This page outlines the required Statement of Applicability
and all relevant links to the required documents/samples/templates/evidence.
Information security management systems: Requirements
AREA/SECTION | CONTROL | APPLICABLE | IMPLEMENTED | JUSTIFICATION FOR INCLUSION OR EXCLUSION |
A.5 Information security policies | ||||
A.5.1 Management direction for information security | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
A.5.1.2 Review of the policies for information security | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Totals: | 2 | 2 | ||
A.6 Organisation of information security | ||||
A.6.1 Internal organisation | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.6.2 Mobile devices and teleworking | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Totals: | 4 | 3 | ||
A.7 Human resources security | ||||
A.7.1 Prior to employment | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.7.2 During employment | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
A.7.2.2 Information security awareness, education and training | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.7.3 Termination and change of employment | A.7.3.1 Termination or change of employment responsibilities | Yes | Yes | Required by the standard and Vertic’s operational needs. |
Totals: | 6 | 4 | ||
A.8 Asset management | ||||
A.8.1 Responsibility for assets | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.8.2 Information classification | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.8.3 Media Handling | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Totals: | 4 | 4 | ||
A.9 Access control | ||||
A.9.1 Business requirements of access control | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.9.2 User access management | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.9.2.4 Management of secret authentication information of users | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | No | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.9.3 User responsibilities | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
A.9.4 System and application access control | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Totals: | 12 | 11 | ||
A.10 Cryptography | ||||
A.10.1 Cryptographic controls | A.10.1.1 Policy on the use of cryptographic controls | No | No | Vertic is not involved in cryptography work at all and therefore these controls are not applicable to our operational needs. |
A.10.1.2 Key management | No | No | Vertic is not involved in cryptography work at all and therefore these controls are not applicable to our operational needs. | |
Totals: | 0 | 0 | ||
A.11 Physical and environmental security | ||||
A.11.1 Secure areas | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.11.1.4 Protecting against external and environmental threats | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.11.2 Equipment | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Totals: | 7 | 7 | ||
A.12 Operations security | ||||
A.12.1 Operational procedures and responsibilities | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.12.1.4 Separation of development, testing and operational environments | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
A.12.2 Protection from malware | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
A.12.3 Backup | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
A.12.4 Logging and monitoring | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.12.5 Control of operational software | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
A.12.6 Technical vulnerability management | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.12.7 Information systems audit considerations | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Totals: | 11 | 9 | ||
A.13 Communications security | ||||
A.13.1 Network security management | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.13.2 Information transfer | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Totals: | 3 | 3 | ||
A.14 System acquisition, development and maintenance | ||||
A.14.1 Security requirements of information systems | A.14.1.1 Information security requirements analysis and specification | Yes | Yes | Required by the standard and Vertic’s operational needs. |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.14.2 Security in development and support processes | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.14.2.3 Technical review of applications after operating platform changes | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.14.3 Test data | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Totals: | 11 | 11 | ||
A.15 Supplier relationships | ||||
A.15.1 Information security in supplier relationships | A.15.1.1 Information security policy for supplier relationships | Yes | Yes | Required by the standard and Vertic’s operational needs. |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.15.1.3 Information and communication technology supply chain | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
A.15.2 Supplier service delivery management | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Totals: | 0 | 0 | ||
A.16 Information security incident management | ||||
A.16.1 Management of information security incidents and improvements | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.16.1.4 Assessment of and decision on information security events | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Totals: | 7 | 7 | ||
A.17 Information security aspects of business continuity management | ||||
A.17.1 Information security continuity | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.17.1.3 Verify, review and evaluate information security continuity | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
A.17.2 Redundancies | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Totals: | 3 | 2 | ||
A.18 Compliance | ||||
A.18.1 Compliance with legal and contractual requirements | A.18.1.1 Identification of applicable legislation and contractual requirements | Yes | Yes | Required by the standard and Vertic’s operational needs. |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.18.1.4 Privacy and protection of personally identifiable information | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
A.18.1.5 Regulation of cryptographic controls | No | No | Vertic is not involved in cryptography work at all and therefore these controls are not applicable to our operational needs. | |
A.18.2 Information security reviews | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Totals: | 7 | 7 |