Statement of Applicability (current as of 4/24/2017)

ISO/IEC 27001:2013 Annex A controls

Columns: Sec | Control objective / control | Applied? | Control detail | Key driver | Justification for exclusion | Responsibility

5 Information security policies
5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
5.1.1 | Policies for information security | Yes | Last reviewed 5/7/16 | ABP | - | D
5.1.2 | Review of the policies for information security | Yes | Annual review | ABP | - | D

6 Organization of information security
6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
6.1.1 | Information security roles and responsibilities | Yes | Documented in org. chart/PDs | BR | - | ISMR
6.1.2 | Segregation of duties | Yes | As per org. chart/PDs | BR | - | ISMR
6.1.3 | Contact with authorities | Yes | Part of ISMR's role | BR | - | ISMR
6.1.4 | Contact with special interest groups | Yes | Part of ISMR's role | BR | - | ISMR
6.1.5 | Information security in project management | Yes | Included within project plan template | BR | - | OM
6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and the use of mobile devices.
6.2.1 | Mobile device policy | N/A | - | N/A | Mobile devices not used | D
6.2.2 | Teleworking | N/A | - | N/A | Remote working disallowed | D

7 Human resource security
7.1 Prior to employment
Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
7.1.1 | Screening | Yes | Outsourced to HR firm; firm audited to ensure ongoing compliance with screening requirements | BR | - | OM
7.1.2 | Terms and conditions of employment | Yes | Included in employment contracts | ABP | - | OM
7.2 During employment
Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.
7.2.1 | Management responsibilities | Yes | Biannual IS audit | BR | - | ISMR
7.2.2 | Information security awareness, education and training | Yes | Induction training and annual refresher training | BR | - | ISMR
7.2.3 | Disciplinary process | Yes | Included as part of induction training, and as per HR policy | BR | - | OM
7.3 Termination and change of employment
Objective: To protect the organization's interests as part of the process of changing or terminating employment.
7.3.1 | Termination or change of employment responsibilities | Yes | Included in employment contracts | BR | - | OM

8 Asset management
8.1 Responsibility for assets
Objective: To identify organizational assets and define appropriate protection responsibilities.
8.1.1 | Inventory of assets | Yes | Asset register maintained; processes defined and communicated for capturing new assets and reviewing/updating existing assets periodically | BR | - | IT
8.1.2 | Ownership of assets | Yes | Ownership agreed with stakeholders and assigned in asset register | BR | - | IT
8.1.3 | Acceptable use of assets | Yes | Acceptable use policy distributed and covered through induction and ongoing training | BR | - | OM
8.1.4 | Return of assets | Partial | As per employment contracts. OM to complete employment cancellation checklist to ensure return of all assets | BR | - | OM
8.2 Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
8.2.1 | Classification of information | Yes | Information is classified based on the organisation's information classification framework. Periodic review for completeness and accuracy. | ABP | - | ISMR
8.2.2 | Labelling of information | Yes | Electronic information is meta-tagged with its classification rating upon receipt or creation within the organisation's document management system. Physical information is labelled with its classification rating upon receipt or creation. | BR | - | AS
8.2.3 | Handling of assets | Partial | As per classification procedure and asset register | BR | - | IT
8.3 Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.
8.3.1 | Management of removable media | Yes | As per media handling procedure | BR | - | IT
8.3.2 | Disposal of media | Yes | As per media handling procedure | BR | - | IT
8.3.3 | Physical media transfer | Yes | As per media handling procedure | BR | - | IT

9 Access control
9.1 Business requirements of access control
Objective: To limit access to information and information processing facilities.
9.1.1 | Access control policy | Yes | Last reviewed 5/2/16 | BR | - | ISMR
9.1.2 | Access to networks and network services | Yes | Access matrix maintained | BR | - | IT
9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.
9.2.1 | User registration and de-registration | Yes | Part of onboarding/termination process | BR | - | IT
9.2.2 | User access provisioning | Yes | Defined approval processes for user provisioning. Line manager, system owner and relevant information custodian(s), or delegates, must approve access to enterprise information systems. | BR | - | IT
9.2.3 | Management of privileged access rights | Yes | Periodic review of privileged users | BR | - | ISMR
9.2.4 | Management of secret authentication information of users | Partial | Informal processes currently in place for password distribution | BR | - | 
9.2.5 | Review of user access rights | Yes | Annual review of user security configurations within information systems and physical security system. Sign-off required from line managers. | BR | - | ISMR
9.2.6 | Removal or adjustment of access rights | Yes | Part of termination process | BR | - | IT
9.3 User responsibilities
Objective: To make users accountable for safeguarding their authentication information.
9.3.1 | Use of secret authentication information | Partial | Secure password policies are defined and enforced within key systems | BR | - | ISMR
9.4 System and application access control
Objective: To prevent unauthorized access to systems and applications.
9.4.1 | Information access restriction | Partial | As per access matrix | BR | - | IT
9.4.2 | Secure log-on procedures | N/A | Not required | N/A | Not required as part of access control policy | ISMR
9.4.3 | Password management system | Partial | Staff encouraged to use secure passwords | BR | - | ISMR
9.4.4 | Use of privileged utility programs | Yes | Restricted by group membership in identity access management system. Membership only assigned to IT Manager. | BR | - | IT
9.4.5 | Access control to program source code | Yes | Restricted by group membership in identity access management system. Membership only assigned to IT Manager. | BR | - | IT

10 Cryptography
10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
10.1.1 | Policy on the use of cryptographic controls | N/A | Not required | N/A | Cryptographic controls not required | D
10.1.2 | Key management | N/A | Not required | N/A | Cryptographic controls not required | D

11 Physical and environmental security
11.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.
11.1.1 | Physical security perimeter | Yes | As per building floor plan | BR | - | OM
11.1.2 | Physical entry controls | Yes | Reception at entrance; visitors required to sign in. Staff areas require PIN access for secure doors. | BR | - | OM
11.1.3 | Securing offices, rooms and facilities | Partial | Building locked outside office hours | BR | - | OM
11.1.4 | Protecting against external and environmental threats | Yes | External backup and firewall/malware protections maintained | BR | - | IT
11.1.5 | Working in secure areas | No | Specific procedures not implemented | BR | - | OM
11.1.6 | Delivery and loading areas | Yes | As per building floor plan; secure door between loading/delivery areas and office | BR | - | OM
11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.
11.2.1 | Equipment siting and protection | Partial | Building maintained and secure access procedures followed | BR | - | OM
11.2.2 | Supporting utilities | Yes | Surge protection equipment used | BR | - | IT
11.2.3 | Cabling security | Yes | Cabling purchased from approved suppliers | BR | - | IT
11.2.4 | Equipment maintenance | Yes | Workplace inspections by IT | BR | - | IT
11.2.5 | Removal of assets | Yes | No remote working/removal of assets allowed | BR | - | AS
11.2.6 | Security of equipment and assets off-premises | N/A | - | N/A | Off-site working not permitted | D
11.2.7 | Secure disposal or reuse of equipment | Yes | As per asset disposal procedure | BR | - | IT
11.2.8 | Unattended user equipment | Yes | Staff instructed to lock computers when unattended | BR | - | AS
11.2.9 | Clear desk and clear screen policy | Yes | Clear desk policy last reviewed 15/6/2016 | BR | - | ISMR

12 Operations security
12.1 Operational procedures and responsibilities
Objective: To ensure correct and secure operations of information processing facilities.
12.1.1 | Documented operating procedures | Yes | SOPs maintained as per document register | BR | - | ISMR
12.1.2 | Change management | Yes | Formalised and communicated change management procedures with approval workflows | BR | - | ISMR
12.1.3 | Capacity management | Yes | Automated provisioning/deprovisioning of new VMs based on load/demand. Automated reporting of over-utilisation and under-utilisation sent to IT Manager when triggered. | BR | - | IT
12.1.4 | Separation of development, testing and operational environments | Partial | Development and testing performed in production environment for most business information systems | BR | - | OM
12.2 Protection from malware
Objective: To ensure that information and information processing facilities are protected against malware.
12.2.1 | Controls against malware | Partial | Install and maintain a modern anti-virus suite. Keep up with security patches. Maintain and enforce network access control list (ACL). | BR | - | IT
12.3 Backup
Objective: To protect against loss of data.
12.3.1 | Information backup | Yes | Defined backup policies and procedures based on business requirements for recovery time objective (RTO) and recovery point objective (RPO) | BR | - | IT
12.4 Logging and monitoring
Objective: To record events and generate evidence.
12.4.1 | Event logging | Yes | All enterprise applications and operating systems capture event logs | BR | - | IT
12.4.2 | Protection of log information | Yes | Restricted by group membership in identity access management system. Membership only assigned to IT Manager. | BR | - | IT
12.4.3 | Administrator and operator logs | Yes | Application-level, database-level, OS-level and physical security logs capture authentication activities and key events. Maintained for 10 years. | BR | - | IT
12.4.4 | Clock synchronisation | Yes | All devices are joined to Active Directory with automatic clock synchronisation | BR | - | IT
12.5 Control of operational software
Objective: To ensure the integrity of operational systems.
12.5.1 | Installation of software on operational systems | Yes | All users bar IT unable to install software on assets | BR | - | IT
12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.
12.6.1 | Management of technical vulnerabilities | Yes | Quarterly IT audit and vulnerability testing | BR | - | IT
12.6.2 | Restrictions on software installation | Yes | All users bar IT unable to install software on assets | BR | - | IT
12.7 Information systems audit considerations
Objective: To minimise the impact of audit activities on operational systems.
12.7.1 | Information systems audit controls | Yes | Audit programme maintained | BR | - | ISMR

13 Communications security
13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.
13.1.1 | Network controls | Partial | Firewalls, intrusion prevention, monitoring and event logging | BR | - | IT
13.1.2 | Security of network services | Yes | Standard suite of information security network services requirements included as mandatory in all outsourced contracts and in requirements specifications for all internal projects. Requirements assessed prior to operational handover. | BR | - | IT
13.1.3 | Segregation in networks | Yes | Sensitive information is maintained in a restricted zone. Public website and fileserver are located in a demilitarised zone. | BR | - | IT
13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.
13.2.1 | Information transfer policies and procedures | Yes | Information distribution guidelines developed and distributed to all staff. Information custodian (or delegate) approval required for release of information. | BR | - | IT
13.2.2 | Agreements on information transfer | Yes | All information rated higher than 'Public' is transferred using a secure FTP server maintained by the organisation. Information rated 'Protected' or higher is distributed in person. | BR | - | IT
13.2.3 | Electronic messaging | Yes | Google Gmail services used with default capability for email encryption at rest and in transit | BR | - | IT
13.2.4 | Confidentiality or non-disclosure agreements | Yes | Confidentiality agreements with employees are mandatory during induction. NDAs are initiated with external service providers prior to information sharing. | BR | - | ISMR

14 System acquisition, development and maintenance
14.1 Security requirements of information systems
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
14.1.1 | Information security requirements analysis and specification | Yes | Audits of all information systems, both new and existing, conducted as per IS audit programme | BR | - | ISMR
14.1.2 | Securing application services on public networks | Partial | Validated that cloud-based CRM system encrypts data in transit | BR | - | AS
14.1.3 | Protecting application services transactions | Partial | Application services used by the organisation require encryption in transit if data is not classified as 'Public' |  | - | 
14.2 Security in development and support processes
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.
14.2.1 | Secure development policy | Yes | Last reviewed 10/8/2016 | BR | - | ISMR
14.2.2 | System change control procedures | Yes | Conducted in accordance with change management processes | BR | - | ISMR
14.2.3 | Technical review of applications after operating platform changes | Yes | Conducted in accordance with testing procedures | BR | - | IT
14.2.4 | Restrictions on changes to software packages | Yes | Updates and changes managed by IT; individual users do not have administrative access | BR | - | IT
14.2.5 | Secure system engineering principles | Yes | Defined in alignment with better practice. Architecture reviews performed prior to transition to production environment. |  | - | 
14.2.6 | Secure development environment | Yes | Maintained by IT | BR | - | IT
14.2.7 | Outsourced development | N/A | - | N/A | Organization does not require outsourced development | AS
14.2.8 | System security testing | Yes | Vulnerability and security testing for all new applications and major changes | BR | - | IT
14.2.9 | System acceptance testing | Yes | Pilot installations tested with key staff members to ensure acceptance of new or changed systems | BR | - | ISMR
14.3 Test data
Objective: To ensure the protection of data used for testing.
14.3.1 | Protection of test data | Yes | All data used in test environments is de-identified prior to use | BR | - | IT

15 Supplier relationships
15.1 Information security in supplier relationships
Objective: To ensure protection of the organization's assets that are accessible by suppliers.
15.1.1 | Information security policy for supplier relationships | Yes | Last reviewed 25/1/16 | BR | - | ISMR
15.1.2 | Addressing security within supplier agreements | Yes | Preferred suppliers list maintained based on suppliers' ability to meet organizational requirements, including IS requirements | BR | - | ISMR
15.1.3 | Information and communication technology supply chain | Yes | Preferred suppliers list maintained based on suppliers' ability to meet organizational requirements, including IS requirements | BR | - | ISMR
15.2 Supplier service delivery management
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.
15.2.1 | Monitoring and review of supplier services | Yes | Quarterly review of suppliers' ability to achieve intended outcomes | BR | - | ISMR
15.2.2 | Managing changes to supplier services | Yes | Any changes to requirements of external providers to be included within quarterly review of supplier activity and performance | BR | - | ISMR

16 Information security incident management
16.1 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
16.1.1 | Responsibilities and procedures | Yes | Corrective action processes designed to prevent recurrence of detected nonconformities; risk management implemented within all organizational processes and procedures | BR | - | ISMR
16.1.2 | Reporting information security events | Yes | Incident reporting process implemented to ensure timely reporting of all incidents | BR | - | ISMR
16.1.3 | Reporting information security weaknesses | Yes | Reporting conducted in accordance with incident reporting processes | BR | - | ISMR
16.1.4 | Assessment of and decision on information security events | Yes | IS incident defined within corrective action processes | BR | - | ISMR
16.1.5 | Response to information security incidents | Yes | Conducted in accordance with documented corrective action procedure | BR | - | ISMR
16.1.6 | Learning from information security incidents | Yes | Lessons learnt performed after implementation of each corrective action; management review process includes review of status of actions to prevent recurrence of nonconformities | BR | - | ISMR
16.1.7 | Collection of evidence | Yes | All incidents are to be fully documented in accordance with corrective action procedures | BR | - | ISMR

17 Information security aspects of business continuity management
17.1 Information security continuity
Objective: Information security continuity shall be embedded in the organization's business continuity management systems.
17.1.1 | Planning information security continuity | Yes | Embedded within business continuity plan | BR | - | ISMR
17.1.2 | Implementing information security continuity | Yes | Embedded within business continuity plan | BR | - | ISMR
17.1.3 | Verify, review and evaluate information security continuity | Yes | IS audits conducted as per audit programme | BR | - | ISMR
17.2 Redundancies
Objective: To ensure availability of information processing facilities.
17.2.1 | Availability of information processing facilities | Yes | Infrastructure-as-a-Service provider maintains a failover 'hot site' | BR | - | ISMR

18 Compliance
18.1 Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
18.1.1 | Identification of applicable legislation and contractual requirements | Yes | Quarterly compliance audit as per ISMS audit programme | LR | - | ISMR
18.1.2 | Intellectual property rights | Yes | Intellectual property policy endorsed and covered in induction training | LR | - | ISMR
18.1.3 | Protection of records | Yes | Maintained in accordance with documented information procedures as required by ISO 27001 clause 7.5 | ABP | - | ISMR
18.1.4 | Privacy and protection of personally identifiable information | Yes | Controlled as per policy, last reviewed 10/12/2014 | LR | - | IT
18.1.5 | Regulation of cryptographic controls | N/A | - | N/A | Cryptographic controls not required | ISMR
18.2 Information security reviews
Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.
18.2.1 | Independent review of information security | Yes | Reviewed as per IS audit programme. Auditors shall not audit their own work. | BR | - | ISMR
18.2.2 | Compliance with security policies and standards | Yes | Reviewed as per IS audit programme | BR | - | ISMR
18.2.3 | Technical compliance review | Yes | Reviewed as per IS audit programme | BR | - | ISMR

Legend

Applied?
Yes: Control implemented and effective
No: Control not implemented
Partial: Control implemented but not fully effective
N/A: Control not applicable to ISMS scope

Key driver
LR: Legal requirement
CO: Contractual obligation
CC: Client commitment
BR: Business requirement derived from risk assessment
ABP: Adopted best practice
N/A: Control not applicable to ISMS scope

Responsibility
OM: Office manager
ISMR: Information Security Management Representative
IT: IT manager
AS: All staff
D: Director