Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This page outlines the required Statement of Applicability and all relevant links to the required documents/samples/templates/evidence.

Information security management systems: Requirements


| AREA/SECTION | CONTROL | APPLICABLE | IMPLEMENTED | JUSTIFICATION FOR INCLUSION OR EXCLUSION |
| --- | --- | --- | --- | --- |
| A.5 Information security policies | | | | |
| A.5.1 Management direction for information security | | | | |
| | A.5.1.1 Policies for information security | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.5.1.2 Review of the policies for information security | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| Totals: | | 2 | 2 | |
| A.6 Organisation of information security | | | | |
| A.6.1 Internal organisation | | | | |
| | A.6.1.1 Information security roles and responsibilities | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.6.1.2 Segregation of duties | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.6.1.3 Contact with authorities | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.6.1.4 Contact with special interest groups | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.6.1.5 Information security in project management | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.6.2 Mobile devices and teleworking | | | | |
| | A.6.2.1 Mobile device policy | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.6.2.2 Teleworking | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| Totals: | | 4 | 3 | |
| A.7 Human resources security | | | | |
| A.7.1 Prior to employment | | | | |
| | A.7.1.1 Screening | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.7.1.2 Terms and conditions of employment | Yes | Yes | Security requirements need to be incorporated in employment contracts / Required by the standard and Vertic’s operational needs. |
| A.7.2 During employment | | | | |
| | A.7.2.1 Management responsibilities | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.7.2.2 Information security awareness, education and training | Yes | Yes | Build an employee presentation / Required by the standard and Vertic’s operational needs. |
| | A.7.2.3 Disciplinary process | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.7.3 Termination and change of employment | | | | |
| | A.7.3.1 Termination or change of employment responsibilities | Yes | Yes | Classified information must continue to be protected after termination / Required by the standard and Vertic’s operational needs. |
| Totals: | | 6 | 4 | |
| A.8 Asset management | | | | |
| A.8.1 Responsibility for assets | | | | |
| | A.8.1.1 Inventory of assets | Yes | Yes | Build an asset register (soft and hard assets) / Required by the standard and Vertic’s operational needs. |
| | A.8.1.2 Ownership of assets | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.8.1.3 Acceptable use of assets | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.8.1.4 Return of assets | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.8.2 Information classification | | | | |
| | A.8.2.1 Classification of information | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.8.2.2 Labelling of information | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.8.2.3 Handling of assets | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.8.3 Media handling | | | | |
| | A.8.3.1 Management of removable media | No / Yes | No / Yes | We don't manage removable media; everything is stored in cloud-based services / Required by the standard and Vertic’s operational needs. |
| | A.8.3.2 Disposal of media | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.8.3.3 Physical media transfer | No / Yes | No / Yes | We don't currently transfer any physical media / Required by the standard and Vertic’s operational needs. |
| Totals: | | 4 | 4 | |
| A.9 Access control | | | | |
| A.9.1 Business requirements of access control | | | | |
| | A.9.1.1 Access control policy | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.9.1.2 Access to networks and network services | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.9.2 User access management | | | | |
| | A.9.2.1 User registration and de-registration | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.9.2.2 User access provisioning | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.9.2.3 Management of privileged access rights | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.9.2.4 Management of secret authentication information of users | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.9.2.5 Review of user access rights | Yes | No | Required by the standard and Vertic’s operational needs. |
| | A.9.2.6 Removal or adjustment of access rights | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.9.3 User responsibilities | | | | |
| | A.9.3.1 Use of secret authentication information | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.9.4 System and application access control | | | | |
| | A.9.4.1 Information access restriction | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.9.4.2 Secure log-on procedures | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.9.4.3 Password management system | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.9.4.4 Use of privileged utility programs | No / Yes | No / Yes | This might be controlled by admin; could be software like a virus controller / Required by the standard and Vertic’s operational needs. |
| | A.9.4.5 Access control to program source code | Yes | Yes | GitHub access / Required by the standard and Vertic’s operational needs. |
| Totals: | | 12 | 11 | |
| A.10 Cryptography | | | | |
| A.10.1 Cryptographic controls | | | | |
| | A.10.1.1 Policy on the use of cryptographic controls | No | No | Do we encrypt any data? / Vertic is not involved in cryptography work at all and therefore these controls are not applicable to our operational needs. |
| | A.10.1.2 Key management | No | No | Do we encrypt any data? / Vertic is not involved in cryptography work at all and therefore these controls are not applicable to our operational needs. |
| Totals: | | 0 | 0 | |
| A.11 Physical and environmental security | | | | |
| A.11.1 Secure areas | | | | |
| | A.11.1.1 Physical security perimeter | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.11.1.2 Physical entry controls | Yes | Yes | Required due to meeting room availability. No storage of any kind. |
| | A.11.1.3 Securing offices, rooms and facilities | Yes | Yes | Doors and windows are locked where appropriate / Required due to meeting room availability. No storage of any kind. |
| | A.11.1.4 Protecting against external and environmental threats | Yes | Yes | All reasonable actions are taken to protect the homes we work from; no physical servers are kept on any premises / This is primarily around the needs of the overseas team who are more exposed to civil unrest. |
| | A.11.1.5 Working in secure areas | Yes | Yes | There are a few high security areas in the various homes / Required by the standard and Vertic’s operational needs. |
| | A.11.1.6 Delivery and loading areas | Yes / No | Yes / No | This could be home delivery / Vertic receives no deliveries to any physical locations. |
| A.11.2 Equipment | | | | |
| | A.11.2.1 Equipment siting and protection | Yes | Yes | Where are laptops located? Back to the wall, for example / Required by the standard and Vertic’s operational needs. |
| | A.11.2.2 Supporting utilities | Yes | Yes | We don't deal with power outages; Salesforce is a distributed ecosystem and Vertic's team works on laptops with hours of backup power available / Required by the standard and Vertic’s operational needs. |
| | A.11.2.3 Cabling security | Yes / No | Yes / No | Once cables are in the house, how are they managed? / We use exclusive wireless networks so no cabling. |
| | A.11.2.4 Equipment maintenance | Yes | Yes | All equipment is maintained according to manufacturers' instructions / Laptop security is important but all access is cloud-based with no local storage requirements. |
| | A.11.2.5 Removal of assets | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.11.2.6 Security of equipment and assets off-premises | Yes | Yes | Assets are often used offsite in a home environment. |
| | A.11.2.7 Secure disposal or reuse of equipment/media | Yes | Yes | Secure disposal is in place with a third party / Required by the standard and Vertic’s operational needs. |
| | A.11.2.8 Unattended user equipment / A.11.2.7 Secure disposal or reuse of equipment/media | Yes | Yes | Training has been provided to ensure that screens and equipment are locked when unattended. What are the parameters of securing devices (i.e. screensaver)? / Required by the standard and Vertic’s operational needs. |
| | A.11.2.9 Clear desk and clear screen policy / A.11.2.8 Unattended user equipment | Yes | Yes | We are a remote team and work primarily from home; all external doors are shut during the hours of work. IT policy / Required by the standard and Vertic’s operational needs. |
| | A.11.2.9 Clear desk and clear screen policy | Yes | Yes | Adhering to client’s privacy needs by not exposing sensitive information. |
| Totals: | | 7 | 7 | |
| A.12 Operations security | | | | |
| A.12.1 Operational procedures and responsibilities | | | | |
| | A.12.1.1 Documented operating procedures | Yes | Yes | Procedures must be performed the same way each time to avoid accidents / Required by the standard and Vertic’s operational needs. |
| | A.12.1.2 Change management | Yes | Yes | Define a change management process / Required by the standard and Vertic’s operational needs. |
| | A.12.1.3 Capacity management | Yes | Yes | Capacity of key resources is monitored / Required by the standard and Vertic’s operational needs. |
| | A.12.1.4 Separation of development, testing and operational environments | Yes | Yes | A consistent approach to software development is essential to Vertic's success / Required by the standard and Vertic’s operational needs. |
| A.12.2 Protection from malware | | | | |
| | A.12.2.1 Controls against malware | Yes | Yes | Anti-malware is in place and monitored from a central console within the Salesforce platform. |
| A.12.3 Backup | | | | |
| | A.12.3.1 Information backup | Yes | Yes | The Salesforce digital platform provides this service directly to our clients (via third-party applications). Action: Reference cloud provider backup services / Required by the standard and Vertic’s operational needs. |
| A.12.4 Logging and monitoring | | | | |
| | A.12.4.1 Event logging | Yes | Yes | The Salesforce digital platform provides this service directly to our clients (via third-party applications) / Required by the standard and Vertic’s operational needs. |
| | A.12.4.2 Protection of log information | Yes | Yes | This does not apply to Vertic as event logs are captured directly within the Salesforce platform / Required by the standard and Vertic’s operational needs. |
| | A.12.4.3 Administrator and operator logs | Yes | Yes | All such access is recorded; put this into the IT policy / Required by the standard and Vertic’s operational needs. |
| | A.12.4.4 Clock synchronisation | Yes | Yes | Single time source / Required by the standard and Vertic’s operational needs. |
| A.12.5 Control of operational software | | | | |
| | A.12.5.1 Installation of software on operational systems | Yes | Yes | Software installation is planned and controlled / Required by the standard and Vertic’s operational needs. |
| A.12.6 Technical vulnerability management | | | | |
| | A.12.6.1 Management of technical vulnerabilities | Yes | Yes | A full patching process is in place via recurring Salesforce Health Checks / Required by the standard and Vertic’s operational needs. |
| | A.12.6.2 Restrictions on software installation | Yes | Yes | Admin access is required to install software / Required by the standard and Vertic’s operational needs. |
| A.12.7 Information systems audit considerations | | | | |
| | A.12.7.1 Information systems audit controls | Yes | Yes | Audits are planned so that business activities are not disrupted / Required by the standard and Vertic’s operational needs. |
| Totals: | | 11 | 9 | |
| A.13 Communications security | | | | |
| A.13.1 Network security management | | | | |
| | A.13.1.1 Network controls | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.13.1.2 Security of network services | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.13.1.3 Segregation in networks | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.13.2 Information transfer | | | | |
| | A.13.2.1 Information transfer policies and procedures | Yes | Yes | We conduct ourselves within the frameworks of the software tools we use, like Atlassian / Required by the standard and Vertic’s operational needs. |
| | A.13.2.2 Agreements on information transfer | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.13.2.3 Electronic messaging | Yes | Yes | There is significant use of email and instant messaging / Required by the standard and Vertic’s operational needs. |
| | A.13.2.4 Confidentiality or nondisclosure agreements | Yes | Yes | NDAs should be in place with all parties with whom we share personal data / Required by the standard and Vertic’s operational needs. |
| Totals: | | 3 | 3 | |
| A.14 System acquisition, development and maintenance | | | | |
| A.14.1 Security requirements of information systems | | | | |
| | A.14.1.1 Information security requirements analysis and specification | Yes | Yes | Security requirements are specified for all new or changed systems / Required by the standard and Vertic’s operational needs. |
| | A.14.1.2 Securing application services on public networks | Yes | Yes | TLS is used in all circumstances as per the Salesforce platform / Required by the standard and Vertic’s operational needs. |
| | A.14.1.3 Protecting application services transactions | Yes | Yes | TLS is used in all circumstances as per the Salesforce platform / Required by the standard and Vertic’s operational needs. |
| A.14.2 Security in development and support processes | | | | |
| | A.14.2.1 Secure development policy | Yes | Yes | All software development is undertaken in accordance with Salesforce guidelines and development processes / Required by the standard and Vertic’s operational needs. |
| | A.14.2.2 System change control procedures | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.14.2.3 Technical review of applications after operating platform changes | Yes | Yes | Reviews are conducted as part of acceptance testing of new systems / Required by the standard and Vertic’s operational needs. |
| | A.14.2.4 Restrictions on changes to software packages | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.14.2.5 Secure system engineering principles | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.14.2.6 Secure development environment | Yes | Yes | We are developing on top of the Salesforce platform and are limited and directed by their system engineering principles. / Required by the standard and Vertic’s operational needs. |
| | A.14.2.7 Outsourced development (/wiki/spaces/PD/pages/1816920072) | Yes | Yes | We outsource some of the technical software development to an outsourcing firm which exclusively delivers to Vertic under the same rules, regulations, and processes as Vertic / Required by the standard and Vertic’s operational needs. |
| | A.14.2.8 System security testing | Yes | Yes | New and changed systems are tested to check they meet security requirements / Required by the standard and Vertic’s operational needs. |
| | A.14.2.9 System acceptance testing | Yes | Yes | New and changed systems are tested to check they meet security requirements / Required by the standard and Vertic’s operational needs. |
| A.14.3 Test data | | | | |
| | A.14.3.1 Protection of test data | Yes | Yes | We don’t handle data in production environments. Put this into the referenced policy / Required by the standard and Vertic’s operational needs. |
| Totals: | | 11 | 11 | |
| A.15 Supplier relationships | | | | |
| A.15.1 Information security in supplier relationships | | | | |
| | A.15.1.1 Information security policy for supplier relationships | No / Yes | No / Yes | Vertic does not use any external providers in relation to our client services / Required by the standard and Vertic’s operational needs. |
| | A.15.1.2 Addressing security within supplier agreements | No / Yes | No / Yes | Vertic does not use any external providers in relation to our client services / Required by the standard and Vertic’s operational needs. |
| | A.15.1.3 Information and communication technology supply chain | No / Yes | No / Yes | Vertic does not use any external providers in relation to our client services / Required by the standard and Vertic’s operational needs. |
| A.15.2 Supplier service delivery management | | | | |
| | A.15.2.1 Monitoring and review of supplier services | No / Yes | No / Yes | Vertic does not use any external providers in relation to our client services / Required by the standard and Vertic’s operational needs. |
| | A.15.2.2 Managing changes to supplier services | No / Yes | No / Yes | Vertic does not use any external providers in relation to our client services / Required by the standard and Vertic’s operational needs. |
| Totals: | | 0 | 0 | |
| A.16 Information security incident management | | | | |
| A.16.1 Management of information security incidents and improvements | | | | |
| | A.16.1.1 Responsibilities and procedures | Yes | Yes | An incident response procedure is in place / Required by the standard and Vertic’s operational needs. |
| | A.16.1.2 Reporting information security events | Yes | Yes | This is addressed as part of awareness training / Required by the standard and Vertic’s operational needs. |
| | A.16.1.3 Reporting information security weaknesses | Yes | Yes | This is addressed via our Risk Submission Form / Required by the standard and Vertic’s operational needs. |
| | A.16.1.4 Assessment of and decision on information security events | Yes | Yes | Systems and procedures are used to assess events and raise incidents where appropriate / Required by the standard and Vertic’s operational needs. |
| | A.16.1.5 Response to information security incidents | Yes | Yes | Training in incident response has been carried out. / Required by the standard and Vertic’s operational needs. |
| | A.16.1.6 Learning from information security incidents (/wiki/spaces/SCA/pages/445776488) | Yes | Yes | A review is part of the procedure / Required by the standard and Vertic’s operational needs. |
| | A.16.1.7 Collection of evidence | Yes | Yes | We document all incident evidence via our Atlassian system / Required by the standard and Vertic’s operational needs. |
| Totals: | | 7 | 7 | |
| A.17 Information security aspects of business continuity management | | | | |
| A.17.1 Information security continuity | | | | |
| | A.17.1.1 Planning information security continuity | Yes | Yes | Security is considered as part of the business continuity plan / Required by the standard and Vertic’s operational needs. |
| | A.17.1.2 Implementing information security continuity | Yes | Yes | Security is considered as part of the business continuity plan / Required by the standard and Vertic’s operational needs. |
| | A.17.1.3 Verify, review and evaluate information security continuity | Yes | No / Yes | Testing the plan is essential / Required by the standard and Vertic’s operational needs. |
| A.17.2 Redundancies | | | | |
| | A.17.2.1 Availability of information processing facilities | No / Yes | No / Yes | We don't manage our own infrastructure and are using Salesforce's services to manage information processing / Required by the standard and Vertic’s operational needs. |
| Totals: | | 3 | 2 | |
| A.18 Compliance | | | | |
| A.18.1 Compliance with legal and contractual requirements | | | | |
| | A.18.1.1 Identification of applicable legislation and contractual requirements | Yes | Yes | All applicable legislation and requirements from contracts have been identified / Required by the standard and Vertic’s operational needs. |
| | A.18.1.2 Intellectual property rights | Yes | Yes | A policy on the use and protection of IP has been agreed and communicated / Required by the standard and Vertic’s operational needs. |
| | A.18.1.3 Protection of records | Yes | Yes | Records are protected effectively / Required by the standard and Vertic’s operational needs. |
| | A.18.1.4 Privacy and protection of personally identifiable information | Yes | Yes | A data protection policy is in place / Required by the standard and Vertic’s operational needs. |
| | A.18.1.5 Regulation of cryptographic controls | No | No | Compliance has been reviewed deemed / Vertic is not involved in cryptography work at all and therefore these controls are not applicable to Vertic / our operational needs. |
| A.18.2 Information security reviews | | | | |
| | A.18.2.1 Independent review of information security | Yes | Yes | Auditors are used to review our information security approach / Required by the standard and Vertic’s operational needs. |
| | A.18.2.2 Compliance with security policies and standards | Yes | Yes | Managers have received training in ensuring compliance / Required by the standard and Vertic’s operational needs. |
| | A.18.2.3 Technical compliance review | Yes | Yes | This will be part of Vertic’s annual compliance review / Required by the standard and Vertic’s operational needs. |
| Totals: | | 7 | 7 | |