This page outlines the required Statement of Applicability for the ISO/IEC 27001:2013 Annex A controls,
together with all relevant links to the required documents, samples, templates and evidence.
...
| Area/Section | Control | Control applicable? | Control implemented? | Justification for inclusion or exclusion |
|---|---|---|---|---|
| A.5 Information security policies | | | | |
| A.5.1 Management direction for information security | A.5.1.1 Policies for information security | Yes | Yes | There are many employees, contractors and suppliers who need to be aware of how we manage security. |
| | A.5.1.2 Review of the policies for information security | Yes | Yes | There is a low rate of change, so regular reviews are important but not time-critical. |
| Totals: | | 2 | 2 | |
| A.6 Organisation of information security | | | | |
| A.6.1 Internal organisation | A.6.1.1 Information security roles and responsibilities | Yes | Yes | There is a risk that our controls and our response to an incident will be uncoordinated without clear roles and responsibilities. |
| | A.6.1.2 Segregation of duties | Yes | Yes | |
| | A.6.1.3 Contact with authorities | No | No | We don't operate in a regulated industry. |
| | A.6.1.4 Contact with special interest groups | No | No | We work within a recurring digital framework that does not involve a large number of interest groups. |
| | A.6.1.5 Information security in project management | Yes | Yes | We have a small number of projects each year. |
| A.6.2 Mobile devices and teleworking | A.6.2.1 Mobile device policy | Yes | Yes | We have a small number of mobile devices in use. |
| | A.6.2.2 Teleworking | No | No | We don't have any teleworking sites. |
| Totals: | | 4 | 3 | |
| A.7 Human resources security | | | | |
| A.7.1 Prior to employment | A.7.1.1 Screening | No | No | |
| | A.7.1.2 Terms and conditions of employment | Yes | No | Security requirements need to be incorporated in employment contracts. |
| A.7.2 During employment | A.7.2.1 Management responsibilities | Yes | Yes | |
| | A.7.2.2 Information security awareness, education and training | Yes | Yes | |
| | A.7.2.3 Disciplinary process | No | No | This is covered in the standard employment agreement. |
| A.7.3 Termination and change of employment | A.7.3.1 Termination or change of employment responsibilities | Yes | Yes | Classified information must continue to be protected after termination. |
| Totals: | | 6 | 4 | |
| A.8 Asset management | | | | |
| A.8.1 Responsibility for assets | A.8.1.1 Inventory of assets | No | No | There is not a wide variety of information assets within the organisation; we are narrowly focused on our technical implementation. |
| | A.8.1.2 Ownership of assets | Yes | Yes | Clear responsibility for assets is key to ensuring their protection. |
| | A.8.1.3 Acceptable use of assets | No | No | We don't manage a large number of assets. |
| | A.8.1.4 Return of assets | Yes | Yes | Assets such as laptops are reissued when an employee leaves. |
| A.8.2 Information classification | A.8.2.1 Classification of information | Yes | Yes | Key information requires additional protection. |
| | A.8.2.2 Labelling of information | No | No | We only deal with a limited set of information, none of which requires deep levels of protection. |
| | A.8.2.3 Handling of assets | No | No | Mishandling of assets is not a key risk as we have a low turnover of temporary staff. |
| A.8.3 Media handling | A.8.3.1 Management of removable media | No | No | We don't manage removable media; everything is stored in cloud-based services. |
| | A.8.3.2 Disposal of media | No | No | This is not applicable to Vertic's services; we don't handle media. |
| | A.8.3.3 Physical media transfer | No | No | We don't currently transfer any physical media. |
| Totals: | | 4 | 4 | |
| A.9 Access control | | | | |
| A.9.1 Business requirements of access control | A.9.1.1 Access control policy | Yes | Yes | Rules for access to systems address the risk of unauthorised access. |
| | A.9.1.2 Access to networks and network services | No | No | We don't maintain our own network. |
| A.9.2 User access management | A.9.2.1 User registration and de-registration | Yes | Yes | We have a high number of registration and de-registration requests. |
| | A.9.2.2 User access provisioning | Yes | Yes | Provisioning procedures need to be formalised to prevent mistakes. |
| | A.9.2.3 Management of privileged access rights | Yes | Yes | Use of admin rights needs to be better controlled. |
| | A.9.2.4 Management of secret authentication information of users | Yes | Yes | Issuing of passwords and other authentication methods is carefully managed. |
| | A.9.2.5 Review of user access rights | Yes | No | Access is not generally reviewed on a regular basis. |
| | A.9.2.6 Removal or adjustment of access rights | Yes | Yes | The low rate of change means that access is tightly controlled. |
| A.9.3 User responsibilities | A.9.3.1 Use of secret authentication information | Yes | Yes | Instances of shared passwords are being addressed by using Bitwarden. |
| A.9.4 System and application access control | A.9.4.1 Information access restriction | Yes | Yes | The Salesforce platform itself is used to control access. |
| | A.9.4.2 Secure log-on procedures | Yes | Yes | All systems require authentication. |
| | A.9.4.3 Password management system | Yes | Yes | Restrictions on acceptable passwords are enforced. |
| | A.9.4.4 Use of privileged utility programs | No | No | No such programs are in use. |
| | A.9.4.5 Access control to program source code | No | No | No development is undertaken. |
| Totals: | | 12 | 11 | |
| A.10 Cryptography | | | | |
| A.10.1 Cryptographic controls | A.10.1.1 Policy on the use of cryptographic controls | No | No | We don't implement services around cryptography. |
| | A.10.1.2 Key management | No | No | We don't implement services around cryptography. |
| Totals: | | 0 | 0 | |
| A.11 Physical and environmental security | | | | |
| A.11.1 Secure areas | A.11.1.1 Physical security perimeter | No | No | We are a remote team and work primarily from home. |
| | A.11.1.2 Physical entry controls | No | No | We are a remote team and work primarily from home. |
| | A.11.1.3 Securing offices, rooms and facilities | Yes | Yes | Doors and windows are locked where appropriate. |
| | A.11.1.4 Protecting against external and environmental threats | Yes | Yes | All reasonable actions are taken to protect the homes we work from; no physical servers are kept on any premises. |
| | A.11.1.5 Working in secure areas | Yes | Yes | There are a few high-security areas in the various homes. |
| | A.11.1.6 Delivery and loading areas | No | No | No access is given to the building for deliveries, and there is no loading area. |
| A.11.2 Equipment | A.11.2.1 Equipment siting and protection | No | No | Vertic's team works on secured laptops which can be sited in public. |
| | A.11.2.2 Supporting utilities | No | No | We don't deal with power outages; Salesforce is a distributed ecosystem and Vertic's team works on laptops with hours of backup power available. |
| | A.11.2.3 Cabling security | No | No | This does not apply to Vertic; we don't manage our own infrastructure. |
| | A.11.2.4 Equipment maintenance | Yes | Yes | All equipment is maintained according to manufacturers' instructions. |
| | A.11.2.5 Removal of assets | No | No | This does not apply to Vertic; we don't manage our own infrastructure. |
| | A.11.2.6 Security of equipment and assets off-premises | Yes | Yes | Assets are often used offsite in a home environment. |
| | A.11.2.7 Secure disposal or re-use of equipment | Yes | Yes | Secure disposal is in place with a third party. |
| | A.11.2.8 Unattended user equipment | Yes | Yes | Training has been provided to ensure that screens and equipment are locked when unattended. |
| | A.11.2.9 Clear desk and clear screen policy | No | No | We are a remote team and work primarily from home; all external doors are shut during the hours of work. |
| Totals: | | 7 | 7 | |
| A.12 Operations security | | | | |
| A.12.1 Operational procedures and responsibilities | A.12.1.1 Documented operating procedures | Yes | Yes | Procedures must be performed the same way each time to avoid accidents. |
| | A.12.1.2 Change management | No | No | Vertic does not perform these functions. |
| | A.12.1.3 Capacity management | Yes | Yes | Capacity of key resources is monitored. |
| | A.12.1.4 Separation of development, testing and operational environments | Yes | Yes | A consistent approach to software development is essential to Vertic's success. |
| A.12.2 Protection from malware | A.12.2.1 Controls against malware | Yes | Yes | Anti-malware is in place and monitored from a central console within the Salesforce platform. |
| A.12.3 Backup | A.12.3.1 Information backup | No | No | The Salesforce digital platform provides this service directly to our clients (via third-party applications). |
| A.12.4 Logging and monitoring | A.12.4.1 Event logging | Yes | No | The Salesforce digital platform provides this service directly to our clients (via third-party applications). |
| | A.12.4.2 Protection of log information | No | No | This does not apply to Vertic as event logs are captured directly within the Salesforce platform. |
| | A.12.4.3 Administrator and operator logs | Yes | Yes | All such access is recorded. |
| | A.12.4.4 Clock synchronisation | No | No | This does not apply to Vertic. |
| A.12.5 Control of operational software | A.12.5.1 Installation of software on operational systems | Yes | Yes | Software installation is planned and controlled. |
| A.12.6 Technical vulnerability management | A.12.6.1 Management of technical vulnerabilities | Yes | Yes | A full patching process is in place via recurring Salesforce Health Checks. |
| | A.12.6.2 Restrictions on software installation | Yes | Yes | Admin access is required to install software. |
| A.12.7 Information systems audit considerations | A.12.7.1 Information systems audit controls | Yes | Yes | Audits are planned so that business activities are not disrupted. |
| Totals: | | 11 | 9 | |
| A.13 Communications security | | | | |
| A.13.1 Network security management | A.13.1.1 Network controls | No | No | Vertic does not maintain its own network; no access security is required. |
| | A.13.1.2 Security of network services | No | No | Network service agreements are in place for all services; we connect to all services via the public Internet. |
| | A.13.1.3 Segregation in networks | No | No | Vertic does not maintain its own network; no access security is required. |
| A.13.2 Information transfer | A.13.2.1 Information transfer policies and procedures | No | No | We conduct ourselves within the frameworks of the software tools we use, like Atlassian. |
| | A.13.2.2 Agreements on information transfer | No | No | We do not transfer information to third parties. |
| | A.13.2.3 Electronic messaging | Yes | Yes | There is significant use of email and instant messaging. |
| | A.13.2.4 Confidentiality or non-disclosure agreements | Yes | Yes | NDAs should be in place with all parties with whom we share personal data. |
| Totals: | | 3 | 3 | |
| A.14 System acquisition, development and maintenance | | | | |
| A.14.1 Security requirements of information systems | A.14.1.1 Information security requirements analysis and specification | Yes | Yes | Security requirements are specified for all new or changed systems. |
| | A.14.1.2 Securing application services on public networks | Yes | Yes | TLS is used in all circumstances, as per the Salesforce platform. |
| | A.14.1.3 Protecting application services transactions | Yes | Yes | TLS is used in all circumstances, as per the Salesforce platform. |
| A.14.2 Security in development and support processes | A.14.2.1 Secure development policy | Yes | Yes | All software development is undertaken in accordance with Salesforce guidelines and development processes. |
| | A.14.2.2 System change control procedures | Yes | Yes | All software development is undertaken in accordance with Salesforce guidelines and development processes. |
| | A.14.2.3 Technical review of applications after operating platform changes | Yes | Yes | Reviews are conducted as part of acceptance testing of new systems. |
| | A.14.2.4 Restrictions on changes to software packages | Yes | Yes | A policy of no change is agreed. |
| | A.14.2.5 Secure system engineering principles | No | No | We are developing on top of the Salesforce platform and are limited and directed by its system engineering principles. |
| | A.14.2.6 Secure development environment | Yes | Yes | We are developing on top of the Salesforce platform and are limited and directed by its system engineering principles. |
| | A.14.2.7 Outsourced development | Yes | Yes | We outsource some of the technical software development to an outsourcing firm which exclusively delivers to Vertic under the same rules, regulations and processes as Vertic. |
| | A.14.2.8 System security testing | Yes | Yes | New and changed systems are tested to check they meet security requirements. |
| | A.14.2.9 System acceptance testing | Yes | Yes | New and changed systems are tested to check they meet security requirements. |
| A.14.3 Test data | A.14.3.1 Protection of test data | No | No | Vertic does not use client production data at any time. |
| Totals: | | 11 | 11 | |
| A.15 Supplier relationships | | | | |
| A.15.1 Information security in supplier relationships | A.15.1.1 Information security policy for supplier relationships | No | No | Vertic does not use external providers in relation to our client services. |
| | A.15.1.2 Addressing security within supplier agreements | No | No | Vertic does not use external providers in relation to our client services. |
| | A.15.1.3 Information and communication technology supply chain | No | No | Vertic does not use external providers in relation to our client services. |
| A.15.2 Supplier service delivery management | A.15.2.1 Monitoring and review of supplier services | No | No | Vertic does not use external providers in relation to our client services. |
| | A.15.2.2 Managing changes to supplier services | No | No | Vertic does not use external providers in relation to our client services. |
| Totals: | | 0 | 0 | |
| A.16 Information security incident management | | | | |
| A.16.1 Management of information security incidents and improvements | A.16.1.1 Responsibilities and procedures | Yes | Yes | An incident response procedure is in place. |
| | A.16.1.2 Reporting information security events | Yes | Yes | This is addressed as part of awareness training. |
| | A.16.1.3 Reporting information security weaknesses | Yes | Yes | This is addressed via our Risk Submission Form. |
| | A.16.1.4 Assessment of and decision on information security events | Yes | Yes | Systems and procedures are used to assess events and raise incidents where appropriate. |
| | A.16.1.5 Response to information security incidents | Yes | Yes | Training in incident response has been carried out. |
| | A.16.1.6 Learning from information security incidents | Yes | Yes | A review is part of the procedure. |
| | A.16.1.7 Collection of evidence | Yes | Yes | We document all incident evidence via our Atlassian system. |
| Totals: | | 7 | 7 | |
| A.17 Information security aspects of business continuity management | | | | |
| A.17.1 Information security continuity | A.17.1.1 Planning information security continuity | Yes | Yes | Security is considered as part of the business continuity plan. |
| | A.17.1.2 Implementing information security continuity | Yes | Yes | Security is considered as part of the business continuity plan. |
| | A.17.1.3 Verify, review and evaluate information security continuity | Yes | No | Testing the plan is essential. |
| A.17.2 Redundancies | A.17.2.1 Availability of information processing facilities | No | No | We don't manage our own infrastructure and use Salesforce's services to manage information processing. |
| Totals: | | 3 | 2 | |
| A.18 Compliance | | | | |
| A.18.1 Compliance with legal and contractual requirements | A.18.1.1 Identification of applicable legislation and contractual requirements | Yes | Yes | All applicable legislation and requirements from contracts have been identified. |
| | A.18.1.2 Intellectual property rights | Yes | Yes | A policy on the use and protection of IP has been agreed and communicated. |
| | A.18.1.3 Protection of records | Yes | Yes | Records are protected effectively. |
| | A.18.1.4 Privacy and protection of personally identifiable information | Yes | Yes | A data protection policy is in place. |
| | A.18.1.5 Regulation of cryptographic controls | No | No | Compliance has been reviewed and deemed not applicable to Vertic. |
| A.18.2 Information security reviews | A.18.2.1 Independent review of information security | Yes | Yes | Auditors are used to review our information security approach. |
| | A.18.2.2 Compliance with security policies and standards | Yes | Yes | Managers have received training in ensuring compliance. |
| | A.18.2.3 Technical compliance review | Yes | Yes | This will be part of Vertic's annual compliance review. |
| Totals: | | 7 | 7 | |