Upload: narayanaraoks

Post on 22-Nov-2015


Statement of Applicability

CONFIDENTIAL

Statement of Applicability [version], [date]

1. Purpose and scope

The purpose of this document is to define the applicable controls from Annex A of ISO/IEC 27001, the reasons for their selection and their objectives, to identify the controls currently implemented, and to justify the controls that are excluded. This document applies to the whole scope of the Information Security Management System (ISMS), as defined in the ISMS Scope document. This document is compliant with clause 4.2.1 j) of the ISO/IEC 27001 standard.

2. References

This document is related to the following documents:

ISMS Scope document

ISMS Policy

Risk Assessment Methodology

Risk Assessment Report

3. Controls according to Annex A

Clause No | Control | Applicable (Y/N) | Reason for selection / justification for exclusion | Control objective | Current status of control

A.5 | Security policy
A.5.1 | Information security policy
A.5.1.1 | Information security policy document
A.5.1.2 | Review of information security policy
A.6 | Organization of information security
A.6.1 | Internal organization
A.6.1.1 | Management commitment to information security
A.6.1.2 | Information security co-ordination
A.6.1.3 | Allocation of information security responsibilities
A.6.1.4 | Authorization process for information processing facilities
A.6.1.5 | Confidentiality agreements
A.6.1.6 | Contact with authorities
A.6.1.7 | Contact with special interest groups
A.6.1.8 | Independent review of information security
A.6.2 | External parties
A.6.2.1 | Identification of risks related to external parties
A.6.2.2 | Addressing security when dealing with customers
A.6.2.3 | Addressing security in third party agreements
A.7 | Asset management
A.7.1 | Responsibility for assets
A.7.1.1 | Inventory of assets
A.7.1.2 | Ownership of assets
A.7.1.3 | Acceptable use of assets
A.7.2 | Information classification
A.7.2.1 | Classification guidelines
A.7.2.2 | Information labeling and handling
A.8 | Human resources security
A.8.1 | Prior to employment
A.8.1.1 | Roles and responsibilities
A.8.1.2 | Screening
A.8.1.3 | Terms and conditions of employment
A.8.2 | During employment
A.8.2.1 | Management responsibilities
A.8.2.2 | Information security awareness, education and training
A.8.2.3 | Disciplinary process
A.8.3 | Termination or change of employment
A.8.3.1 | Termination responsibilities
A.8.3.2 | Return of assets
A.8.3.3 | Removal of access rights
A.9 | Physical and environmental security
A.9.1 | Secure areas
A.9.1.1 | Physical security perimeter
A.9.1.2 | Physical entry controls
A.9.1.3 | Securing offices, rooms and facilities
A.9.1.4 | Protecting against external and environmental threats
A.9.1.5 | Working in secure areas
A.9.1.6 | Public access, delivery and loading areas
A.9.2 | Equipment security
A.9.2.1 | Equipment siting and protection
A.9.2.2 | Supporting utilities
A.9.2.3 | Cabling security
A.9.2.4 | Equipment maintenance
A.9.2.5 | Security of equipment off-premises
A.9.2.6 | Secure disposal or reuse of equipment
A.9.2.7 | Removal of property
A.10 | Communications and operations management
A.10.1 | Operational procedures and responsibilities
A.10.1.1 | Documented operating procedures
A.10.1.2 | Change management
A.10.1.3 | Segregation of duties
A.10.1.4 | Separation of development, test and operational facilities
A.10.2 | Third party service delivery management
A.10.2.1 | Service delivery
A.10.2.2 | Monitoring and review of third party services
A.10.2.3 | Managing changes to third party services
A.10.3 | System planning and acceptance
A.10.3.1 | Capacity management
A.10.3.2 | System acceptance
A.10.4 | Protection against malicious and mobile code
A.10.4.1 | Controls against malicious code
A.10.4.2 | Controls against mobile code
A.10.5 | Back-up
A.10.5.1 | Information back-up
A.10.6 | Network security management
A.10.6.1 | Network controls
A.10.6.2 | Security of network services
A.10.7 | Media handling
A.10.7.1 | Management of removable media
A.10.7.2 | Disposal of media
A.10.7.3 | Information handling procedures
A.10.7.4 | Security of system documentation
A.10.8 | Exchange of information
A.10.8.1 | Information exchange policies and procedures
A.10.8.2 | Exchange agreements
A.10.8.3 | Physical media in transit
A.10.8.4 | Electronic messaging
A.10.8.5 | Business information systems
A.10.9 | Electronic commerce services
A.10.9.1 | Electronic commerce
A.10.9.2 | On-line transactions
A.10.9.3 | Publicly available information
A.10.10 | Monitoring
A.10.10.1 | Audit logging
A.10.10.2 | Monitoring system use
A.10.10.3 | Protection of log information
A.10.10.4 | Administrator and operator logs
A.10.10.5 | Fault logging
A.10.10.6 | Clock synchronization
A.11 | Access control
A.11.1 | Business requirement for access control
A.11.1.1 | Access control policy
A.11.2 | User access management
A.11.2.1 | User registration
A.11.2.2 | Privilege management
A.11.2.3 | User password management
A.11.2.4 | Review of user access rights
A.11.3 | User responsibilities
A.11.3.1 | Password use
A.11.3.2 | Unattended user equipment
A.11.3.3 | Clear desk and clear screen policy
A.11.4 | Network access control
A.11.4.1 | Policy on use of network services
A.11.4.2 | User authentication for external connections
A.11.4.3 | Equipment identification in networks
A.11.4.4 | Remote diagnostic and configuration port protection
A.11.4.5 | Segregation in networks
A.11.4.6 | Network connection control
A.11.4.7 | Network routing control
A.11.5 | Operating system access control
A.11.5.1 | Secure log-on procedures
A.11.5.2 | User identification and authentication
A.11.5.3 | Password management system
A.11.5.4 | Use of system utilities
A.11.5.5 | Session time-out
A.11.5.6 | Limitation of connection time
A.11.6 | Application and information access control
A.11.6.1 | Information access restriction
A.11.6.2 | Sensitive system isolation
A.11.7 | Mobile computing and teleworking
A.11.7.1 | Mobile computing and communications
A.11.7.2 | Teleworking
A.12 | Information systems acquisition, development and maintenance
A.12.1 | Security requirements of information systems
A.12.1.1 | Security requirements analysis and specification
A.12.2 | Correct processing in applications
A.12.2.1 | Input data validation
A.12.2.2 | Control of internal processing
A.12.2.3 | Message integrity
A.12.2.4 | Output data validation
A.12.3 | Cryptographic controls
A.12.3.1 | Policy on the use of cryptographic controls
A.12.3.2 | Key management
A.12.4 | Security of system files
A.12.4.1 | Control of operational software
A.12.4.2 | Protection of system test data
A.12.4.3 | Access control to program source code
A.12.5 | Security in development and support processes
A.12.5.1 | Change control procedures
A.12.5.2 | Technical review of applications after operating system changes
A.12.5.3 | Restrictions on changes to software packages
A.12.5.4 | Information leakage
A.12.5.5 | Outsourced software development
A.12.6 | Technical vulnerability management
A.12.6.1 | Control of technical vulnerabilities
A.13 | Information security incident management
A.13.1 | Reporting information security events and weaknesses
A.13.1.1 | Reporting information security events
A.13.1.2 | Reporting security weaknesses
A.13.2 | Management of information security incidents and improvements
A.13.2.1 | Responsibilities and procedures
A.13.2.2 | Learning from information security incidents
A.13.2.3 | Collection of evidence
A.14 | Business continuity management
A.14.1 | Information security aspects of business continuity management
A.14.1.1 | Including information security in the business continuity management process
A.14.1.2 | Business continuity and risk assessment
A.14.1.3 | Developing and implementing continuity plans including information security
A.14.1.4 | Business continuity planning framework
A.14.1.5 | Testing, maintaining and re-assessing business continuity plans
A.15 | Compliance
A.15.1 | Compliance with legal requirements
A.15.1.1 | Identification of applicable legislation
A.15.1.2 | Intellectual property rights (IPR)
A.15.1.3 | Protection of organizational records
A.15.1.4 | Data protection and privacy of personal information
A.15.1.5 | Prevention of misuse of information processing facilities
A.15.1.6 | Regulation of cryptographic controls
A.15.2 | Compliance with security policies and standards, and technical compliance
A.15.2.1 | Compliance with security policies and standards
A.15.2.2 | Technical compliance checking
A.15.3 | Information systems audit considerations
A.15.3.1 | Information systems audit controls
A.15.3.2 | Protection of information systems audit tools

4. Ownership and validity

The owner of this document is [function of the person responsible]. This document must be reviewed each time the risk assessment and risk treatment processes have been carried out.

©2010 Information Security & Business Continuity Academy www.iso27001standard.com