12.4.3 program source Access to program source code shall be restricted. Yes
code
A.12.5 Security in development and support processes
Objective: To maintain the security of application system software and information.

Change control The implementation of changes shall be controlled by the
A.12.5.1 Yes
procedures use of formal change control procedures.
When operating systems are changed, business critical
Technical review
applications shall be reviewed and tested to ensure there
A.12.5.2 of applications Yes
is no adverse impact on organisational operations or
after operating s
security.
Restrictions on Modifications to software packages shall be discouraged,
A.12.5.3 changes to limited to necessary changes and all changes shall be Yes
software packages strictly controlled.
Information
A.12.5.4 Opportunities for information leakage shall be prevented. Yes
leakage
No.
Outsourced Software
Outsourced software development shall be supervised
A.12.5.5 software development
and monitored by the organisation.
development is not
outsourced.

Document Control
Issue No: 5
Page: 15 of 18
A.12.6 Technical vulnerability management
Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.

Timely information about technical vulnerabilities of
information systems being used shall be obtained, the
Control of technical
A.12.6.1 organisations exposure to such vulnerabilities evaluated, Yes
vulnerabilities
and the appropriate measures taken to address the
associated risk.
Clause 13: Information security incident management

A.13.1 Reporting information security events and weaknesses
Objective: To ensure information security events and weaknesses associated with information systems are
communicated in a manner allowing timely corrective action to be taken.

Reporting
Information security events shall be reported through
A.13.1.1 information security Yes
appropriate management channels as quickly as possible.
events
All employees, contractors and third party users of
Reporting security information systems and services shall be required to note
A.13.1.2 Yes
weaknesses and report any observed or suspected weaknesses in
systems or services.
A.13.2 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach is applied to the management of information
security incidents

Management responsibilities and procedures shall be
Responsibilities
A.13.2.1 established to ensure a quick, effective and orderly response Yes
and procedures
to information security incidents.
Learning from There shall be mechanisms in place to enable the types,
A.13.2.2 information security volumes and costs of information security incidents to be Yes
incidents quantified and monitored.
Where a follow-up action against a person or organisation
after an information security incident involves legal action
Collection of
A.13.2.3 (either civil or criminal) evidence shall be collected, retained Yes
evidence
and presented to conform to the rules for evidence laid down
in the relevant jurisdiction(s).

Document Control
Issue No: 5
Page: 16 of 18
Clause 14: Business continuity management

A.14.1 Information security aspects of business continuity management
Objective: To counteract interruptions to business activities and to protect critical business processes from
the effects of major failures of information systems or disasters and to ensure their timely resumption.

Including A managed process shall be developed and maintained for
information security business continuity throughout the organisation that
A.14.1.1 Yes
in the business addresses the information security requirements needed for
continuity process the organisations business continuity.
Business continuity Events that can cause interruptions to business processes
and risk shall be identified, along with the probability and impact of
A.14.1.2 assessment Yes
such interruptions and their consequences for information
security.
Developing and
Plans shall be developed and implemented to maintain or
implementing
restore operations and ensure availability of information at
A.14.1.3 continuity plans Yes
the required level and in the required time scales following
including
interruption to, of failure of, critical business processes.
information security
Business continuity A single framework of business continuity plans shall be

planning framework maintained to ensure all plans are consistent, to consistently
A.14.1.4 Yes
address information security requirements, and to identify
priorities for testing and maintenance.
Testing, Business continuity plans shall be tested and updated
maintaining and re- regularly to ensure that they are up to date and effective.
A.14.1.5 Yes
assessing business
continuity plans
Clause 15: Compliance

A.15.1 Compliance with legal requirements
Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security
requirements.

All relevant statutory, regulatory and contractual
Identification of requirements and the organisations approach to meet these
A.15.1.1 applicable requirements shall be explicitly defined, documented and Yes
legislation kept up to date for each information system and the
organisation.
Appropriate procedures shall be implemented to ensure
compliance with legislative, regulatory and contractual
Intellectual property
A.15.1.2 requirements on the user of material in respect of which there Yes
rights (IPR)
may be intellectual property rights and on the use of
proprietary software products.

Document Control
Issue No: 5
Page: 17 of 18

Protection of Important records shall be protected from loss, destruction
A.15.1.3 organisational and falsification, in accordance with statutory, regulatory, Yes
records contractual and business requirements.
Data protection and Data protection and privacy shall be ensured as required in
A.15.1.4 privacy of personal relevant legislation, regulations and, if applicable, contractual Yes
information clauses.
Prevention of
misuse of Users shall be deterred from using information processing
A.15.1.5 Yes
information facilities for unauthorised purposes.
processing facilities
Regulation of
Cryptographic controls shall be used in compliance with all
A.15.1.6 cryptographic Yes
relevant agreements, laws and regulations.
controls
A.15.2 Compliance with security policies and standards and technical compliance
Objective: To ensure compliance of systems with organisational security policies and standards.

Compliance with Managers shall ensure that all security procedures within
A.15.2.1 security policy and their area of responsibility are carried out correctly to achieve Yes
standards compliance with security policies and standards.
Technical
Information systems shall be regularly checked for
A.15.2.2 compliance Yes
compliance with security implementation standards.
checking
A.15.3 Information systems audit considerations
Objective: To maximise the effectiveness of and to minimise interference to/from the information systems
audit process.

Information Audit requirements and activities involving checks on
A.15.3.1 systems audit operational systems shall be carefully planned and agreed to Yes
controls minimise the risk of disruptions to business processes.
Protection of
Access to information systems audit tools shall be protected
A.15.3.2 information Yes
to prevent any possible misuse or compromise.
systems audit tools

Document Control
Issue No: 5
Page: 18 of 18
The Information Security Manager is the owner of this document and is responsible for
ensuring that this Statement is reviewed in line with the review requirements of the ISMS.
A current version of this document is available to all members of staff on the intranet and is
available to interested parties outside of StatPro at the Marketing and Technology Directors
discretion.
This procedure was approved by the Board on the 8th July 2011 and is issued on a version
controlled basis under the CEOs signature.
Signature: Date: 8th July 2011
Change history:
Issue 5 8th July 2011 No change to the Statement of Applicability

- (no changes to the nature of the business);
Version number and document approval brought in
line with ISMS requirements (Tier 1 DOC).
Issue 1.4 6th October 2010 Format updated in line with ISMS template
Assigned as a Tier 2 document
No technical changes
Issue 1.3 10th December 2009 No change
Issue 1.2 23rd December 2008 No change
Issue 1 8th July 2008 Initial issue

StatPro Statement of Applicability v05

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

StatPro Statement of Applicability v05

Загружено:

Авторское право:

Доступные форматы

Information Security Management System

Statement of Applicability for

Clause 5: Security policy

Clause Title Description Applied

An information security policy document shall be approved by

Review of the The information security policy shall be reviewed at planned

Clause 6: Organisation of information security

Objective: To manage information security within the organisation.

Clause Title Description Applied

Public for limited distribution outside StatPro

Clause Title Description Applied

A.6.2 External Parties

Clause Title Description Applied

Clause 7: Asset management

Objective: To achieve and maintain appropriate protection of organisation assets

Clause Title Description Applied

Public for limited distribution outside StatPro

A.7.2 Information classification

Objective: To ensure that information receives an appropriate level of protection

Clause Title Description Applied

Classification Information shall be classified in terms of its value, legal

Clause 8: During employment

Clause Title Description Applied

A.8.2 During employment

Clause Title Description Applied

Public for limited distribution outside StatPro

Clause Title Description Applied

A.8.3 Termination or change of employment

Clause Title Description Applied

Clause 9: Physical and environmental security

Clause Title Description Applied

Public for limited distribution outside StatPro

Clause Title Description Applied

A.9.2 Equipment security

Clause Title Description Applied

Clause 10: Communications and operations management

Clause Title Description Applied

Public for limited distribution outside StatPro

Clause Title Description Applied

A.10.2 Third party service delivery management

Clause Title Description Applied

A.10.3 System planning and acceptance

Objective: To minimise the risks of systems failures

Clause Title Description Applied

Public for limited distribution outside StatPro

A.10.4 Protection against malicious and mobile code

Objective: To protect the integrity of software and information

Clause Title Description Applied

Clause Title Description Applied

A.10.6 Network Security management

Clause Title Description Applied

A.10.7 Media Handling

Clause Title Description Applied

Public for limited distribution outside StatPro

Clause Title Description Applied

A.10.8 Exchange of information

Clause Title Description Applied

A.10.9 Electronic commerce services

Clause Title Description Applied

Public for limited distribution outside StatPro

Clause Title Description Applied

Objective: To detect unauthorised information processing activities

Clause Title Description Applied

Clause 11: Access control