Statement of Applicability Knights Inc

Knights Inc.
Statement of
Applicability
ISO 27001 : 2013

ISMS Auditor / Lead Auditor Training Course 1 | 12 P a g e

Statement of Applicability Knights Inc

DOCUMENT CONTROL

Name Action Date Signature

Harold Prepared by November 2013

Revision History

Version Date Description

1.0 First Release

ISMS Auditor / Lead Auditor Training Course 2 | 12 P a g e

Statement of Applicability Knights Inc

ISO 27001 Statement of Applicability (SOA)

Applicable
Clause Controls Justification If yes give Reference Document
Yes/ No

A.5 Information security policies

Management direction for information security

A.5.1

As a result of risk assess- ISMS Policy

A.5.1.1 Policies for information security Yes
ment
 ISMS Policy
Review of the policies for infor- As a result of risk assess-  Minutes of Meetings of the SMB
A.5.1.2 Yes
mation security ment Information Security Committee
meetings

A.6 Organization of information security

A.6.1 Internal organization

To ensure all require-
Information security roles and
A.6.1.1 Yes ments & controls have ISMS Policy (Roles & Responsibilities)
responsibilities
owners
As a result of risk assess- Policy for segregation of duties
A.6.1.2 Segregation of duties Yes
ment
As a result of risk assess- List of Contact details with Admin-
A.6.1.3 Contact with authorities Yes
ment istration department
 IT team has membership in online
Contact with special interest As a result of risk assess-
A.6.1.4 No  Records
groups ment

Software Project Management Pro-

Information security in project As a result of risk as-
A.6.1.5 Yes cedure & Infra Project Management
management sessment
Procedure

A.6.2 Mobile devices and teleworking

 Tele-working and mobile Device

As a result of risk assess- policy and procedure
A.6.2.1 Mobile device policy Yes
ment  Authorization records of users
allowed to do mobile computing
All banking and support actives are
done in office. Individuals do not
A.6.2.2 Teleworking No Tele working
connect to systems using telework-
ing.

A.7 Human resource security

A.7.1 Prior to employment

As a result of risk assess-  Personnel security policy
A.7.1.1 Screening Yes
ment  Screening procedure
As a result of risk assess-  Personnel security policy
ment, Contractual re-  Terms and conditions of employ-
Terms and conditions of em-
A.7.1.2 Yes quirement ment attached with Appointment
ployment
Letter

ISMS Auditor / Lead Auditor Training Course 3 | 12 P a g e

Statement of Applicability Knights Inc

Applicable
Clause Controls Justification If yes give Reference Document
Yes/ No

A.7.2 During employment

A.7.2.1 Management responsibilities
Information security awareness,
A.7.2.2
education and training
A.7.2.3 Disciplinary process
As a result of risk assess- Information security roles and re-
Yes
ment sponsibilities document
 Training schedule
As a result of risk assess-
Yes  Training material
ment
 Training attendance records
 Disciplinary procedure
As a result of risk assess-
Yes  Record of disciplinary actions taken
ment

Termination and change of em-

A.7.3
ployment
 Termination or change employment
Termination or change of em- As a result of risk assess- checklist
A.7.3.1 Yes
ployment responsibilities ment  Records of termination proceedings
and correspondences
A.8 Asset management

A.8.1 Responsibility for assets

 Policy and Procedure for maintain-

As a result of risk assess- ing Asset Inventory for each de-
A.8.1.1 Inventory of assets Yes
ment partment
 Asset Inventory
As a result of risk assess- Asset Inventory
A.8.1.2 Ownership of assets Yes
ment
As a result of risk assess- Acceptable use policy
A.8.1.3 Acceptable use of assets Yes
ment
As a result of risk assess- Employee clearance forms
A.8.1.4 Return of assets No
ment
A.8.2 Information classification

 Asset Classification guidelines

As a result of risk assess-
A.8.2.1 Classification of information Yes  All assets are classified as per guide-
ment
lines
As a result of risk assess- Information labelling and handling
A.8.2.2 Labelling of information Yes
ment procedure
As a result of risk assess- Information labelling and handling
A.8.2.3 Handling of assets Yes
ment procedure
A.8.3 Media handling
Management of removable me- As a result of risk assess- 
A.8.3.1 Yes
dia ment
 Media handling policy and proce-
As a result of risk assess-
A.8.3.2 Disposal of media Yes dure
ment
 Logs of disposed media
Bank process does not NA
allow any employee’s to
A.8.3.3 Physical media transfer No use any removable mate-
rial

ISMS Auditor / Lead Auditor Training Course 4 | 12 P a g e

Statement of Applicability Knights Inc

Applicable
Clause Controls Justification If yes give Reference Document
Yes/ No

A.9 Access control

Business requirements of access

A.9.1
control
 Network and Application access
control policy and procedure
As a result of risk assess-
A.9.1.1 Access control policy Yes  Logical access control matrix
ment
 Record of periodic review of the
access control matrix
Access to networks and network Logical Segregation of
A.9.1.2 Yes LAN management Process
services projects and IT services

A.9.2 User access management

 User access management policy and

procedure
 Record of all persons registered to
User registration and de- use the service
A.9.2.1 Yes
registration  Record for removal or addition of
users
 Record of periodic review of regis-
tered users
To ensure a process for
assigning and revoking of
A.9.2.2 User access provisioning Yes access rights to end users Access Control Process
for log on their desktops
and laptops
Management of privileged access There are no privileged  Authorization records for allocation
A.9.2.3 No
rights accounts of privileges
 Process for issue and control of RAS
Management of secret authenti- As a result of risk as-
A.9.2.4 Yes tokens
cation information of users sessment
 Process for password management
 User access management policy and
procedure
As a result of risk assess-
A.9.2.5 Review of user access rights Yes  Information security audit proce-
ment
dure
 Records of reviews
Removal or adjustment of access Termination checklist
A.9.2.6 Yes
rights
A.9.3 User responsibilities
Use of secret authentication in- As a result of risk as- Process for issue , control & use of
A.9.3.1 Yes
formation sessment RAS tokens
System and application access
A.9.4
control
As a result of risk assess-  Logical access control policy
A.9.4.1 Information access restriction Yes
ment  Logical access control matrix
 Operating system security policy
and procedure
As a result of risk assess-
A.9.4.2 Secure log-on procedures Yes  Security message displayed at logon
ment
 Security policies defined on Domain
Controller
As a result of risk assess-  Operating system security proce-
A.9.4.3 Password management system Yes
ment dure

ISMS Auditor / Lead Auditor Training Course 5 | 12 P a g e

Statement of Applicability Knights Inc

Applicable
Clause Controls Justification If yes give Reference Document
Yes/ No

 Password security procedure

Access to use of privi-
leged utility programs
(system utilities) are
A.9.4.4 Use of privileged utility programs Yes  Access control policy
strictly controlled based
on needs of systems and
application
 Software development and testing
policy
 Audit logs of all accesses to program
source libraries
Access control to program source As a result of risk assess-  Authorization records for personnel
A.9.4.5 Yes
code ment having access to program source
code
 Change control records
 Logical access control list of person-
nel authorized to access source code
A.10 Cryptography

A.10.1 Cryptographic controls

Encryption done for

Policy on the use of cryptographic
A.10.1.1 Yes backups, Hard disks of Encryption Policy
controls
laptops
Keys for encryption are
A.10.1.2 Key management Yes
controlled
Physical and environmental secu-
A.11
rity
A.11.1 Secure areas
As a result of risk assess- Physical and environmental security
A.11.1.1 Physical security perimeter Yes
ment Policy and Procedure
To ensure levels of secu-  Physical and environmental security
rity depending on physi- Policy and Procedure
A.11.1.2 Physical entry controls Yes cal access rights (e.g.  Visitors’ Register
Treasury, Data centre
etc.)
 Physical and environmental security
Securing offices, rooms and facili- As a result of risk assess-
A.11.1.3 Yes Policy and Procedure
ties ment
 Swipe card system logs
 Physical and environmental security
Protection against external and As a result of risk assess- Policy and Procedure
A.11.1.4 Yes
environmental threats ment  Environmental System documents
 Risk Assessment
As a result of risk assess- Physical and environmental security
A.11.1.5 Working in secure areas Yes
ment Policy and Procedure
As a result of risk assess-  Physical and environmental security
ment Policy and Procedure
A.11.1.6 Delivery and loading areas Yes  Incoming and Outgoing Materials
Register

ISMS Auditor / Lead Auditor Training Course 6 | 12 P a g e

Statement of Applicability Knights Inc

Applicable
Clause Controls Justification If yes give Reference Document
Yes/ No

A.11.2 Equipment
As a result of risk assess- Physical and environmental security
A.11.2.1 Equipment siting and protection Yes
ment Policy and Procedure
As a result of risk assess- Physical and environmental security
A.11.2.2 Supporting utilities Yes
ment Policy and Procedure
 Physical and environmental security
As a result of risk assess- Policy and Procedure
A.11.2.3 Cabling security Yes
ment  Cabling security procedure and
patch list
 Physical and environmental security
Policy and Procedure
Need to ensure availabil-
 Daily equipment monitoring records
A.11.2.4 Equipment maintenance Yes ity of all information pro-
and maintenance records
cessing equipment.
 Equipment repair / servicing records
 Equipment Insurance documents
Protection of all infor-  Physical and environmental security
Policy and Procedure
A.11.2.5 Removal of assets Yes mation processing assets
 Gate pass
to safeguard infomraiton.
 Physical and environmental security
Security of equipment and assets As a result of risk assess-
A.11.2.6 Yes Policy and Procedure
off-premises ment  Equipment Insurance documents
Secure disposal or re-use of As a result of risk assess- Physical and environmental security
A.11.2.7 Yes
equipment ment Policy and Procedure
As a result of risk assess- Physical and environmental security
A.11.2.8 Unattended user equipment Yes
ment policy
As a result of risk assess- Physical and environmental security
A.11.2.9 Clear desk and clear screen policy Yes
ment policy
A.12 Operations security
Operational procedures and re-
A.12.1
sponsibilities
Documented operating proce- As a result of risk assess- Documented operating procedures
A.12.1.1 Yes
dures ment
 Operations management and
As a result of risk assess- Change control policy and proce-
A.12.1.2 Change management Yes
ment dure
 Change management records
 Physical security procedure
As a result of risk assess-  Record of capacity planning
A.12.1.3 Capacity management Yes
ment

As all developers ensure NA

Separation of development, test-
A.12.1.4
ing and operational environments
compliance to change
management policy to
No upgrade changes to the
operational environments

ISMS Auditor / Lead Auditor Training Course 7 | 12 P a g e

Statement of Applicability Knights Inc

Applicable
Clause Controls Justification If yes give Reference Document
Yes/ No

A.12.2 Protection from malware

 Policy and procedure for protec-

tion against malicious and mobile
As a result of risk assess-
A.12.2.1 Controls against malware Yes code
ment
 Logs of scans by the antivirus
software
A.12.3
Backup
 Backup Procedure (including pro-
As a result of risk assess- cedure for backup testing)
A.12.3.1 Information backup Yes
ment  Record of backups taken
 Logs of backup testing

A.12.4 Logging and monitoring

Enabled to track to activ-

ities. Most default set- Event Log policy & Process
A.12.4.1 Event logging Yes
tings retained or in-
creased as per RA
 Event Log policy & Process
 Logging and log monitoring proce-
As a result of risk assess- dure
A.12.4.2 Protection of log information Yes
ment  Logical access control list of person-
nel authorized to maintain and ac-
cess logs
As a result of risk assess- System administrator and operator
A.12.4.3 Administrator and operator logs Yes
ment logs
As a result of risk assess- Procedure for clock synchronization
A.12.4.4 Clock synchronisation Yes
ment, Legal requirement

A.12.5 Control of operational software

 Software development and testing

policy
 Record of Acceptance Testing car-
ried out before new applications or
Installation of software on opera- As a result of risk assess- OS versions are deployed
A.12.5.1 Yes
tional systems ment  Audit logs of all updates to opera-
tional program libraries
 Logical access control list of person-
nel authorized to access internal
applications
Technical vulnerability manage-
A.12.6
ment
 Software development and testing
policy
As a result of risk assess-
Management of technical vulner-  Patch management procedure
A.12.6.1 Yes ment
abilities  Bug Fix procedure related to OS,
Application and Network
 Version control procedure

ISMS Auditor / Lead Auditor Training Course 8 | 12 P a g e

Statement of Applicability Knights Inc

Applicable
Clause Controls Justification If yes give Reference Document
Yes/ No
Restrictions on software installa-
A.12.6.2
tion
Information systems audit con-
A.12.7
siderations
Information systems audit con- As a result of risk assess- Information security audit procedure
A.12.7.1 Yes
trols ment

A.13 Communications security

A.13.1 Network security management

 Network security policy

As a result of risk assess-  Router and Switch and Firewall
A.13.1.1 Network controls Yes
ment logs
 Log monitoring records
As a result of risk assess-  Network security procedure
A.13.1.2 Security of network services Yes
ment  Email policy and procedure
As a result of risk assess- Network security procedure
A.13.1.3 Segregation in networks Yes
ment

A.13.2 Information transfer

Information transfer policies and As a result of risk assess- Email policy and procedure
A.13.2.1 Yes
procedures ment
Agreements on information Third party agreements
A.13.2.2 Yes Contractual requirement
transfer
As a result of risk assess- Email policy and procedure
A.13.2.3 Electronic messaging Yes
ment
 Terms and conditions of employ-
ment attached with Appointment
Confidentiality or nondisclosure As a result of risk assess- Letter
A.13.2.4 Yes
agreements ment  Non-Disclosure Agreements
signed with personnel handling
very sensitive information

System acquisition, development

A.14
and maintenance

Security requirements of infor-

A.14.1
mation systems

 Software development and testing

policy
Information security require- As a result of risk assess-  Security requirements specification
A.14.1.1 Yes
ments analysis and specification ment document for systems
 Record of testing carried out before
purchase of products
Online banking service
Securing application services on and ATM services use
A. 14.1.2 Yes ODBC connectivity security process
public networks applications with other
service providers
Protecting application services Online banking service
A. 14.1.3 Yes ODBC connectivity security process
transactions and ATM services use

ISMS Auditor / Lead Auditor Training Course 9 | 12 P a g e

Statement of Applicability Knights Inc

Applicable
Clause Controls Justification If yes give Reference Document
Yes/ No
applications with other
service providers

Security in development and

A.14.2
support processes

Coding Guidelines, Code review pro-

Core Banking application
cess, Vendor software development
A. 14.2.1 Secure development policy Yes & enhancements require
process and Software OEM NDA for
secure development
secure development
 Operations management and
System change control proce- As a result of risk assess- Change control policy and proce-
A. 14.2.2 Yes
dures ment dure
 Change management records
 Operations management and
Technical review of applications As a result of risk assess- Change control policy and proce-
A. 14.2.3 Yes
after operating platform changes ment dure
 Change management records
-Operations management and
Restrictions on software installa- As a result of risk assess-
A.14.2.4 Yes Change control policy and procedure
tion packages ment
-Version control procedure
To ensure security in
Secure system engineering prin- Security in application development
A. 14.2.5 Yes application development
ciples and testing process
and testing
To ensure security in
Secure development environ- application development Security in application development
A. 14.2.6 Yes
ment and testing and use of and testing process
cloned data for testing
For vendors developing Vendor management process for
A. 14.2.7 Outsourced development Yes non core banking applica- software development, testing and
tion. enhancement.
A. 14.2.8 System security testing
Acceptance criteria mentioned in the
As a result of risk assess-
A. 14.2.9 System acceptance testing Yes Software development and testing
ment
policy
A.14.3 Test data
Production data cloned to Security in application development
A. 14.3.1 Protection of test data Yes
test environment and testing process
A.15 Supplier relationships
Information security in supplier
A.15.1
relationships
Information security policy for As a result of risk as-
A.15.1.1 Yes Vendor management process
supplier relationships sessment
 Security clause present in Supplier
Addressing security within sup- agreements
A.15.1.2 Yes Contractual requirement
plier agreements  Confidentiality or Non-disclosure
agreements with certain Supplier
There are no suppliers
using banking application.
Information and communication Other banks are ad-
A.15.1.3 No Not applicable
technology supply chain dressed through Banking
regulation

ISMS Auditor / Lead Auditor Training Course 10 | 12 P a g e

Statement of Applicability Knights Inc

Applicable
Clause Controls Justification If yes give Reference Document
Yes/ No

Supplier service delivery man-

A.15.2
agement
 Third party security procedure
Monitoring and review of suppli-
A.15.2.1 Yes Contractual requirement  Record of management reviews of
er services
third party services
 Pertaining clause in agreements
Managing changes to supplier
A.15.2.2 Yes Contractual requirement with Third parties
services
 Change management records
Information security incident
A.16
management
Management of information se-
A.16.1 curity incidents and improve-
ments
As a result of risk assess- Security incident management re-
A.16.1.1 Responsibilities and procedures Yes
ment ports
 Incident detection and response
Reporting information security As a result of risk assess-
A.16.1.2 Yes policy and procedure
events ment
 Security incident reporting forms
 Incident detection and response
Reporting information security As a result of risk assess- policy and procedure
A.16.1.3 Yes
weakness ment  Security incident reporting forms
 Complaints logs
Events of system auto
Assessment of and decision on Events and Incident Management
A.16.1.4 Yes alerts are to be managed
information security events process
for performance
Response to information security As a result of risk as- Events and Incident Management
A. 16.1.5 Yes
incidents sessment process
 Incident detection and response
Learning from information securi- As a result of risk assess-
A.16.1.6 Yes policy and procedure
ty incidents ment
 Incident register
 Incident detection and response
policy and procedure
A.16.1.7 Collection of evidence Yes Legal requirement  Security incident reporting forms
 Security incident management
reports
Information security aspects of
A.17
business continuity management

A.17.1 Information security continuity

Planning information security As a result of risk assess-  Business continuity plans

A.17.1.1 Yes
continuity ment  Contingency policy
Implementing information securi- As a result of risk assess-  Business continuity plans
A.17.1.2 Yes
ty continuity ment  Contingency policy
As a result of risk assess-  Business continuity plans
ment  Contingency policy
 Record of testing and maintaining
Verify, review and evaluate in-
A.17.1.3 Yes BCPs
formation security continuity

ISMS Auditor / Lead Auditor Training Course 11 | 12 P a g e

Statement of Applicability Knights Inc

Applicable
Clause Controls Justification If yes give Reference Document
Yes/ No

A.17.2 Redundancies
Availability of information pro- <BLANK – NO JUSTIFICA-
A.17.2.1 Yes <BLANK – NO JUSTIFICATION>
cessing facilities TION>
A.18 Compliance
Compliance with legal and con-
A.18.1
tractual requirements
Identification of applicable legis- List of applicable legislations
A.18.1.1 lation and contractual require- Yes Legal requirement
ments
 IPR and Data protection policy
A.18.1.2 Intellectual property rights Yes Legal requirement  Software licenses
 Audit reports
 Information classification procedure
 Information labelling and handling
A.18.1.3 Protection of records Yes Statutory requirement procedure
 List of record categories, retention
periods etc.
Legal requirement as per IPR and Data protection policy
Privacy and protection of person-
A.18.1.4 Yes Data Protection Law and
ally identifiable information
SOX
Regulation of cryptographic con- Standard SSL certificates
A.18.1.5 Yes Cryptographic controls process
trols used

A.18.2 Information security reviews

 Information Security audit reports

Independent review of infor- As a result of risk assess-
A.18.2.1 Yes by External auditors
mation security ment
 Agreement with external auditors
 Information security audit proce-
dure
Compliance with security policies As a result of risk assess-
A.18.2.2 Yes  Internal and external audit reports
and standards ment
 Management review and Follow-up
reports
 Information security audit proce-
dure
 Internal and external technical audit
As a result of risk assess-
A.18.2.3 Technical compliance review Yes reports
ment
 Penetration test / Vulnerability
assessment reports by external au-
ditors

ISMS Auditor / Lead Auditor Training Course 12 | 12 P a g e