Statement of Applicability Template
Ushus Technologies
Accel Transmatic Ltd Compiled by : CISO
IT Department ISMS Policies Procedures
P&P Number: UT-ISMS-A-5 Originator: CISO
Last Review: August 23, 2007 Pages: 4
Policy Title: Statement of Applicability

| Control Code # | Control Objective | Implemented | Evidence / Remarks |
| --- | --- | --- | --- |
| A.5 | Security policy | | |
| A.5.1 | Information security policy | | |
| A.5.1.1 | Information security policy document | Yes | UT-ISMS-A-2 ISMS Policy & Scope |
| A.5.1.2 | Review of the information security policy | Yes | UT-ISMS-A-2 ISMS Policy & Scope & SMC Meeting Notes |
| A.6 | Organization of information security | | |
| A.6.1 | Internal organization | | |
| A.6.1.1 | Management commitment to information security | Yes | UT-ISMS-A-2 ISMS Policy & Scope & UT-ISMS-B-1 Internal Information Security Organisation Policy |
| A.6.1.2 | Information security coordination | Yes | UT-ISMS-B-1 Internal Information Security Organisation Policy & UT-ISMS-B-4 Information Security Organisation Chart |
| A.6.1.3 | Allocation of information security responsibilities | Yes | UT-ISMS-B-1 Internal Information Security Organisation Policy |
| A.6.1.4 | Authorization process for information processing facilities | Yes | UT-ISMS-B-1 Internal Information Security Organisation Policy |
| A.6.1.5 | Confidentiality agreements | Yes | UT-ISMS-B-1 Internal Information Security Organisation Policy |
| A.6.1.6 | Contact with authorities | Yes | UT-ISMS-B-1 Internal Information Security Organisation Policy |
| A.6.1.7 | Contact with special interest groups | Yes | UT-ISMS-B-1 Internal Information Security Organisation Policy |
| A.6.1.8 | Independent review of information security | Yes | UT-ISMS-B-1 Internal Information Security Organisation Policy |
| A.6.2 | External parties | | |
| A.6.2.1 | Identification of risks related to external parties | Yes | UT-ISMS-B-2 External Information Security Organisation Policy |
| A.6.2.2 | Addressing security when dealing with customers | Yes | UT-ISMS-B-2 External Information Security Organisation Policy |
| A.6.2.3 | Addressing security in third party agreements | Yes | UT-ISMS-B-2 External Information Security Organisation Policy |
| A.7 | Asset management | | |
| A.7.1 | Responsibility for assets | | |
| A.7.1.1 | Inventory of assets | Yes | UT-ISMS-C-1 Asset Management Policy |
| A.7.1.2 | Ownership of assets | Yes | UT-ISMS-C-1 Asset Management Policy |
| A.7.1.3 | Acceptable use of assets | Yes | UT-ISMS-C-1 Asset Management Policy |
| A.7.2 | Information classification | | |
| A.7.2.1 | Classification guidelines | Yes | UT-ISMS-C-2 Information Classification Policy |
| A.7.2.2 | Information labelling and handling | Yes | UT-ISMS-C-2 Information Classification Policy |
| A.8 | Human resources security | | |
| A.8.1 | Prior to employment | | |
| A.8.1.1 | Roles and responsibilities | Yes | UT-ISMS-D-1 Human Resources Security Policy |
| A.8.1.2 | Screening | Yes | UT-ISMS-D-1 Human Resources Security Policy |
| A.8.1.3 | Terms and conditions of employment | Yes | UT-ISMS-D-1 Human Resources Security Policy |
| A.8.2 | During employment | | |
| A.8.2.2 | Information security awareness, education and training | Yes | UT-ISMS-D-1 Human Resources Security Policy |
| A.8.2.3 | Disciplinary process | Yes | UT-ISMS-D-1 Human Resources Security Policy |
| Control Code # | Control Objective | Implemented | Evidence / Remarks |
| --- | --- | --- | --- |
| A.8.3 | Termination or change of employment | | |
| A.8.3.1 | Termination responsibilities | Yes | UT-ISMS-D-2 Change of Employment Policy |
| A.8.3.2 | Return of assets | Yes | UT-ISMS-D-2 Change of Employment Policy |
| A.8.3.3 | Removal of access rights | Yes | UT-ISMS-D-2 Change of Employment Policy |
| A.9 | Physical and environmental security | | |
| A.9.1 | Secure areas | | |
| A.9.1.1 | Physical security perimeter | Yes | UT-ISMS-E-1 Secure Areas Policy |
| A.9.1.2 | Physical entry controls | Yes | UT-ISMS-E-1 Secure Areas Policy |
| A.9.1.3 | Securing offices, rooms and facilities | Yes | UT-ISMS-E-1 Secure Areas Policy |
| A.9.1.4 | Protecting against external and environmental threats | Yes | UT-ISMS-E-1 Secure Areas Policy |
| A.9.1.5 | Working in secure areas | Yes | UT-ISMS-E-1 Secure Areas Policy |
| A.9.1.6 | Public access, delivery and loading areas | Yes | UT-ISMS-E-1 Secure Areas Policy |
| A.9.2 | Equipment security | | |
| A.9.2.1 | Equipment siting and protection | Yes | UT-ISMS-E-2 Equipment Security Policy |
| A.9.2.2 | Supporting utilities | Yes | UT-ISMS-E-2 Equipment Security Policy |
| A.9.2.3 | Cabling security | Yes | UT-ISMS-E-2 Equipment Security Policy |
| A.9.2.4 | Equipment maintenance | Yes | UT-ISMS-E-2 Equipment Security Policy |
| A.9.2.5 | Security of equipment off-premises | Yes | UT-ISMS-E-2 Equipment Security Policy |
| A.9.2.6 | Secure disposal or re-use of equipment | Yes | UT-ISMS-E-2 Equipment Security Policy |
| A.9.2.7 | Removal of property | Yes | UT-ISMS-E-2 Equipment Security Policy |
| A.10 | Communications and operations management | | |
| A.10.1 | Operational procedures and responsibilities | | |
| A.10.1.1 | Documented operating procedures | Yes | UT-ISMS-F-1 Secure Operations Policy |
| A.10.1.2 | Change management | Yes | UT-ISMS-F-1 Secure Operations Policy |
| A.10.1.3 | Segregation of duties | Yes | UT-ISMS-F-1 Secure Operations Policy |
| A.10.1.4 | Separation of development, test and operational facilities | Yes | UT-ISMS-F-1 Secure Operations Policy |
| A.10.2 | Third party service delivery management | | |
| A.10.2.1 | Service delivery | Yes | UT-ISMS-F-2 Service Delivery Management Policy |
| A.10.2.2 | Monitoring and review of third party services | Yes | UT-ISMS-F-2 Service Delivery Management Policy |
| A.10.2.3 | Managing changes to third party services | Yes | UT-ISMS-F-2 Service Delivery Management Policy |
| A.10.3 | System planning and acceptance | | |
| A.10.3.1 | Capacity management | Yes | UT-ISMS-F-3 System Planning Policy |
| A.10.3.2 | System acceptance | Yes | UT-ISMS-F-3 System Planning Policy |
| A.10.4 | Protection against malicious and mobile code | | |
| A.10.4.1 | Controls against malicious code | Yes | UT-ISMS-F-4 Malicious & Mobile Code Prevention Policy; McAfee anti-virus ent edition |
| A.10.4.2 | Controls against mobile code | Yes | UT-ISMS-F-4 Malicious & Mobile Code Prevention Policy |
| Control Code # | Control Objective | Implemented | Evidence / Remarks |
| --- | --- | --- | --- |
| A.10.5 | Back-up | | |
| A.10.5.1 | Information back-up | Yes | UT-ISMS-F-5 Backup Policy |
| A.10.6 | Network security management | | |
| A.10.6.1 | Network controls | Yes | UT-ISMS-F-6 Network Security Policy |
| A.10.6.2 | Security of network services | Yes | UT-ISMS-F-6 Network Security Policy |
| A.10.7 | Media handling | | |
| A.10.7.1 | Management of removable media | Yes | UT-ISMS-F-7 Media Handling Policy |
| A.10.7.2 | Disposal of media | Yes | UT-ISMS-F-7 Media Handling Policy |
| A.10.7.3 | Information handling procedures | Yes | UT-ISMS-F-7 Media Handling Policy |
| A.10.7.4 | Security of system documentation | Yes | UT-ISMS-F-7 Media Handling Policy |
| A.10.8 | Exchange of information | | |
| A.10.8.1 | Information exchange policies and procedures | Yes | UT-ISMS-F-8 Information Exchange Policy |
| A.10.8.2 | Exchange agreements | Yes | UT-ISMS-F-8 Information Exchange Policy |
| A.10.8.3 | Physical media in transit | Yes | UT-ISMS-F-8 Information Exchange Policy |
| A.10.8.4 | Electronic messaging | Yes | UT-ISMS-F-8 Information Exchange Policy; encrypted email transmissions using PGP |
| A.10.8.5 | Business information systems | Yes | UT-ISMS-F-8 Information Exchange Policy |
| A.10.9 | Electronic commerce services | | |
| A.10.9.1 | Electronic commerce | Yes | UT-ISMS-F-9 Electronic Commerce Policy |
| A.10.9.2 | On-line transactions | Yes | UT-ISMS-F-9 Electronic Commerce Policy |
| A.10.9.3 | Publicly available information | Yes | UT-ISMS-F-9 Electronic Commerce Policy |
| A.10.10 | Monitoring | | |
| A.10.10.1 | Audit logging | Yes | UT-ISMS-F-10 Information Process Monitoring Policy |
| A.10.10.2 | Monitoring system use | Yes | UT-ISMS-F-10 Information Process Monitoring Policy |
| A.10.10.3 | Protection of log information | Yes | UT-ISMS-F-10 Information Process Monitoring Policy |
| A.10.10.4 | Administrator and operator logs | Yes | UT-ISMS-F-10 Information Process Monitoring Policy |
| A.10.10.5 | Fault logging | Yes | UT-ISMS-F-10 Information Process Monitoring Policy |
| A.10.10.6 | Clock synchronization | Yes | UT-ISMS-F-10 Information Process Monitoring Policy |
| A.11 | Access control | | |
| A.11.1 | Business requirement for access control | | |
| A.11.1.1 | Access control policy | Yes | UT-ISMS-G-1 Access Control Policy |
| A.11.2 | User access management | | |
| A.11.2.1 | User registration | Yes | UT-ISMS-G-2 User Access Management Policy |
| A.11.2.2 | Privilege management | Yes | UT-ISMS-G-2 User Access Management Policy |
| A.11.2.3 | User password management | Yes | UT-ISMS-G-2 User Access Management Policy |
| A.11.2.4 | Review of user access rights | Yes | UT-ISMS-G-2 User Access Management Policy |
| A.11.3 | User responsibilities | | |
| A.11.3.2 | Unattended user equipment | Yes | UT-ISMS-G-3 User Responsibility Policy |
| A.11.3.3 | Clear desk and clear screen policy | Yes | UT-ISMS-G-3 User Responsibility Policy |
| Control Code # | Control Objective | Implemented | Evidence / Remarks |
| --- | --- | --- | --- |
| A.11.4 | Network access control | | |
| A.11.4.1 | Policy on use of network services | Yes | UT-ISMS-G-4 Network Access Control Policy |
| A.11.4.2 | User authentication for external connections | Yes | UT-ISMS-G-4 Network Access Control Policy; Checkpoint VPN connectivity |
| A.11.4.3 | Equipment identification in networks | Yes | UT-ISMS-G-4 Network Access Control Policy |
| A.11.4.4 | Remote diagnostic and configuration port protection | Yes | UT-ISMS-G-4 Network Access Control Policy |
| A.11.4.5 | Segregation in networks | Yes | UT-ISMS-G-4 Network Access Control Policy |
| A.11.4.6 | Network connection control | Yes | UT-ISMS-G-4 Network Access Control Policy |
| A.11.4.7 | Network routing control | Yes | UT-ISMS-G-4 Network Access Control Policy |
| A.11.5 | Operating system access control | | |
| A.11.5.1 | Secure log-on procedures | Yes | UT-ISMS-G-5 Operating System Access Control Policy |
| A.11.5.2 | User identification and authentication | Yes | UT-ISMS-G-5 Operating System Access Control Policy |
| A.11.5.3 | Password management system | Yes | UT-ISMS-G-5 Operating System Access Control Policy |
| A.11.5.4 | Use of system utilities | Yes | UT-ISMS-G-5 Operating System Access Control Policy |
| A.11.5.5 | Session time-out | Yes | UT-ISMS-G-5 Operating System Access Control Policy |
| A.11.5.6 | Limitation of connection time | Yes | UT-ISMS-G-5 Operating System Access Control Policy |
| A.11.6 | Application and information access control | | |
| A.11.6.1 | Information access restriction | Yes | UT-ISMS-G-6 Application & Information Access Control Policy |
| A.11.6.2 | Sensitive system isolation | Yes | UT-ISMS-G-6 Application & Information Access Control Policy |
| A.11.7 | Mobile computing and teleworking | | |
| A.11.7.1 | Mobile computing and communications | Yes | UT-ISMS-G-7 Mobile Computing & Teleworking Policy |
| A.11.7.2 | Teleworking | No | This organization does not use teleworking for its employees |
| A.12 | Information systems acquisition, development and maintenance | | |
| A.12.1 | Security requirements of information systems | | |
| A.12.1.1 | Security requirements analysis and specification | Yes | UT-ISMS-H-1 Security Requirement Policy |
| A.12.2 | Correct processing in applications | | |
| A.12.2.1 | Input data validation | Yes | UT-ISMS-H-2 Information Validation Policy |
| A.12.2.2 | Control of internal processing | Yes | UT-ISMS-H-2 Information Validation Policy |
| A.12.2.3 | Message integrity | Yes | UT-ISMS-H-2 Information Validation Policy |
| A.12.2.4 | Output data validation | Yes | UT-ISMS-H-2 Information Validation Policy |
| A.12.3 | Cryptographic controls | | |
| A.12.3.1 | Policy on the use of cryptographic controls | Yes | UT-ISMS-H-3 Cryptographic Control Policy |
| A.12.3.2 | Key management | Yes | UT-ISMS-H-3 Cryptographic Control Policy |
| A.12.4 | Security of system files | | |
| A.12.4.1 | Control of operational software | Yes | UT-ISMS-G-5 Operating System Access Control Policy |
| A.12.4.2 | Protection of system test data | Yes | UT-ISMS-G-5 Operating System Access Control Policy |
| A.12.4.3 | Access control to program source code | Yes | UT-ISMS-G-5 Operating System Access Control Policy |
| A.12.4.4 | Control of internal processing | Yes | UT-ISMS-G-5 Operating System Access Control Policy |
| A.12.4.5 | Control of internal processing | Yes | UT-ISMS-G-5 Operating System Access Control Policy |
| Control Code # | Control Objective | Implemented | Evidence / Remarks |
| --- | --- | --- | --- |
| A.12.5 | Security in development and support processes | | |
| A.12.5.1 | Change control procedures | Yes | UT-ISMS-H-5 Development & Support Process Security Policy |
| A.12.5.2 | Technical review of applications after operating system changes | Yes | UT-ISMS-H-5 Development & Support Process Security Policy |
| A.12.5.3 | Restrictions on changes to software packages | Yes | UT-ISMS-H-5 Development & Support Process Security Policy |
| A.12.5.4 | Information leakage | Yes | UT-ISMS-H-5 Development & Support Process Security Policy |
| A.12.5.5 | Outsourced software development | No | There is no software development activity in this organization. The software development activity is not outsourced. |
| A.12.6 | Technical Vulnerability Management | | |
| A.12.6.1 | Control of technical vulnerabilities | Yes | UT-ISMS-H-6 Technical Vulnerability Management Policy |
| A.13 | Information security incident management | | |
| A.13.1 | Reporting information security events and weaknesses | | |
| A.13.1.1 | Reporting information security events | Yes | UT-ISMS-I-1 Information Security Reporting Policy |
| A.13.1.2 | Reporting security weaknesses | Yes | UT-ISMS-I-1 Information Security Reporting Policy |
| A.13.2 | Management of information security incidents and improvements | | |
| A.13.2.1 | Responsibilities and procedures | Yes | UT-ISMS-I-2 Information Security Management Policy, UT-ISMS-I-3 Helpdesk Policy & UT-ISMS-I-4 Incident Response Policy |
| A.13.2.2 | Learning from information security incidents | Yes | UT-ISMS-I-2 Information Security Management Policy, UT-ISMS-I-3 Helpdesk Policy & UT-ISMS-I-4 Incident Response Policy |
| A.13.2.3 | Collection of evidence | Yes | UT-ISMS-I-2 Information Security Management Policy, UT-ISMS-I-3 Helpdesk Policy & UT-ISMS-I-4 Incident Response Policy |
| A.14 | Business Continuity Management (BCM) | | |
| A.14.1 | Information security aspects of business continuity management | | |
| A.14.1.1 | Including information security in the BCM process | Yes | UT-ISMS-J-1 Business Continuity Management Policy |
| A.14.1.2 | Business continuity and risk assessment | Yes | UT-ISMS-J-1 Business Continuity Management Policy |
| A.14.1.3 | Developing & implementing continuity plans including IS | Yes | UT-ISMS-J-1 Business Continuity Management Policy |
| A.14.1.4 | Business continuity planning framework | Yes | UT-ISMS-J-1 Business Continuity Management Policy |
| A.14.1.5 | Testing, maintaining & reassessing BC Plans | Yes | UT-ISMS-J-1 Business Continuity Management Policy |
| A.15 | Compliance | | |
| A.15.1 | Compliance with legal requirements | | |
| A.15.1.1 | Identification of applicable legislation | Yes | UT-ISMS-K-1 Legal Compliance Policy |
| A.15.1.2 | Intellectual property rights (IPR) | Yes | UT-ISMS-K-1 Legal Compliance Policy |
| A.15.1.3 | Protection of organizational records | Yes | UT-ISMS-K-1 Legal Compliance Policy |
| A.15.1.4 | Data protection and privacy of personal information | Yes | UT-ISMS-K-1 Legal Compliance Policy |
| A.15.1.5 | Prevention of misuse of information processing facilities | Yes | UT-ISMS-K-1 Legal Compliance Policy |
| A.15.1.6 | Regulation of cryptographic controls | Yes | UT-ISMS-K-1 Legal Compliance Policy |
| A.15.2 | Compliance with security policies and standards, and technical compliance | | |
| A.15.2.1 | Compliance with security policies and standards | Yes | UT-ISMS-K-2 Technical Compliance Policy |
| A.15.2.2 | Technical compliance checking | Yes | UT-ISMS-K-2 Technical Compliance Policy |
| A.15.3 | Information systems audit considerations | | |
| A.15.3.1 | Information systems audit controls | Yes | UT-ISMS-K-3 Information Security Audit Policy |
| A.15.3.2 | Protection of information systems audit tools | Yes | UT-ISMS-K-3 Information Security Audit Policy |