Statement of Applicability

This page outlines the required Statement of Applicabilty and all relevant links to the required documents/samples/templates/evidence.

Information security management systems: Requirements

AREA/SECTION	CONTROL	CONTROL APPLICABLE?	CONTROL IMPLEMENTED?	JUSTIFICATION FOR INCLUSION OR EXCLUSION

A.5 Information security policies
A.5.1 Management direction for information security	A.5.1.1 Policies for information security	Yes	Yes
	A.5.1.2 Review of the policies for information security	Yes	Yes

	Totals:	2	2

A.6 Organisation of information security
A.6.1 Internal organisation	A.6.1.1 Information security roles and responsibilities	Yes	Yes
	A.6.1.2 Segregation of duties	Yes	Yes
	A.6.1.3 Contact with authorities	Yes	Yes
	A.6.1.4 Contact with special interest groups	Yes	Yes
	A.6.1.5 Information security in project management	Yes	Yes
A.6.2 Mobile devices and teleworking	A.6.2.1 Mobile device policy	Yes	Yes
	A.6.2.2 Teleworking	Yes	Yes

	Totals:	4	3

A.7 Human resources security
A.7.1 Prior to employment	A.7.1.1 Screening	Yes	Yes
	A.7.1.2 Terms and conditions of employment	Yes	Yes
A.7.2 During employment	A.7.2.1 Management responsibilities	Yes	Yes
	A.7.2.2 Information security awareness, education and training	Yes	Yes
	A.7.2.3 Disciplinary process	Yes	Yes
A.7.3 Termination and change of employment	A.7.3.1 Termination or change of employment responsibilities	Yes	Yes

	Totals:	6	4

A.8 Asset management
A.8.1 Responsibility for assets	A.8.1.1 Inventory of assets	Yes	Yes
	A.8.1.2 Ownership of assets	Yes	Yes
	A.8.1.3 Acceptable use of assets	Yes	Yes
	A.8.1.4 Return of assets	Yes	Yes
A.8.2 Information classification	A.8.2.1 Classification of information	Yes	Yes
	A.8.2.2 Labelling of information	Yes	Yes	Asset Management Policy - Restricted, Protected, Confidential (Internal Use)
	A.8.2.3 Handling of assets	Yes	Yes
A.8.3 Media Handling	A.8.3.1 Management of removable media	No	No	We don't manage removable media; everything is stored in cloud-based services.
	A.8.3.2 Disposal of media	Yes	Yes
	A.8.3.3 Physical media transfer	No	No	We don't currently transfer any physical media.

	Totals:	4	4

A.9 Access control
A.9.1 Business requirements of access control	A.9.1.1 Access control policy	Yes	Yes
	A.9.1.2 Access to networks and network services	Yes	Yes
A.9.2 User access management	A.9.2.1 User registration and de-registration	Yes	Yes
	A.9.2.2 User access provisioning	Yes	Yes
	A.9.2.3 Management of privileged access rights	Yes	Yes
	A.9.2.4 Management of secret authentication information of users	Yes	Yes
	A.9.2.5 Review of user access rights	Yes	No
	A.9.2.6 Removal or adjustment of access rights	Yes	Yes
A.9.3 User responsibilities	A.9.3.1 Use of secret authentication information	Yes	Yes
A.9.4 System and application access control	A.9.4.1 Information access restriction	Yes	Yes
	A.9.4.2 Secure log-on procedures	Yes	Yes
	A.9.4.3 Password management system	Yes	Yes
	A.9.4.4 Use of privileged utility programs	Yes	Yes
	A.9.4.5 Access control to program source code	Yes	Yes

	Totals:	12	11

A.10 Cryptography
A.10.1 Cryptographic controls	A.10.1.1 Policy on the use of cryptographic controls	No	No	Do we encrypt any data?
	A.10.1.2 Key management	No	No	Do we encrypt any data?

	Totals:	0	0

A.11 Physical and environmental security
A.11.1 Secure areas	A.11.1.1 Physical security perimeter	Yes	Yes
	A.11.1.2 Physical entry controls	Yes	Yes
	A.11.1.3 Securing offices, rooms and facilities	Yes	Yes
	A.11.1.4 Protecting against external and environmental threats	Yes	Yes
	A.11.1.5 Working in secure areas	Yes	Yes
	A.11.1.6 Delivery and loading areas	Yes	Yes
A.11.2 Equipment	A.11.2.1 Equipment siting and protection	Yes	Yes
	A.11.2.2 Supporting utilities	Yes	Yes
	A.11.2.3 Cabling security	Yes	Yes
	A.11.2.4 Equipment maintenance	Yes	Yes	All equipment is maintained according to manufacturers' instructions.
	A.11.2.5 Removal of assets	Yes	Yes
	A.11.2.6 Security of equipment and assets off-premises	Yes	Yes	Assets are often used offsite in a home environment.
	A.11.2.7 Secure disposal or reuse of equipment/media	Yes	Yes	Secure disposal is in place with a third party.
	A.11.2.8 Unattended user equipment	Yes	Yes	Training has been provided to ensure that screens and equipment are locked when unattended. What are the parameters of securing devices (ie. screensaver)
	A.11.2.9 Clear desk and clear screen policy	Yes	Yes

	Totals:	7	7

A.12 Operations security
A.12.1 Operational procedures and responsibilities	A.12.1.1 Documented operating procedures	Yes	Yes	Procedures must be performed the same way each time to avoid accidents.
	A.12.1.2 Change management	Yes	Yes
	A.12.1.3 Capacity management	Yes	Yes	Capacity of key resources is monitored.
	A.12.1.4 Separation of development, testing and operational environments	Yes	Yes	Consistent approach to Software Development is essential to Vertic's success.
A.12.2 Protection from malware	A.12.2.1 Controls against malware	Yes	Yes	Anti-malware is in place and monitored from a central console within the Salesforce platform.
A.12.3 Backup	A.12.3.1 Information backup	Yes	Yes	The Salesforce digital platform provides this service directly to our clients (via third-party applications). Action: Reference cloud provider backup services.
A.12.4 Logging and monitoring	A.12.4.1 Event logging	Yes	Yes	The Salesforce digital platform provides this service directly to our clients (via third-party applications).
	A.12.4.2 Protection of log information	Yes	Yes	This does not apply to Vertic as event logs are captured directly within the Salesforce platform.
	A.12.4.3 Administrator and operator logs	Yes	Yes	All such access is recorded.
	A.12.4.4 Clock synchronisation	Yes	Yes
A.12.5 Control of operational software	A.12.5.1 Installation of software on operational systems	Yes	Yes	Software installation is planned and controlled.
A.12.6 Technical vulnerability management	A.12.6.1 Management of technical vulnerabilities	Yes	Yes	A full patching process is in place via recurring Salesforce Health Checks.
	A.12.6.2 Restrictions on software installation	Yes	Yes	Admin access is required to install software.
A.12.7 Information systems audit considerations	A.12.7.1 Information systems audit controls	Yes	Yes	Audits are planned so that business activities are not disrupted.

	Totals:	11	9

A.13 Communications security
A.13.1 Network security management	A.13.1.1 Network controls	Yes	Yes
	A.13.1.2 Security of network services	Yes	Yes
	A.13.1.3 Segregation in networks	Yes	Yes
A.13.2 Information transfer	A.13.2.1 Information transfer policies and procedures	Yes	Yes	We conduct ourselves within the frameworks of the software tools we use, like Atlassian.
	A.13.2.2 Agreements on information transfer	Yes	Yes
	A.13.2.3 Electronic messaging	Yes	Yes	There is significant use of email and instant messaging.
	A.13.2.4 Confidentiality or nondisclosure agreements	Yes	Yes	NDAs should be in place with all parties with whom we share personal data.

	Totals:	3	3

A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems	A.14.1.1 Information security requirements analysis and specification	Yes	Yes	Security requirements are specified for all new or changed systems.
	A.14.1.2 Securing application services on public networks	Yes	Yes	TLS is used in all circumstances as per the Salesforce platform.
	A.14.1.3 Protecting application services transactions	Yes	Yes	TLS is used in all circumstances as per the Salesforce platform.
A.14.2 Security in development and support processes	A.14.2.1 Secure development policy	Yes	Yes	All software development is undertaken in accordance with Salesforce guidelines and development processes.
	A.14.2.2 System change control procedures	Yes	Yes
	A.14.2.3 Technical review of applications after operating platform changes	Yes	Yes	Reviews are conducted as part of acceptance testing of new systems.
	A.14.2.4 Restrictions on changes to software packages	Yes	Yes
	A.14.2.5 Secure system engineering principles	Yes	Yes
	A.14.2.6 Secure development environment	Yes	Yes	We are developing on top of the Salesforce platform and are limited and directed by their system engineering principles.
	A.14.2.7 Outsourced development	Yes	Yes	We outsource some of the technical software development to an outsourcing firm which exclusively delivers to Vertic under the same rules, regulations, and processes as Vertic.
	A.14.2.8 System security testing	Yes	Yes	New and changed systems are tested to check they meet security requirements.
	A.14.2.9 System acceptance testing	Yes	Yes	New and changed systems are tested to check they meet security requirements.
A.14.3 Test data	A.14.3.1 Protection of test data	Yes	Yes	We don’t handle data in production environments. Put this into the referenced policy.

	Totals:	11	11

A.15 Supplier relationships
A.15.1 Information security in supplier relationships	A.15.1.1 Information security policy for supplier relationships	No	No	Vertic does not use an external providers in relation to our client services.
	A.15.1.2 Addressing security within supplier agreements	No	No	Vertic does not use an external providers in relation to our client services.
	A.15.1.3 Information and communication technology supply chain	No	No	Vertic does not use an external providers in relation to our client services.
A.15.2 Supplier service delivery management	A.15.2.1 Monitoring and review of supplier services	No	No	Vertic does not use an external providers in relation to our client services.
	A.15.2.2 Managing changes to supplier services	No	No	Vertic does not use an external providers in relation to our client services.

	Totals:	0	0

A.16 Information security incident management
A.16.1 Management of information security incidents and improvements	A.16.1.1 Responsibilities and procedures	Yes	Yes	An incident response procedure is in place.
	A.16.1.2 Reporting information security events	Yes	Yes	This is addressed as part of awareness training.
	A.16.1.3 Reporting information security weaknesses	Yes	Yes	This is addressed via our Risk Submission Form.
	A.16.1.4 Assessment of and decision on information security events	Yes	Yes	Systems and procedures are used to assess events and raise incidents where appropriate.
	A.16.1.5 Response to information security incidents	Yes	Yes	Training in incident response has been carried out.
	A.16.1.6 Learning from information security incidents	Yes	Yes	A review is part of the procedure.
	A.16.1.7 Collection of evidence	Yes	Yes	We document all incident evidence via our Atlassian system.

	Totals:	7	7

A.17 Information security aspects of business continuity management
A.17.1 Information security continuity	A.17.1.1 Planning information security continuity	Yes	Yes	Security is considered as part of the business continuity plan.
	A.17.1.2 Implementing information security continuity	Yes	Yes	Security is considered as part of the business continuity plan.
	A.17.1.3 Verify, review and evaluate information security continuity	Yes	No	Testing the plan is essential.
A.17.2 Redundancies	A.17.2.1 Availability of information processing facilities	No	No	We don't manage our own infrastructure and are using Salesforce's services to manage information processing.

	Totals:	3	2

A.18 Compliance
A.18.1 Compliance with legal and contractual requirements	A.18.1.1 Identification of applicable legislation and contractual requirements	Yes	Yes	All applicable legislation and requirements from contracts have been identified.
	A.18.1.2 Intellectual property rights	Yes	Yes	A policy on the use and protection of IP has been agreed and communicated.
	A.18.1.3 Protection of records	Yes	Yes	Records are protected effectively.
	A.18.1.4 Privacy and protection of personally identifiable information	Yes	Yes	A data protection policy is in place.
	A.18.1.5 Regulation of cryptographic controls	No	No	Compliance has been reviewed deemed not applicable to Vertic.
A.18.2 Information security reviews	A.18.2.1 Independent review of information security	Yes	Yes	Auditors are used to review our information security approach.
	A.18.2.2 Compliance with security policies and standards	Yes	Yes	Managers have received training in ensuring compliance.
	A.18.2.3 Technical compliance review	Yes	Yes	This will be part of Vertic’s annual compliance review.

	Totals:	7	7