Statement of Applicability For ISO 27001

Statement of Applicability
Legend (for Selected Controls and Reasons for controls selection)

LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent
ISO/IEC 27001:2013 Controls

Clause Title
N
A.5.1
Control
Objective/Control
6.1
A.6.1.1
A.6.1.2
A.6.1.3
A.6
Organization of A.6.1.4
Information
security
INTERNAL USE ONLY
Current
Control
(Y N TSE)
LR
CO
Management direction for information security

Objective: To provide management direction and support for information security in accordance with
business requirements and relevant
laws
and regulations.
A set of
policies
for information security shall be
A.5 Information
Policies for information
A.5.1.1
security
security
policies
A.5.1.2
Control Details
Selected Controls and Rea

selection or inclusion (m
columns maybe ticke
Review of the policies for

information security
defined, approved by management, published and

communicated to employees and relevant external
parties.
The policies for information security shall be reviewed
at planned intervals or if significant changes occur to
ensure their continuing suitability, adequacy and
effectiveness.
Internal Organization
Objective: To establish a management framework to initiate and control the implementation and
operation of information security within the organization.
Information security
All information security responsibilities shall be defined
roles and responsibilities
and allocated.
Conflicting duties and areas of responsibility shall be
segregated to reduce opportunities for unauthorized or
Segregation of duties
unintentional modification or misuse of the
organizations
assets.with relevant authorities shall be
Appropriate contacts
Contact with authorities
maintained. contacts with special interest groups or
Appropriate
Contact with special
other specialist security forums and professional
interest groups
associations shall be maintained.
1OF 34


A.6
Control
Clause Title
N
Organization
of
Objective/Control
Information
A.6.1.5
security
in project management
Control Details
Current
Control
(Y N TSE)

columns maybe ticke
LR
CO
Information security shall be addressed in project

management,
regardless of the type of the project.
Mobile devices and

teleworking
To ensure the security of teleworking and use of mobile devices.
A policy and supporting security measures shall be
A.6.2.1 Mobile device policy
adopted to
manage the risks introduced by using mobile devices.
A policy and supporting security measures shall be
A.6.2.2 Teleworking
implemented to protect information accessed,
processed or stored at teleworking sites.
A.6.2
A.7.1
Prior to Employment
To ensure that employees and contractors understand their responsibilities and are suitable
for the roles for which they are considered.
Background verification checks on all candidates for
employment shall be carried out in accordance with
relevant laws, regulations and ethics and shall be
A.7.1.1 Screening
proportional to the business requirements, the
classification of the information to be accessed and the
perceived risks.
The contractual agreements with employees and
Terms and conditions
A.7.1.2
contractors shall state their and the organizations
of employment
responsibilities for information security.
A.7.2
A.7 Human
resources
security
INTERNAL USE ONLY
During Employment
To ensure that employees and contractors are aware of and fulfil their information security
responsibilities.
Management shall require all employees and
contractors to apply information security in accordance
A.7.2.1 Management responsibilities
with the established policies and procedures of the
organization.
2OF 34


A.7 Human
resources
Control
Clause Title
N
security
Objective/Control
Control Details
Current
Control
(Y N TSE)

columns maybe ticke
LR
CO
All employees of the organization and, where relevant,

contractors shall receive appropriate awareness
education and training and regular updates in
organizational policies and procedures, as relevant for
their job function.
There shall be a formal and communicated disciplinary
process
A.7.2.3 Disciplinary process
in place to take action against employees who have
committed an information security breach.
A.7.3 Termination or change of employment
To protect the organizations interests as part of the process of changing or terminating
employment.
Termination or change
Responsibilities for performing employment terminaton
A.7.2.2 awareness, education and
training
A.7.3.1 of employment
responsibilities
A.8.1
A.8.1.1
A.8.1.2
A.8.1.3
A.8.1.4
A.8.2
A.8 Asset
INTERNAL
USE ONLY
Management
or change of employment shall be clearly defined and

assigned.
Responsibility for Assets

To identify organizational assets and define appropriate protection responsibilities.
Assets associated with information and information
processing
Inventory of assets
facilities shall be identified and an inventory of these
assets shall be drawn up and maintained.
Ownership of assets
Assets maintained in the inventory shall be owned.
Rules for the acceptable use of information and of
assets associated with information and information
Acceptable use of assets
processing facilities shall be identified, documented
andemployees
implemented.
All
and external party users shall return all
of the
Return of assets
organizational assets in their possession upon
termination of their employment, contract or
agreement.
Information classification
3OF 34


Clause Title
Control
Objective/Control
Control Details
Current
Control
(Y N TSE)

columns maybe ticke
LR
CO
To ensure that information receives an appropriate level of protection in accordance with

Information shall be classified in terms of legal
its importance to the organization.
requirements,
A.8.2.1 Classification guidelines
value, criticality and sensitivity to unauthorised
disclosure or
modification.
An
appropriate set of procedures for information
Information labeling and
labelling shall be developed and implemented in
A.8.2.2
handling
accordance with the information classification scheme
adopted by the organization.
Procedures for handling assets shall be developed and
A.8.2.3 Handling of assets
implemented in accordance with the information
classification scheme adopted by the organization.
A.8 Asset
Management
A.8.3
Media handling
To prevent unauthorized disclosure, modification, removal or destruction of information
stored on media.
Procedures shall be implemented for the management
Management of removable
A.8.3.1
of removable media in accordance with the
media
classification scheme adopted by the organization.
A.8.3.2 Disposal of media
A.8.3.3 Physical media transfer
Media shall be disposed of securely when no longer

required, using formal procedures.
Media containing information shall be protected
against unauthorized access, misuse or corruption
during transportation.
A.A.11.1 Business Requirement for Access Control

To limit access to information and
information
processing
facilities.
An access
control
policy shall
be established,
A.A.11.1.1Access control Policy
INTERNAL USE ONLY
documented and
reviewed based on business and information security
requirements.
4OF 34


Clause Title
Control
Objective/Control
Access to networks
A.A.11.1.2
and network services
Control Details
Current
Control
(Y N TSE)

columns maybe ticke
LR
CO
Users shall only be provided with access to the network

and network services that they have been specifically
authorized to use.
A.A.11.2 User Access Management

To ensure authorized user access and to prevent unauthorized access to systems and services.
There shall be a formal user registration and deUser registration and
registration procedure in place for granting and
A.A.11.2.1
de-registration
revoking access to all information systems and
services.
A formal user access provisioning process shall be
A.A.11.2.2User access provisioning
implemented to assign or revoke access rights for all
user types to all systems and services.
The allocation and use of privileged access rights shall
Management of privileged
A.A.11.2.3
be
access rights
restricted
and controlled.
Management of secret
The allocation
of secret authentication information
A.9 Access
Control
A.A.11.2.4authentication information of shall be controlled through a formal management

users
process.
Review of user access
Asset owners shall review users access rights at
A.A.11.2.5
rights
regular intervals.
The access rights of all employees and external party
users to
Removal or adjustment
A.A.11.2.6
information and information processing facilities shall
of access rights
be removed upon termination of their employment,
contract or agreement, or adjusted upon change.
A.A.11.3 User responsibilities
To prevent unauthorized access to systems and applications.
Users shall be required to follow the organizations
Use of secret authentication
practices in the use of secret authentication
A.A.11.3.1
information
information.
A.A.11.4 System and application access control
INTERNAL USE ONLY
5OF 34
A.9 Access
Statement
of Applicability
Control


Clause Title
Control
Objective/Control
Control Details
Current
Control
(Y N TSE)

columns maybe ticke
LR
CO
To prevent unauthorized access to systems and applications.

Access to information and application system functions
Information access
A.A.11.4.1
shall be
restriction
restricted
in accordance
with the
access
control
policy.
Where required
by the access
control
policy,
access
to
A.A.11.4.2Secure log-on procedures
Password management
A.A.11.4.3
system
Use of privileged utility
A.A.11.4.4
programs
Access control to program
A.A.11.4.5
source code
A.10
Cryptography
systems and applications shall be controlled by a

secure
log-on
procedure.systems shall be interactive
Password
management
and shall
The
usequality
of utility
programs that might be capable of
ensure
passwords.
overriding
system and application controls shall be restricted and
tightly
controlled.
Access to program source code shall be restricted.
A.10.1 Cryptographic controls

To ensure proper and effective use of cryptography to protect the confidentiality, authenticity
and/or integrity of information.A policy on the use of cryptographic controls for
Policy on the use of
A.10.1.1
protection of
cryptographic controls
information
shall
be protection
developed and
and lifetime
implemented.
A policy on the
use,
of
A.10.1.2 Key management
cryptographic keys shall be developed and
implemented through their whole lifecycle.
A.11.1 Secure Areas
To prevent unauthorized physical access, damage and interference to the organizations
information and information processing facilities.
Security perimeters shall be defined and used to
A.11.1.1 Physical security Perimeter
protect areas that contain either sensitive or critical
information and information processing facilities.
INTERNAL USE ONLY
6OF 34


Clause Title
Control
Objective/Control
A.11.1.2 Physical entry controls

A.11.1.3
Securing offices, rooms and

facilities
A.11.1.4
Protecting against external

and environmental threats
A.11.1.5 Working in secure areas
A.11.1.6
A.11 Physical
and
Environmental
Security
Delivery and loading

areas
Control Details
Current
Control
(Y N TSE)

columns maybe ticke
LR
CO
Secure areas shall be protected by appropriate entry

controls to ensure that only authorized personnel are
allowed access.
Physical security for offices, rooms and facilities shall
be designed and applied.
Physical protection against natural disasters, malicious
attack or
accidents
be designed
and applied.
Proceduresshall
for working
in secure
areas shall be
designed and
applied.
Access points such as delivery and loading areas and
other points where unauthorized persons could enter
the premises shall be controlled and, if possible,
isolated from information processing facilities to avoid
unauthorized access.
A.11.2 Equipment security

To prevent loss, damage, theft or compromise of assets and interruption to the organizations
operations.
Equipment shall be sited and protected to reduce the
Equipment sitting and
A.11.2.1
risks from environmental threats and hazards, and
protection
opportunities for unauthorized access.
Equipment shall be protected from power failures and
A.11.2.2 Support utilities
other disruptions caused by failures in supporting
utilities.
Power and telecommunications cabling carrying data or
A.11.2.3 Cabling security
supporting information services shall be protected from
interception, interference or damage.
A.11.2.4 Equipment Maintenance
INTERNAL USE ONLY
Equipment shall be correctly maintained to ensure its

continued availability and integrity.
7OF 34
A.11 Physical
and
Environmental
Security

Clause Title
Control
Objective/Control
A.11.2.5 Removal of assets

A.11.2.6
Security of equipment
and assets off-premises
A.11.2.7
Secure disposal or reuse

of equipment
A.11.2.8
Unattended user
equipment
A.11.2.9
Clear desk and clear

screen policy
Control Details
Current
Control
(Y N TSE)

columns maybe ticke
LR
CO
Equipment, information or software shall not be taken

off-site
without
Securityprior
shallauthorization.
be applied to off-site assets taking into
account the different risks of working outside the
organizations premises.
All items of equipment containing storage media shall
be verified to ensure that any sensitive data and
licensed software has been removed or securely
overwritten prior to disposal or re-use.
Users shall ensure that unattended equipment has
appropriate
protection.
A clear desk policy for papers and removable storage
media and
a clear screen policy for information processing
facilities shall be adopted.
A.12.1 Operational procedures and responsibilities

To ensure correct and secure operations of information processing facilities.
Operating procedures shall be documented,
Documented operating
A.12.1.1
maintained, and made available to all users who need
procedures
them.
Changes to the organization, business processes,
A.12.1.2 Change management
information processing facilities and systems that
affect information security shall be controlled.
The use of resources shall be monitored, tuned and
projections
A.12.1.3 Capacity management
made of future capacity requirements to ensure the
required system performance.
INTERNAL USE ONLY
8OF 34


Clause Title
Control Details
Control
Objective/Control
Separation of development,
A.12.1.4 testing and operational
environments
Current
Control
(Y N TSE)

columns maybe ticke
LR
CO
Development, testing, and operational environments

shall be separated to reduce the risks of unauthorized
access or changes to the operational environment.
A.12.2 Protection from malware

To ensure that information and information processing facilities are protected against
malware.
Detection, prevention and recovery controls to protect
against
A.12.2.1 Controls against malware
malware shall be implemented, combined with
appropriate user awareness.
A.12.3 Back-Up
To protect against loss of
data.
Backup copies of information, software and system
A.12.3.1 Information backup
images shall be taken and tested regularly in
accordance with an agreed backup policy.
A.12.4 Logging and monitoring
To record events and generate evidence.
A.12
Operations
Security
Event logs recording user activities, exceptions, faults

and information security events shall be produced,
kept and regularly reviewed.
Logging facilities and log information shall be protected
A.12.4.2 Protection of log information against
tampering
and unauthorized
access.
System administrator
and system
operator activities
Administrator and operator
shall be
A.12.4.3
logs
logged and the logs protected and regularly reviewed.
The clocks of all relevant information processing
systems within
A.12.4.4 Clock synchronisation
an organization or security domain shall be
synchronised to a single reference time source.
A.12.4.1 Event logging
INTERNAL USE ONLY
9OF 34
A.12
Operations
Security

Clause Title
N
A.12.5
A.12.5.1
Control
Objective/Control
Control Details
Current
Control
(Y N TSE)

columns maybe ticke
LR
CO
Control of operational
software
To ensure the integrity of operational systems.
Installation of software
on operational systems
Procedures shall be implemented to control the

installation of software on operational systems.
A.12.6 Technical vulnerability management

To prevent exploitation of technical vulnerabilities.
Information about technical vulnerabilities of
information systems being used shall be obtained in a
Management of technical
A.12.6.1
timely fashion, the organizations exposure to such
vulnerabilities
vulnerabilities evaluated and appropriate measures
taken to address the associated risk.
Rules governing the installation of software by users
Restrictions on software
shall be
A.12.6.2
installation
established and implemented.
Information systems audit
A.12.7
considerations
To minimise the impact of audit
activities
on operational
systems.
Audit
requirements
and activities
involving verification
of operational
Information systems
A.12.7.1
systems shall be carefully planned and agreed to
audit controls
minimise
disruptions to business processes.
Network security
A.13.1
management
To ensure the protection of information in networks and its supporting information processing
facilities.
Networks shall be managed and controlled to protect
A.13.1.1 Network controls
information in systems and applications.
INTERNAL USE ONLY
A.13
10OF 34


Clause Title
Control
Objective/Control
Security of network
A.13.1.2
services
A.13.1.3 Segregation in networks
Control Details
Current
Control
(Y N TSE)

columns maybe ticke
LR
CO
Security mechanisms, service levels and management

requirements of all network services shall be identified
and included in network services agreements, whether
these services are provided in-house or outsourced.
Groups of information services, users and information
systems
shall be segregated on networks.
A.13
A.13.2 Information transfer
Communication
To maintain the security of information transferred within an organization and with any
external entity.
s Security
A.13.2.1
Information transfer
policies and procedures
A.13.2.2
Agreements on information
transfer
A.13.2.3 Electronic messaging

Confidentiality or
A.13.2.4 nondisclosure
agreements
Formal transfer policies, procedures and controls shall

be in place to protect the transfer of information
through the use of all types of communication facilities.
Agreements shall address the secure transfer of
business information between the organization and
external parties.
Information involved in electronic messaging shall be
appropriately protected.
Requirements for confidentiality or non-disclosure
agreements
reflecting the organizations needs for the protection of
information shall be identified, regularly reviewed and
documented.
A.14.1 Security
of information
To ensurerequirements
that information
security is systems
an integral part of information systems across the
entire lifecycle. This also includes the requirements for information systems which provide services
The information security related requirements shall be
over
public networks.
Information
security
included in the requirements for new information
A.14.1.1 requirements analysis
systems or enhancements to existing information
and specification
systems.
INTERNAL USE ONLY
11OF 34


Clause Title
Control
Objective/Control
Control Details
Current
Control
(Y N TSE)

columns maybe ticke
LR
CO
Information involved in application services passing

over public
networks shall be protected from fraudulent activity,
contract dispute and unauthorized disclosure and
Information
modification.involved in application service transactions
shall be
Protecting application
protected to prevent incomplete transmission, misservices transactions
routing, unauthorized message alteration,
unauthorized disclosure, unauthorized message
duplication or replay.
Security in development and support processes
To ensure that information security is designed and implemented within the development
lifecycle of information systems.
Rules for the development of software and systems
Secure development
shall be established and applied to developments
policy
within
thetoorganization.
Changes
systems within the development lifecycle
System change control
shall be controlled by the use of formal change control
procedures
procedures.
When operating platforms are changed, business
Technical review of
critical applications shall be reviewed and tested to
applications after operating
ensure there is no adverse impact on organizational
platform changes
operations or security.
Modifications to software packages shall be
Restrictions on changes to
discouraged, limited to necessary changes and all
software packages
changes shall be strictly controlled.
Principles for engineering secure systems shall be
Secure system engineering established,
principles
documented, maintained and applied to any
information system
implementation
efforts.
Organizations
shall establish
and appropriately
protect
secure
Secure development
development environments for system development
environment
and integration efforts that cover the entire system
development lifecycle.
Securing application
A.14.1.2 services on public
networks
A.14.1.3
A.14.2
A.14.2.1
A.14 System
acquisition,
development
and
maintenance
A.14.2.2
A.14.2.3
A.14.2.4
A.14.2.5
A.14.2.6
INTERNAL USE ONLY
12OF 34
A.14 System
acquisition,
development
and
Statement
maintenance of Applicability


Clause Title
Control
Objective/Control
A.14.2.7 Outsourced development

A.14.2.8 System security testing
A.14.2.9
System acceptance
testing
Control Details
Current
Control
(Y N TSE)

columns maybe ticke
LR
CO
The organization shall supervise and monitor the

activity of outsourced system development.
Testing of security functionality shall be carried out
during development.
Acceptance testing programs and related criteria shall
be established for new information systems, upgrades
and new versions.
A.14.3 Test data

To ensure the protection of data used for testing.
Test data shall be selected carefully, protected and
A.14.3.1 Protection of test data
controlled.
A.15 Supplier
relationships
A.15.1 Information security in supplier relationships

To ensure protection of the organizations assets that is accessible by suppliers.
Information security requirements for mitigating the
risks associated with suppliers access to the
A.15.1.1 policy for supplier
organizations assets shall be agreed with the supplier
relationships
and documented.
All relevant information security requirements shall be
established and agreed with each supplier that may
Addressing security
A.15.1.2
access, process, store, communicate, or provide IT
within supplier agreements
infrastructure components for, the organizations
information.
Agreements with suppliers shall include requirements
Information and
to address the information security risks associated
A.15.1.3 communication
with information and communications technology
technology supply chain
services and product supply chain.
A.15.2 Supplier service delivery management
To maintain an agreed level of information security and service delivery in line with supplier
agreements.
INTERNAL USE ONLY
13OF 34

A.15 Supplier
relationships
Control
Clause Title
N
Objective/Control
A.16
Information
security
incident
management
A.15.2.1
Monitoring and review

of supplier services
A.15.2.2
Managing changes to
supplier services
Control Details
Current
Control
(Y N TSE)

columns maybe ticke
LR
CO
Organizations shall regularly monitor, review and audit

supplier
service delivery.
Changes
to the provision of services by suppliers,
including
maintaining and improving existing information
security policies, procedures and controls, shall be
managed, taking account of the criticality of business
information, systems and processes involved and reassessment of risks.
A.16.1 Management of information security incidents and improvements

To ensure a consistent and effective approach to the management of information security
incidents, including communication on security events and weaknesses.
Management responsibilities and procedures shall be
Responsibilities and
A.16.1.1
established to ensure a quick, effective and orderly
procedures
response to information security incidents.
Information security events shall be reported through
Reporting information
A.16.1.2
appropriate management channels as quickly as
security events
possible.
Employees and contractors using the organizations
Reporting information
information systems and services shall be required to
A.16.1.3
security weaknesses
note and report any observed or suspected information
security weaknesses in systems or services.
Information security events shall be assessed and it
Assessment of and
shall be
A.16.1.4 decision on information
decided if they are to be classified as information
security events
security incidents.
Response to information
Information security incidents shall be responded to in
A.16.1.5
security incidents
accordance with the documented procedures.
INTERNAL USE ONLY
14OF 34
Legend
A.16 (for Selected Controls and Reasons for controls selection)
Information
security
incident ISO/IEC 27001:2013 Controls
management
Control
Clause Title
N
Objective/Control
Learning from
A.16.1.6 information security
incidents
A.16.1.7 Collection of evidence
A.17.1
A.17
Information
security
aspects of
business
continuity
management
Control Details
Current
Control
(Y N TSE)

columns maybe ticke
LR
CO
Knowledge gained from analysing and resolving

information security incidents shall be used to reduce
the likelihood or impact of future incidents.
The organization shall define and apply procedures for
the identification, collection, acquisition and
preservation of information, which can serve as
evidence.
continuity
Information security continuity shall be embedded in the organizations business continuity
management systems.
The organization shall determine its requirements for
A.17.1.1
Planning information
security continuity
A.17.1.2
Implementing information
security continuity
Verify, review and
evaluate information
security continuity
information security and the continuity of information

security management in adverse situations, e.g. during
a crisis or disaster.
The organization shall establish, document, implement
and maintain processes, procedures and controls to
ensure the required level of continuity for information
security during an adverse situation.
implemented
information security continuity controls at regular
intervals in
order to ensure that they are valid and effective during
adverse
continuity
Information security continuity shall be embedded in the organizations business continuity
management systems.
Information processing facilities shall be implemented
Availability of information
A.17.2.1
with redundancy sufficient to meet availability
processing facilities
requirements.
A.17.2
A.18.1 Compliance with legal and contractual requirements
INTERNAL USE ONLY
15OF 34


Clause Title
A.18.1.1
A.18.1.2
A.18.1.3
A.18
Compliance
A.18.1.4
A.18.1.5
A.18.2
A.18.2.1
INTERNAL USE ONLY
Control
Objective/Control
Control Details
Current
Control
(Y N TSE)

columns maybe ticke
LR
CO
To avoid breaches of legal, statutory, regulatory or contractual obligations related to information

security and of any security requirements.
All relevant legislative statutory, regulatory,
Identification of applicable
contractual requirements and the organizations
legislation and contractual
approach to meet these requirements shall be
requirements
explicitly identified, documented and kept up to date
for
each information
system
the organization.
Appropriate
procedures
shalland
be implemented
to
ensure compliance with legislative, regulatory and
Intellectual property
contractual requirements related to intellectual
rights
property rights and use of proprietary software
Records
products.shall be protected from loss, destruction,
falsification,
unauthorized access and unauthorized release, in
Protection of records
accordance with legislatory, regulatory, contractual
and business requirements.
Privacy and protection
Privacy and protection of personally identifiable
of personally identifiable
information shall be ensured as required in relevant
information
legislation and regulation where applicable.
Cryptographic controls shall be used in compliance
Regulation of cryptographic
with all relevant agreements, legislation and
controls
regulations.
Information security reviews
To ensure that information security is implemented and operated in accordance with the
organizational policies and procedures.
The organizations approach to managing information
security and its implementation (i.e. control objectives,
Independent review of
controls, policies, processes and procedures for
information security
information security) shall be reviewed independently
at planned intervals or when significant changes occur.
16OF 34
A.18
Statement
Compliance of Applicability


Clause Title
Control
Objective/Control
Compliance with
A.18.2.2 security policies and
standards
A.18.2.3
INTERNAL USE ONLY
Technical compliance
review
Control Details
Current
Control
(Y N TSE)

columns maybe ticke
LR
CO
Managers shall regularly review the compliance of

information
processing and procedures within their area of
responsibility with the appropriate security policies,
standards and
any other
requirements.
Information
systems
shallsecurity
be regularly
reviewed for
compliance
with the organizations information security policies
and standards.
17OF 34
Updated by
E: to some extent
ontrols and Reasons for

or inclusion (multiple
mns maybe ticked)
BR/BP
RRA
INTERNAL USE ONLY
Justification
for
Exclusion
Overview of implementation
18OF 34
Updated by
E: to some extent

mns maybe ticked)
BR/BP
RRA
INTERNAL USE ONLY
Justification
for
Exclusion
19OF 34
Updated by
E: to some extent

mns maybe ticked)
BR/BP
RRA
INTERNAL USE ONLY
Justification
for
Exclusion
20OF 34
Updated by
E: to some extent

mns maybe ticked)
BR/BP
RRA
INTERNAL USE ONLY
Justification
for
Exclusion
21OF 34
Updated by
E: to some extent

mns maybe ticked)
BR/BP
RRA
INTERNAL USE ONLY
Justification
for
Exclusion
22OF 34
Updated by
E: to some extent

mns maybe ticked)
BR/BP
RRA
INTERNAL USE ONLY
Justification
for
Exclusion
23OF 34
Updated by
E: to some extent

mns maybe ticked)
BR/BP
RRA
INTERNAL USE ONLY
Justification
for
Exclusion
24OF 34
Updated by
E: to some extent

mns maybe ticked)
BR/BP
RRA
INTERNAL USE ONLY
Justification
for
Exclusion
25OF 34
Updated by
E: to some extent

mns maybe ticked)
BR/BP
RRA
INTERNAL USE ONLY
Justification
for
Exclusion
26OF 34
Updated by
E: to some extent

mns maybe ticked)
BR/BP
RRA
INTERNAL USE ONLY
Justification
for
Exclusion
27OF 34
Updated by
E: to some extent

mns maybe ticked)
BR/BP
RRA
INTERNAL USE ONLY
Justification
for
Exclusion
28OF 34
Updated by
E: to some extent

mns maybe ticked)
BR/BP
RRA
INTERNAL USE ONLY
Justification
for
Exclusion
29OF 34
Updated by
E: to some extent

mns maybe ticked)
BR/BP
RRA
INTERNAL USE ONLY
Justification
for
Exclusion
30OF 34
Updated by
E: to some extent

mns maybe ticked)
BR/BP
RRA
INTERNAL USE ONLY
Justification
for
Exclusion
31OF 34
Updated by
E: to some extent

mns maybe ticked)
BR/BP
RRA
INTERNAL USE ONLY
Justification
for
Exclusion
32OF 34
Updated by
E: to some extent

mns maybe ticked)
BR/BP
RRA
INTERNAL USE ONLY
Justification
for
Exclusion
33OF 34
Updated by
E: to some extent

mns maybe ticked)
BR/BP
RRA
INTERNAL USE ONLY
Justification
for
Exclusion
34OF 34

Statement of Applicability For ISO 27001

Uploaded by

Copyright:

Available Formats

Statement of Applicability For ISO 27001

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Statement of Applicability For ISO 27001

Uploaded by

Copyright:

Available Formats

Statement of Applicability

Legend (for Selected Controls and Reasons for controls selection)

ISO/IEC 27001:2013 Controls

INTERNAL USE ONLY

Management direction for information security

Selected Controls and Rea

Review of the policies for

defined, approved by management, published and

Legend (for Selected Controls and Reasons for controls selection)

ISO/IEC 27001:2013 Controls

Selected Controls and Rea

Information security shall be addressed in project

Mobile devices and

INTERNAL USE ONLY

Legend (for Selected Controls and Reasons for controls selection)

ISO/IEC 27001:2013 Controls

Selected Controls and Rea

All employees of the organization and, where relevant,

or change of employment shall be clearly defined and

Responsibility for Assets

Legend (for Selected Controls and Reasons for controls selection)

ISO/IEC 27001:2013 Controls

Selected Controls and Rea

To ensure that information receives an appropriate level of protection in accordance with

Media shall be disposed of securely when no longer

A.A.11.1 Business Requirement for Access Control

INTERNAL USE ONLY

Legend (for Selected Controls and Reasons for controls selection)

ISO/IEC 27001:2013 Controls

Selected Controls and Rea

Users shall only be provided with access to the network

A.A.11.2 User Access Management

A.A.11.2.4authentication information of shall be controlled through a formal management

INTERNAL USE ONLY

Legend (for Selected Controls and Reasons for controls selection)

ISO/IEC 27001:2013 Controls

Selected Controls and Rea

To prevent unauthorized access to systems and applications.

systems and applications shall be controlled by a

A.10.1 Cryptographic controls

INTERNAL USE ONLY

Legend (for Selected Controls and Reasons for controls selection)

ISO/IEC 27001:2013 Controls

A.11.1.2 Physical entry controls

Securing offices, rooms and

Protecting against external

A.11.1.5 Working in secure areas

Delivery and loading

Selected Controls and Rea

Secure areas shall be protected by appropriate entry

A.11.2 Equipment security

INTERNAL USE ONLY

Equipment shall be correctly maintained to ensure its

ISO/IEC 27001:2013 Controls

A.11.2.5 Removal of assets

Secure disposal or reuse

Clear desk and clear

Selected Controls and Rea