This page outlines the required Statement of Applicability
and all relevant links to the required documents/samples/templates/evidence.
Information security management systems: Requirements (ISO/IEC 27001:2013, Annex A controls)
Cells showing two answers separated by a slash (e.g. No / Yes) carry both answers recorded against that control; review questions and action items are collected in the Notes / actions column.

| Area / section | Control | Applicable? | Implemented? | Justification for inclusion or exclusion | Notes / actions |
|---|---|---|---|---|---|
| A.5 Information security policies | | | | | |
| A.5.1 Management direction for information security | A.5.1.1 Policies for information security | Yes | Yes | There are many employees, contractors and suppliers who need to be aware of how we manage security. | |
| | A.5.1.2 Review of the policies for information security | Yes | Yes | There is a low rate of change, so regular reviews are important but not time-critical. | |
| Totals: | | 2 | 2 | | |
| A.6 Organisation of information security | | | | | |
| A.6.1 Internal organisation | A.6.1.1 Information security roles and responsibilities | Yes | Yes | There is a risk that our controls and response to an incident will be uncoordinated without clear roles and responsibilities. | |
| | A.6.1.2 Segregation of duties | Yes | Yes | | |
| | A.6.1.3 Contact with authorities | Yes | Yes | | |
| | A.6.1.4 Contact with special interest groups | Yes | Yes | | |
| | A.6.1.5 Information security in project management | Yes | Yes | We have a small number of projects each year. | Yes; Yes |
| A.6.2 Mobile devices and teleworking | A.6.2.1 Mobile device policy | Yes | Yes | We have a small number of mobile devices in use. | |
| | A.6.2.2 Teleworking | No | No | We don't have any teleworking sites. | Yes; Yes |
| Totals: | | 4 | 3 | | |
| A.7 Human resources security | | | | | |
| A.7.1 Prior to employment | A.7.1.1 Screening | No / Yes / No | Yes | | |
| | A.7.1.2 Terms and conditions of employment | Yes | No / Yes | Security requirements need to be incorporated in employment contracts. | |
| A.7.2 During employment | A.7.2.1 Management responsibilities | Yes | Yes | | |
| | A.7.2.2 Information security awareness, education and training | Yes | Yes | | Build an employee presentation. |
| | A.7.2.3 Disciplinary process | No / Yes | No | This is covered in the standard employment agreement. | Yes |
| A.7.3 Termination and change of employment | A.7.3.1 Termination or change of employment responsibilities | Yes | Yes | Classified information must continue to be protected after termination. | |
| Totals: | | 6 | 4 | | |
| A.8 Asset management | | | | | |
| A.8.1 Responsibility for assets | A.8.1.1 Inventory of assets | No / Yes | No | There is not a wide variety of information assets within the organisation; we are very focused in our technical implementation. | Yes; Build an asset register (soft and hard assets). |
| | A.8.1.2 Ownership of assets | Yes | Yes | Clear responsibility for assets is key to ensuring their protection. | |
| | A.8.1.3 Acceptable use of assets | No | No | We don't manage a large number of assets. | Yes; Yes |
| | A.8.1.4 Return of assets | Yes | Yes | Assets such as laptops are reissued when an employee leaves. | |
| A.8.2 Information classification | A.8.2.1 Classification of information | Yes | Yes | Key information requires additional protection. | |
| | A.8.2.2 Labelling of information | No / Yes | No | We only deal with a limited set of information, none of which requires deep levels of protection. | Yes |
| | A.8.2.3 Handling of assets | No | No | Mishandling of assets is not a key risk as we have a low turnover of temporary staff. | Yes; Yes |
| A.8.3 Media handling | A.8.3.1 Management of removable media | No | No | We don't manage removable media; everything is stored in cloud-based services. | |
| | A.8.3.2 Disposal of media | No | No | This is not applicable to Vertic's services; we don't handle media. | Yes; Yes |
| | A.8.3.3 Physical media transfer | No | No | We don't currently transfer any physical media. | |
| Totals: | | 4 | 4 | | |
| A.9 Access control | | | | | |
| A.9.1 Business requirements of access control | A.9.1.1 Access control policy | Yes | Yes | Rules for access to systems address the risk of unauthorised access. | |
| | A.9.1.2 Access to networks and network services | No | No | We don't maintain our own network. | Yes; Yes |
| A.9.2 User access management | A.9.2.1 User registration and de-registration | Yes | Yes | We have a high number of registration and de-registration requests. | |
| | A.9.2.2 User access provisioning | Yes | Yes | Provisioning procedures need to be formalised to prevent mistakes. | |
| | A.9.2.3 Management of privileged access rights | Yes | Yes | Use of admin rights needs to be better controlled. | |
| | A.9.2.4 Management of secret authentication information of users | Yes | Yes | Issuing of passwords and other authentication methods is carefully managed. | Yes |
| | A.9.2.5 Review of user access rights | Yes | No | | |
| | A.9.2.6 Removal or adjustment of access rights | Yes | Yes | The low rate of change means that access is tightly controlled. | |
| A.9.3 User responsibilities | A.9.3.1 Use of secret authentication information | Yes | Yes | Instances of shared passwords are being addressed by using Bitwarden. | |
| A.9.4 System and application access control | A.9.4.1 Information access restriction | Yes | Yes | The Salesforce platform itself is used to control access. | |
| | A.9.4.2 Secure log-on procedures | Yes | Yes | All systems, such as Jira, require authentication. | |
| | A.9.4.3 Password management system | Yes | Yes | Restrictions on acceptable passwords are enforced. | |
| | A.9.4.4 Use of privileged utility programs | No | No | No such programs are in use. | This might be controlled by admin; could be software like a virus controller. |
| | A.9.4.5 Access control to program source code | No / Yes | No | No development is undertaken. | Yes; GitHub access. |
| Totals: | | 12 | 11 | | |
| A.10 Cryptography | | | | | |
| A.10.1 Cryptographic controls | A.10.1.1 Policy on the use of cryptographic controls | No | No | We don't implement services around cryptography. | Do we encrypt any data? |
| | A.10.1.2 Key management | No | No | We don't implement services around cryptography. | Do we encrypt any data? |
| Totals: | | 0 | 0 | | |
| A.11 Physical and environmental security | | | | | |
| A.11.1 Secure areas | A.11.1.1 Physical security perimeter | No / Yes | No | We are a remote team and work primarily from home. | Yes; Review IT policy and adjust. |
| | A.11.1.2 Physical entry controls | No | No | We are a remote team and work primarily from home. | |
| | A.11.1.3 Securing offices, rooms and facilities | Yes | Yes | Doors and windows are locked where appropriate. | |
| | A.11.1.4 Protecting against external and environmental threats | Yes | Yes | All reasonable actions are taken to protect the homes we work from; no physical servers are kept on any premises. | |
| | A.11.1.5 Working in secure areas | Yes | Yes | There are a few high-security areas in the various homes. | |
| | A.11.1.6 Delivery and loading areas | No / Yes | No | No access is given to the building for deliveries, and there is no loading area. | Yes; This could be home delivery. |
| A.11.2 Equipment | A.11.2.1 Equipment siting and protection | No / Yes | No | Vertic's team works on secured laptops, which can be sited in public. | Yes; Where are laptops located? Back to the wall, for example. |
| | A.11.2.2 Supporting utilities | No / Yes / No | Yes | We don't deal with power outages; Salesforce is a distributed ecosystem and Vertic's team works on laptops with hours of backup power available. | |
| | A.11.2.3 Cabling security | No / Yes | No | This does not apply to Vertic; we don't manage our own infrastructure. | Yes; Once cables are in the house, how are they managed? |
| | A.11.2.4 Equipment maintenance | Yes | Yes | All equipment is maintained according to manufacturers' instructions. | |
| | A.11.2.5 Removal of assets | No | No | This does not apply to Vertic; we don't manage our own infrastructure. | Yes; Yes |
| | A.11.2.6 Security of equipment and assets off-premises | Yes | Yes | Assets are often used offsite in a home environment. | |
| | A.11.2.7 Secure disposal or re-use of equipment | Yes | Yes | Secure disposal is in place with a third party. | |
| | A.11.2.8 Unattended user equipment | Yes | Yes | Training has been provided to ensure that screens and equipment are locked when unattended. | What are the parameters for securing devices (e.g. screensaver)? |
| | A.11.2.9 Clear desk and clear screen policy | No / Yes / No | Yes | We are a remote team and work primarily from home; all external doors are shut during the hours of work. | IT policy. |
| Totals: | | 7 | 7 | | |
| A.12 Operations security | | | | | |
| A.12.1 Operational procedures and responsibilities | A.12.1.1 Documented operating procedures | Yes | Yes | Procedures must be performed the same way each time to avoid accidents. | |
| | A.12.1.2 Change management | No / Yes | No | Vertic does not perform these functions. | Yes; Define a change management process. |
| | A.12.1.3 Capacity management | Yes | Yes | Capacity of key resources is monitored. | |
| | A.12.1.4 Separation of development, testing and operational environments | Yes | Yes | A consistent approach to software development is essential to Vertic's success. | |
| A.12.2 Protection from malware | A.12.2.1 Controls against malware | Yes | Yes | Anti-malware is in place and monitored from a central console within the Salesforce platform. | |
| A.12.3 Backup | A.12.3.1 Information backup | No / Yes / No | Yes | The Salesforce digital platform provides this service directly to our clients (via third-party applications). | Action: reference cloud provider backup services. |
| A.12.4 Logging and monitoring | A.12.4.1 Event logging | Yes | No / Yes | The Salesforce digital platform provides this service directly to our clients (via third-party applications). | |
| | A.12.4.2 Protection of log information | No / Yes / No | Yes | This does not apply to Vertic, as event logs are captured directly within the Salesforce platform. | |
| | A.12.4.3 Administrator and operator logs | Yes | Yes | All such access is recorded. | |
| | A.12.4.4 Clock synchronisation | No / Yes | No | This does not apply to Vertic. | Yes; Single time source; put this into the IT policy. |
| A.12.5 Control of operational software | A.12.5.1 Installation of software on operational systems | Yes | Yes | Software installation is planned and controlled. | |
| A.12.6 Technical vulnerability management | A.12.6.1 Management of technical vulnerabilities | Yes | Yes | A full patching process is in place via recurring Salesforce Health Checks. | |
| | A.12.6.2 Restrictions on software installation | Yes | Yes | Admin access is required to install software. | |
| A.12.7 Information systems audit considerations | A.12.7.1 Information systems audit controls | Yes | Yes | Audits are planned so that business activities are not disrupted. | |
| Totals: | | 11 | 9 | | |
| A.13 Communications security | | | | | |
| A.13.1 Network security management | A.13.1.1 Network controls | No | No | Vertic does not maintain its own network; no access security is required. | Yes; Yes |
| | A.13.1.2 Security of network services | No / Yes | No | Network service agreements are in place for all services; we connect to all services via the public Internet. | Yes |
| | A.13.1.3 Segregation in networks | No | | Vertic does not maintain its own network; no access security is required. | Yes; Yes |
| A.13.2 Information transfer | A.13.2.1 Information transfer policies and procedures | No / Yes / No | Yes | We conduct ourselves within the frameworks of the software tools we use, such as Atlassian. | |
| | A.13.2.2 Agreements on information transfer | No | No | We do not transfer information to third parties. | Yes; Yes |
| | A.13.2.3 Electronic messaging | Yes | Yes | There is significant use of email and instant messaging. | |
| | A.13.2.4 Confidentiality or non-disclosure agreements | Yes | Yes | NDAs should be in place with all parties with whom we share personal data. | |
| Totals: | | 3 | 3 | | |
| A.14 System acquisition, development and maintenance | | | | | |
| A.14.1 Security requirements of information systems | A.14.1.1 Information security requirements analysis and specification | Yes | Yes | Security requirements are specified for all new or changed systems. | |
| | A.14.1.2 Securing application services on public networks | Yes | Yes | TLS is used in all circumstances, as per the Salesforce platform. | |
| | A.14.1.3 Protecting application services transactions | Yes | Yes | TLS is used in all circumstances, as per the Salesforce platform. | |
| A.14.2 Security in development and support processes | A.14.2.1 Secure development policy | Yes | Yes | All software development is undertaken in accordance with Salesforce guidelines and development processes. | |
| | A.14.2.2 System change control procedures | Yes | Yes | | |
| | A.14.2.3 Technical review of applications after operating platform changes | Yes | Yes | Reviews are conducted as part of acceptance testing of new systems. | |
| | A.14.2.4 Restrictions on changes to software packages | Yes | Yes | A policy of no change is agreed. | |
| | A.14.2.5 Secure system engineering principles | No / Yes | No | We are developing on top of the Salesforce platform and are limited and directed by their system engineering principles. | Yes |
| | A.14.2.6 Secure development environment | Yes | Yes | We are developing on top of the Salesforce platform and are limited and directed by their system engineering principles. | |
| | A.14.2.7 Outsourced development | Yes | Yes | We outsource some of the technical software development to an outsourcing firm which exclusively delivers to Vertic under the same rules, regulations and processes as Vertic. | |
| | A.14.2.8 System security testing | Yes | Yes | New and changed systems are tested to check they meet security requirements. | |
| | A.14.2.9 System acceptance testing | Yes | Yes | New and changed systems are tested to check they meet security requirements. | |
| A.14.3 Test data | A.14.3.1 Protection of test data | No / Yes | No | Vertic does not use client production data at any time. | Yes; We don't handle data in production environments. Put this into the referenced policy. |
| Totals: | | 11 | 11 | | |
| A.15 Supplier relationships | | | | | |
| A.15.1 Information security in supplier relationships | A.15.1.1 Information security policy for supplier relationships | No | No | Vertic does not use any external providers in relation to our client services. | |
| | A.15.1.2 Addressing security within supplier agreements | No | No | Vertic does not use any external providers in relation to our client services. | |
| | A.15.1.3 Information and communication technology supply chain | No | No | Vertic does not use any external providers in relation to our client services. | |
| A.15.2 Supplier service delivery management | A.15.2.1 Monitoring and review of supplier services | No | No | Vertic does not use any external providers in relation to our client services. | |
| | A.15.2.2 Managing changes to supplier services | No | No | Vertic does not use any external providers in relation to our client services. | |
| Totals: | | 0 | 0 | | |
| A.16 Information security incident management | | | | | |
| A.16.1 Management of information security incidents and improvements | A.16.1.1 Responsibilities and procedures | Yes | Yes | An incident response procedure is in place. | |
| | A.16.1.2 Reporting information security events | Yes | Yes | This is addressed as part of awareness training. | |
| | A.16.1.3 Reporting information security weaknesses | Yes | Yes | This is addressed via our Risk Submission Form. | |
| | A.16.1.4 Assessment of and decision on information security events | Yes | Yes | Systems and procedures are used to assess events and raise incidents where appropriate. | |
| | A.16.1.5 Response to information security incidents | Yes | Yes | Training in incident response has been carried out. | |
| | A.16.1.6 Learning from information security incidents | Yes | Yes | A review is part of the procedure. | |
| | A.16.1.7 Collection of evidence | Yes | Yes | We document all incident evidence via our Atlassian system. | |
| Totals: | | 7 | 7 | | |
| A.17 Information security aspects of business continuity management | | | | | |
| A.17.1 Information security continuity | A.17.1.1 Planning information security continuity | Yes | Yes | Security is considered as part of the business continuity plan. | |
| | A.17.1.2 Implementing information security continuity | Yes | Yes | Security is considered as part of the business continuity plan. | |
| | A.17.1.3 Verify, review and evaluate information security continuity | Yes | No | Testing the plan is essential. | |
| A.17.2 Redundancies | A.17.2.1 Availability of information processing facilities | No | No | We don't manage our own infrastructure and use Salesforce's services to manage information processing. | |
| Totals: | | 3 | 2 | | |
| A.18 Compliance | | | | | |
| A.18.1 Compliance with legal and contractual requirements | A.18.1.1 Identification of applicable legislation and contractual requirements | Yes | Yes | All applicable legislation and requirements from contracts have been identified. | |
| | A.18.1.2 Intellectual property rights | Yes | Yes | A policy on the use and protection of IP has been agreed and communicated. | |
| | A.18.1.3 Protection of records | Yes | Yes | Records are protected effectively. | |
| | A.18.1.4 Privacy and protection of personally identifiable information | Yes | Yes | A data protection policy is in place. | |
| | A.18.1.5 Regulation of cryptographic controls | No | No | Compliance has been reviewed and deemed not applicable to Vertic. | |
| A.18.2 Information security reviews | A.18.2.1 Independent review of information security | Yes | Yes | Auditors are used to review our information security approach. | |
| | A.18.2.2 Compliance with security policies and standards | Yes | Yes | Managers have received training in ensuring compliance. | |
| | A.18.2.3 Technical compliance review | Yes | Yes | This will be part of Vertic's annual compliance review. | |
| Totals: | | 7 | 7 | | |