Statement of Applicability
This page sets out the required Statement of Applicability
and all relevant links to the required documents, samples, templates and evidence.
Controls are taken from Annex A of ISO/IEC 27001:2013 (Information security management systems: Requirements).
Each section below lists the Annex A controls in that area, whether each control is applicable, whether it is implemented, and the justification for its inclusion or exclusion. The Totals row of each section counts the controls marked applicable and the controls marked implemented.
A.5 Information security policies

| Area/Section | Control | Applicable | Implemented | Justification for inclusion or exclusion |
|---|---|---|---|---|
| A.5.1 Management direction for information security | A.5.1.1 Policies for information security | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.5.1.2 Review of the policies for information security | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| Totals | | 2 | 2 | |

A.6 Organisation of information security

| Area/Section | Control | Applicable | Implemented | Justification for inclusion or exclusion |
|---|---|---|---|---|
| A.6.1 Internal organisation | A.6.1.1 Information security roles and responsibilities | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.6.1.2 Segregation of duties | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.6.1.3 Contact with authorities | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.6.1.4 Contact with special interest groups | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.6.1.5 Information security in project management | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.6.2 Mobile devices and teleworking | A.6.2.1 Mobile device policy | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.6.2.2 Teleworking | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| Totals | | 7 | 7 | |

A.7 Human resources security

| Area/Section | Control | Applicable | Implemented | Justification for inclusion or exclusion |
|---|---|---|---|---|
| A.7.1 Prior to employment | A.7.1.1 Screening | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.7.1.2 Terms and conditions of employment | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.7.2 During employment | A.7.2.1 Management responsibilities | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.7.2.2 Information security awareness, education and training | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.7.2.3 Disciplinary process | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.7.3 Termination and change of employment | A.7.3.1 Termination or change of employment responsibilities | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| Totals | | 6 | 6 | |

A.8 Asset management

| Area/Section | Control | Applicable | Implemented | Justification for inclusion or exclusion |
|---|---|---|---|---|
| A.8.1 Responsibility for assets | A.8.1.1 Inventory of assets | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.8.1.2 Ownership of assets | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.8.1.3 Acceptable use of assets | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.8.1.4 Return of assets | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.8.2 Information classification | A.8.2.1 Classification of information | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.8.2.2 Labelling of information | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.8.2.3 Handling of assets | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.8.3 Media handling | A.8.3.1 Management of removable media | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.8.3.2 Disposal of media | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.8.3.3 Physical media transfer | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| Totals | | 10 | 10 | |

A.9 Access control

| Area/Section | Control | Applicable | Implemented | Justification for inclusion or exclusion |
|---|---|---|---|---|
| A.9.1 Business requirements of access control | A.9.1.1 Access control policy | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.9.1.2 Access to networks and network services | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.9.2 User access management | A.9.2.1 User registration and de-registration | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.9.2.2 User access provisioning | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.9.2.3 Management of privileged access rights | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.9.2.4 Management of secret authentication information of users | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.9.2.5 Review of user access rights | Yes | No | Required by the standard and Vertic’s operational needs. |
| | A.9.2.6 Removal or adjustment of access rights | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.9.3 User responsibilities | A.9.3.1 Use of secret authentication information | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.9.4 System and application access control | A.9.4.1 Information access restriction | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.9.4.2 Secure log-on procedures | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.9.4.3 Password management system | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.9.4.4 Use of privileged utility programs | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.9.4.5 Access control to program source code | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| Totals | | 14 | 13 | |

A.10 Cryptography

| Area/Section | Control | Applicable | Implemented | Justification for inclusion or exclusion |
|---|---|---|---|---|
| A.10.1 Cryptographic controls | A.10.1.1 Policy on the use of cryptographic controls | No | No | Vertic does not perform any cryptography work, so these controls are not applicable to its operational needs. |
| | A.10.1.2 Key management | No | No | Vertic does not perform any cryptography work, so these controls are not applicable to its operational needs. |
| Totals | | 0 | 0 | |

A.11 Physical and environmental security

| Area/Section | Control | Applicable | Implemented | Justification for inclusion or exclusion |
|---|---|---|---|---|
| A.11.1 Secure areas | A.11.1.1 Physical security perimeter | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.11.1.2 Physical entry controls | Yes | Yes | Required due to meeting room use; no storage of any kind. |
| | A.11.1.3 Securing offices, rooms and facilities | Yes | Yes | Required due to meeting room use; no storage of any kind. |
| | A.11.1.4 Protecting against external and environmental threats | Yes | Yes | Applies primarily to the overseas team, which is more exposed to civil unrest. |
| | A.11.1.5 Working in secure areas | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.11.1.6 Delivery and loading areas | No | No | Vertic receives no deliveries at any physical location. |
| A.11.2 Equipment | A.11.2.1 Equipment siting and protection | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.11.2.2 Supporting utilities | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.11.2.3 Cabling security | No | No | Vertic uses wireless networks exclusively, so there is no cabling. |
| | A.11.2.4 Equipment maintenance | Yes | Yes | Laptop security is important, but all access is cloud-based with no local storage requirement. |
| | A.11.2.5 Removal of assets | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.11.2.6 Security of equipment and assets off-premises | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.11.2.7 Secure disposal or re-use of equipment | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.11.2.8 Unattended user equipment | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.11.2.9 Clear desk and clear screen policy | Yes | Yes | Required to meet clients’ privacy needs by not exposing sensitive information. |
| Totals | | 13 | 13 | |

A.12 Operations security

| Area/Section | Control | Applicable | Implemented | Justification for inclusion or exclusion |
|---|---|---|---|---|
| A.12.1 Operational procedures and responsibilities | A.12.1.1 Documented operating procedures | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.12.1.2 Change management | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.12.1.3 Capacity management | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.12.1.4 Separation of development, testing and operational environments | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.12.2 Protection from malware | A.12.2.1 Controls against malware | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.12.3 Backup | A.12.3.1 Information backup | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.12.4 Logging and monitoring | A.12.4.1 Event logging | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.12.4.2 Protection of log information | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.12.4.3 Administrator and operator logs | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.12.4.4 Clock synchronisation | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.12.5 Control of operational software | A.12.5.1 Installation of software on operational systems | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.12.6 Technical vulnerability management | A.12.6.1 Management of technical vulnerabilities | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.12.6.2 Restrictions on software installation | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.12.7 Information systems audit considerations | A.12.7.1 Information systems audit controls | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| Totals | | 14 | 14 | |

A.13 Communications security

| Area/Section | Control | Applicable | Implemented | Justification for inclusion or exclusion |
|---|---|---|---|---|
| A.13.1 Network security management | A.13.1.1 Network controls | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.13.1.2 Security of network services | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.13.1.3 Segregation in networks | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.13.2 Information transfer | A.13.2.1 Information transfer policies and procedures | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.13.2.2 Agreements on information transfer | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.13.2.3 Electronic messaging | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.13.2.4 Confidentiality or non-disclosure agreements | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| Totals | | 7 | 7 | |

A.14 System acquisition, development and maintenance

| Area/Section | Control | Applicable | Implemented | Justification for inclusion or exclusion |
|---|---|---|---|---|
| A.14.1 Security requirements of information systems | A.14.1.1 Information security requirements analysis and specification | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.14.1.2 Securing application services on public networks | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.14.1.3 Protecting application services transactions | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.14.2 Security in development and support processes | A.14.2.1 Secure development policy | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.14.2.2 System change control procedures | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.14.2.3 Technical review of applications after operating platform changes | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.14.2.4 Restrictions on changes to software packages | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.14.2.5 Secure system engineering principles | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.14.2.6 Secure development environment | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.14.2.7 Outsourced development | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.14.2.8 System security testing | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.14.2.9 System acceptance testing | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.14.3 Test data | A.14.3.1 Protection of test data | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| Totals | | 13 | 13 | |

A.15 Supplier relationships

| Area/Section | Control | Applicable | Implemented | Justification for inclusion or exclusion |
|---|---|---|---|---|
| A.15.1 Information security in supplier relationships | A.15.1.1 Information security policy for supplier relationships | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.15.1.2 Addressing security within supplier agreements | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.15.1.3 Information and communication technology supply chain | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.15.2 Supplier service delivery management | A.15.2.1 Monitoring and review of supplier services | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.15.2.2 Managing changes to supplier services | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| Totals | | 5 | 5 | |

A.16 Information security incident management

| Area/Section | Control | Applicable | Implemented | Justification for inclusion or exclusion |
|---|---|---|---|---|
| A.16.1 Management of information security incidents and improvements | A.16.1.1 Responsibilities and procedures | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.16.1.2 Reporting information security events | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.16.1.3 Reporting information security weaknesses | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.16.1.4 Assessment of and decision on information security events | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.16.1.5 Response to information security incidents | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.16.1.6 Learning from information security incidents | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.16.1.7 Collection of evidence | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| Totals | | 7 | 7 | |

A.17 Information security aspects of business continuity management

| Area/Section | Control | Applicable | Implemented | Justification for inclusion or exclusion |
|---|---|---|---|---|
| A.17.1 Information security continuity | A.17.1.1 Planning information security continuity | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.17.1.2 Implementing information security continuity | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.17.1.3 Verify, review and evaluate information security continuity | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| A.17.2 Redundancies | A.17.2.1 Availability of information processing facilities | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| Totals | | 4 | 4 | |

A.18 Compliance

| Area/Section | Control | Applicable | Implemented | Justification for inclusion or exclusion |
|---|---|---|---|---|
| A.18.1 Compliance with legal and contractual requirements | A.18.1.1 Identification of applicable legislation and contractual requirements | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.18.1.2 Intellectual property rights | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.18.1.3 Protection of records | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.18.1.4 Privacy and protection of personally identifiable information | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.18.1.5 Regulation of cryptographic controls | No | No | Vertic does not perform any cryptography work, so this control is not applicable to its operational needs. |
| A.18.2 Information security reviews | A.18.2.1 Independent review of information security | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.18.2.2 Compliance with security policies and standards | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| | A.18.2.3 Technical compliance review | Yes | Yes | Required by the standard and Vertic’s operational needs. |
| Totals | | 7 | 7 | |