ISMS Statement of Applicability
Version 1.0
Warning: Not to be circulated or reproduced without authorization from Information Security Team

Issue Details

Revision Details
Restricted Page 2 of 20

Distribution List

Table of Contents
1. Introduction 4
1.1. Statement of Applicability 5
1.2. Document Structure 5
1.3. Distribution 5
1. Introduction
This document details the applicability of, and the justification for, each ISO/IEC 27001:2013 Annex A control in the internal environment. The Reference field maps each applicable control to the specific company policy, standard or procedure that addresses it.
Each control entry is recorded as follows:
● Control Statement: The control title and reference number used in ISO/IEC 27001:2013
● Applicable: "Yes" for applicable controls and "No" for non-applicable controls
● Justification: The reason for including an applicable control, or for excluding a non-applicable control
● Reference: The relevant Information Security Policy sections and supporting document references
1.3. Distribution
This document is provided pursuant to the terms of our engagement. It is solely for internal use by Management and for use by external auditors. It should not be used by or distributed to others.
A.8.2.3 Handling of assets
Applicable: Yes
Justification: All assets (documents, client assets) are subject to the Information Classification and Handling Standard.
Reference: Information Classification and Handling Standard; Acceptable Use Policy
A.12.1.4 Separation of development, testing and operational environments
Applicable: Yes
Justification: There are separate environments for development, test and production.
Reference: System Acquisition, Development and Maintenance Policy

A.12.2 Protection from malware
Objective: To ensure that information and information processing facilities are protected against malware.

A.12.2.1 Controls against malware
Applicable: Yes
Justification: Installation of software by users is restricted; use of antivirus, kept up to date, is recommended.
Reference: Acceptable Use Policy; Endpoint Security

A.12.3 Backup
Objective: To protect against loss of data.

A.12.3.1 Information backup
Applicable: Yes
Justification: Backups of all data are taken regularly to the cloud and are tested on a regular basis.
Reference: Backup and Restore Procedure

A.12.4 Logging and monitoring
Objective: To record events and generate evidence.

A.12.4.1 Event logging
Applicable: Yes
Justification: Systems are configured to collect logs to enable monitoring and auditing.
Reference: Log Monitoring and Review Standard

A.12.4.2 Protection of log information
Applicable: Yes
Justification: Logs are protected against tampering and unauthorized access.
Reference: Log Monitoring and Review Standard
A.16.1.3 Reporting information security weaknesses
Applicable: Yes
Justification: Staff are trained to identify and report suspected events and security incidents through the DocQ form.
Reference: Information Security Incident Management Procedure

A.16.1.4 Assessment of and decision on information security events
Applicable: Yes
Justification: The Information Security Team is responsible for verifying whether a reported event is an information security incident.
Reference: Information Security Incident Management Procedure

A.16.1.5 Response to information security incidents
Applicable: Yes
Justification: The Information Security Team analyzes the incident and works towards its resolution.
Reference: Information Security Incident Management Procedure

A.16.1.6 Learning from information security incidents
Applicable: Yes
Justification: After the incident is resolved, it is analyzed to understand how it can be avoided or resolved on future occasions.
Reference: Information Security Incident Management Procedure; Incident Report and RCA

A.16.1.7 Collection of evidence
Applicable: Yes
Justification: Evidence is collected by checking access logs, emails and documents.
Reference: Information Security Incident Management Procedure; Access Logs, Emails, Documents

A.17 Information security aspects of business continuity management
A.17.1 Information security continuity
Objective: Information security continuity shall be embedded in the organization's business continuity management systems.

A.17.1.1 Planning information security continuity
Applicable: Yes
Justification: A business continuity management policy establishes
Reference: Information Systems Security Policy (section 17 -