This page outlines the required Statement of Applicabilty and all relevant links to the required documents/samples/templates/evidence.
Information security management systems: Requirements
AREA/SECTION | CONTROL | APPLICABLE | IMPLEMENTED | JUSTIFICATION FOR INCLUSION OR EXCLUSION |
A.5 Information security policies | ||||
A.5.1 Management direction for information security | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
A.5.1.2 Review of the policies for information security | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Totals: | 2 | 2 | ||
A.6 Organisation of information security | ||||
A.6.1 Internal organisation | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.6.2 Mobile devices and teleworking | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Totals: | 4 | 3 | ||
A.7 Human resources security | ||||
A.7.1 Prior to employment | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.7.2 During employment | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
A.7.2.2 Information security awareness, education and training | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.7.3 Termination and change of employment | A.7.3.1 Termination or change of employment responsibilities | Yes | Yes | Required by the standard and Vertic’s operational needs. |
Totals: | 6 | 4 | ||
A.8 Asset management | ||||
A.8.1 Responsibility for assets | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.8.2 Information classification | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.8.3 Media Handling | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Totals: | 4 | 4 | ||
A.9 Access control | ||||
A.9.1 Business requirements of access control | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.9.2 User access management | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.9.2.4 Management of secret authentication information of users | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | No | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.9.3 User responsibilities | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
A.9.4 System and application access control | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Totals: | 12 | 11 | ||
A.10 Cryptography | ||||
A.10.1 Cryptographic controls | A.10.1.1 Policy on the use of cryptographic controls | No | No | Vertic is not involved in cryptography work at all and therefore these controls are not applicable to our operational needs. |
A.10.1.2 Key management | No | No | Vertic is not involved in cryptography work at all and therefore these controls are not applicable to our operational needs. | |
Totals: | 0 | 0 | ||
A.11 Physical and environmental security | ||||
A.11.1 Secure areas | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required due to meeting room availability. No storage of any kind. | ||
Yes | Yes | Required due to meeting room availability. No storage of any kind. | ||
A.11.1.4 Protecting against external and environmental threats | Yes | Yes | This is primarily around the needs of the overseas team who are more exposed to civil unrest. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
No | No | Vertic receives no deliveries to any physical locations. | ||
A.11.2 Equipment | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
No | No | We use exclusive wireless networks so no cabling. | ||
Yes | Yes | Laptop security is important but all access is cloud-based with no local storage requirements. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Adhering to client’s privacy needs by not exposing sensitive information. | ||
Totals: | 7 | 7 | ||
A.12 Operations security | ||||
A.12.1 Operational procedures and responsibilities | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.12.1.4 Separation of development, testing and operational environments | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
A.12.2 Protection from malware | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
A.12.3 Backup | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
A.12.4 Logging and monitoring | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.12.5 Control of operational software | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
A.12.6 Technical vulnerability management | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.12.7 Information systems audit considerations | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Totals: | 11 | 9 | ||
A.13 Communications security | ||||
A.13.1 Network security management | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.13.2 Information transfer | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Totals: | 3 | 3 | ||
A.14 System acquisition, development and maintenance | ||||
A.14.1 Security requirements of information systems | A.14.1.1 Information security requirements analysis and specification | Yes | Yes | Required by the standard and Vertic’s operational needs. |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.14.2 Security in development and support processes | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.14.2.3 Technical review of applications after operating platform changes | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.14.3 Test data | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Totals: | 11 | 11 | ||
A.15 Supplier relationships | ||||
A.15.1 Information security in supplier relationships | A.15.1.1 Information security policy for supplier relationships | Yes | Yes | Required by the standard and Vertic’s operational needs. |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.15.1.3 Information and communication technology supply chain | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
A.15.2 Supplier service delivery management | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Totals: | 0 | 0 | ||
A.16 Information security incident management | ||||
A.16.1 Management of information security incidents and improvements | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.16.1.4 Assessment of and decision on information security events | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Totals: | 7 | 7 | ||
A.17 Information security aspects of business continuity management | ||||
A.17.1 Information security continuity | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.17.1.3 Verify, review and evaluate information security continuity | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
A.17.2 Redundancies | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Totals: | 3 | 2 | ||
A.18 Compliance | ||||
A.18.1 Compliance with legal and contractual requirements | A.18.1.1 Identification of applicable legislation and contractual requirements | Yes | Yes | Required by the standard and Vertic’s operational needs. |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
A.18.1.4 Privacy and protection of personally identifiable information | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
A.18.1.5 Regulation of cryptographic controls | No | No | Vertic is not involved in cryptography work at all and therefore these controls are not applicable to our operational needs. | |
A.18.2 Information security reviews | Yes | Yes | Required by the standard and Vertic’s operational needs. | |
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Yes | Yes | Required by the standard and Vertic’s operational needs. | ||
Totals: | 7 | 7 |