Versions Compared

Version Old Version 33 New Version 34
Changes made by

Jan Tenenberg

Jan Tenenberg

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This page outlines the required Statement of Applicabilty and all relevant links to the required documents/samples/templates/evidence.

Information security management systems: Requirements

AREA/SECTION

CONTROL

CONTROL APPLICABLE?

CONTROL IMPLEMENTED?

JUSTIFICATION FOR INCLUSION OR EXCLUSION

A.5 Information security policies

A.5.1 Management direction for information security

A.5.1.1 Policies for information security

Yes

Yes

A.5.1.2 Review of the policies for information security

Yes

Yes

Totals:

2

2

A.6 Organisation of information security

A.6.1 Internal organisation

A.6.1.1 Information security roles and responsibilities

Yes

Yes

A.6.1.2 Segregation of duties

Yes

Yes

A.6.1.3 Contact with authorities

Yes

Yes

A.6.1.4 Contact with special interest groups

Yes

Yes

A.6.1.5 Information security in project management

Yes

Yes

A.6.2 Mobile devices and teleworking

A.6.2.1 Mobile device policy

Yes

Yes

A.6.2.2 Teleworking

Yes

Yes

Totals:

4

3

A.7 Human resources security

A.7.1 Prior to employment

A.7.1.1 Screening

Yes

Yes

A.7.1.2 Terms and conditions of employment

Yes

Yes

A.7.2 During employment

A.7.2.1 Management responsibilities

Yes

Yes

A.7.2.2 Information security awareness, education and training

Yes

Yes

A.7.2.3 Disciplinary process

Yes

Yes

A.7.3 Termination and change of employment

A.7.3.1 Termination or change of employment responsibilities

Yes

Yes

Totals:

6

4

A.8 Asset management

A.8.1 Responsibility for assets

A.8.1.1 Inventory of assets

Yes

Yes

A.8.1.2 Ownership of assets

Yes

Yes

A.8.1.3 Acceptable use of assets

Yes

Yes

A.8.1.4 Return of assets

Yes

Yes

A.8.2 Information classification

A.8.2.1 Classification of information

Yes

Yes

A.8.2.2 Labelling of information

Yes

Yes

Asset Management Policy - Restricted, Protected, Confidential (Internal Use)

A.8.2.3 Handling of assets

Yes

Yes

A.8.3 Media Handling

A.8.3.1 Management of removable media

No

No

We don't manage removable media; everything is stored in cloud-based services.Yes

Yes

A.8.3.2 Disposal of media

Yes

Yes

A.8.3.3 Physical media transfer

NoYes

No

We don't currently transfer any physical media.

Yes

Totals:

4

4

A.9 Access control

A.9.1 Business requirements of access control

A.9.1.1 Access control policy

Yes

Yes

A.9.1.2 Access to networks and network services

Yes

Yes

A.9.2 User access management

A.9.2.1 User registration and de-registration

Yes

Yes

A.9.2.2 User access provisioning

Yes

Yes

A.9.2.3 Management of privileged access rights

Yes

Yes

A.9.2.4 Management of secret authentication information of users

Yes

Yes

A.9.2.5 Review of user access rights

Yes

No

A.9.2.6 Removal or adjustment of access rights

Yes

Yes

A.9.3 User responsibilities

A.9.3.1 Use of secret authentication information

Yes

Yes

A.9.4 System and application access control

A.9.4.1 Information access restriction

Yes

Yes

A.9.4.2 Secure log-on procedures

Yes

Yes

A.9.4.3 Password management system

Yes

Yes

A.9.4.4 Use of privileged utility programs

Yes

Yes

A.9.4.5 Access control to program source code

Yes

Yes

Totals:

12

11

A.10 Cryptography

A.10.1 Cryptographic controls

A.10.1.1 Policy on the use of cryptographic controls

No

No

Do we encrypt any data?

A.10.1.2 Key managementNo

No

Do we encrypt any data?No

Totals:

0

0

A.11 Physical and environmental security

A.11.1 Secure areas

A.11.1.1 Physical security perimeter

Yes

Yes

A.11.1.2 Physical entry controls

Yes

Yes

A.11.1.3 Securing offices, rooms and facilities

Yes

Yes

A.11.1.4 Protecting against external and environmental threats

Yes

Yes

A.11.1.5 Working in secure areas

Yes

Yes

A.11.1.6 Delivery and loading areas

Yes

Yes

A.11.2 Equipment

A.11.2.1 Equipment siting and protection

Yes

Yes

A.11.2.2 Supporting utilities

Yes

Yes

A.11.2.3 Cabling security

Yes

Yes

A.11.2.4 Equipment maintenance

Yes

YesAll equipment is maintained according to manufacturers' instructions.

A.11.2.5 Removal of assets

Yes

Yes

A.11.2.6 Security of equipment and assets off-premises

Yes

Yes

Assets are often used offsite in a home environment.

A.11.2.7 Secure disposal or reuse of equipment/media

Yes

Yes

Secure disposal is in place with a third party.

A.11.2.8 Unattended user equipment

Yes

Yes

Training has been provided to ensure that screens and equipment are locked when unattended. What are the parameters of securing devices (ie. screensaver)

A.11.2.8 Unattended user equipment

Yes

Yes

A.11.2.9 Clear desk and clear screen policy

Yes

Yes

Totals:

7

7

A.12 Operations security

A.12.1 Operational procedures and responsibilities

A.12.1.1 Documented operating procedures

Yes

Yes

Procedures must be performed the same way each time to avoid accidents.

A.12.1.2 Change management

Yes

Yes

A.12.1.3 Capacity management

Yes

YesCapacity of key resources is monitored.

A.12.1.4 Separation of development, testing and operational environments

Yes

YesConsistent approach to Software Development is essential to Vertic's success.

A.12.2 Protection from malware

A.12.2.1 Controls against malware

Yes

Yes

Anti-malware is in place and monitored from a central console within the Salesforce platform.

Yes

A.12.3 Backup

A.12.3.1 Information backup

Yes

Yes

The Salesforce digital platform provides this service directly to our clients (via third-party applications).

Action: Reference cloud provider backup services.

A.12.4 Logging and monitoring

A.12.4.1 Event logging

Yes

YesThe Salesforce digital platform provides this service directly to our clients (via third-party applications).

A.12.4.2 Protection of log information

Yes

Yes

This does not apply to Vertic as event logs are captured directly within the Salesforce platform.Yes

A.12.4.3 Administrator and operator logs

Yes

YesAll such access is recorded.

A.12.4.4 Clock synchronisation

Yes

Yes

A.12.5 Control of operational software

A.12.5.1 Installation of software on operational systems

Yes

Yes

Software installation is planned and controlled.

A.12.6 Technical vulnerability management

A.12.6.1 Management of technical vulnerabilities

Yes

Yes

A full patching process is in place via recurring Salesforce Health Checks.A.12.6.2 Restrictions on software installation

Yes

YesAdmin access is required to install software.

A.12.7 Information systems audit considerations

A.12.7.1 Information systems audit controls

Yes

YesAudits are planned so that business activities are not disrupted.

Totals:

11

9

A.13 Communications security

A.13.1 Network security management

A.13.1.1 Network controls

Yes

Yes

A.13.1.2 Security of network services

Yes

Yes

A.13.1.3 Segregation in networks

Yes

Yes

A.13.2 Information transfer

A.13.2.1 Information transfer policies and procedures

Yes

YesWe conduct ourselves within the frameworks of the software tools we use, like Atlassian.

A.13.2.2 Agreements on information transfer

Yes

Yes

A.13.2.3 Electronic messaging

Yes

YesThere is significant use of email and instant messaging.

A.13.2.4 Confidentiality or nondisclosure agreements

Yes

Yes

NDAs should be in place with all parties with whom we share personal data.

Totals:

3

3

A.14 System acquisition, development and maintenance

A.14.1 Security requirements of information systems

A.14.1.1 Information security
requirements analysis
and specification

Yes

YesSecurity requirements are specified for all new or changed systems.

A.14.1.2 Securing application
services on public
networks

Yes

Yes

TLS is used in all circumstances as per the Salesforce platform.

A.14.1.3 Protecting application
services transactions

Yes

Yes

TLS is used in all circumstances as per the Salesforce platform.

Yes

A.14.2 Security in development and support processes

A.14.2.1 Secure development policy

Yes

Yes

All software development is undertaken in accordance with Salesforce guidelines and development processes.

A.14.2.2 System change control procedures

Yes

Yes

A.14.2.3 Technical review of applications after operating platform changes

Yes

Yes

Reviews are conducted as part of acceptance testing of new systems.

A.14.2.4 Restrictions on changes to software packages

Yes

Yes

A.14.2.5 Secure system engineering principles

Yes

Yes

A.14.2.6 Secure development environment

Yes

Yes

We are developing on top of the Salesforce platform and are limited and directed by their Secure system engineering principles.

Yes

Yes

A.14.2.7 Outsourced 6 Secure development environment

Yes

YesWe outsource some of the technical software development to an outsourcing firm which exclusively delivers to Vertic under the same rules, regulations, and processes as Vertic.

/wiki/spaces/PD/pages/1816920072

Yes

Yes

A.14.2.8 System security testing

Yes

Yes

New and changed systems are tested to check they meet security requirements.

Yes

A.14.2.9 System acceptance testing

Yes

YesNew and changed systems are tested to check they meet security requirements.

A.14.3 Test data

A.14.3.1 Protection of test data

Yes

Yes

We don’t handle data in production environments. Put this into the referenced policy.

Totals:

11

11

A.15 Supplier relationships

A.15.1 Information security in supplier relationships

A.15.1.1 Information security policy for supplier relationships

No

No

Vertic does not use an external providers in relation to our client services.Yes

Yes

A.15.1.2 Addressing security within supplier agreements

No

No

Vertic does not use an external providers in relation to our client services.Yes

Yes

A.15.1.3 Information and communication technology supply chain

NoYes

No

Vertic does not use an external providers in relation to our client services.

Yes

A.15.2 Supplier service delivery management

A.15.2.1 Monitoring and review of supplier services

No

No

Vertic does not use an external providers in relation to our client services.Yes

Yes

A.15.2.2 Managing changes to supplier services

NoYes

No

Vertic does not use an external providers in relation to our client services.

Yes

Totals:

0

0

A.16 Information security incident management

A.16.1 Management of information security incidents and improvements

A.16.1.1 Responsibilities and procedures

Yes

Yes

An incident response procedure is in place.Yes

A.16.1.2 Reporting information security events

Yes

YesThis is addressed as part of awareness training.

A.16.1.3 Reporting information security weaknesses

Yes

Yes

This is addressed via our Risk Submission Form.

A.16.1.4 Assessment of and decision on information security events

Yes

Yes

Systems and procedures are used to assess events and raise incidents where appropriate.

A.16.1.5 Response to information security incidents

Yes

Yes

Training in incident response has been carried out.

A.16.1.6 Learning from information security incidents

Yes

Yes

A review is part of the procedure./wiki/spaces/SCA/pages/445776488

Yes

Yes

/wiki/spaces/SCA/pages/445776488

Yes

Yes

A.16.1.7 Collection of evidence

Yes

YesWe document all incident evidence via our Atlassian system.

Totals:

7

7

A.17 Information security aspects of business continuity management

A.17.1 Information security continuity

A.17.1.1 Planning information security continuity

Yes

Yes

Security is considered as part of the business continuity plan.

A.17.1.2 Implementing information security continuity

Yes

YesSecurity is considered as part of the business continuity plan.

A.17.1.3 Verify, review and evaluate information security continuity

Yes

No

Testing the plan is essential.Yes

A.17.2 Redundancies

A.17.2.1 Availability of information processing facilities

No

No

We don't manage our own infrastructure and are using Salesforce's services to manage information processing.Yes

Yes

Totals:

3

2

A.18 Compliance

A.18.1 Compliance with legal and contractual requirements

A.18.1.1 Identification of applicable legislation and contractual requirements

Yes

YesAll applicable legislation and requirements from contracts have been identified.

A.18.1.2 Intellectual property rights

Yes

Yes

A policy on the use and protection of IP has been agreed and communicated.

.1.2 Intellectual property rights

Yes

Yes

A.18.1.3 Protection of records

Yes

Yes

Records are protected effectively.

A.18.1.4 Privacy and protection of personally identifiable information

Yes

Yes

A data protection policy is in place.A.18.1.5 Regulation of cryptographic controls

No

NoCompliance has been reviewed deemed not applicable to Vertic.

A.18.2 Information security reviews

A.18.2.1 Independent review of information security

Yes

YesAuditors are used to review our information security approach.

A.18.2.2 Compliance with security policies and standards

Yes

Yes

Managers have received training in ensuring compliance.

A.18.2.3 Technical compliance review

Yes

YesThis will be part of Vertic’s annual compliance review.

Totals:

7

7