Date 13.01.2020 Approved by Magne Myrtveit...CLAUSE TITLE CONTROL APPLICABLE JUSTIFICATION...

Date 13.01.2020

Approved by Magne Myrtveit

CLAUSE TITLE CONTROL APPLICABLE JUSTIFICATION RESPONSIBLE DOCUMENTREFERENCE IMPLEMENTATIONDESCRIPTION GAP/OPPORTUNITIESFORIMPROVEMENT IMPLEMENTED CMM

A.5 Information security policies 3A.5.1 Management direction for information security To provide management direction and support for information

security in accordance with business requirements and relevant laws and regulations.

A.5.1.1 Policies for information security A set of policies for information security shall be defined, approved by management, published, and communicated to employees and relevant external parties.

Yes

To ensure expectations and requirements of [organization] management are clearly defined and communicated to all relevant parties.

Dynaplan ‐ Information Security Management System

Defined in "information security management system.docx"‐ Information security policy‐ Human resources policy‐ Acceptable use policy‐ Bring your own device policy‐ Privileged accounts policy‐ Removable media policy‐ Privacy policy

GAP:‐ Document needs to be communicated to relevant parties.

Yes 3

A.5.1.2 Review of the policies for information security The policies for information security shall be reviewed at planned intervals, or if significant changes occur, to ensure their continuing suitability, adequacy, and effectiveness.

Yes

[organization name] operates in a dynamic environment and changes to e.g. threats, users and information assets may require changes to the policy as a tool to manage risk.

Dynaplan information security management system.docx

"These policies shall be reviewed at least annually, by the end of January, or as required if new threats appear."

Improvement:‐ Create an annual wheel showing key activities related to information security management.

Partially 3

A.6 Organization of information security 4A.6.1 Internal Organization To establish a management framework to initiate and control

the implementation and operation of information security within the organization.

A.6.1.1 Information security roles and responsibilities All information security responsibilities shall be defined and allocated.

Yes

Defining basic roles and responsibilities before entering into a contractual relationship reduces the risk of unauthorized actions due to misunderstandings and could acts as a deterrent for malicious actions

Dynaplan ‐ Information security policy (Part of Dynaplan ‐ Information Security Management System)

Roles and responsibilities.docx

The roles are described in "information security managmenet system.docx":‐ Owner of the security policy‐ Security Officer‐ System owner‐ System administrator‐ Users‐ Consultants and contractual partners

The actual role assignments to employees is documented in Shared responsibilities.docx.

Yes 5

A.6.1.2 Segregation of duties Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.

Yes

To control risk and enable us to detect and correct errors made by staff og contractors


The roles and duties are described in "information security managmenet system.docx":Special consideration for segregation of duties:1. Solutions group members shall not have administrator access to Dynaplan.com and associated web services.2. Solutions group members shall not have administrator access to Sharepoint and associated web services.

The actual role assignments to employees is documented in Roles and responsibilities.docx.

Yes 5

A.6.1.3 Contact with authorities Appropriate contacts with relevant authorities shall be maintained. Yes

Allows for quick response from authorities, vendors and third parties in the event of an incident where such response is required.


Contact with data protection authority (DPA) in Norway through Magne. Yes 4

A.6.1.4 Contact with special interest groups Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

YesKeeps personnel responsible for securing our assets updated on the current threat picture and relevant infosec trends


Security Officer follows Norwegian NorSIS newsletter.SO follows advisories from MS‐ISAC

Yes 3

A.6.1.5 Information security in project management Information security shall be addressed in project management, regardless of the type of project.

Yes

Enable the outcomes of projects to be delivered in a secure state Dynaplan ‐ Information Security Management System

Project management handbook

All projects shall consider information security before and during project implementation.In particular, as detailed in the project management handbook, in customer projects, a project security plan must be agreed on with the customer.

Project security plan to be developed together with customer as part of all projects.

Improvement:‐ Ensure that process is followed always e.g. by requiring formal sign‐off of project security plan before commencing the next project phase.

Yes 3

A.6.2 Mobile devices and teleworking To ensure the security of teleworking and use of mobile devices2,5

A.6.2.1 Mobile device policy A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

Yes

Selected to control risk related to access and storage of information on mobile devices


Requirements for digital devices, including mobile devices, are defined in the End‐User Policy.The technical guidelines are defined in Security.docx.

GAP:‐ Process around annual security checklists that employees should submit is not always followed.

Improvement:‐ Tablet computers can contain models as well as emails, phones can contain emails. Consider implementing MDM (mobile device management) solution to enable updates, remote wiping etc. ‐ CHECK IF IN SCOPE

Yes 2

A.6.2.2 Teleworking A policy and supporting security measures shall be implemented to protect information accessed, processed, or stored at teleworking sites.

Yes

All Dynaplan employees works from home and customer premisses and are therefore teleworkers.

Dynaplan ‐ Information Security Management SystemSecurity.docx

In principle and in practice, all Dynaplan employees are teleworkers. This includes working from their own home, from public places such as trains and planes, and at customer premises. Policy is defined in end‐user policy and security guidelines in security.docx

Yes 3

A.7 Human resources security 2

Page 2 of 24


A.7.1 Prior to employment To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered

2

A.7.1.1 Screening Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations, and ethics, and shall be proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

Yes

Reduce the risk of data loss and availability issues related to hiring people that does not fulfill competence requirements.


Some customers require background verification checks for all employees. This is no issue in Switzerland. In Norway, regulations are stricter.

For Dynaplan AS. Candidates for employment that have a financial audit or information security function, must show a criminal records excerpt. Suppliers and subcontractors that fulfil the same functions, must adhere to the same screening policy.For Dynaplan AG. All candidates for employment must show a criminal records excerpt. This also applies to external employees. Suppliers and subcontractors must adhere to the same policy.

In addition, background checks regarding compentence (e.g. by checking references) are performed.

GAP:‐ Procedure for checking criminal records established, but not implemented, yet.

Improvement:‐ Procedure for checking compentence implemented, but no records of results generated.

Yes 3

A.7.1.2 Terms and conditions of employment The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security.

Yes

Shall clearly define the relevant responsibility with staff and raise awareness.

Dynaplan Information security management system.docx

Employees must adhere to the information security policies of Dynaplan.com. This shall be stated in their employment contract.

Contracts with subcontractors must include an information security clause that require the subcontractor to follow Dynaplan information security policies while carrying out work for or on behalf of Dynaplan.

All employees are informed that they are required to abide by Dynaplan’s policies relating to data protection and information security when they receive their terms and conditions of employment. By accepting their terms and conditions of employment, an employee makes a formal undertaking to abide by the policies. The undertaking applies both during and after their employment with Dynaplan.

GAP:‐ Need to check if employee contracts contain sufficient clauses.‐ Need to check if contract with subcontractor includes necessary clauses.

Yes 1

A.7.2 During employment To ensure that employees and contractors are aware of and fulfil their information security responsibilities

2

A.7.2.1 Management responsibilities Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

Yes

Shall ensure policies and procedures remain effective and useful. It is also required for any kind of compliance.

Executive partners


It is the responsibility of the executive partners, as leaders of the development group and solution group, to require all employees and contractors to follow the established information security policies and procedures of Dynaplan.

New employees receive basic information security training according to their needs.

Information security is also a topic during bi‐annual company meetings.

Yes 2

A.7.2.2 Information security awareness, education and training

All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant to their job function.

Yes

A highly competent staff depends on management ensuring appropriate awareness, training and education amongst staff. Shall ensure risk related to knowledge and competence is controlled.

Security Officer


As defined in the ISMS document, all Dynaplan employees must participate in security awareness training. It is the responsibility of the security officer to ensure that such training is given upon employment and thereafter at least twice annually. The security officer is furthermore responsible for defining the content and method of the training, and ensuring that it is delivered in an appropriate and timely manner.

Improvement:‐ Formalize information security awareness education and training, especially with regards to regular updates.

Yes 2

A.7.2.3 Disciplinary process There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

YesShall work as a deterrent agains risks from unauthorized and neglilent acts that is clearly communicated to all relevant parties. Executive partners


Described in ISMS document.Yes 2

A.7.3 During employment To ensure that employees and contractors are aware of and fulfil their information security responsibilities

3

A.7.3.1 Termination or change of employment responsibilities

Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.

Yes

Shall help ensure important issues related to the termination process or internal role changes are not overlooked.


Upon employment, employees are required to sign a non‐disclosure agreement (NDA). Employees that leave Dynaplan shall be given a copy of the NDA and be reminded that they are bound by it also after employment.

Employees who leave Dynaplan or change their internal responsibilities shall undergo appropriate security process as defined in Personnel security process.docx.

Yes 3

A.8 Asset Management 3A.8.1 Responsibility for assets To identify organizational assets and define appropriate

protection responsibilitites3,25

Page 3 of 24


A.8.1.1 Inventory of assets Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

Yes

An inventory of assets is critical input to the risk management process. Without an overview of which resources we must protect, risk assessment is of no value.


An inventory of all Dynaplan owned information processing assets shall be maintained and be kept up to date. It is the responsibility of the executive partners to designate a person that will maintain this inventory.

Customer model overview available through system.

Improvement:‐ Update list.

Partially 3

A.8.1.2 Ownership of assets Assets maintained in the inventory shall be owned.

Yes

To ensure owners and stakeholders take responsibility in securing assets they are responsible for.

Ownership is key in ensuring risk is managed according to owners and stakeholders requirements.

Dynaplan ‐ Information Security Management SystemRoles and responsibilies.docx

System ownership is defined in Roles and responsibilies.docx. Information asset ownership is defined in Security targets and objectives.

Yes 4

A.8.1.3 Acceptable use of assets Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.

Yes

Shall ensure risk related to information processing is managed according to Dynaplans rules and guidelines.


End‐user Policy in ISMS‐doument.

All employees must adhere to the End‐user policy.

Improvement:‐ Check if Security.docx needs to be synchronized with policy.

Yes 2

A.8.1.4 Return of assets All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.

Yes

Selected to minimize risk of information disclosure and prevent data loss


Personell security routine.docx

All assets in an employee’s possession must be returned upon termination of employment. The personnel security routine defines responsibilities with regards to this.

"Personell security routine". All employees and external party users are required shall return assets. Security Officer responsible for ensuring that this has been done. Security Officer is also responsible for checking that all organizational assets from personal devices have been deleted.

Yes 4

A.8.2 Information classification To identify organizational assets and define appropriate protection responsibilitites

2

A.8.2.1 Classification of information Information shall be classified in terms of legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification.

YesShall enable correct level of protection on the right information resources.


Classifications are defined in "information security management system.docx". Yes 2

A.8.2.2 Labelling of information An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

Yes

This is a customer requirement. In addition, this is important to ensure that customer data is not exposed to wrong recipient (e.g. by email).


Currently, most information is stored in appropriate sites and folders on SharePoint. As a general rule, the type of site/folder indicates also the classification of the data stored within. E.g., all information in Dynaplan Internal is internal information. All information stored in a customer site pertains to that customer.

Improvement:‐ Assess alternate solutions.‐ Consider using customer tags to ease deletion of customer documents when off‐boarding them.

Yes 1

A.8.2.3 Handling of assets Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

Yes

Shall control risks associated with information leakage and protection of internal and customer data.


Security targets and objectives.dpab

The relevant general procedures are contained in the End‐User policy.

The document Security targets and objectives identify which classes of information that are stored on each system and defines specific security objectives to each system on this basis. These objectives determine the relevant security controls and refers to Annex A in this respect.

Yes 3

A.8.3 Media handling To prevent unauthorized disclosure, modification, removal, or destruction of information stored on media

3

A.8.3.1 Management of removablemedia

Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

Yes

This is a customer requirement and shall ensure risk related to the use of removable media is managed and done according to [organization name]s rules and guidelines.


Removable media may only be used in accordance with the end‐user policy. Removable media must be recorded in the Inventory of assets.

Improvement:‐ Formalize process for recording removable media in the inventory of assets.

Yes 2

A.8.3.2 Disposal of media Media shall be disposed of securely when no longer required, using formal procedures.

Yes

Control risk releated to information disclosure related to the disposal of removable media.

Dynaplan Information security management system.docxSecure asset sanitization routine

Media that contains data with a classification that is not open must be appropriately sanitized. Disposal methods are defined in Appendix A – Minimum Sanitization Recommendations of NIST Special Publication 800‐88.The specific routines are described in Secure asset sanitization routine.

This is done by local resources.

Yes 4

A.8.3.3 Physical media transfer Media containing information shall be protected against unauthorized access, misuse, or corruption during transportation. Yes

Control risk releated to information disclosure Dynaplan Information security management system.docx

Company, partner, or customer information shall only be stored on portable devices or removable media (e.g. external hard drives, memory sticks) if encrypted and approved by the Security Officer.

Improvement:‐ Information on this should be included in the regular awareness education and training programme.

Yes 3

A.9 Access Control 3A.9.1 Business requirement for access control To limit access to information and information processing

facilities3

Page 4 of 24


A.9.1.1 Access control policy An access control policy shall be established, documented and reviewed based on business and information security requirements.

Yes

To control risk related to how people get access to information processing systems and ensure [organization name] remains in control of who has access to customer data.


Working with customer sites

Working with project sites

Data in the Dynaplan cloud.docx

User access to information systems are given based on the needs specific to their role. It is the responsibility of the system owner to define appropriate needs and access levels. The system owners may delegate authority to grant access to their systems.

Access is given on need‐to‐know and least‐privilige principles.

Sharepoint: Different roles have been established in Sharepoint. Administrator role for Sharepoint (2 persons), can set up site collections and sites, grants access to account manager. Account manager role has access to a customer sites. Access for external users is enabled at site‐collection level and granted to indiviual users at site level or below.

Smia: Different roles exist (user ‐ read‐only or author ‐ write access). Every user is named. Access is given through licenses that are restricted by hardware. Access to non‐public models is defined at Dynaplan.com.

Web: Same users as in Smia are used. Some access is never given to users. Specific customer policy is "shared models setup form" agreed on with customer at project start

Yes 3

A.9.2 User access management To ensure authorized user access and to prevent unauthorized access to systems and services

3

A.9.2.1 User registration and de‐registration A formal user registration and de‐registration process shall be implemented to enable assignment of access rights.

Yes

Shall manage risk related to unauthorized network and systems access.


The following registration and de‐registration mechanisms are provided for Dynaplan.com:Registration

1.Self registra on via dynaplan.com 2.Appropriately filled out Shared models

setup form – Dynaplan creates the users based on the form.De‐registration

1.Appropriate de‐registra on methods are defined in general data protection regulation compliance.docx

2.Then for the specific system the user should be removed from, follow routine removing a user.docx

Once a user has an account on Dynaplan.com, Dynaplan can assign the user to a specific customer organization. Once, that has been done, a specially authorized customer user are designated organization manager and may grant users access to the organization’s models, and rescind that access.

System administrator sets up user in user database, Tortoise, and Office 365.

Process for Smia user creation is described in information security management docx

Yes 3

A.9.2.2 User access provisioning A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

Yes

The provisioning process is critical in order to manage risk related to unauthorized network and systems access.


Access is provisioned at the same time as user registration. System administrator is responsible for updating access rights as needed.

Yes 3

A.9.2.3 Management of privileged access rights The allocation and use of privileged access rights shall be restricted and controlled.

Yes

Shall manage risk related to privileged access to network and information processing systems.


Access is given on need‐to‐know and least‐privilige principles.

A privileged access list shall be maintained in the security management notebook on Sharepoint.

It is the responsibility of the system owner to ensure only employees with the appropriate role are on the privileged access list for their system.

Improvement:‐ Change "security managment notebook" to be included in "Roles and responsbilities" document.

Yes 3

A.9.2.4 Management of secret authentication information of users

The allocation of secret authentication information shall be controlled through a formal management process.

Yes

Shall control the risk related to the use of passwords and 2‐factor authentication systems.


security.docx

Procedure is described in ISMS and "security.docx"Users shall create their own passwords in accordance with the password guidelines in security.docx. Passwords may not be stored in clear text. Preferably, only the password hash shall be stored to enable authentication.To ease the multiple password burden on users, operating systems’ password vaults may be used to store passwords.

Yes 3

A.9.2.5 Review of user access rights Asset owners shall review users’ access rights at regular intervals.

Yes

Shall reduce risk of people having access to customer data and information longer than they need to do their work.


It is the responsibility of the system owners to review who has access to their systems. This shall be done at least once annually, before the end of January.

GAP:‐ Implement review process.

Yes 3

Page 5 of 24


A.9.2.6 Removal or adjustment of access rights The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

Yes

Shall reduce the risk of people keeping access after their termination or when they no longer has a defined need.


Personell security routine.docx

Employees that change their role or for which employment is terminated, must have their access rights adjusted or removed. The specific routines are described in Personnel security routine.docx.

Yes 3

A.9.3.1 User responsibilities To make users accountable for safeguarding their authentication information

3

A.9.3.1 Use of secret authentication information Users shall be required to follow the organization’s practices in the use of secret authentication information.

Yes

To control the inherent risk with users choosing and using passwords and managing their 2‐factor authentication.


security.docx

The password policy for Dynaplan is defined in security.docx.

Yes 3

A.9.4 System and application access control To prevent unauthorized access to systems and applications 2,8A.9.4.1 Information access restriction Access to information and application system functions shall be

restricted in accordance with the access control policy.

Yes

Shall control risk related to network, information systems and application access.

System Owner


It is the responsibility of the system owners to ensure that access to information and applications are in accordance with the Access control policy.

Roles are implemented in the individual applications restricting access to different information and functionality in the systems in line with the access control policy.

Yes 3

A.9.4.2 Secure log‐on procedures Where required by the access control policy, access to systems and applications shall be controlled by a secure log‐on procedure.

Yes

To control risk related to loss of secret authentication information on operating systems.

System Owner


The system owners shall define, based on risk assessment, an appropriate log on procedure for their systems.

Improvement:‐ Update information security management system description.‐ Assess if the log‐on procedure to in‐scope systems can be improved with regards to the suggestions in ISO27002.

Yes 2

A.9.4.3 Password management system Password management systems shall be interactive and shall ensure quality passwords.

Yes

To control risk related to loss of secret authentication information on operating systems and prevent users from selecting passwords that may be easily guessed.


The system owners shall ensure that their systems have mechanisms in place that enforces compliance with the password policy defined in Security.docx.

Different customers require different password policies. Currently, a system is being developed to allow for different policies.

GAP:‐ Finish ongoing project.

Yes 3

A.9.4.4 Use of privileged utility programs The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

YesTo manage risk related to information disclosure. Dynaplan Information security

management system.docxAs defined in the end‐user policy, it is forbidden to circumvent security controls of a device, system or data.

Yes 3

A.9.4.5 Access control to program source code Access to program source code shall be restricted.Yes

Program source code does not exist within the scope of the ISMS. Dynaplan Information security management system.docx

Only members of the development team have access to the source code of Dynaplan Smia and associated web services.

Yes 3

A.10 Cryptography 3A.10.1 Cryptographic controls To ensure proper and effective use of cryptography to protect

the confidentiality, authenticity and/or integrity of information 3

A.10.1.1 Policy on the use of cryptographic controls A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

Yes

Shall control the risk that selected encryption does not remaining effective in achieving required protection.


In general, cryptographic controls shall be used to protect data and files at rest and in transit. Specifically, all data and files stored on Dynaplan.com and associated web services must be encrypted to minimize the possibility that they can be read by unauthorized persons.Furthermore, Dynaplan Smia models that are part of Dynaplan’s licensed model service, must be encrypted with asymmetric encryption to ensure the protection of Dynaplan’s intellectual property, and confidentiality and integrity of any external confidential data stored in them.

Improvement:‐ Update information security management document to require customer data to be encrypted.

Yes 3

A.10.1.2 Key management A policy on the use, protection and lifetime of cryptographic keys should be developed and implemented through their whole lifecycle.

Yes

Shall control the risk related to private keys becoming exposed or compromized, leaving encryption ineffective in protecting information assets.


Dynaplan shall whenever possible, retain full control of the cryptographic keys used to access critical systems at the administrator level. Separate accounts with separate keys shall be used for accessing live systems and the backup of those systems. This is to ensure that a malicious actor cannot delete data or sabotage live systems, and at the same time sabotage or delete the backups.Cryptographic keys for access to Dynaplan Smia models are generated by the users themselves. The passwords to private keys shall not be stored in clear text, nor encrypted. Only a hash of the password will be retained to allow check of access rights.

Improvement:‐ Assess if existing policy should be tightened.

Yes 3

A.11 Physical and environmental security 3A.11.1 Secure areas To prevent unauthorized physical access, damage and

interference to the organization's premises and information. 3

Page 6 of 24


A.11.1.1 Physical security perimeter Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information‐processing facilities.

Yes

Dynaplan currently do not own or rent any offices or physical space in which information assets reside. Instead, Dynaplan rents services from suppliers such as Amazon Web Services. Requirements for secure areas must be defined for each system procured externally. The supplier’s security documentation must be reviewed for compliance. In case of non‐compliance and no roadmap to rectify, Dynaplan cannot use the supplier.


Dynaplan currently do not own or rent any offices or physical space in which information assets reside. Instead, Dynaplan rents services from suppliers such as Amazon Web Services. Requirements for secure areas must be defined for each system procured externally. The supplier’s security documentation must be reviewed for compliance. In case of non‐compliance and no roadmap to rectify, Dynaplan cannot use the supplier.

The Dynaplan executive partners' offices are included in the ISMS scope and may contain limited information assets in physical form. The offices are defined as secure areas. Physical security is adressed in line with the result of the risk assessment.

Yes 3

A.11.1.2 Physical entry controls Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

Yes

Shall ensure risks related to physical attacks against information processing systems and utilities.


Managed through supplier management.

The Dynaplan executive partners' home offices are secured by locks. Accounting information incl. receipts and hard‐copies are secured using a fire proof cabinet with locks.

Yes 3

A.11.1.3 Securing offices, rooms and facilities Physical security for offices, rooms, and facilities shall be designed and applied.

Yes

Shall ensure risks related to physical attacks against information processing systems and utilities.


Managed through supplier management.

The Dynaplan executive partners' home offices are not accessible to the general public.

Yes 3

A.11.2 Equipment To prevent loss, damage, theft, or compromise of assets and interruption to the organization’s operations

3,28571429

A.11.2.1 Equipment siting and protection. Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

Yes

Shall control the risk related to environmental issues and prevent unauthorixed access to information processing facilities.


Equipment shall be appropriately protected, according to the procedures in Security.docx. Disposal of equipment shall follow the procedures in Secure asset sanitization routine.docx.

Accounting information incl. receipts and hard‐copies in the Norwegian executive partner's office are stored in a fire proof cabinet that can be locked.

Yes 3

A.11.2.3 Cabling security Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference, or damage. Yes

Shall control risks related to sabotage, wiretapping and eavesdropping from the office areas.



Yes 3

A.11.2.4 Equipment maintenance Equipment shall be correctly maintained to ensure its continued availability and integrity.

Yes

Shall control the risk of data exposure, system failure and downtime related to lack of maintenance of servers and workstations



Yes 3

A.11.2.6 Security of equipment and assets off‐premises Security shall be applied to off‐site assets, taking into account the different risks of working outside the organization’s premises. Yes

Shall control risks of information disclosure and data loss when information assets are moved outside the datacenter.



Yes 4

A.11.2.7 Secure disposal or reuse of equipment All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re‐use.

Yes

Selected to ensure workstations are not being re‐used or disposed with information on them that could be retrieved by unathorized parties. Thereby reducing the risk of data exposure.


Equipment shall be appropriately protected, according to the procedures in Security.docx. Disposal of equipment shall follow the procedures in Secure asset sanitization routine.docx. Yes 3

A.11.2.8 Unattended user equipment Users shall ensure that unattended equipment has appropriate protection. Yes

To control risk related to user equipment being left unattended. Dynaplan Information security management system.docx

Equipment shall be appropriately protected, according to the procedures in Security.docx. Disposal of equipment shall follow the

d i S t iti ti

Yes 4

A.11.2.9 Clear desk and clear screen policy A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. Yes

To control risk related to confidential media or data being available to unauthorized persons.


Acceptable Use Policy

Requirements regarding locking screen are included in the Acceptable Use Policy

GAP:‐ Policy needs to be implemented.

Yes 3

A.12 Operations security 3A.12.1 Operational procedures and responsibilities To ensure correct and secure operations of information‐

processing facilities3,25

Page 7 of 24


A.12.1.1 Documented operating procedures Operating procedures shall be documented and made available to all users who need them.

Yes

Selected to make sure custodians have all the information they need, when they need it, to perform operational tasks in a way that keep risk of critical failure as low as possible.



List over resources, routines and guides

A project management handbook has been developed to ensure projects are executed in a uniform and secure manner. The project handbook includes requirements for agreeing on appropriate security levels between Dynaplan and the customer.Appropriate routines shall be developed for recurring tasks that may have security implications. Examples of such routines include the personnel security routine, operations officer routines and working with a site mailbox (Sharepoint).The system owners are responsible for ensuring that appropriate routines are developed for their systems. The routines shall be stored on Sharepoint in the routines folder.

Routines are stored in Sharepoint from where they are accessible to relevant users.

Improvement:‐ Check if ISO27002 list contains additional documents that should be documented:a) the installation and configuration of systemsb) processing and handling of information both automated and manualc) backupd) scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion timese) instructions for handling errors or other exceptional conditions, which might arise during job execution, including restrictions on the use of system utilitiesf) support and escalation contacts including external support contacts in the event of unexpected operational or technical difficultiesg) special output and media handling instructions, such as the use of special stationery or the managemnt of confidential output including procedures for secure disposal of output from failed jobsh) system restart and recovery procedures in the event of system failurei) the management of audit‐trail and system log informationj) monitoring procedures

Yes 3

A.12.1.2 Change management Changes to the organization, business processes, information‐processing facilities, and systems that affect information security shall be controlled.

Yes

Shall control risks related to changes in the operational environment


Roles and responsibilities

Roles and responsibilities regarding change management are documented and communicated.

Changes are tracked through ticket system. Changes undergo testing before rolling out to live systems. The testing is performed in several phases:1. Developers test their own code.2. Quality assurance staff tests the implemented functions.3. An internal preview is released to the solutions group.4. If the internal preview phase is successful, an external preview is made available to customers for test in their systems prior to release.

Bigger changes (e.g. changing from Google to Microsoft Sharepoint) are handled separately.

Yes 3

A.12.1.3 Capacity management The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

Yes

Selected to ensure critical components do not fail due to lack of system resources.


Dynaplan shall make the appropriate agreements to ensure that external infrastructure services are scalable within a short time frame, to ensure sufficient system performance.

Initially a performance test was performed to determine capacity requirements (web). Capacity is adjusted up / down automatically based on the number of requests received. In addition, a notification is sent by email.

Sharepoint: System Owner allocates storage space to site collections. System provides warnings when reaching capacity thresholds. System owner will then adjust accordingly.

Yes 4

A.12.1.4 Separation of development, testing, and operational environments

Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

Yes

The physical operational environments are outside the scope of this ISMS


Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

Smia: Development team and one test responsible. Development, testing, and operational environments are separated from each other.

Web: Development is performed locally on developer machine. In addition, a test and a separate operational environment are used.

Yes 3

A.12.2 Protection from malware To ensure that information and information processing facilities are protected against malware

2

Page 8 of 24


A.12.2.1 Controls against malware Detection, prevention, and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

Yes

Shall reduce the risk of systems becoming compromized by malware and ensure users know what to do if they suspect something is wrong.


Anti‐malware software shall be installed on all devices. The users shall be trained in avoiding malware threats. This shall be done as part of the regular security awareness training.

Microsoft's standard anti‐malware solution installed on all PCs. All mobile phones are equipped with anti‐malware solution.

Twice a year, security sessions where different security topics are discussed.

Yes 2

A.12.3 Backup To protect against loss of data 3A.12.3.1 Information backup Backup copies of information, software, and system images

shall be taken and tested regularly in accordance with an agreed backup policy.

Yes

Shall reduce risk of data loss in the event of system failure Dynaplan Information security management system.docx

The system owners shall ensure that appropriate mechanisms for taking backups are in place and used.

The backup mechanisms used for Dynaplan.com and associated web services are defined in data in the cloud.docx.

The source code of Dynaplan Smia and associated web services must also be backed up at regular intervals.

Yes 3

A.12.4 Logging and monitoring To record events and generate evidence 2,25A.12.4.1 Event logging Event logs recording user activities, exceptions, faults, and

information security events shall be produced, kept, and regularly reviewed.

Yes

To allow detection of and function as a deterrant against information seurity breaches.


Logs of user activities on Dynaplan.com and associated web services are maintained. This logging is automatic. Reading these logs is restricted to Dynaplan employees with the appropriate authorization, determined by the system owners.

Improvement:‐ Monitor log of downloads and activitites in from Sharepoint.

Yes 2

A.12.4.2 Protection of log information Logging facilities and log information shall be protected against tampering and unauthorized access. Yes

To ensure content in the logs can be trusted and remain an efficient information source in case of forensic investigation.


Appropriate access controls protect the logs. Wherever possible, they are also cryptographically protected.

Yes 3

A.12.4.3 Administrator andoperator logs

System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

YesTo be able to detect and deter information security incidents. Dynaplan Information security

management system.docxLogs are generated, but logs are only reviewed on demand.

GAP:‐ Assess the need for reviewing admin logs.

Partially 2

A.12.4.4 Clock synchronization The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source.

YesShall ensure reliable operational log data and forensic data with timestamps from a trusted source.

Dynaplan Information security management system.docx Yes 2

A.12.5 Control of operational software To ensure the integrity of operational systems 3A.12.5.1 Installation of software on operational systems Procedures shall be implemented to control the installation of

software on operational systems.

Yes


All changes are managed according to the change process.

For Dynaplan.com and associated web services, installation of software and enabling of services must be approved by the system owner. The system owner is accountable, but has delegated the day‐to‐day responsibility to the system administrator.

Yes 3

A.12.6 Technical vulnerability management To prevent exploitation of technical vulnerabilities 2A.12.6.1 Management of technical vulnerabilities Information about technical vulnerabilities of information

systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.

Yes

Shall ensure that we are confident infrastructure provider has full control of vulnerabilities on a day‐to‐day basis and ensure the processes for handling them remain efficient.


Dynaplan developed systems: Vulnerabilities shall be tracked using the technical ticket system (for technical resolution of the issue) and Dynaplan’s incident reporting system.

For non‐Dynaplan developed systems, Dynaplan shall if the supplier offers it, subscribe to vulnerability bulletins. These bulletins shall be reviewed and a risk analysis performed for relevant vulnerabilities.Release notes for the following products are subscribed to Windows, Office 365, Tortoise, Apache, PHP, QT, Cryptlib.

GAP:‐ Subscribe to https://www.microsoft.com/en‐us/msrc/technical‐security‐notifications security bulletins.‐ Subscribe to Amazon security bulletins https://aws.amazon.com/security/security‐bulletins/

Partially 2

A.12.6.2 Restrictions on software installation Rules governing the installation of software by users shall be established and implemented.

Yes

Shall reduce the risk of unwanted software and malware, being introduced in the environment by users, that cause harm to internal and customer data.


Dynaplan employees retain administrator access to their own laptops for flexibility. Installation of software must conform to the End‐user policy

For critical systems, such as the systems on which Dynaplan.com and associated web services reside, installation of software must be approved by the system owner prior to installation.

Yes 2

A.12.7 Information systems audit conciderations To minimize the impact of audit activities on operational systems

2

A.12.7.1 Information systems audit controls Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.

Yes

Shall ensure the ISMS continue to function as a whole, focusing on processes and activities that give most value to us, and minimize impact to business operations.


The controls used to protect operational information systems shall be reviewed at least once annually, and whenever necessary (e.g., on report of a critical vulnerability). The review shall be based on an updated risk assessment of the system. The security officer is responsible for ensuring that the review is carried out before the end of January.

GAP:‐ Audits and penetration tests still to be performed.

Partially 2

A.13 Communications security 3A.13.1 Networks security Management To ensure the protection of information in networks and its

supporting information processing facilities.0

Page 9 of 24


A.13.2 Information transfer To maintain the security of information transferred within an organization and with any external entity.

2,5

A.13.2.1 Information transfer policies and procedures Formal transfer policies, procedures, and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

YesProject security plan includes requirements on how communication between Dynaplan and

customer shall happen.

Project security plan includes requirements on how communication between Dynaplan and customer shall happen.

Improvement:‐ Assess the possibility for more effective solutions.

Yes 3

A.13.2.2 Agreements on information transfer Agreements shall address the secure transfer of business information between the organization and external parties. Yes

We want to ensure we control the risk of information disclosure or data loss due to unclear responsibilities and duties.

Project security plan includes requirements on how communication between Dynaplan and customer shall happen.

Yes 3

A.13.2.3 Electronic messaging Information involved in electronic messaging shall be appropriately protected.

Yes

Shall reduce risk related to the exchange of information by electronic messaging. We want to make sure we include all form of electronic messaging.

Microsoft Azure information protection is used to protect labeled documents.

S/MIME is used with some customers.

Improvement:‐ Improve competence of tool administrator.

Yes 3

A.13.2.4 Confidentiality or nondisclosure agreements Requirements for confidentiality or non‐disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed, and documented.

Yes

Selected to ensure we manage the risk of information disclosure and data leakage from personnell, partners and external consultants.

Employee contracts NDAs are part of employee contracts.

Yes 1

A.14 System acquisition, development and maintenance

2

A.14.1 Security requirements of information systems To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems that provide services over public networks

2,66666667

A.14.1.1 Information security requirements analysis and specification

The information‐security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems Yes

Shall ensure security requirements are taken into account when provider sets up new systems or enhances existing systems related to our information processing

Dynaplan has few systems. These are shifted out seldomely. The information‐security related requirements are included as needed. System owners are included in this process.

Yes 2

A.14.1.2 Securing application services on public networks Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification.

Yes

Selected to ensure we achieve sufficient protection against information theft or data loss and control the risk of fraud and misuse of information crossing the internet.

HTTPS/SSL is used to protect information passing over public networks.

Yes 3

A.14.1.3 Protecting application services transactions Information involved in application service transactions shall be protected to prevent incomplete transmission, mis‐routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication, or replay.

Yes

Shall enable approproate protection of transactions according to their importance and value.

HTTPS/SSL is used to protect information passing over public networks.

Yes 3

A.14.2 Security in development and support processes

To ensure that information security is designed and implemented within the development lifecycle of information systems

2,33333333

A.14.2.1 Secure development policy Rules for the development of software and systems shall be established and applied to developments within the organization. Yes

The process of developing software is absent in [organization name].

General rules for the development of software and systems are established. Developers keep up to date with current developments. The rules are however not formalized.

Improvement:‐ Formalize the rules, consider basing them on some well recognized standard (e.g. Microsoft Software Development Lifecycle).

Yes 2

A.14.2.2 System change control procedures Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

Yes

Shall control risk related to changes in operating systems and manage risk of unintended consequences.

Product backlog contains enhancements, reengineerings and fixes. These are used as input for a process. Prioritisation of changes, design, development, tests, release.

GAP:‐ Document process and check that it is aligned with best practice (e.g. ISO27002) Yes 2

A.14.2.3 Technical review of applications after operating platform changes

When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

Yes

Shall control risk related to changes in operating systems and manage risk of unintended consequences. We must ensure we work in harmony with our infrastucture provider on this.

This is seldomely done. When relevant, these changes are handled in line with the requirements (see change management process).

Yes 2

A.14.2.4 Restrictions on changes to software packages Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled. Yes

Shall control risk related to changes in operating systems and manage risk of unintended consequences.

There is a policy that software package modifications should be limited. Only very few exceptions are allowed. This is then accompanied by thorough testing of modifications.

Yes 3

A.14.2.5 Secure system engineering principles Principles for engineering secure systems shall be established, documented, maintained, and applied to any information system implementation efforts. Yes

Selected to ensure our providers make sure our systems are engineered to satisfy information security requirements from the beginning.

Principles for engineering secure systems are established. Developers keep up to date with current developments. The principles are however not formalized.

Improvement:‐ Formalize the principles, consider basing them on some well recognized standard (e.g. Microsoft Software Development Lifecycle).

Yes 2

A.14.2.6 Secure development environment Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

Yes

The process is absent in the [organization name] The same technical configuration is used for development as for operations.

Yes 3

A.14.2.7 Outsourced development The organization shall supervise and monitor the activity of outsourced system development. Yes

To ensure we control risk related to outsourced development. Dynaplan uses one external consultant. The consultant is subject to the same security requirements as all Dynaplan employees.

Yes 3

A.14.2.8 System security testing Testing of security functionality shall be carried out during development.

YesTo manage risk related to system integrity and reduce the possibility of future cost as a consequence of lack of testing.

This is done as part of the development process.

Yes 2

A.14.2.9 System acceptance testing Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.

YesShall ensure we manage risk related to information systems This is done as part of the development

process. Yes 2

A.14.3 Test data To ensure the protection of data used for testing 3A.14.3.1 Protection of test data Test data shall be selected carefully, protected, and controlled.

YesThere are no processes within the scope of the ISMS where test data is being used.

Generated data are used to test.Yes 3

A.15 Supplier relationships 2,0A.15.1 Information security in Supplier relationships To ensure protection of the organization’s assets that are

accessible by suppliers2

A.15.1.1 Information security policy for supplier relationships

Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed upon with the supplier and documented.

Yes

Shall ensure correct management of risk related to our suppliers and make sure our suppliers are aware of our requirements and expectations.


Suppliers must document that they offer at least the same level of security, as that required internally in Dynaplan. It is the responsibility of the security officer to ensure that supplier documentation are reviewed and checked against Dynaplan requirements at least once annually.

Amazon and Microsoft are key suppliers.

Yes 2

Page 10 of 24


A.15.1.2 Addressing security within supplier agreements All relevant information security requirements shall be established and agreed upon with each supplier that may access, process, store, communicate, or provide IT infrastructure components for the organization’s information.

Yes

Shall enable our suppliers to comply with our security requirements and reduce risk related to 3rd party deliveries.


Dynaplan shall ensure that information security requirements are addressed in contracts between the supplier and Dynaplan.

A supplier’s standard contract shall only be used if it satisfies the minimum defined security level based on risk assessment.


Yes 2

A.15.1.3 Information and communication technologysupply chain

Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.

Yes

Shall ensure risk related to the whole supply chain is identified and addressed by suppliers that are a part of our ICT supply chain.


Dynaplan shall ensure that information security requirements are addressed in contracts between the supplier and Dynaplan.

A supplier’s standard contract shall only be used if it satisfies the minimum defined security level based on risk assessment.


Yes 2

A.15.2 Supplier service delivery Management To maintain agreed level of information security and service delivery in line with supplier agreements

2

A.15.2.1 Monitoring and review of supplier services Organizations shall regularly monitor, review, and audit supplier service delivery.

Yes

Selected to ensure we receive the right level of service and corrects quality according to supplier agreements.


Supplier security compliance audit.docx

The security officer is responsible for ensuring that supplier services are audited with respect to information security regularly (at least once per year). As a minimum, the audit must include review of the supplier’s documentation.

Yes 2

A.15.2.2 Managing changes to supplier services Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures, and controls, shall be managed, taking account of the criticality of business information, systems, and processes involved and re‐assessment of risks.

Yes

Shall control risk to our information processing that may be caused by changes in supplier deliveries.


GAP:‐ Check how Amazon, Microsoft and Tortoise would inform about potential changes and ensure that this is covered.

Partially 2

A.16 Information Security Incident Management 3A.16.1 Management of information security incidents

and improvementsTo ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses

3

A.16.1.1 Responsibilities and procedures Management responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incidents.

Yes

Shall ensure we manage information security incdents correctly and make sure responsibilities and procedures are clearly communicated.


Incident reporting and management system

Requirements and procedures for management of security incidents are defined in incident reporting and management system.docx. This includes:1. Responsibilities and procedures2. How to report incidents and other relevant events3. How to report vulnerabilities and weaknesses4. The assessment and response processes5. Procedures for ensuring learning from incidents through after action review .

Yes 3

A.16.1.2 Reporting information security events Information security events shall be reported through appropriate management channels as quickly as possible.

Yes

Selected to ensure swift handling of information security events to prevent them from escalating over time and becoming threats to our information assets.



Yes 3

A.16.1.3 Reporting information security weaknesses Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.

Yes

To enable observed or suspected security weaknesses to be assessed and mitigated as quickly as possible



Employees and contractors are required to do this. They are also regularly reminded of this during bi‐annual meetings.

Improvement:‐ Ensure employees understand the benefit of reporting phishing attempts even if they themselves identify them as such.

Yes 3

A.16.1.4 Assessment of and decision on information security events

Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents. Yes

To ensure actual information security events are handled correcly while limiting the spending of resources on irrelevant or harmless events.



Yes 3

A.16.1.5 Response to information security incidents Information security incidents shall be responded to in accordance with the documented procedures.

Yes

Delected to ensure the process of handling security incidents is effective and control the risk of them not being handles correcly because of lack of procedures.



Yes 3

A.16.1.6 Learning from information security incidents Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. Yes

To enable continual improvement of the way we handle incidens and ensure we learn from previous incidents.



Yes 3

A.16.1.7 Collection of evidence The organization shall define and apply procedures for the identification, collection, acquisition, and preservation of information, which can serve as evidence. Yes

To enable the possibility of legal action related to the evidence collection following an information security incident.



Yes 3

A.17 Information security aspects of business continuity management

2

A.17.1 Information security continuity Information security continuity shall be embedded in the organisations business continuity management systems

1,66666667

Page 11 of 24


A.17.1.1 Planning information security continuity The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

Yes

To ensure information security is preserved even during an adverse situation lika a crisis or disaster.

Dynaplan Business Continuity Plan.docx

Requirements and procedures for management of availability issues that cause services to go offline for a longer period of time are defined in business continuity plan.docx. This includes:1. Unavailability of infrastructure services for Dynaplan.com and associated2. Unavailability of Office 365 services3. Unavailability of employees regular workspace4. Loss of critical personnel

Yes 2

A.17.1.2 Implementing information security continuity The organization shall establish, document, implement, and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

Yes

To enable the organisation to continue providing service even during an adverse situation.



Yes 2

A.17.1.3 Verify, review, and evaluate information security continuity

The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

Yes

Selected to ensure our plans, procedures and processes related to information security and business continuity remain current and effective.



GAP:‐ Business continuity plan needs to be tested after completion.

No 1

A.17.2 Redundancies To ensure availability of information processing facilities 3A.17.2.1 Availability of information processing facilities Information processing facilities shall be implemented with

redundancy sufficient to meet availability requirements.Yes


Dynaplan shall ensure that at least two information processing facilities with mirroring are used for critical business systems, such as Dynaplan.com and associated web services.

Yes 3

A.18 Compliance 3A.18.1 Compliance with legal and contractual

requirementsTo avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements

2,8

A.18.1.1 Identification of applicable legislation and contractual requirements

All relevant legislative statutory, regulatory, contractual requirements, and the organization’s approach to meet these requirements shall be explicitly identified, documented, and kept up to date for each information system and the organization.

Yes

To control the risk related to breach of laws and regulations that occurs because we did not not about them. This is a legal compliance requirement.



It is the responsibility of the security officer to ensure that relevant legislation is identified and monitored. The security officer shall also review customer contracts for information security requirements and evaluate whether Dynaplan is able to comply with the requirements.

GDPR and contractual requirements from customers are key requirements. Additional specific customer requirements may be agreed on through the project security plan.

Yes 3

A.18.1.2 Intellectual property rights Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory, and contractual requirements related to intellectual property rights and use of proprietary software products.

Yes

Shall ensure thet [organization name] is not in breach of IPR that may represent risk to management as well as financial risk.


Software licenses are managed centrally.

Users can install software on their own systems.

Improvement:‐ Require as part of the acceptable use policy that users only install properly licensed software.

Partially 2

A.18.1.3 Protection of records Records shall be protected from loss, destruction, falsification, unauthorized access, and unauthorized release in accordance with legislatory, regulatory, contractual, and business requirements.

Yes

To control the risk of loss, destriction and falsification of [organization name]al records. This is a legal compliance requirment.


Records shall be protected from loss, destruction, alteration and falsification through the use of access controls, cryptographic controls, and backup controls.

Yes 3

A.18.1.4 Privacy and protection of personally identifiable information

Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.

Yes

Selected to control risk of disclosure of personally identifiable information and limit impact of potential lawsuits


Dynaplan shall remain compliant with the General Data Protection Regulation, and other relevant laws and regulations on personal data. How personal data is specifically protected is defined in general data protection regulation.docx and Data in the Dynaplan cloud. Data protection impact assessment contains the relevant risk assessments for personally identifiable information.

Yes 3

A.18.1.5 Regulation of cryptographic controls Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations

Yes

Shall ensure the [organization name] not is in breach of agreements, laws and regulations related to its use of cryptography.



Some customer requirements regarding use of cryptographic controls. These are handled through the project process and the project security plan.

Yes 3

A.18.2 Information security reviews To ensure that information security is implemented and operated in accordance with the organizational policies and 2,33333333

A.18.2.1 Independent review ofinformation security The organization’s approach to managing information security and its implementation (e.g. control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.

Yes

Selected to ensure the effectiveness of selected controls. Also ensure continual improvement and improvements to our information security.


Procedures for internal audit has been defined in Dynaplan's Information Security Management System.

Dynaplan’s customers may audit Dynaplan’s information security management system.

GAP:‐ Perform planned audits (both internal and external audit)

Partially 2

Page 12 of 24


A.18.2.2 Compliance with security policies and standards Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards, and any other security requirements.

Yes

Shall contribute to ensure the effectiveness of selected controls in the organisation

Dynaplan Information security�

Date 13.01.2020 Approved by Magne Myrtveit...CLAUSE TITLE CONTROL APPLICABLE JUSTIFICATION...

Documents

Transcript of Date 13.01.2020 Approved by Magne Myrtveit...CLAUSE TITLE CONTROL APPLICABLE JUSTIFICATION...