STANDARD FORMS AND REGISTERS
SFR XXX
Issue: 01   Date: Month/Year

ISO 27001:2013 Statement of Applicability

Key for Justification for Inclusion*: LR = Legal Requirement; CR = Contractual Requirement; BR = Business Requirement; BP = Best Practice; RA = Following Risk Assessment

Register columns: Clause | Sec | ISO 27001:2013 Controls (Control Objective/Control) | Reference(s) | Control Statements | Remarks (Justification for inclusion*/exclusion). No entries appear in the Remarks column in this extract, so each control below is set out as Control, Reference(s) and Control statement.

5. Information Security Policies

5.1  Management direction for information security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

5.1.1  Policies for information security
Control: A set of policies for information security shall be defined by management, published and communicated to all employees and relevant external parties.
Reference(s): Information Security Policy Document.
Control statement: Business leaders to ensure information security policies are available and approved by management. The policies to state that all users, whether privileged or not, must adhere to the security policies of the system. The business to ensure the provisions of the information security policies meet contractual requirements relating to the operation and maintenance of the system, where this is appropriate. A range of lower-level policies should be considered to define: access control; information classification and handling; physical and environmental security; end user responsibilities; backup; information transfer; protection from malware; vulnerability management; cryptographic controls; communications security; protection of PII; and supplier relationships.

5.1.2  Review of the policies for information security
Control: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
Reference(s): Periodic audit and validation. Planned reviews.
Control statement: The review should include opportunities for improvement in response to changes in the organization's environment, business circumstances, legal conditions or technical environment.

6. Organization of Information Security

6.1  Internal organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

6.1.1  Information security roles and responsibilities
Control: All information security responsibilities shall be defined and allocated.
Reference(s): Job descriptions. Audit and validation checks.
Control statement: Job descriptions to define roles and responsibilities of key security appointments.

Page 1 of 27

6.1.2  Segregation of duties
Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
Reference(s): Job Descriptions. Audit and validation checks.
Control statement: Internal controls required to prevent errors and malpractice in processing and to act as a "double signature" for key security activities, e.g. administrators allocating accounts are not to define the access rights of account holders, nor should the administrator confirm compliance of account holders' privileges. Small organizations will find this difficult to achieve, but the principle should be applied as far as practicable.

6.1.3  Contact with authorities
Control: Appropriate contacts with relevant authorities shall be maintained.
Reference(s): Job Descriptions.
Control statement: Organizations should have in place details on who and when to contact authorities (e.g. law enforcement, regulatory bodies and supervisory authorities) to report information security incidents in a timely manner. Additional contact with other emergency services, utilities and telecoms providers might also assist in business continuity support activities.

6.1.4  Contact with special interest groups
Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
Reference(s): Job Descriptions.
Control statement: Maintaining awareness of the latest threats that could impact on the security of the service is recommended. This includes contact with specialist groups and professional organisations. Social media, webinars, newsletters and mail shots are typical methods of maintaining awareness.

6.1.5  Information security in project management
Control: Information security shall be addressed in project management, regardless of the type of project.
Reference(s): Information Security Policy Document. Job Descriptions.
Control statement: Information security considerations, including risk assessment and security objectives, to be included in all new project activities. In larger organizations, project managers to include a security team member at the onset of each project. Security sign-off to be provided prior to each stage of development, testing and deployment.

6.2  Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile services.

6.2.1  Mobile device policy
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
Reference(s): Information Security Policy Document.
Control statement: Mobile devices to be subject to risk assessment. Appropriate security measures to be applied to protect the asset from theft or loss, to prevent compromise of company stored information and to prevent access to company networks. Policy also to include: registration; physical security; limitations on software installation; software versions and patching; connection restrictions; access controls; cryptographic techniques; malware; use in public places; backups; separation of use from private and business activities.

6.2.2  Teleworking
Control: A policy and supporting measures shall be implemented to protect information accessed, processed or stored at teleworking sites.
Reference(s): Information Security Policy Document.
Control statement: Teleworking sites, including external/subordinate locations and homes, to be subject to risk assessment. Appropriate security measures to be applied to ensure protection of the organization's information and assets. Such measures include: physical security controls; protection from unauthorised use; malware and firewall protection; insurance; backups; business continuity.

7. Human Resource Security

7.1  Prior to employment
Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

7.1.1  Screening
Control: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Reference(s): Information Security Policy Document.
Control statement: All staff working for or on behalf of the business to be screened, i.e. a pre-employment check, as part of the employment process. Typical requirements include: identity confirmation; employment history; character references; CV verification; confirmation of academic and professional qualifications; nationality and immigration status. Details of any unspent criminal convictions may also be required depending on the nature of the role. See also BS7858.

7.1.2  Terms and conditions of employment
Control: The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security.
Reference(s): NDAs and AUPs. Information Security Policy Document. Employment Contracts. Job Descriptions.
Control statement: Management to consider the use of a Non-Disclosure Agreement (NDA) process, where relevant. Likewise, those working for or on behalf of the business to sign the Acceptable Use Policy (AUP). All employees to be briefed on assignment of their individual responsibilities and on the action to be taken should these be disregarded. To be included as an element of employee induction. In addition, employees to be advised of legal responsibilities, particularly for data protection legislation and copyright laws. Where relevant, employees and contractors to be debriefed on departure regarding their ongoing legal and contractual responsibilities. (See also 7.2.1 below.)

7.2  During employment
Objective: To ensure that employees and contractors are aware of their information security responsibilities.

7.2.1  Management responsibilities
Control: Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organisation.
Reference(s): Information Security Policy Document. Employment contracts. AUP. Job Descriptions.
Control statement: Management to detail employee and contractor responsibilities within contracts, the AUP and job descriptions. Each new contract of employment to detail the responsibilities of individual employees. All users of the system are required to sign the Acceptable Use Policy (AUP) before being granted access. The AUP to list forbidden practices and to emphasise that every user has a role to play in maintaining security of the system. Job descriptions to identify information security responsibilities, where relevant.

7.2.2  Information security awareness, education and training
Control: All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
Reference(s): Information Security Policy Document. Employment contracts. AUP. Job Descriptions.
Control statement: Induction process to detail responsibilities defined in the employment contract. Employee to sign the AUP. Where relevant, information security responsibilities to be identified within the employee job description. Planned awareness updates to be coordinated.

7.2.3  Disciplinary process
Control: There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
Reference(s): Information Security Policy Document. Disciplinary policy.
Control statement: The normal business disciplinary process to apply.

7.3  Termination and change of employment
Objective: To protect the organization's interests as part of the process of changing or terminating employment.

7.3.1  Termination or change of employment responsibilities
Control: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.
Reference(s): Information Security Policy Document.
Control statement: On termination of employment, arrangements to be made to revoke all computer, network, data and site accesses. Remote access must also be removed. On change of employment, a review of access rights and privileges to be carried out and any changes recorded. A compliance check on both activities to be verified and a record maintained.

8. Asset Management

8.1  Responsibility for assets
Objective: To identify organizational assets and define appropriate protection responsibilities.

8.1.1  Inventory of assets
Control: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
Reference(s): Asset register. Information Security Policy Document.
Control statement: Asset register to be maintained and controlled by an assigned employee. The register to be kept up to date and accurate. The register to be subject to audit at planned intervals.

8.1.2  Ownership of assets
Control: Assets maintained in the inventory shall be owned.
Reference(s): Asset register. Information Security Policy Document.
Control statement: Owners to ensure assets are inventoried and appropriately classified, and to ensure correct handling when the asset is deleted or destroyed. Assigned 'owners' to be listed in the asset register. (Note: the term 'owner' identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets. The term 'owner' does not mean that the person actually has property rights over the asset.)

8.1.3  Acceptable use of assets
Control: Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.
Reference(s): AUPs.
Control statement: All users of the system to sign the AUP.

8.1.4  Return of assets
Control: All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.
Reference(s): Leavers process. Information Security Policy Document.
Control statement: Managers, along with the HR team, to be responsible for the return of assets. The termination process should ensure the return of all previously issued physical and electronic assets owned by or entrusted to the organization.

8.2  Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

8.2.1  Classification of information
Control: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
Reference(s): Information Security Policy Document.
Control statement: Information classification scheme to be implemented. Appropriate categories of information to be created to help prevent accidental or unauthorised disclosure. Classifications should take account of business needs for sharing or restricting access, as well as any legal requirements.

8.2.2  Labelling of information
Control: An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Reference(s): Information Security Policy Document.
Control statement: Labelling policy to be developed to ensure information is suitably marked. Classification labels to be applied based upon the degree of harm that could be caused if compromised. Awareness of the scheme by all employees and contractors is essential for the protection of the organization and customer information.

8.2.3  Handling of assets
Control: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Reference(s): Information Security Policy Document.
Control statement: Policy to include advice to employees on the use, storage, transfer, destruction, backup and sharing of sensitive information and assets.

8.3  Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored in media.

8.3.1  Management of removable media
Control: Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.
Reference(s): Information Security Policy Document.
Control statement: A record to be maintained of all items of removable media. The register to record the type, classification label, owner and location. Approval for offsite use to be authorised. Each item of removable media to be stored under lock and key when not in use. Where confidentiality or integrity are important, encryption to be considered. When no longer required, the contents of any re-usable media to be rendered unrecoverable.

8.3.2  Disposal of media
Control: Media shall be disposed of securely when no longer required, using formal procedures.
Reference(s): Information Security Policy Document.
Control statement: All media is either destroyed or overwritten to prevent access to the information. Disposal events to be recorded. Where third parties are engaged to support disposal, a certificate of destruction to be provided.

8.3.3  Physical media transfer
Control: Media containing information shall be protected against unauthorised access, misuse or corruption during transportation.
Reference(s): Information Security Policy Document.
Control statement: Physical transfers of media to be carried out using an assured method. Typical examples include an approved courier, e.g. an organization employee, or a provider that uses barcoding and web tracking facilities. Encryption also to be considered to protect the confidentiality and integrity of the data, where it is required.

9. Access Control

9.1  Business requirements of access control
Objective: To limit access to information and information processing facilities.

9.1.1  Access control policy
Control: An access control policy shall be established, documented and reviewed based on business and information security requirements.
Reference(s): Information Security Policy Document.
Control statement: Access control policies to define access levels of system users based upon business function, role, business need and least privilege. The access control policy to establish password and logon criteria. Both physical and logical access controls to be defined. Periodic review of access rights and removal of unnecessary accesses to be carried out at planned intervals.

9.1.2  Access to networks and network services
Control: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.
Reference(s): Information Security Policy Document.
Control statement: Access to systems and services only by those with a demonstrated need specific to their role and authorization. Access must only be by pre-approved people with a business need.

9.2  User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

9.2.1  User registration and deregistration
Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
Reference(s): Information Security Policy Document.
Control statement: A record is to be maintained of all system users. Unique user IDs to be allocated to enable users to be linked to and held responsible for their actions. Access rights are to be recorded based on least privilege. Reviews to take place at planned intervals.

9.2.2  User access provisioning
Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.
Reference(s): Information Security Policy Document.
Control statement: A central record of access rights granted to users should be maintained. A review of authorized user access rights to be carried out at planned intervals.

9.2.3  Management of privileged access rights
Control: The allocation and use of privileged access rights shall be restricted and controlled.
Reference(s): Information Security Policy Document.
Control statement: Where relevant, the allocation of privilege rights (e.g. local administrator, domain administrator, super-user, root access) shall be limited to the minimum possible consistent with role and business need, to allow the efficient and effective performance of holders' responsibilities. Privilege rights to customer devices to be similarly controlled based on role and business need.

9.2.4  Management of secret authentication information of users
Control: The allocation of secret authentication information shall be controlled through a formal management process.
Reference(s): Information Security Policy Document.
Control statement: Passwords are a commonly used type of secret authentication information and are a common means of identifying a user identity. Users to be notified to keep secret authentication information confidential. Other types of "secret authentication information" often relate to cryptographic keys, such as those provided by Public Key Infrastructure (PKI) for network security (sometimes referred to as 'public key cryptography') and Pretty Good Privacy (PGP) for email, both of which use public and private (secret) keys to verify the identity of the entity or user. Data stored on hardware tokens, such as smart cards, that provide authentication codes are also included.

9.2.5  Review of user access rights
Control: Asset owners shall review users' access rights at regular intervals.
Reference(s): Information Security Policy Document.
Control statement: Access control mechanisms to be used to manage user access rights, privileged access, transfer of role and management of accounts. This determines what users can do.

9.2.6  Removal or adjustment of access rights
Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
Reference(s): Information Security Policy Document.
Control statement: On termination of employment, arrangements to be made to remove all access rights from information processing facilities. Remote access rights must also be removed. On change of employment within the business, a review of access rights and privileges to be carried out and any changes implemented. A compliance check on both activities to be verified and a record maintained. Managers are responsible for tracking the access rights and arranging removal of those rights on loss of business need. See also 7.3.1 above.
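Worked example for 7.3.1 and 9.2.6 (added here; not part of this register or of any policy document it references): a Python check that reconciles the accounts held on each system against the HR register and returns the removal and review actions a manager must arrange, together with the record of the check. The HR register, the account export and their field names (user_id, status, role, leave_date, remote_access) are constructed assumptions; a real run would read them from the HR system and from each system's own account export.

```python
"""Reconcile provisioned accounts against the HR register (7.3.1 / 9.2.6).

Added example; not part of the Statement of Applicability. Every account on
every system is compared with the HR register: leavers and holders with no HR
record get a 'remove' action, movers whose HR role differs from the role the
access was provisioned for get a 'review' action, and a summary is returned as
the record that the check took place. All data below is a constructed sample.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    status: str                      # "active" or "left"  (assumed field)
    role: str                        # current role held in HR
    leave_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    role: str                        # role the access was provisioned for
    remote_access: bool              # VPN or other remote entitlement (assumed field)


@dataclass(frozen=True)
class Finding:
    user_id: str
    system: str
    action: str                      # "remove" or "review"
    reason: str


# Constructed sample HR register.
HR_REGISTER: Dict[str, HrRecord] = {
    "alice": HrRecord("alice", "active", "finance-clerk"),
    "bob":   HrRecord("bob", "left", "sysadmin", leave_date=date(2024, 3, 1)),
    "carol": HrRecord("carol", "active", "support"),        # moved from developer
}

# Constructed sample account export from three systems.
ACCOUNTS: List[Account] = [
    Account("alice", "erp", "finance-clerk", remote_access=False),
    Account("bob",   "erp", "sysadmin",      remote_access=True),
    Account("bob",   "vpn", "sysadmin",      remote_access=True),
    Account("carol", "git", "developer",     remote_access=True),
    Account("dave",  "erp", "analyst",       remote_access=False),   # no HR record
]


def reconcile(hr: Dict[str, HrRecord], accounts: List[Account], as_of: date) -> List[Finding]:
    """Return one action per account that fails the leaver/mover check."""
    findings: List[Finding] = []
    for acct in accounts:
        rec = hr.get(acct.user_id)
        if rec is None:
            # No HR record means no demonstrable business need for the account.
            findings.append(Finding(acct.user_id, acct.system, "remove",
                                    "no HR record for account holder"))
        elif rec.status == "left" and (rec.leave_date is None or rec.leave_date <= as_of):
            # Leaver: all access, remote access included, is to be removed.
            when = rec.leave_date.isoformat() if rec.leave_date else "date unknown"
            findings.append(Finding(acct.user_id, acct.system, "remove",
                                    f"employment ended ({when})"))
        elif rec.role != acct.role:
            # Mover: rights provisioned for the old role need review, not blind removal.
            findings.append(Finding(acct.user_id, acct.system, "review",
                                    f"role changed from {acct.role} to {rec.role}"))
    return findings


def compliance_record(findings: List[Finding], accounts: List[Account], as_of: date) -> dict:
    """Summary retained as the record that the compliance check was carried out."""
    remote = {(a.user_id, a.system) for a in accounts if a.remote_access}
    return {
        "checked_on": as_of.isoformat(),
        "accounts_checked": len(accounts),
        "remove": sum(1 for f in findings if f.action == "remove"),
        "review": sum(1 for f in findings if f.action == "review"),
        "remote_access_to_remove": sum(1 for f in findings
                                       if f.action == "remove" and (f.user_id, f.system) in remote),
    }


def run(as_of_iso: str):
    """Run the check for a given date (ISO format) over the sample data."""
    as_of = date.fromisoformat(as_of_iso)
    found = reconcile(HR_REGISTER, ACCOUNTS, as_of)
    return found, compliance_record(found, ACCOUNTS, as_of)


if __name__ == "__main__":
    found, record = run("2024-04-01")
    for f in found:
        print(f"{f.action:6} {f.user_id}@{f.system}: {f.reason}")
    print(record)
```

Run as a script it lists bob's ERP and VPN accounts and dave's ERP account for removal and carol's git account for review. The leave date is compared with the check date so that a leaver whose notice period has not yet ended is not removed early, and the summary counts the remote entitlements separately because both entries call them out.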

9.3  User responsibilities
Objective: To make users accountable for safeguarding their authentication information.

9.3.1  Use of secret authentication information
Control: Users shall be required to follow the organization's practices in the use of secret authentication information.
Reference(s): Information Security Policy Document.
Control statement: Awareness training to be provided on keeping secret authentication information confidential to ensure it is not divulged to any other parties. Avoid keeping a record on paper, in a software file or on a hand-held device unless it can be stored securely. When passwords are used as secret authentication information they should be: easy to remember; not easily guessable by a third party; not subject to a dictionary attack; made up of both alphabetic and numeric characters; not shared; stored securely; and changed at agreed intervals. Where private (secret) keys are in use, they are to be kept confidential at all times and known only to authorised users.

9.4  System and application access control
Objective: To prevent unauthorized access to systems and applications.

9.4.1  Information access restriction
Control: Access to information and application system functions by users shall be restricted in accordance with the access control policy.
Reference(s): Information Security Policy Document.
Control statement: User access to be based on role and business need.

9.4.2  Secure log-on procedures
Control: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.
Reference(s): Information Security Policy Document.
Control statement: Passwords are a common way to provide identification and authentication. Where relevant, logon procedures are to comprise user name and password, where passwords do not appear in plain text.

9.4.3  Password management system
Control: Password management systems shall be interactive and shall ensure quality passwords.
Reference(s): Information Security Policy Document.
Control statement: System to enforce the use of individual user IDs and passwords. Password length to be stated and the format defined. Typical format includes a mixture of lower case, upper case and numeric characters. A non-alphabetic/numeric character is also recommended. Passwords not to be displayed on screen when entered. Password history to prevent repeat usage to be defined, where the system allows. Changes to passwords to occur at agreed planned intervals.
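Worked example for 9.3.1 and 9.4.3 (added here; not part of this register): a Python password-quality check applying the rules listed in those two entries, with a per-user history kept as salted PBKDF2 digests so that previous passwords are never held in clear. The minimum length, history depth, KDF work factor and word list are assumed values, and treating a password that contains the user ID as "easily guessable" is an assumption of this example. Masking the password on screen when it is entered (9.4.3) belongs to the prompt and is outside this check.

```python
"""Password quality and history check (9.3.1 / 9.4.3).

Added example; not part of the Statement of Applicability. Rules applied:
stated minimum length; lower-case, upper-case and numeric characters required;
a non-alphanumeric character recommended (warning only); not easily guessable
(assumed here to mean: must not contain the user ID); not a dictionary word;
and not one of the user's last HISTORY_DEPTH passwords. History entries are
salted PBKDF2 digests, so reuse can be detected without storing old passwords.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Tuple

MIN_LENGTH = 12            # assumed; the policy must state the length (9.4.3)
HISTORY_DEPTH = 5          # assumed; history kept "where the system allows" (9.4.3)
KDF_ITERATIONS = 100_000   # assumed work factor for the history digests

# Constructed stand-in for a real dictionary-attack word list (9.3.1).
DICTIONARY = {"password", "welcome", "letmein", "company", "summer", "qwerty"}


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


@dataclass
class PasswordHistory:
    """The last HISTORY_DEPTH passwords of one user, as (salt, digest) pairs."""
    entries: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def remember(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _digest(password, salt)))
        del self.entries[:-HISTORY_DEPTH]          # keep only the most recent window

    def seen(self, password: str) -> bool:
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self.entries)


def check_password(candidate: str, user_id: str, history: PasswordHistory) -> Tuple[bool, List[str]]:
    """Return (accepted, findings). 'FAIL' findings reject the password; 'WARN' only advise."""
    findings: List[str] = []
    if len(candidate) < MIN_LENGTH:
        findings.append(f"FAIL: shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", candidate):
        findings.append("FAIL: no lower-case character")
    if not re.search(r"[A-Z]", candidate):
        findings.append("FAIL: no upper-case character")
    if not re.search(r"[0-9]", candidate):
        findings.append("FAIL: no numeric character")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        findings.append("WARN: no non-alphanumeric character (recommended)")
    if user_id.lower() in candidate.lower():
        findings.append("FAIL: contains the user ID")
    # Dictionary check on the alphabetic core, so "Summer2024!!" is still caught.
    core = re.sub(r"[^a-z]", "", candidate.lower())
    if core in DICTIONARY:
        findings.append("FAIL: based on a dictionary word")
    if history.seen(candidate):
        findings.append(f"FAIL: reused within the last {HISTORY_DEPTH} passwords")
    accepted = not any(f.startswith("FAIL") for f in findings)
    return accepted, findings


def change_password(candidate: str, user_id: str, history: PasswordHistory) -> bool:
    """Accept the change only if the candidate passes, then record it in the history."""
    accepted, _ = check_password(candidate, user_id, history)
    if accepted:
        history.remember(candidate)
    return accepted


if __name__ == "__main__":
    hist = PasswordHistory()
    print(change_password("Correct-Horse-42", "alice", hist))   # accepted and remembered
    print(check_password("Correct-Horse-42", "alice", hist))    # rejected: reuse
    print(check_password("Summer2024!!", "alice", hist))        # rejected: dictionary word
```

Each history entry carries its own salt, so comparing a candidate against the history costs one KDF computation per stored entry; with a depth of five that is acceptable at change time, and no old password is recoverable from the stored digests.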

9.4.4  Use of privileged utility programs
Control: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
Reference(s): Information Security Policy Document.
Control statement: Where utility programs can override system and application controls, the following controls should be considered: apply identification, authentication and authorization to utility programs; segregate utility programs from application software; log all use of utility programs; restrict use of utility programs by users. All equipment to be hardened to remove unnecessary services and accounts prior to deployment. Once deployed, equipment should be locked to prevent any unauthorized changes.

9.4.5  Access control to program source code
Control: Access to program source code shall be restricted.
Reference(s): Information Security Policy Document.
Control statement: Where relevant, source code is to be stored separately from operational systems. Source code in this context also includes design documents, functional specifications and other System Development Life Cycle (SDLC) related documents. In most development environments, source code is managed using a configuration management (CM) tool. It is good practice to use a centralised CM tool with strict access control processes implemented. Code check-in and check-out should go through a formal authorisation process. Audit logs to be maintained for code access. Production systems must not contain any program source libraries.

10. Cryptography

10.1  Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

10.1.1  Policy on the use of cryptographic controls
Control: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
Reference(s): Information Security Policy Document.
Control statement: Use of encryption techniques to be risk based with appropriate policy controls defined. Details to cover confidentiality, integrity and authenticity, non-repudiation, authentication and digital certificates, where necessary. Roles and responsibilities for the management of keys to be identified.

10.1.2  Key management
Control: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.
Reference(s): Information Security Policy Document.
Control statement: All cryptographic keys to be protected against loss or modification. Secret and private keys need to be protected against disclosure or unauthorised use. Where used, key generators are to be physically protected. Key management to be defined. Life cycle management, replacement keys and updating signatures to be included. Details of destruction and degaussing will also be required.

11. Physical and Environmental Security

11.1  Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.

11.1.1  Physical security perimeter
Control: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.
Reference(s): Information Security Policy Document.
Control statement: A physical security perimeter to be enforced to provide a secure area for the storage and processing of information and system components. A layered or 'defence in depth' approach is recommended. Suitable intruder detection systems should be installed, where necessary.

11.1.2  Physical entry controls
Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
Reference(s): Information Security Policy Document.
Control statement: Physical controls to be enforced such that only authorised people with a business need are granted unescorted physical access to operational areas and system components. Only authorized staff to escort visitors to "secure" system areas.

11.1.3  Securing offices, rooms and facilities
Control: Physical security for offices, rooms and facilities shall be designed and applied.
Reference(s): Information Security Policy Document.
Control statement: Measures to control access to offices, rooms and facilities to be planned and implemented. Key facilities to be sited to prevent access by the public. In general, access should be based on role and business need in all instances. Where applicable, security controls to be considered at the onset of any new build.

11.1.4  Protecting against external and environmental threats
Control: Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
Reference(s): Information Security Policy Document.
Control statement: The risk assessment to consider the likelihood of a natural disaster, accident or malicious attack on the environment. The resulting output to be used to implement measures to reduce any impact on loss of service and to support Business Continuity or Disaster Recovery planning.

11.1.5  Working in secure areas
Control: Procedures for working in secure areas shall be designed and applied.
Reference(s): Information Security Policy Document.
Control statement: Measures to control access to secure environments shall be planned and implemented. Access to be based on role and business need in all instances. Unless operationally necessary, photographic, video, audio or other recording devices, such as cameras in mobile devices, should not be permitted in secure areas. Unsupervised working in secure areas should also be avoided.

000000Page 10 of 27
STANDARD FORMS AND REGISTERS
000000 SFR XXX
Issue: 01 Date:FF0000 Month/Year 000000

ISO 27001:2013 Statement of Applicability

Key for Justification for Inclusion* LR = Legal Requirement CR = Contractual Requirement BR = Business Requirement BP = Best Practice RA = Following Risk Assessment

Remarks
(Justification for
ISO 27001:2013 Controls Reference(s) Control Statements
inclusion* /
exclusion)

Clause Sec Control Objective/Control


Delivery and loading areas. Control. Where relevant, delivery and loading areas to be isolated to prevent any unauthorised access to key
Access points such as delivery and loading facilities. All deliveries are to be validated before offloading. An integrity examination of deliveries must
areas and other points where unauthorized also take place before being brought into secure areas.
persons could enter the premises shall be
controlled and, if possible, isolated from Information Security
11.1.6 information processing facilities to avoid Policy Document
unauthorized access.

Equipment. Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.
11.2

Equipment siting and protection. The environmental risk assessment output to be used to assist with risk reduction to loss of service and
Control. Equipment shall be sited and to prevent unauthorized access. All system equipment to be secured prior to an evacuation provided it
protected to reduce the risks from Information Security is safe to do so and without increasing the risk to personnel safety.
11.2.1
environmental threats and hazards, and Policy Document
opportunities for unauthorized access.

Supporting utilities. Control. Equipment The facilities that host the service equipment to be protected against variations and suspensions in the
shall be protected from power failures and electrical power supply and to remain adequately protected to provide continuous power in the event of
other disruptions caused by failures in Information Security failure of the external supply. It is recommended that testing on the supply of utilities be carried out at
11.2.2 supporting utilities. planned intervals and a record of these checks kept. Much may depend on the criticality of the service
Policy Document
11. Physical and to customers and the need for any backup power supply. Other services such as telecoms, gas,
Environmental sewage, water supply, ventilation and air conditioning are also to be considered.
Security
Cabling security. Control. Power and The facilities that host critical and secure platforms and support services to have security measures
telecommunications cabling carrying data implemented to protect against accidental damage or deliberate attack. Cabling to be clearly
or supporting information services shall be identifiable within the facility so that it can readily be examined. It is recommended that power lines
protected from interception, interference or Information Security within the building are either installed underneath the floor or the ceiling void within managed trunking
11.2.3
damage. Policy Document and separated from network cabling. Network cabling to be located underneath the floor and all dry
risers kept locked. Access to all computer and patch rooms to be controlled using appropriate security
measures.

000000Page 11 of 27
STANDARD FORMS AND REGISTERS
000000 SFR XXX
Issue: 01 Date:FF0000 Month/Year 000000

ISO 27001:2013 Statement of Applicability

11. for
Key Physical and for Inclusion*
Justification LR = Legal Requirement CR = Contractual Requirement BR = Business Requirement BP = Best Practice RA = Following Risk Assessment
Environmental
Security

Remarks
(Justification for
ISO 27001:2013 Controls Reference(s) Control Statements
inclusion* /
exclusion)

Clause Sec Control Objective/Control


Equipment maintenance. Control. Details of the maintenance schedule to be recorded and carried out in accordance with the
Equipment shall be correctly maintained to manufacturer's recommendations. All software and hardware maintenance engineers carrying out work
ensure its continued availability and on any system are to be individually identified. A record to be maintained of all work conducted by
integrity. software and hardware maintenance engineers on systems. Records to be kept of suspected or actual
Information Security faults, and all preventive and corrective or maintenance activities.
11.2.4
Policy Document

Removal of assets. Control. Equipment, Procedure to be in place to ensure equipment, information or software is only removed with approval
information or software shall not be taken from the security manager, or other assigned individual. Controls include: 1. Limitations on
off-site without prior authorization. Information Security types/amounts of software, information or equipment that may be removed from-site; 2. Providing a
11.2.5
Policy Document record or inventory of all items; 3. Authorized persons are aware of security risks associated with off-site
environments and have received training in appropriate controls and counter-measures.

Security of equipment and assets off- Appropriate security measures to be implement for the protection of off-site equipment, taking into
premises. Control. Security shall be account the many risks of working outside the organization's premises. Controls include: 1.
applied to off-site assets taking into account Authorization for any off-site processing of organizational information; 2. Security measures for
the different risks of working outside the equipment in transit; 3. Security measures in off-site premises - to be appropriate to the setting and the
organization's premises. Information Security sensitivity of the information on or accessible by the device; 4. Adequate insurance coverage, where
11.2.6
Policy Document third-party insurance is cost-effective; 5. Employee and contractor responsibilities and awareness for
protecting information and the devices, and of the particular risks of off-site environments.

Secure disposal or re-use of equipment. Equipment containing storage media to be checked to ensure that sensitive data and licensed software
Control. All items of equipment containing has been removed or securely overwritten prior to disposal. Controls include: 1. Accepted methods for
storage media shall be verified to ensure secure information overwrite or removal; 2. Secure information overwritten or removal by appropriately
that any sensitive data and licensed Information Security trained personnel. 3. Verification of secure information removal by approved provider - a certificate of
11.2.7 software has been removed or securely approval to be provided.
Policy Document
overwritten prior to disposal or re-use.

000000Page 12 of 27
STANDARD FORMS AND REGISTERS
000000 SFR XXX
Issue: 01 Date:FF0000 Month/Year 000000

ISO 27001:2013 Statement of Applicability

Key for Justification for Inclusion* LR = Legal Requirement CR = Contractual Requirement BR = Business Requirement BP = Best Practice RA = Following Risk Assessment

Remarks
(Justification for
ISO 27001:2013 Controls Reference(s) Control Statements
inclusion* /
exclusion)

Clause Sec Control Objective/Control


Unattended user equipment. Control. Users should be advised to: terminate secure sessions unless the end point can be protected by
Users shall ensure that unattended suitable locking mechanism such as a screen saver; log off from applications when access is no longer
equipment has appropriate protection. Information Security required; secure end points from unauthorised use by applying a key lock such as a password.
11.2.8
Policy Document Measures should also be implemented to protect unattended equipment from loss, damage or theft. All
reasonable steps to be taken to prevent the unauthorised removal of systems or system components
from facilities.
Clear Desk and Clear Screen Policy. The AUP is to mandate a clear screen and a clear desk policy. End points should be logged off or
Control. A clear desk policy for papers and protected by a screen saver or keyboard locking mechanism. For particularly sensitive information, such
removable storage media and a clear Information Security as cryptographic material and classified documents, security cabinets are to be provided. Rooms where
11.2.9
screen policy for information processing Policy Document sensitive information is used are to be secured and access by staff is to be controlled.
facilities shall be adopted.

12. Operations Security

12.1 Operational procedures and responsibilities. Objective: To ensure correct and secure operations of information processing facilities.

12.1.1 Documented operating procedures. Control. Operating procedures shall be documented and made available to all users who need them.
Reference(s): Information Security Policy Document
Control Statement: Documented procedures should be prepared for operational activities associated with processing and communication facilities, such as start up and close down, backup, maintenance, mail handling, computer room and safety. Extracts from the Information Security Policy Document should satisfy this requirement and be made available to users. These should be posted in any freely accessible location.

12.1.2 Change management. Control. Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.
Reference(s): Information Security Policy Document
Control Statement: The organization's change management process must ensure that all changes are appropriately assessed, planned and tested, and agreed by management. In addition, the following areas should be considered: identification and recording of significant changes; fallback procedure, including aborting and recovering from unsuccessful changes; verification that security requirements have been met; notification of change to users and customers in advance.

12.1.3 Capacity management. Control. The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.
Reference(s): Information Security Policy Document
Control Statement: Capacity Management of systems to be undertaken in accordance with contractual agreements and business need. Capacity management of the organization's support systems is to be undertaken as a planned activity by the individual(s) responsible for the device(s).

12.1.4 Separation of development, testing and operational environments. Control. Development, testing and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.
Reference(s): Information Security Policy Document
Control Statement: A level of separation between operational, testing and development environments is required to prevent potential problems with the operational systems. Changes to operational systems should be carried out on a test or staging environment prior to being placed on the live system. To prevent incorrect operation, logon procedures for development, test and production are to be discrete and secured. Development and test personnel are to receive restricted access credentials to fulfil their tasks. Alternatively, temporary limited access credentials are to be provided for the production environment.

12.2 Protection from malware. Objective: To ensure that information and information processing facilities are protected against malware.

12.2.1 Controls against malware. Control. Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
Reference(s): Information Security Policy Document
Control Statement: Controls against malware include perimeter barriers that permit only business-required traffic, together with client computer protection. Media for importing into the organization's or customer's environments is first to be scanned to gain assurance it is free from malware or virus before it is imported. All information processing devices must have anti-malware/anti-virus protection installed. Ideally it should be configured to receive updated definitions from a central server. In turn, this server will pull updated definitions direct from the Internet. Protection against malware to be included in staff awareness presentations. Action on the detection of malware is to be made available to all staff members.

12.3 Backup. Objective: To protect against loss of data.

12.3.1 Information backup. Control. Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.
Reference(s): Information Security Policy Document
Control Statement: Where practicable, all systems and user workstations/laptops to have their "image" archived. Backup procedures are to be scheduled, where necessary, monitored and documented. Backup data media are subject to the same security requirements as original data (e.g. protection against theft and unauthorized access). They are to be stored separately from the IT system, so that they remain intact when the IT system and its immediate surroundings are damaged or destroyed. Checks on the readability of backup data media are to take place at planned intervals.

12.4 Logging and monitoring. Objective: To log events and generate evidence.

12.4.1 Event logging. Control. Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
Reference(s): Information Security Policy Document
Control Statement: It is recommended that event logs be sent to a dedicated collection device, which is backed up daily, and the logs archived in accordance with the Information Security Policy Document.

12.4.2 Protection of log information. Control. Logging facilities and log information shall be protected against tampering and unauthorized access.
Reference(s): Information Security Policy Document
Control Statement: System logs often contain a large amount of data, over and above what is required for security monitoring. System utilities or audit tools to interrogate and rationalize file information should be considered. System logs also need to be protected to prevent alteration. Real-time copying to a system outside the control of administrators can be used to safeguard logs. Where appropriate, it is recommended that log information is archived and stored securely, preferably on site in a fireproof safe, and retained for a period that meets business needs. Access to logging facilities and log information to be controlled by access permissions. Any action of clearing or otherwise altering log information, which would call into question its integrity, is to be recordable.

12.4.3 Administrator and operator logs. Control. System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
Reference(s): Information Security Policy Document
Control Statement: Similar to 12.4.2. System audit logs also contain actions undertaken by users with enhanced privileges. These logs are to be reviewed at planned intervals, where appropriate.

12.4.4 Clock synchronization. Control. The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference source.
Reference(s): Information Security Policy Document
Control Statement: A standard time reference for use in the organization should be defined. The most widely used protocol for distributing and synchronising time over the internet is the Network Time Protocol. A number of accurate time sources are available in the open market. One of the more common time sources is the GPS master clock. Such an appliance acts as a stratum 1 time source, and all devices within the systems are configured to synchronize their time with it. The organization must select a suitable time source to comply with this control.

12.5 Control of operational software. Objective: To ensure the integrity of operational systems.

12.5.1 Installation of software on operational systems. Control. Procedures shall be implemented to control the installation of software on operational systems.
Reference(s): Information Security Policy Document
Control Statement: Change Management Process to include links to engage with designated staff. Only approved software to be installed on platforms, under strict change management control and by appropriately competent persons. See also 12.1.2.

12.6 Technical Vulnerability Management. Objective: To prevent exploitation of technical vulnerabilities.

12.6.1 Management of technical vulnerabilities. Control. Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
Reference(s): Information Security Policy Document
Control Statement: Technical vulnerability management should be viewed as a sub-function of change management and should take advantage of change management processes and procedures. When vulnerabilities are published, system asset lists to be examined to assess the impact of the vulnerabilities on the security posture of the system. Where a software update is deemed necessary, the change control process is to be initiated. It is recommended that planned IT Health Checks are undertaken on all systems to ensure that they remain vulnerability free.

12.6.2 Restrictions on software installation. Control. Rules governing the installation of software by users shall be established and implemented.
Reference(s): Information Security Policy Document
Control Statement: The organization should define and enforce strict rules on what types of software users can install. The principle of least privilege should apply, where practicable. Where user installation is approved, anti-malware controls to be in place and users made aware of these through the AUP and awareness sessions. The active scanning of PCs and laptops will assist in managing this activity. See also 12.2.1 above.

12.7 Information systems audit considerations. Objective: To minimize the impact of audit activities on operational systems.

12.7.1 Information System Audit controls. Control. Audit requirements and activities involving verifications of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.
Reference(s): Information Security Policy Document
Control Statement: All audits and IT Health Checks to be pre-planned. A schedule identifying areas of audit or penetration testing is to be produced. Interruption to operational systems is to be avoided at all times. All access should be monitored and logged to produce a reference trail.

13. Communication Security

13.1 Network security management. Objective: To ensure the protection of information in networks and its supporting information processing facilities.

13.1.1 Network controls. Control. Networks shall be managed and controlled to protect information in systems and applications.
Reference(s): Information Security Policy Document
Control Statement: The security policy is to ensure that access to the organization's network is only provided to authorized users, that adequate controls are in place to manage remote users, that all equipment can be recognized uniquely, that networks are segregated based on need, and that appropriate network routing protocols are enabled.

13.1.2 Security of network services. Control. Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.
Reference(s): Information Security Policy Document
Control Statement: A range of controls to be implemented to achieve and maintain network security, including a border firewall that limits access to the protocols, platforms and devices of the organization or its clients. Network devices to be vulnerability free and subject to a minimum level of hardening to disable unnecessary and insecure services, where reasonably practical. Network services to be reviewed as part of any planned IT Health Check, conducted by an approved company.

13.1.3 Segregation in networks. Control. Groups of information services, users and information systems shall be segregated on networks.
Reference(s): Information Security Policy Document
Control Statement: One method of managing the security of large networks is to divide them into separate network domains. Access between domains can be allowed but should be controlled at the perimeter using a gateway, e.g. a firewall or filtering router.

13.2 Information transfer. Objective: To maintain the security of information transferred within an organization and with any external entity.

13.2.1 Information transfer policies and procedures. Control. Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
Reference(s): Information Security Policy Document
Control Statement: Policies defining protection for information from interception, copying, modification, misrouting or destruction during transfer are recommended. The policies to include: malware protection; additional safeguards for sensitive information; users' responsibilities regarding harassment, defamation, impersonation, forwarding of chain letters, and unauthorized purchasing; plus guidelines on acceptable and unacceptable uses of communications facilities and media.

13.2.2 Agreements on information transfer. Control. Agreements shall address the secure transfer of business information between the organization and external parties.
Reference(s): Information Security Policy Document
Control Statement: Policies, procedures and standards should be established and maintained to protect information and media in transit and should be referenced in all transfer agreements, possibly through the process of a Service Level Agreement. The content of such agreements should reflect the sensitive nature of the business information required for transfer.

13.2.3 Electronic messaging. Control. Information involved in electronic messaging shall be appropriately protected.
Reference(s): Information Security Policy Document
Control Statement: The range of measures to include: 1. Protecting messages from unauthorized access, modification or diversion; 2. Ensuring correct addressing and transportation; 3. Ensuring the general reliability and availability of messaging services; 4. Limiting the use of less-secure messaging systems (e.g. public IM); 5. Stronger levels of authentication and message content protection when using public networks.

13.2.4 Confidentiality or non-disclosure agreements. Control. Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.
Reference(s): Information Security Policy Document
Control Statement: Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Requirements for confidentiality and non-disclosure agreements should be reviewed periodically or when changes occur that affect these requirements. All users must sign a confidentiality or non-disclosure agreement (NDA), or similar, as a component of the employee contract. NDAs to be put in place for third party engagement, where required. Contents and the importance of NDAs to be highlighted during awareness sessions.

Security requirements of information systems. Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the
14.1 requirements for information systems which provide services over public networks.

Information security requirements Where new products are required, a formal testing and acquisition process should be followed.
analysis and specification. Control. The Contracts with suppliers should address the security requirements. Early consideration of information
information security related requirements security
shall be included in the requirements for Information Security requirements, e.g. at the design stage can lead to more effective and cost efficient solutions. Change
14.1.1
new information systems or enhancements Policy Document Management process to be followed at all times and includes any upgrades and improvements to
to existing information systems. existing services. See also 12.1.2 above.

Securing application services on public The following provisions could be used to provide protection over public networks. 1. Encryption:
networks. Control. Information involved Encoding and scrambling of messages to prevent their access without specific authorization. 2.
in application services passing over public Authentication: Provision of secure mechanisms for accessing specific elements of the system. Most
networks shall be protected from fraudulent common method is registration and using usernames and passwords. 3. Digital signature: Digital code
activity, contract dispute and unauthorized attached to electronically transmitted message to uniquely identify contents and sender. Implemented
disclosure and modification. when receiver needs assurance of sender's authenticity (adopted now in hardware and operating
system drivers). 4. Secure Electronic Transaction (SET): Standard for securing credit card transactions
Information Security over Internet and other networks. 5. SSL Digital Certificates: SSL (Secure Socket Layer) digital
14.1.2
Policy Document certificates act as a digital ID and can be used to fulfil the authentication requirements of exchange
security. Digital certificates are widely used to prove authenticity and identify suppliers as genuine online
merchants. Digital certificates are issued by certification authorities such as VeriSign, and provide
suppliers with a completely unique digital identity.

000000Page 18 of 27
STANDARD FORMS AND REGISTERS
000000 SFR XXX
Issue: 01 Date:FF0000 Month/Year 000000

ISO 27001:2013 Statement of Applicability

Key for Justification for Inclusion* LR = Legal Requirement CR = Contractual Requirement BR = Business Requirement BP = Best Practice RA = Following Risk Assessment

Remarks
(Justification for
ISO 27001:2013 Controls Reference(s) Control Statements
inclusion* /
exclusion)

Clause Sec Control Objective/Control


Protecting application services Information to be stored in a safe and secure way and inaccessible to unauthorised parties. The
transactions. Control. Information following control areas to be considered: 1. Integrity of Information. Any communication and
involved in application service transactions transactions are to be tamper proof and to maintain the integrity of the original communication. 2.
shall be protected to prevent incomplete Authentication of Identify. During the communication process proof of identify is to be established
transmission, mis-routing, unauthorized Information Security between entities. 3. Non-Repudiation. Any transactions or communication carried out between parties
14.1.3
message alteration, unauthorized Policy Document is to be proven genuine to prevent the rejection (repudiation) of a transaction.
disclosure, unauthorized message
duplication or replay.

14. System Acquisition, Development and Maintenance

14.2 Security in development and support processes. Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

14.2.1 Secure development policy. Control. Rules for the development of software and systems shall be established and applied to developments within the organization.
Reference(s): Information Security Policy Document
Control statement: New software and systems to be subject to acceptance procedure and change control. A project plan to be drawn up to include all security related tasks and milestones. Acceptance of new services and upgrades is at the discretion of the Security Manager, who is to gain assurance that the components do not introduce any unacceptable vulnerability. Acceptance may include a formal certification to verify that the security requirements have been properly addressed, such as a penetration test using an approved company, or other certified scheme. Where development is outsourced, the organization should receive assurance that the external party complies with these rules.

14.2.2 System change control procedures. Control. Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.
Reference(s): Information Security Policy Document
Control statement: Change control is a formal process used to ensure that changes to a product or system are implemented in a controlled and coordinated manner. It reduces the risk of introducing faults into the system or of undoing changes made by other users of the software. The goals of a change control procedure usually include minimal disruption to services, reduction in back-out/rollback activities, and cost-effective utilization of resources involved in implementing change. Good practice includes the testing of new software in an environment segregated from both development and production environments. This should include patches, service packs and other updates.

14.2.3 Technical review of applications after operating platform changes. Control. When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
Reference(s): Information Security Policy Document
Control statement: Change Management Process to include pre and post checks and assessments (including IT Health Checks where relevant) to ensure that no security controls have been compromised. Business continuity plans to be updated, if appropriate.

14.2.4 Restrictions on changes to software packages. Control. Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.
Reference(s): Information Security Policy Document
Control statement: It is recommended that all equipment be subjected to a hardening schedule to remove unnecessary services and accounts prior to deployment. Once hardened, only approved modifications to be carried out under change control. Where changes are necessary, the original software should be retained and changes applied to a designated copy. All changes should be tested and fully documented, so that they can be reapplied, if necessary, to future software upgrades.

14.2.5 Secure systems engineering principles. Control. Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
Reference(s): Information Security Policy Document
Control statement: Secure systems require resistance against technical attack, coercion, fraud, and deception. Good engineering principles to prevent such incidents should be followed. Security should be designed into all architectural layers, balancing the need for information security with the need for accessibility. New technology should be analysed for security risks and the design should be reviewed against known attack patterns.

14.2.6 Secure development environment. Control. Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
Reference(s): Information Security Policy Document
Control statement: Typical requirements for the protection of a secure development environment include: separate environment or zone from the organization's principal network; internal firewall protection (minimize the number of open ports; the 'least privilege' rule-set principle still applies); access control policy developed; access to be role based and in line with business need; physical security measures in place, where relevant.

14.2.7 Outsourced development. Control. The organization shall supervise and monitor the activity of outsourced system development.
Reference(s): Information Security Policy Document
Control statement: Outsourcing only to be with trusted partners. Escrow arrangement should be considered in such instances. The organization's rights of access to the outsourced partner's lab for audit purposes are to be in place. Contractual agreements to define quality and security. Full testing (including, where appropriate, an IT Health Check) to be arranged prior to any go-live.

14.2.8 System security testing. Control. Testing of security functionality shall be carried out during development.
Reference(s): Information Security Policy Document
Control statement: All new systems to be subject to functionality testing during development. The security team to provide details of the test activity and, if necessary, arrange for an external provider to carry out security health checks before moving from development to staging or production platforms.

14.2.9 System acceptance testing. Control. Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
Reference(s): Information Security Policy Document
Control statement: New software, upgrades and new information systems to be subject to acceptance procedures and change control. Acceptance may include a formal certification to verify that the security requirements have been properly addressed. An IT Health Check or penetration test is recommended for all such changes.

14.3 Test data. Objective: To ensure the protection of data used for testing.

14.3.1 Protection of test data. Control. Test data shall be selected carefully, protected and controlled.
Reference(s): Information Security Policy Document
Control statement: Data scrubbing or scrambling is a key requirement of this control. Whenever production data has to be used for testing software systems, the data is to be cleaned or it should be scrambled beyond recognition. Sensitive fields including customer names, date of birth, social security numbers, email IDs, credit card numbers, etc., should be replaced with dummy values before such data is released into production.
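As an added illustration of the 14.3.1 statement (example code, not part of this register and not the organization's own tooling), the Python routine below scrubs the sensitive fields named above from a constructed set of customer records. It goes slightly beyond the statement in two practitioner-relevant ways: the dummy values are derived with a keyed HMAC so that the same person always scrubs to the same pseudonym (referential integrity across tables survives, but the original cannot be recovered without the key), and a release gate confirms that no original sensitive value survives anywhere in the scrubbed output. The records, the field list and the `SCRUB_KEY` value are all made up for the example.

```python
import hashlib
import hmac
import re

# Constructed "production" extract for the example only: every value here is
# made up, and the duplicate of customer 1001 shows that one person's records
# must scrub to the same pseudonym so joins in the test environment still work.
PRODUCTION_ROWS = [
    {"customer_id": 1001, "name": "Alice Example", "dob": "1984-03-12",
     "ssn": "123-45-6789", "email": "alice@example.com",
     "card": "4111111111111111", "plan": "gold", "balance": 120.50},
    {"customer_id": 1002, "name": "Bob Sample", "dob": "1990-11-30",
     "ssn": "987-65-4321", "email": "bob@example.org",
     "card": "5500000000000004", "plan": "silver", "balance": 0.0},
    {"customer_id": 1003, "name": "Alice Example", "dob": "1984-03-12",
     "ssn": "123-45-6789", "email": "alice@example.com",
     "card": "4111111111111111", "plan": "gold", "balance": 75.0},
]

# The fields the 14.3.1 statement calls sensitive; all other fields pass through.
SENSITIVE_FIELDS = ("name", "dob", "ssn", "email", "card")

# Hypothetical secret used only for this example. In practice the key stays with
# the production-side scrubbing job and is never copied to the test environment.
SCRUB_KEY = b"example-scrub-key-kept-in-production"


def token(value: str, key: bytes) -> int:
    """Keyed, one-way pseudonym: the same input and key always give the same
    64-bit token, but the original value cannot be recovered without the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def scrub_row(row: dict, key: bytes) -> dict:
    """Copy of `row` with every sensitive field replaced by a dummy value that
    keeps the field's shape, so format checks in the application still pass."""
    out = dict(row)
    t = token(row["name"], key)
    out["name"] = f"Customer-{t % 10**6:06d}"
    out["dob"] = "1970-01-01"                                   # fixed dummy date
    out["ssn"] = f"000-00-{token(row['ssn'], key) % 10**4:04d}"
    out["email"] = f"user{t % 10**6:06d}@test.invalid"         # reserved TLD
    out["card"] = f"9{token(row['card'], key) % 10**15:015d}"  # 16 digits, not a real PAN
    return out


def scrub_dataset(rows: list, key: bytes) -> list:
    return [scrub_row(r, key) for r in rows]


def leaked_values(original_rows: list, scrubbed_rows: list) -> set:
    """Release gate: any original sensitive value still present anywhere in the
    scrubbed output is a leak. Returns the set of leaked values (empty is good)."""
    originals = {str(r[f]) for r in original_rows for f in SENSITIVE_FIELDS}
    blob = "\n".join(str(v) for r in scrubbed_rows for v in r.values())
    return {v for v in originals if v in blob}


def shapes_ok(scrubbed_rows: list) -> bool:
    """Check that the dummy values still match the formats the application expects."""
    return all(
        re.fullmatch(r"\d{3}-\d{2}-\d{4}", r["ssn"]) is not None
        and re.fullmatch(r"\d{16}", r["card"]) is not None
        and re.fullmatch(r"\d{4}-\d{2}-\d{2}", r["dob"]) is not None
        and r["email"].endswith("@test.invalid")
        for r in scrubbed_rows
    )


if __name__ == "__main__":
    scrubbed = scrub_dataset(PRODUCTION_ROWS, SCRUB_KEY)
    for r in scrubbed:
        print(r)
    print("leaks:", leaked_values(PRODUCTION_ROWS, scrubbed) or "none")
```

The `leaked_values` gate is the part worth keeping even if the scrubbing rules change: it is a substring search over the whole output, so it also catches a sensitive value that was copied into a free-text or note field the field list did not anticipate.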

15. Supplier Relationships

15.1 Information security in supplier relationships. Objective: To ensure protection of the organization's assets that are accessible by suppliers.

15.1.1 Information security policy for supplier relationships. Control. Information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented.
Reference(s): Information Security Policy Document
Control statement: Information can be put at risk by suppliers with inadequate information security management. Controls should be identified and applied to administer supplier access to information processing facilities. The organization needs to be aware that legal or contractual obligations remain with the organization. Supplier security policy to be developed and approved in advance of any physical or logical access to the organization's information. Ideally each supplier should be certified to ISO27001 or demonstrate evidence against key controls. The scope of the policy is to include a 'right to audit' and other compliance controls.

15.1.2 Addressing security within supplier agreements. Control. All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information.
Reference(s): Information Security Policy Document
Control statement: The agreements can vary considerably for different organizations and among the different types of supplier. Therefore care should be taken to include all information security risks and requirements. Scope to determine scale and depth of controls and measures for inclusion in the agreement. Principal areas include, but are not limited to: risk assessment and ownership, system security design, access control measures, monitoring, communication security, incident management, business continuity and compliance.

15.1.3 Information and communication technology supply chain. Control. Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.
Reference(s): Information Security Policy Document
Control statement: ICT supply chain security requirements to be established on the basis of the 'goods and services'. Security requirements to include the following: chain of custody; least privilege access; separation of duties; tamper resistance and evidence; compliance management; awareness; intellectual property rights; procurement processes; security requirements of 3rd party suppliers; quality management; HR management; project management; supplier/relationship management; risk and security management; configuration and change management; ICT integration; ICT testing and verification (e.g. security/penetration testing, vulnerability scanning, stress testing, compliance testing); malware protection; ICT management, maintenance and disposal.

15.2 Supplier service delivery management. Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

15.2.1 Monitoring and review of supplier services. Control. Organizations shall regularly monitor, review and audit supplier service delivery.
Reference(s): Information Security Policy Document
Control statement: Supplier agreement to include a 'right to audit'. The scope of the audit to be set out in the supplier security policy together with the frequency of planned visits. Approval for short notice audits to be included in cases of any reported non-compliance.

15.2.2 Managing changes to supplier services. Control. Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.
Reference(s): Information Security Policy Document
Control statement: Review of supplier relationship to take place at planned intervals. The scope of review to include any changes to the provision of services that might impact on the information security requirements. Continuous improvement to be the principal function of the review.

16. Information Security Incident Management

16.1 Management of information security incidents and improvements. Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

16.1.1 Responsibilities and procedures. Control. Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
Reference(s): Information Security Policy Document
Control statement: Reporting processes for all types of security incident to be established. Security incidents to be managed effectively to minimize outages and disruption to services. Procedures to be in place for monitoring, detecting, analyzing and reporting of information security events and incidents. Additionally, the following procedures should be considered: logging of incident activities; handling of forensic evidence; assessment of security events and weaknesses; escalation, controlled recovery and internal and external communications; points of contact within the organization; reporting format; disciplinary process, if needed; feedback.

16.1.2 Reporting information security events. Control. Information security events shall be reported through appropriate management channels as quickly as possible.
Reference(s): Information Security Policy Document
Control statement: All employees and contractors should be made aware of their responsibilities to report security events as quickly as possible. They should be made aware of the procedure for reporting information security events and the point of contact to which the events should be reported. Reporting of information security events to be included in the employee induction process and in planned awareness sessions. The AUP also to contain information on the security event reporting process.

16.1.3 Reporting information security weaknesses. Control. Employees and contractors using the organization's information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.
Reference(s): Information Security Policy Document
Control statement: All employees and contractors to report any information security weakness to the point of contact as soon as possible in order to prevent an information security incident. The reporting process should be as easy, accessible and available as possible.

16.1.4 Assessment of and decision on information security events. Control. Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.
Reference(s): Information Security Policy Document
Control statement: Assessment of a security event to be carried out by the point of contact, who decides if it should be classified as a security incident. Results of the assessment and decision should be recorded in detail for the purpose of future reference and verification.

16.1.5 Response to information security incidents. Control. Information security incidents shall be responded to in accordance with the documented procedures.
Reference(s): Information Security Policy Document
Control statement: The first goal of a security incident response is to resume the normal security level and then initiate the process of recovery. Response to an incident should include: collecting evidence; conducting forensic analysis, if appropriate; escalation; logging all activities; communicating details of the incident to internal and external parties, where required; formally closing the incident; once closed, coordinating post-incident analysis to identify the cause of the incident.

16.1.6 Learning from information security incidents. Control. Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.
Reference(s): Information Security Policy Document
Control statement: There should be a mechanism in place to enable the types, volume and costs of information security incidents to be quantified and monitored. Once assessed, measures should be considered to prevent recurrence. Lessons learnt to be used during awareness briefings, where appropriate.

16.1.7 Collection of evidence. Control. The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information which can serve as evidence.
Reference(s): Information Security Policy Document
Control statement: Procedure for the collection of evidence should consider the following: chain of custody, safety of evidence, safety of personnel, identification, collection, acquisition and preservation of evidence. Such evidence includes event logs, CCTV footage, access control mechanisms, etc. See ISO 27037 for more detailed advice on security techniques for digital evidence.
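The acquisition and preservation steps in the 16.1.7 statement, and the chain of custody it asks for, can be made verifiable with very little code. The Python below is an added example (not part of this register, and not a description of the organization's evidence procedure): it hashes a collected item at acquisition time, records every handling step in an append-only custody log where each entry carries the hash of the previous entry, and then shows that both a later change to the evidence and a later edit to the log are detected. The event log content, the evidence identifier `EV-001` and the handler names are all constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample evidence: made-up log lines standing in for an exported
# event log (assumption: not taken from any real system).
SAMPLE_EVENT_LOG = (
    "2024-01-01T10:00:00Z sshd[1234]: Accepted publickey for svc from 10.0.0.5\n"
    "2024-01-01T10:02:13Z sudo: svc : COMMAND=/usr/bin/systemctl restart nginx\n"
)


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large images and captures do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_hash(body: dict) -> str:
    # Canonical JSON so the same content always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record. Each entry embeds the hash of the
    previous entry, so editing or removing any earlier entry breaks the chain."""

    def __init__(self):
        self.entries = []

    def record(self, evidence_id: str, action: str, handler: str,
               evidence_hash: str, note: str = "") -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {
            "evidence_id": evidence_id, "action": action, "handler": handler,
            "evidence_hash": evidence_hash, "note": note,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "prev_entry_hash": prev,
        }
        body["entry_hash"] = _entry_hash(body)
        self.entries.append(body)
        return body

    def chain_intact(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_entry_hash"] != prev or _entry_hash(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def acquire(evidence_path: str, evidence_id: str, handler: str, log: CustodyLog) -> str:
    """Acquisition step: hash the original once and record who collected it."""
    digest = sha256_file(evidence_path)
    log.record(evidence_id, "acquired", handler, digest, note=os.path.basename(evidence_path))
    return digest


def verify_preserved(evidence_path: str, evidence_id: str, log: CustodyLog) -> bool:
    """Preservation check: the current hash must equal the one recorded at acquisition."""
    acquired = [e for e in log.entries
                if e["evidence_id"] == evidence_id and e["action"] == "acquired"]
    return bool(acquired) and sha256_file(evidence_path) == acquired[0]["evidence_hash"]


def demo() -> dict:
    """Run the procedure on a constructed evidence file and return the checks' results."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_EVENT_LOG)
        log = CustodyLog()
        acquire(path, "EV-001", "analyst-a", log)
        log.record("EV-001", "transferred", "analyst-b", sha256_file(path),
                   note="handed to analyst-b for analysis")
        intact_before = verify_preserved(path, "EV-001", log)
        with open(path, "a", encoding="utf-8") as f:   # simulate later alteration
            f.write("2024-01-02T00:00:00Z extra line added after acquisition\n")
        intact_after = verify_preserved(path, "EV-001", log)
        chain_before = log.chain_intact()
        log.entries[0]["handler"] = "someone-else"      # simulate log tampering
        chain_after = log.chain_intact()
    return {"entries": len(log.entries), "intact_before": intact_before,
            "intact_after": intact_after, "chain_before": chain_before,
            "chain_after": chain_after}


if __name__ == "__main__":
    print(demo())
```

In practice the acquisition hash and the custody entries would be written to storage the handlers cannot modify in place (write-once media or a separate, access-controlled system), which is what gives the hash chain its value as evidence of integrity rather than just as a self-check.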

17. Information Security Aspects of Business Continuity Management

17.1 Information security continuity. Objective: Information security continuity shall be embedded in the organization's business continuity management systems.

17.1.1 Planning information security continuity. Control. The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
Reference(s): Information Security Policy Document
Control statement: An organization should determine whether the continuity of information security is captured within the business continuity management process or within the disaster recovery management process. Information security requirements should be determined when planning for business continuity and disaster recovery. In the absence of formal business continuity and disaster recovery planning, information security management should assume that information security requirements remain the same in adverse situations as under normal operational conditions. Alternatively, an organization could perform a business impact analysis for information security aspects to determine the information security requirements applicable to adverse situations.

17.1.2 Implementing information security continuity. Control. The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
Reference(s): Information Security Policy Document
Control statement: An organization should ensure that an adequate management structure is in place to prepare for, mitigate and respond to a disruptive event. Documented plans should be prepared with response and recovery procedures detailing how the organization will manage a disruptive event and will maintain its information security to a predetermined level, based on management-approved information security continuity objectives. Information security controls that have been implemented should continue to operate during an adverse situation. If security controls are not able to continue to secure information, other controls should be established, implemented and maintained to maintain an acceptable level of information security.

17.1.3 Verify, review and evaluate information security continuity. Control. The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
Reference(s): Information Security Policy Document
Control statement: Organizations should verify information security management continuity through exercising and testing, to ensure it is consistent with the information security continuity objectives. Any live tests should be carried out without disruption to service. Where possible, elements such as the ability to provide support from remote locations are also to be tested. Where the live testing of services is impracticable, table top exercises are recommended.

17.2 Redundancies. Objective: To ensure availability of information processing facilities.

17.2.1 Availability of information processing facilities. Control. Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
Reference(s): Information Security Policy Document
Control statement: Organizations should identify business requirements for the availability of information systems. Where the availability cannot be guaranteed using the existing systems architecture, redundant components or architectures should be considered.

18. Compliance

18.1 Compliance with legal and contractual requirements. Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

18.1.1 Identification of applicable legislation and contractual requirements. Control. All relevant legislative, statutory, regulatory and contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.
Reference(s): Information Security Policy Document
Control statement: The statutory, regulatory, and contractual requirements are to be recorded in the relevant Standard Forms and Registers (SFR).

18.1.2 Intellectual property rights. Control. Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.
Reference(s): Information Security Policy Document
Control statement: The following should be considered to protect material that may be considered intellectual property: publish an IPR compliance policy which defines the legal use of software; acquire software through reputable vendors; give notice of disciplinary action for any breach of policy; highlight assets on the inventory that require IPR protection; maintain proof of ownership; do not exceed the number of licensed users; do not copy in full or in part other than as permitted by law. The importance and awareness of intellectual property rights should be communicated to staff for software developed by the organization. Remember, copyright infringement can lead to legal action, which may involve fines and criminal proceedings.

18.1.3 Protection of records. Control. Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.
Reference(s): Information Security Policy Document
Control statement: When deciding upon protection of specific organizational records, their corresponding classification, based on the organization's classification scheme, should be considered. Records should be categorised into record types, e.g. accounting records, database records, transaction logs, audit logs and operational procedures, each with details of retention periods and type of allowable storage media, e.g. paper, microfiche, magnetic, optical. Any related cryptographic keys and programs associated with encrypted archives or digital signatures (see Clause 10) should also be stored to enable decryption of the records for the length of time the records are retained.

18.1.4 Privacy and protection of personally identifiable information. Control. Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
Reference(s): Information Security Policy Document
Control statement: Minimize the amount of PII held to what is necessary to achieve business output. Those involved in accessing, using or storing PII to receive the relevant training on its protection and release. Access to PII to be strictly controlled on a role and business need basis. Prevent or limit storage of PII on PDAs, laptops and other mobile devices including all forms of removable media. Where necessary, apply encryption techniques. Apply encryption to any instances of electronic transfer. Monitor access to PII and investigate breaches.

18.1.5 Regulation of cryptographic controls. Control. Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
Reference(s): Information Security Policy Document
Control statement: All cryptographic devices and solutions to be installed, managed, maintained, and used in accordance with their installation standards. Ensure compliance with relevant legislation and regulations.

18.2 Information security reviews. Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

18.2.1 Independent review of information security. Control. The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.
Reference(s): Information Security Policy Document
Control statement: Such an independent review is necessary to ensure the continuing suitability, adequacy and effectiveness of the organization's approach to managing information security. The review should include assessing opportunities for improvement and the need for changes to the approach to security, including the policy and control objectives. Ideally, such a review should be carried out by individuals independent of the area under review, e.g. the internal audit function, an independent manager or an external party organization specializing in such reviews. Individuals carrying out these reviews should have the appropriate skills and experience. The results of the independent review should be recorded and reported to the management who initiated the review. These records should be maintained.

18.2.2 Compliance with security policies and standards. Control. Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
Reference(s): Information Security Policy Document
Control statement: Managers should identify how to review that information security requirements defined in policies, standards and other applicable regulations are met. Automatic measurement and reporting tools should be considered for efficient regular review. If any non-compliance is found as a result of the review, managers should: 1. Identify the causes of the non-compliance; 2. Evaluate the need for actions to achieve compliance; 3. Implement appropriate corrective action; 4. Review the corrective action taken to verify its effectiveness and identify any deficiencies or weaknesses. Results of reviews and corrective actions carried out by managers should be recorded and these records should be maintained. Managers should report the results to the persons carrying out independent reviews (see 18.2.1) when an independent review takes place in the area of their responsibility.

18.2.3 Technical compliance review. Control. Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.
Reference(s): Information Security Policy Document
Control statement: Technical compliance reviews involve the examination of operational systems to ensure that hardware and software controls have been correctly implemented. This type of compliance review requires specialist technical expertise. Compliance reviews also cover, for example, penetration testing and vulnerability assessments, which might be carried out by independent experts specifically contracted for this purpose. This can be useful in detecting vulnerabilities in the system and for inspecting how effective the controls are in preventing unauthorized access due to these vulnerabilities. Penetration testing and vulnerability assessments provide a snapshot of a system in a specific state at a specific time. The snapshot is limited to those portions of the system actually tested during the penetration attempt(s). Penetration testing and vulnerability assessments are not a substitute for risk assessment.

Reviewed and updated by:
Name:
Position:
