ISMS Statement of Applicability


Information Security Management System

Statement of Applicability

Version 1.0
Warning: Not to be circulated or reproduced without authorization from Information Security Team
Statement of Applicability
____________________________________________________________________________________________________________________________

Document Management Information

Document Title: NDM Global-ISMS/DOC/008-Statement of Applicability

Document Number: NDM Global-ISMS/DOC/008

Document Status: Approved

Issue Details

Release Date: December 9th, 2022

Revision Details

Version No. | Revision Date | Particulars | Approved by
0.1 | 06/14/2022 | Draft | IST
0.2 | 11/09/2022 | Initial Release | IST
1.0 | 12/09/2022 | Final Release | IST

Document Contact Details

Role | Name | Designation
Author | Subramanya AM | External Consultant
Reviewer/Custodian | Natália Knob | Information Security Analyst
Owner | CTO | Chief Technical Officer

______________________________________________________________________________________________________________________________
Restricted Page 2 of 20
Statement of Applicability
____________________________________________________________________________________________________________________________

Distribution List

Name

Need Based Circulation Only


Table of Contents

1. Introduction 4
1.1. Statement of Applicability 5
1.2. Document Structure 5
1.3. Distribution 5

2. Statement of Applicability with ISO27001 6


1. Introduction

1.1. Statement of Applicability

This document details the applicability and justification for all ISO/IEC 27001:2013 controls to the internal environment. The policy reference section maps the
specific company policy that deals with the applicable control.

1.2. Document Structure

The document contains the details of the control applicability in the following manner:

● Control Statement: The statement and reference number used in ISO/IEC 27001:2013

● Applicable: “Yes” for applicable controls and “No” for non-applicable controls

● Justification: Reason for including applicable controls and excluding non-applicable controls

● Reference: Relevant Information Security Policy sections and relevant document references

1.3. Distribution

This document is provided pursuant to the terms of our engagement. The use of the document is solely for internal purposes by the Management and for the
use of external auditors. This document should not be used by or distributed to others.


2. Statement of Applicability with ISO27001

Control Statement | Applicable | Justification | Reference

A.5 Information security policies
A.5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
A.5.1.1 Policies for information security | Yes | All policies are documented, reviewed annually, and approved by the CTO. | Information Systems Security Policy
A.5.1.2 Review of the policies for information security | Yes | Updates to policies occur on a yearly basis, or when new policies are introduced. | Information Systems Security Policy
A.6 Organization of information security
A.6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
A.6.1.1 Information security roles and responsibilities | Yes | The Information Security Team is responsible for all access policies and documentation. Roles and responsibilities are defined. | Information Systems Security Policy
A.6.1.2 Segregation of duties | Yes | Responsibility is mainly on the IST, but parts are known to other managers for failover and holiday periods. Segregation of duties is defined. | Information Systems Security Policy
A.6.1.3 Contact with authorities | Yes | An approved sheet lists organizations and their respective contacts, defining in which cases they should be notified or contacted. | Contacts, Interested Parties and Applicable Legislation spreadsheet
A.6.1.4 Contact with special interest groups | Yes | Some NDM security team members are part of groups related to security, like ANPPD and the ISO 27001 Security Forum. | Contacts, Interested Parties and Applicable Legislation spreadsheet
A.6.1.5 Information security in project management | Yes | Infrastructure and development security is considered in all ISMS related projects. | Information Systems Security Policy
A.6.2 Mobile devices and teleworking

Objective: To ensure the security of teleworking and use of mobile devices.
A.6.2.1 Mobile device policy | Yes | Use of mobile devices is authorized, but restricted or highly restricted information cannot be stored on these devices. | Endpoint Security Sub Policy
A.6.2.2 Teleworking | Yes | The work is home-based, but standards must be followed when using the device and handling information and data. | Acceptable Use Policy; Endpoint Security Sub Policy
A.7 Human resource security
A.7.1 Prior to employment
Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
A.7.1.1 Screening | Yes | Employment checks are made as to the eligibility of the candidate, reference checks are followed up, and professional qualifications are checked. | Human Resource Security Sub Policy
A.7.1.2 Terms and conditions of employment | Yes | The employment contract and NDA signed by the employees include clauses about confidentiality and liability. | Human Resource Security Sub Policy; Employment contract and NDA
A.7.2 During employment
Objective: To ensure that employees and contractors are aware of and fulfill their information security responsibilities.
A.7.2.1 Management responsibilities | Yes | All management have direct responsibility for the policing of information security. All internal and client data has strict policies and procedures attached to it. | Human Resource Security Sub Policy
A.7.2.2 Information security awareness, education and training | Yes | Security training for all employees is systematically provided annually. | Human Resource Security Sub Policy; Training attendance sheet
A.7.2.3 Disciplinary process | Yes | A disciplinary process shall be initiated in the event of a breach of the Information Systems Security Policy or of any other policies, rules, and procedures that violates information security. | Human Resource Security Sub Policy; Progressive Discipline Policy
A.7.3 Termination and change of employment
Objective: To protect the organization’s interests as part of the process of changing or terminating employment.

A.7.3.1 Termination or change of employment responsibilities | Yes | Employees are informed of their responsibilities in the event of a change, termination, or end of contract with NDM. | Human Resource Security Sub Policy; NDA
A.8 Asset management
A.8.1 Responsibility for assets
Objective: To identify organizational assets and define appropriate protection responsibilities.
A.8.1.1 Inventory of assets | Yes | The asset register is reviewed and updated. | ISMS Asset Register; Information Classification and Handling Standard
A.8.1.2 Ownership of assets | Yes | Asset owners and custodians are identified in the asset register. | ISMS Asset Register; Acceptable Use Policy; Information Classification and Handling Standard
A.8.1.3 Acceptable use of assets | Yes | An Acceptable Use Policy has been approved and communicated to employees. | Acceptable Use Policy
A.8.1.4 Return of assets | Yes | Upon termination of employment, all NDM provided equipment must be returned on the day of termination or on a mutually agreed upon date. | User Access Provisioning & Deprovisioning Procedure; Endpoint Security Sub-Policy
A.8.2 Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
A.8.2.1 Classification of information | Yes | Information is classified according to the following scheme: public, restricted, or highly restricted information. | Information Classification and Handling Standard; Acceptable Use Policy
A.8.2.2 Labeling of information | Yes | Information is classified according to the Information Classification and Handling Standard. | Information Classification and Handling Standard
A.8.2.3 Handling of assets | Yes | All assets (documents, client assets) are subject to the Information Classification and Handling Standard. | Information Classification and Handling Standard; Acceptable Use Policy
A.8.3 Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

A.8.3.1 Management of removable media | No | NDM's infrastructure is cloud-based. Employees and contractors are not authorized to store non-public NDM information on devices (either owned or provided by the company). | We need to mention what measures are taken to restrict the data on the local system to say this control is not applicable
A.8.3.2 Disposal of media | No | NDM's infrastructure is cloud-based. Employees and contractors are not authorized to store non-public NDM information on devices (either owned or provided by the company). | Here we need to define how media will be disposed of
A.8.3.3 Physical media transfer | No | NDM's infrastructure is cloud-based. All data transfer takes place digitally and under the Information Classification and Handling Standard. | No physical media transfer happens
A.9 Access control
A.9.1 Business requirements of access control
Objective: To limit access to information and information processing facilities.
A.9.1.1 Access control policy | Yes | An access control policy is in place and is accessible to all who need it. It is reviewed on an annual basis or according to the business requirements. | User Access Provisioning and Deprovisioning Procedure; Logical Access Control Standard
A.9.1.2 Access to networks and network services | Yes | The Logical Access Control Standard and the Roles and Permissions Matrix ensure the management of user rights and access to resources. This matrix is revised at least annually. | Roles and Permissions Matrix; Logical Access Control Standard
A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.
A.9.2.1 User registration and de-registration | Yes | Management of user registrations and deregistrations is performed in accordance with the User Access Provisioning and Deprovisioning Procedure. | User Access Provisioning and Deprovisioning Procedure
A.9.2.2 User access provisioning | Yes | Management of users' access provisioning is performed in accordance with the User Access Provisioning and Deprovisioning Procedure. | User Access Provisioning and Deprovisioning Procedure
A.9.2.3 Management of privileged access rights | Yes | The CTO keeps details of all access rights to critical Information Systems. Access rights are reviewed and controlled. | User Access Provisioning and Deprovisioning Procedure
A.9.2.4 Management of secret authentication information of users | Yes | All roles in the information system should be identified. For each role, the required privilege level should be identified and documented for all information system components within NDM Global Inc. Privileged user IDs are created separately as unique IDs. Records of privileged user IDs are monitored at regular intervals. | Logical Access Control Standard; User Access Provisioning and Deprovisioning Procedure
A.9.2.5 Review of user access rights | Yes | User IDs should be reviewed by the respective database, network, and system administrators half-yearly, and review reports should be sent to the Information Security Team. | User Access Provisioning and Deprovisioning Procedure
A.9.2.6 Removal or adjustment of access rights | Yes | The IT Team should review accounts created and privileges assigned. Based on this review, deactivation will be done. Access rights are removed immediately upon each employment termination or change and upon end of service contract with third parties. | User Access Provisioning and Deprovisioning Procedure
A.9.3 User responsibilities
Objective: To make users accountable for safeguarding their authentication information.
A.9.3.1 Use of secret authentication information | Yes | There is an awareness training that covers the importance of password confidentiality. | User Access Provisioning and Deprovisioning Procedure
A.9.4 System and application access control
Objective: To prevent unauthorized access to systems and applications.
A.9.4.1 Information access restriction | Yes | Access to information and application system functions is restricted in accordance with the Logical Access Control Standard. | Logical Access Control Standard
A.9.4.2 Secure log-on procedures | Yes | All systems and access to them have required passwords set. | Please mention the policy name here
A.9.4.3 Password management system | Yes | The Acceptable Use Policy provides restrictions on the construction and use of passwords. | Acceptable Use Policy
A.9.4.4 Use of privileged utility programs | No | NDM infrastructure is cloud-based, and utility programs are not used. There are utility programs only on devices used by the employees (laptops, desktops) where there is no critical data. | No privileged utility programs are used
A.9.4.5 Access control to program source code | Yes | Access to the repository, libraries, and others is granted only to the team of developers, managers or those responsible for the DocQ. Scripts are stored in secure areas that are accessible only to the dev teams. | Mention the policy name here
A.10 Cryptography
A.10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
A.10.1.1 Policy on the use of cryptographic controls | Yes | Secure processes should be employed for key generation, distribution, revocation, and storage wherever digital certificates are used. | Cryptographic Sub-Policy
A.10.1.2 Key management | Yes | Keys are managed by the CPO as per the Cryptographic Sub-Policy. | Cryptographic Sub-Policy
A.11 Physical and environmental security
A.11.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.
A.11.1.1 Physical security perimeter | No | NDM has no infrastructure of its own. |
A.11.1.2 Physical entry controls | No | NDM has no infrastructure of its own. |
A.11.1.3 Securing offices, rooms and facilities | No | NDM has no infrastructure of its own. |
A.11.1.4 Protecting against external and environmental threats | No | NDM has no infrastructure of its own. |
A.11.1.5 Working in secure areas | No | NDM has no infrastructure of its own. |
A.11.1.6 Delivery and loading areas | No | NDM has no offices with servers/backups, nor unsecured data, due to our data handling policy. |
A.11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations.
A.11.2.1 Equipment siting and protection | Yes | Devices provided by NDM should follow the security recommendations laid out in company policies. | Endpoint Security Sub Policy; Acceptable Use Policy in place
A.11.2.2 Supporting utilities | No | NDM has no infrastructure of its own. |
A.11.2.3 Cabling security | No | NDM has no infrastructure of its own. |
A.11.2.4 Equipment maintenance | Yes | Devices provided by NDM to employees should be maintained to ensure information security. | Endpoint Security Sub Policy
A.11.2.5 Removal of assets | No | NDM has no offices. All employees work on a home office basis. |
A.11.2.6 Security of equipment and assets off-premises | Yes | No data is stored locally on devices. Also, devices must | Acceptable Use Policy in place (Security controls for end-point devices section)
A.11.2.7 Secure disposal or re-use of equipment | Yes | Devices should keep antivirus updated if applicable and have password-locked screensavers enabled after a period of inactivity. | Endpoint Security Sub Policy (Re-use of laptops provided by NDM)
A.11.2.8 Unattended user equipment | Yes | All staff are expected to ensure their screens are locked if they are away from their devices. | Endpoint Security Sub Policy; Acceptable Use Policy in place
A.11.2.9 Clear desk and clear screen policy | Yes | Automatic locking of sessions in case of an extended period of inactivity. | Acceptable Use Policy; Acceptable Use Policy in place
A.12 Operations security
A.12.1 Operational procedures and responsibilities
Objective: To ensure correct and secure operations of information processing facilities.
A.12.1.1 Documented operating procedures | No | NDM information systems are “cloud-based”. Traditional operational activities are automatically performed or delegated to the cloud provider. | There should be a documented operating procedure defining, for example, the SDLC or how any changes to the system take place, and the like
A.12.1.2 Change management | Yes | The Change Management Procedure was created to detail the process to be followed for all changes to the Information Systems, to ensure that all changes are carried out in a standardized manner in a controlled environment. | Change Management Procedure
A.12.1.3 Capacity management | Yes | The use of resources shall be monitored and tuned, and projections made of future capacity requirements, to ensure the required system performance. | Ongoing monitoring of resource allocation
A.12.1.4 Separation of development, testing and operational environments | Yes | There are separate environments for development, test and production. | System Acquisition, Development and Maintenance Policy
A.12.2 Protection from malware
Objective: To ensure that information and information processing facilities are protected against malware.
A.12.2.1 Controls against malware | Yes | Restrictions on the installation of software by users; recommendation to use antivirus and keep it updated. | Acceptable Use Policy, end point security
A.12.3 Backup
Objective: To protect against loss of data.
A.12.3.1 Information backup | Yes | Backups of all data are done regularly to the cloud and tested on a regular basis. | Backup and Restore Procedure
A.12.4 Logging and monitoring
Objective: To record events and generate evidence.
A.12.4.1 Event logging | Yes | Systems are configured to collect logs to enable monitoring and auditing. | Log Monitoring and Review Standard
A.12.4.2 Protection of log information | Yes | Logs are protected against tampering and unauthorized access. | Log Monitoring and Review Standard

A.12.4.3 Administrator and operator logs | Yes | Access to the logging information is password protected and audited. The logs themselves are kept securely in the cloud. | Log Monitoring and Review Standard
A.12.4.4 Clock synchronization | Yes | Clocks of all the systems throughout the organization shall be synchronized using NTP, when applicable. | Information Systems Security Policy
A.12.5 Control of operational software
Objective: To ensure the integrity of operational systems.
A.12.5.1 Installation of software on operational systems | Yes | Server OS managed by the CPO. |
A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.
A.12.6.1 Management of technical vulnerabilities | Yes | Vulnerability management is done through a scanning tool and through alerts from the CERTs. Policy for handling these vulnerabilities by scope in escalation mode. |
A.12.6.2 Restrictions on software installation | Yes | Only authorized software can be installed. | Acceptable Use Policy
A.12.7 Information systems audit considerations
Objective: To minimize the impact of audit activities on operational systems.
A.12.7.1 Information systems audit controls | Yes | The scan and pen test take into account the periods of activity of the business lines in order to minimize the impact. | Internal Audit Procedure
A.13 Communications security
A.13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.
A.13.1.1 Network controls | Yes | Network access is managed and maintained by the CTO and the IT Team. | Network Security Standard
A.13.1.2 Security of network services | Yes | Any service is subject to strict service level agreements, which are agreed in advance between the parties. | Network Security Standard
A.13.1.3 Segregation in networks | Yes | Servers which have been identified as critical or contain sensitive and critical information, as identified by NDM Global Inc, should be protected by a web application firewall. Separate segments should be created for Production and Development/Test information systems. | Network Security Standard
A.13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.
A.13.2.1 Information transfer policies and procedures | Yes | A sub-policy setting out the rules for encryption and security of communications is established. It is reviewed periodically. | Cryptographic Sub-Policy; Information Classification and Handling Standard
A.13.2.2 Agreements on information transfer | Yes | The secure exchange protocols used with third parties make it possible to guarantee the integrity, confidentiality, and non-repudiation of information. | Cryptographic Sub-Policy and Information Classification and Handling Standard
A.13.2.3 Electronic messaging | Yes | Sensitive NDM information, if sent by email, should be encrypted or password protected to maintain confidentiality. | Information Classification and Handling Standard; Email Security Sub Policy; Acceptable Use Policy
A.13.2.4 Confidentiality or non-disclosure agreements | Yes | All NDM personnel sign a confidentiality agreement that provides for disciplinary measures or prosecution in the event of non-compliance. | Information Classification and Handling Standard; NDA and Employment Contract
A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
A.14.1.1 Information security requirements analysis and specification | Yes | Security procedures are integrated into all projects and throughout the project lifecycle. | System Acquisition Development and Maintenance Policy
A.14.1.2 Securing application services on public networks | Yes | Perimeter protection of public network access is guaranteed through firewalls. Use of certificates issued by a recognized certification body; the keys are stored securely. | System Acquisition Development and Maintenance Policy; Cryptographic methods for authentication and securing data transfer
A.14.1.3 Protecting application services transactions | Yes | Use of secure protocols that ensure complete transmission without possible modification of the information and prohibit unauthorized modification and disclosure. | Use of electronic signatures, encryption, secure protocols
A.14.2 Security in development and support processes
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.
A.14.2.1 Secure development policy | Yes | The System Acquisition Development and Maintenance Policy | System Acquisition Development and Maintenance Policy
A.14.2.2 System changes control procedures | Yes | The Systems Acquisition Development and Maintenance Policy provides guidelines to ensure that software is appropriately developed, complying with security best practices throughout its lifecycle. | System Acquisition Development and Maintenance Policy
A.14.2.3 Technical review of applications after operating platform changes | Yes | System changes/upgrades are tested before application to production environments. | System Acquisition Development and Maintenance Policy
A.14.2.4 Restrictions on changes to software packages | Yes | All changes relating to scripts are logged in repositories. | System Acquisition Development and Maintenance Policy
A.14.2.5 Secure system engineering principles | Yes | Secure system engineering principles are set out in the System Acquisition Development and Maintenance Policy and must be abided by everyone. | System Acquisition Development and Maintenance Policy
A.14.2.6 Secure development environment | Yes | The CPO should establish and appropriately protect secure development environments for system development. | System Acquisition Development and Maintenance Policy
A.14.2.7 Outsourced development | Yes | NDM does not contract outsourced development. If necessary, licensing and code ownership agreements must be signed, the quality of the work performed must be certified, and tests must be conducted before use to detect errors and malicious code. | System Acquisition Development and Maintenance Policy
A.14.2.8 System security testing | Yes | New and updated systems require thorough testing and verification during the development processes. Tests should initially be performed by the development team. | System Acquisition Development and Maintenance Policy
A.14.2.9 System acceptance testing | Yes | System acceptance testing should include testing of information security requirements and adherence to secure system development practices. | System Acquisition Development and Maintenance Policy
A.14.3.1 Protection of test data | Yes | Test data shall be selected carefully, protected, and controlled according to the System Acquisition, Development, and Maintenance Standard. | System Acquisition, Development and Maintenance Standard
A.15 Supplier relationships
A.15.1 Information security in supplier relationships
Objective: To ensure protection of the organization’s assets that are accessible by suppliers.
A.15.1.1 Information security policy for supplier relationships | Yes | NDM requires all cloud service providers to be ISO 27001 or SOC 2 Type II certified. | Information Systems Security Policy (Section 16)
A.15.1.2 Addressing security within supplier agreements | Yes | NDM ensures that its suppliers are involved in the security of the delivered service through certification and contractual commitments. | Non-Disclosure Agreements (NDA); Contracts
A.15.1.3 Information and communication technology supply chain | Yes | Access to NDM’s information processing facilities and intellectual property rights by third parties is protected by signing Non-Disclosure Agreements and Service Level Agreements. | Non-Disclosure Agreements (NDA); Contracts
A.15.2 Supplier service delivery management
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.
A.15.2.1 Monitoring and review of supplier services | Yes | Published SOC 2 reports and security certifications are reviewed to check that the service remains fit for our purpose. | Information Systems Security Policy (Section 16)
A.15.2.2 Managing changes to supplier services | Yes | All third-party services shall be monitored regularly to check adherence to the information security terms and conditions in the agreement. | Agreements between NDM and the supplier

A.16 Information security incident management
A.16.1 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.16.1.1 | Responsibilities and procedures | Yes | The security incident management process includes security incident receipt and admission, qualification, investigation, resolution, reporting, and closure. | Information Security Incident Management Procedure
A.16.1.2 | Reporting information security events | Yes | Staff are trained to identify and report suspect events and security incidents through the DocQ form. | Information Security Incident Management Procedure
A.16.1.3 | Reporting information security weaknesses | Yes | Staff are trained to identify and report suspect events and security incidents through the DocQ form. | Information Security Incident Management Procedure
A.16.1.4 | Assessment of and decision on information security events | Yes | The information security team is responsible for verifying that the reported event is an information security incident. | Information Security Incident Management Procedure
A.16.1.5 | Response to information security incidents | Yes | The Information Security Team will analyze and identify the incident and work towards its resolution. | Information Security Incident Management Procedure
A.16.1.6 | Learning from information security incidents | Yes | After the incident is resolved, it is analyzed to understand how it can be avoided or resolved on future occasions. | Information Security Incident Management Procedure; Incident Report and RCA
A.16.1.7 | Collection of evidence | Yes | Evidence is collected by checking access logs, emails, and documents. | Information Security Incident Management Procedure; Access Logs, Emails, Documents

A.17 Information security aspects of business continuity management
A.17.1 Information security continuity
Objective: Information security continuity shall be embedded in the organization’s business continuity management systems.

A.17.1.1 | Planning information security continuity | Yes | A business continuity management policy establishes strategy and how a plan should be developed. | Information Systems Security Policy (Section 17 - Business Continuity Management)
A.17.1.2 | Implementing information security continuity | Yes | The BCP provides for the cases in which the plan should be activated, key contacts, and steps for handling incidents. | Business Continuity Plan
A.17.1.3 | Verify, review and evaluate information security continuity | Yes | Business continuity plans will be tested and updated regularly to ensure that they are up to date and effective, and that the technology used is appropriate. | Business Continuity Plan
A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.

A.17.2.1 | Availability of information processing facilities | Yes | There is redundancy built in for customer data. | (no reference given)

A.18 Compliance
A.18.1 Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

A.18.1.1 | Identification of applicable legislation and contractual requirements | Yes | NDM regularly reviews its legal and contractual requirements upon every new contractual obligation. It therefore ensures its policies, SLAs and procedures are constantly reviewed and amended so that it complies with any obligation or requirement applicable to the ISMS. | Contacts, Interested Parties and Applicable Legislation spreadsheet
A.18.1.2 | Intellectual property rights | Yes | NDM is committed to ensuring compliance with legislative, regulatory, and contractual requirements related to intellectual property rights and the use of proprietary software products. | Licenses and Agreements
A.18.1.3 | Protection of records | Yes | Records are protected from loss, destruction, falsification, unauthorized access, and unauthorized publication. | Cryptographic Sub-Policy; Information Classification and Handling Standard; Network Security Standard
A.18.1.4 | Privacy and protection of personally identifiable information | Yes | All personally identifiable information is deemed restricted, and as such, only approved employees have access. In addition, NDM ensures that the General Data Protection Regulation is adhered to. NDM has appointed a DPO to monitor the subject across the company. | Cryptographic Sub-Policy; Information Classification and Handling Standard
A.18.1.5 | Regulation of cryptographic controls | Yes | NDM complies with the applicable agreements, laws, and regulations relating to cryptography. NDM does not import or export any cryptographic solutions. | (no reference given)

A.18.2 Information security reviews
Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

A.18.2.1 | Independent review of information security | Yes | NDM conducts an internal audit of the information security system at least once a year. | Internal Audit Procedure
A.18.2.2 | Compliance with security policies and standards | Yes | Information Security meetings will have on their agenda any review processes needed to keep compliance up to date. Any breaches or observations will be recorded in the minutes and the appropriate action taken to rectify them. | Internal Audit Procedure
A.18.2.3 | Technical compliance review | Yes | Constant day-to-day monitoring of technical systems and periodic audits are carried out to help identify deviations. | Internal Audit Procedure
