INFORMATION SECURITY MANAGEMENT SYSTEM
(based on ISO/IEC 27001:2013)
STATEMENT OF APPLICABILITY (SOA)
AND
CONTROLS CHECKLIST

Prepared by:

Anele T. Patriarca
Name and Signature

Dated: May 5, 2022

Information Security Management System - Controls Checklist, ISO/IEC 27001:2013 as of May 2022

5. INFORMATION SECURITY POLICIES

5.1 Management direction for information security

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

5.1.1 Policies for information security
Control: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
Reference: ISMS Sub-Policies Manual /pg 2-3, 5.1.1

5.1.2 Review of the policies for information security
Control: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
Reference: ISMS Sub-Policies Manual /pg 3, 5.2.1
Implementation: Reviewed at least once a year during the Management review meeting or as needed.

References:
• Annex 5-1 PGC-ITD Quality and Information Security Policy Statement

6. ORGANIZATION OF INFORMATION SECURITY

6.1 Internal organization

Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

6.1.1 Information security roles and responsibilities
Control: All information security responsibilities shall be defined and allocated.
Reference: ISMS Sub-Policies Manual /pg 4, 6.1.1
Implementation: conduct annual review; monitor significant changes; review and monitor incidents; approves major initiatives to enhance security.

6.1.2 Segregation of duties
Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
Reference: ISMS Sub-Policies Manual /pg 4-5, 6.1.2
Implementation: duties and areas of responsibility are segregated; ensures that development, operations, and administration functions are segregated from one another.

6.1.3 Contact with authorities
Control: Appropriate contacts with relevant authorities shall be maintained.
Reference: ISMS Sub-Policies Manual /pg 5, 6.1.3 (1.)
Implementation: maintained contacts of appropriate enforcement authorities, regulatory bodies, information service providers, and telecommunications operators.

6.1.4 Contact with special interest groups
Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
Reference: ISMS Sub-Policies Manual /pg 5, 6.1.3 (2.)
Implementation: member of ISO 27001 security group.
6.1.5 Information security in project management
Control: Information security shall be addressed in project management, regardless of the type of the project.
Reference: ISMS Sub-Policies Manual /pg 5, 6.1.4
Implementation:
> information are secured in accordance with their information classification and corresponding handling procedures
> risk assessments are performed per department and include all processes and projects of that particular department.

6.2 Mobile devices and teleworking

Objective: To ensure the security of teleworking and use of mobile devices.

6.2.1 Mobile device policy
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
Reference: ISMS Sub-Policies Manual /pg 6, 6.2.1
Implementation: backups are conducted regularly; employees travelling on business are responsible for the security of information in their custody; issued portable computers are the responsibility of users; persons who are issued portable computers and who intend to travel for business purposes implement the appropriate safeguards to minimize risks.

6.2.2 Teleworking
Control: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.
Reference: ISMS Sub-Policies Manual /pg 6, 6.2.2
Implementation: offsite computer usage is only allowed with the authorization of line management; adopt adequate and appropriate information security measures.

References:
• Annex 6-1 Information security roles and responsibilities
• Annex 6-2 Guidelines in mobile computing and teleworking

7. HUMAN RESOURCE SECURITY

7.1 Prior to employment

Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

7.1.1 Screening
Control: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Reference: ISMS Sub-Policies Manual /pg 7, 7.1.1
Implementation: Background verification checks on employees are carried out at the time of processing job applications. Background verification checks are in accordance with relevant laws. Final candidates complete pre-employment screening prior to being employed.

7.1.2 Terms and conditions of employment
Control: The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security.
Reference: ISMS Sub-Policies Manual /pg 7, 7.1.2
Implementation: For all regular employees, employment includes compliance with the Information Security policies. All non-regular employees are required to submit a signed PGC-ITD Non-Disclosure Agreement.

7.2 During employment

Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

7.2.1 Management responsibilities
Control: Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.
Reference: ISMS Sub-Policies Manual /pg 8, 7.2.1
Implementation: (partly illegible in the scan) ... security policy and all other similar policies.

7.2.2 Information security awareness, education and training
Control: All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
Implementation: (partly illegible in the scan) ... are adequately trained in procedures and correct use of IT facilities and information security concepts.

7.2.3 Disciplinary process
Control: There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
Reference: ISMS Sub-Policies Manual /pg 8, 7.2.3
Implementation: Violations of information security policies are appropriately dealt with through a formal disciplinary process.

7.3 Termination and change of employment

Objective: To protect the organization's interests as part of the process of changing or terminating employment.

7.3.1 Termination or change of employment responsibilities
Control: Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned.
Reference: ISMS Sub-Policies Manual /pg 9, 7.3.1
Implementation: HR immediately notifies the ITD Manager on all resigned/retired/terminated employees for the immediate revocation of their access rights. Employees with a predetermined end-of-contract date have their access rights revoked accordingly.

References:
• Annex 7-1 Training guidelines [pg 60]
• PGC-ITD Code of Conduct
8. ASSET MANAGEMENT

8.1 Responsibility for assets

Objective: To identify organizational assets and define appropriate protection responsibilities.

8.1.1 Inventory of assets
Control: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
Reference: ISMS Sub-Policies Manual /pg 10
References: • Annex 8-1 Asset management guidelines [pg 66]

8.1.2 Ownership of assets
Control: Assets maintained in the inventory shall be owned.
Reference: ISMS Sub-Policies Manual /pg 10, 8.1.2
Implementation: It is by default that the process owner is also the nominated asset owner of the particular asset used by the process.
References: • Annex 8-1 Asset Management Guidelines [pg 66]

8.1.3 Acceptable use of assets
Control: Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.
Reference: ISMS Sub-Policies Manual /pg 10
References: • Acceptable use of Assets Guidelines

8.1.4 Return of assets
Control: All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.
Reference: ISMS Sub-Policies Manual /pg 10, 8.1.4
Implementation: Employees and 3rd-party employees are required to return all the company assets in their possession upon termination of their employment or agreement.

8.2 Information classification

Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

8.2.1 Classification guidelines
Control: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
Reference: ISMS Sub-Policies Manual /pg 11, 8.2.1
Implementation: All PGC-ITD information assets are categorized into the following classifications:
• PUBLIC or open
• INTERNAL or proprietary
• CONFIDENTIAL or RESTRICTED
References: • Annex 8-2 Information classification guidelines [pg 69-73]

8.2.2 Information labelling and handling
Control: An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Reference: ISMS Sub-Policies Manual /pg 11, 8.2.2
References: • Data Labelling Guidelines [pg 72-73]

8.2.3 Handling of assets
Control: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Reference: ISMS Sub-Policies Manual /pg 74
References: • Annex 8-3 Information Shipping and Handling Guidelines [pg 74]

8.3 Media handling

Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

8.3.1 Management of removable media
Control: Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.
Reference: ISMS Sub-Policies Manual /pg 13, 8.3.1
References: • Annex 8-7 Removable computer media guidelines [pg 77]

8.3.2 Disposal of media
Control: Media shall be disposed of securely when no longer required, using formal procedures.
Reference: ISMS Sub-Policies Manual /pg 13, 8.3.2
References: • Annex 8-6 Equipment re-use and disposal guidelines [pg 77]

8.3.3 Physical media transfer
Control: Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.
Reference: ISMS Sub-Policies Manual /pg 34-35
References:
• Annex 8-3 Information shipping and handling guidelines [pg 74]
• Annex 8-4 Media Disposal Guidelines
• Annex 8-5 Screening of Computers and Media Guidelines [pg 76]

9. ACCESS CONTROL

9.1 Business requirements of access control

Objective: To limit access to information and information processing facilities.

9.1.1 Access control policy
Control: An access control policy shall be established, documented and reviewed based on business and information security requirements.
Reference: ISMS Sub-Policies Manual /pg 14-15, 9.1.1
References: • Annex 9-1 Access Control Guidelines [pg 78]

9.1.2 Access to networks and network services
Control: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.
Reference: ISMS Sub-Policies Manual /pg 15, 9.1.2
References: • Annex 9-1 Access Control Guidelines [pg 78]
9.2 User access management

Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

9.2.1 User registration and de-registration
Control: There shall be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.
Reference: ISMS Sub-Policies Manual /pg 16, 9.2.1

9.2.2 User access provisioning
Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.
Reference: ISMS Sub-Policies Manual /pg 16, 9.2.2

9.2.3 Management of privileged access rights
Control: The allocation and use of privileged access rights shall be restricted and controlled.
Reference: ISMS Sub-Policies Manual /pg 16, 9.2.3
References: • Annex 9-1 Guidelines for Access Control [pg 82], 3. Privileged and Service Accounts

9.2.4 Management of secret authentication information of users
Control: The allocation of secret authentication information shall be controlled through a formal management process.
Reference: ISMS Sub-Policies Manual /pg 16, User responsibilities (9.3.1)

9.2.5 Review of user access rights
Control: Asset owners shall review users' access rights at regular intervals.
Reference: ISMS Sub-Policies Manual /pg 16, 9.2.4

9.2.6 Removal or adjustment of access rights
Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
Reference: ISMS Sub-Policies Manual /pg 9, 7.3.1
References:
• Annex 7-1 Training guidelines [pg 65]
• PGC-ITD Code of Conduct

9.3 User responsibilities

Objective: To prevent unauthorized access to systems and applications.

9.3.1 Use of secret authentication information
Control: Users shall be required to follow the organization's practices in the use of secret authentication information.
Reference: ISMS Sub-Policies Manual /pg 16, 9.3.1

9.4 System and application access control

Objective: To prevent unauthorized access to systems and applications.

9.4.1 Information access restriction
Control: Access to information and application system functions shall be restricted in accordance with the access control policy.
Reference: ISMS Sub-Policies Manual /pg 17, 9.4.1
References: • Annex 9-1 Guidelines for Access Control [pg 78-79], 1. Managing Access to PGC-ITD Network Services: 1.1 Regular PGC-ITD Employees; 1.2 Other Individuals

9.4.2 Secure log-on procedures
Control: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.
Reference: ISMS Sub-Policies Manual /pg 17, 9.4.2
References: • Annex 9-1 Guidelines for Access Control [pg 79-82], 2. Remote Access Management: 2.1 Remote Access System Configuration; 2.2 Scope of Use; 2.3 User Management; 2.4 Logging; 2.5 Security Mechanisms

9.4.3 Password management system
Control: Password management systems shall be interactive and shall ensure quality passwords.
Reference: ISMS Sub-Policies Manual /pg 17, 9.4.3
References: • Annex 9-1 Guidelines for Access Control [pg 85-87], 8. Password Management: 8.1 Password Selection; 8.2 Initial Setting and Resetting Passwords; 8.3 Validating Manual Password Reset Requests; 8.4 Password Expiration; 8.5 Password Storage and Protection; 8.6 Password Requirements

9.4.4 Use of privileged utility programs
Control: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
Reference: ISMS Sub-Policies Manual /pg 17, 9.4.4
References: • Annex 9-1 Guidelines for Access Control [pg 82-83], 3. Privileged and Service Accounts; 4. Termination of Network Access Privileges

9.4.5 Access control to program source code
Control: Access to program source code shall be restricted.

10. CRYPTOGRAPHY

10.1 Cryptographic controls

Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

10.1.1 Policy on the use of cryptographic controls
Control: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
Reference: ISMS Sub-Policies Manual /pg 18, 10 Cryptography; ISMS Sub-Policies Manual /pg 54, 18.1.5 Regulation of cryptographic controls

10.1.2 Key management
Control: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.
Reference: ISMS Sub-Policies Manual /pg 18, 10 Cryptography

11. PHYSICAL AND ENVIRONMENTAL SECURITY

11.1 Secure areas

Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.

11.1.1 Physical security perimeter
Control: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information or information processing facilities.
Reference: ISMS Sub-Policies Manual /pg 19, 11.1.1
References: • Annex 11-1 Physical security guidelines [pg 88] (1)

11.1.2 Physical entry controls
Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
Reference: ISMS Sub-Policies Manual /pg 19, 11.1.2
References: • Annex 11-1 Physical Security guidelines [pg 89-90] (4)

11.1.3 Securing offices, rooms and facilities
Control: Physical security for offices, rooms and facilities shall be designed and applied.
Reference: ISMS Sub-Policies Manual /pg 19, 11.1.3
References:
• Annex 11-1 Physical Security guidelines [pg 91] (5)
• Annex 11-2 Physical Security Guidelines [pg 91-93]

11.1.4 Protecting against external and environmental threats
Control: Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
Reference: ISMS Sub-Policies Manual /pg 19, 11.1.4


11.1.5 Working in secure areas
Control: Procedures for working in secure areas shall be designed and applied.
Reference: ISMS Sub-Policies Manual /pg 19, 11.1.5

11.1.6 Delivery and loading areas
Reference: ISMS Sub-Policies Manual /pg 19, 11.1.6

11.2 Equipment

Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

11.2.1 Equipment siting and protection
Control: Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
Reference: ISMS Sub-Policies Manual /pg 20, 11.2.1

11.2.2 Supporting utilities
Control: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
Reference: ISMS Sub-Policies Manual /pg 20, 11.2.2

11.2.3 Cabling security
Control: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.
Reference: ISMS Sub-Policies Manual /pg 20-21, 11.2.3

11.2.4 Equipment maintenance
Control: Equipment shall be correctly maintained to ensure its continued availability and integrity.
Reference: ISMS Sub-Policies Manual /pg 21, 11.2.4

11.2.5 Removal of assets
Control: Equipment, information or software shall not be taken off-site without prior authorization.
Reference: ISMS Sub-Policies Manual /pg 21-22, 11.2.5
References:
• Mobile Computing and Tele-working Policy
• Annex 11-2 Equipment Security guidelines [pg 92-93], 4. Removal of property

11.2.6 Security of equipment and assets off-premises
Control: Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises.
Reference: ISMS Sub-Policies Manual /pg 22, 11.2.6
References:
• Asset Management Policy
• Annex 11-2 Equipment Security Guidelines [pg 92], 2. Security of equipment off-premises

11.2.7 Secure disposal or reuse of equipment
Control: All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
Reference: ISMS Sub-Policies Manual /pg 22, 11.2.7
References:
• Media Handling Policy
• Annex 11-2 Equipment Security guidelines [pg 92], 3. Secure disposal or re-use of equipment

11.2.8 Unattended user equipment
Control: Users shall ensure that unattended equipment has appropriate protection.
Reference: ISMS Sub-Policies Manual /pg 23, 11.2.8
References: • Annex 11-3 Clear Desk, Clear Screen and Unattended Equipment [pg 94], 3. Unattended Equipment

11.2.9 Clear desk and clear screen policy
Control: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.
Reference: ISMS Sub-Policies Manual /pg 23-24, 11.2.9
References: • Annex 11-3 Clear Desk, Clear Screen and Unattended User Equipment Guidelines [pg 93-94], 1. Clear Desk; 2. Clear Screen

12. OPERATIONS SECURITY

12.1 Operational procedures and responsibilities

Objective: To ensure correct and secure operations of information processing facilities.

12.1.1 Documented operating procedures
Control: Operating procedures shall be documented, maintained, and made available to all users who need them.
Reference: ISMS Sub-Policies Manual /pg 25, 12.1.1

12.1.2 Change management
Control: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.
Reference: ISMS Sub-Policies Manual /pg 25-26, 12.1.2

12.1.3 Capacity management
Control: The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.
Reference: ISMS Sub-Policies Manual /pg 26, 12.1.3

12.1.4 Separation of development, testing and operational environments
Control: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.
Reference: (illegible in the scan)

12.2 Protection from malware

Objective: To ensure that information and information processing facilities are protected against malware.

12.2.1 Controls against malware
Control: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
Reference: ISMS Sub-Policies Manual /pg 26-27
References: • Annex 12-1 Protection from Malware Guidelines [pg 95-96]

12.3 Backup

Objective: To protect against loss of data.

12.3.1 Information backup
Control: Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.
Reference: ISMS Sub-Policies Manual /pg 27, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6
Implementation: (illegible in the scan)
References: • Annex 12-2 Backup and Restore Guidelines [pg 96-97]

12.4 Logging and monitoring

Objective: To record events and generate evidence.

12.4.1 Event logging
Control: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
Reference: ISMS Sub-Policies Manual /pg 28, 12.4.1
References: • Annex 12-4 Audit Logging Guidelines [pg 97-98]

12.4.2 Protection of log information
Control: Logging facilities and log information shall be protected against tampering and unauthorized access.
Reference: ISMS Sub-Policies Manual /pg 28, 12.4.2
References: • Annex 12-4 Audit Logging Guidelines [pg 97-98]

12.4.3 Administrator and operator logs
Control: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
Reference: ISMS Sub-Policies Manual /pg 28, 12.4.3
References: (illegible in the scan)

12.4.4 Clock synchronisation
Control: The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source.
Reference: ISMS Sub-Policies Manual /pg 29, 12.4.5
References:
• Annex 12-2 Backup and recovery guidelines [pg 96-97]
• Annex 12-3 Audit logging guidelines

12.5 Control of operational software

Objective: To ensure the integrity of operational systems.

12.5.1 Installation of software on operational systems
Control: Procedures shall be implemented to control the installation of software on operational systems.
Reference: ISMS Sub-Policies Manual /pg 30, 12.5 Control of operational software

12.6 Technical vulnerability management

Objective: To prevent exploitation of technical vulnerabilities.

12.6.1 Management of technical vulnerabilities
Control: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
Reference: ISMS Sub-Policies Manual /pg 31, 12.6.1

12.6.2 Restrictions on software installation
Control: Rules governing the installation of software by users shall be established and implemented.
Reference: ISMS Sub-Policies Manual /pg 31, 12.6.2

12.7 Information systems audit considerations

Objective: To minimise the impact of audit activities on operational systems.

12.7.1 Information systems audit controls
Control: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.
Reference: ISMS Sub-Policies Manual /pg 32, 12.7.1
References:
• Information System Audit Control guidelines
• Annex 12-1 Protection from Malware Guidelines [pg 95-96]
• Annex 12-2 Backup and Restore Guidelines [pg 96-97]

13. COMMUNICATIONS SECURITY

13.1 Network security management

Objective: To ensure the protection of information in networks and its supporting information processing facilities.

13.1.1 Network controls
Control: Networks shall be managed and controlled to protect information in systems and applications.
Reference: ISMS Sub-Policies Manual /pg 33, 13.1.1

13.1.2 Security of network services
Control: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.
Reference: ISMS Sub-Policies Manual /pg 33-34, 13.1.2

13.1.3 Segregation in networks
Control: Groups of information services, users and information systems shall be segregated on networks.
Implementation: Kaseya/Active Directory

13.2 Information transfer

Objective: To maintain the security of information transferred within an organization and with any external entity.

13.2.1 Information transfer policies and procedures
Control: Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
Reference: ISMS Sub-Policies Manual /pg 34-35, 13.2.1

13.2.2 Agreements on information transfer
Control: Agreements shall address the secure transfer of business information between the organization and external parties.
Reference: ISMS Sub-Policies Manual /pg 35, 13.2.2

13.2.3 Electronic messaging
Control: Information involved in electronic messaging shall be appropriately protected.
Reference: ISMS Sub-Policies Manual /pg 35-36, 13.2.3
References: • Annex 13-2 Electronic mail guidelines [pg 103-107]

13.2.4 Confidentiality or non-disclosure agreements
Control: Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.
Reference: ISMS Sub-Policies Manual /pg 36, 13.2.4
References: • Annex 13-1 Information transfer guidelines [pg 99-102]

14. SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE

14.1 Security requirements of information systems

Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

14.1.1 Information security requirements analysis and specification
Control: The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.
Reference: ISMS Sub-Policies Manual /pg 37, 14.1.1

14.1.2 Securing application services on public networks
Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
Reference: ISMS Sub-Policies Manual /pg 37-38, 14.1.2

14.1.3 Protecting application services transactions
Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
Reference: ISMS Sub-Policies Manual /pg 38, 14.1.3

14.2 Security in development and support processes

Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.
14.2.1 Secure development policy
Control: Rules for the development of software and systems shall be established and applied to developments within the organization.
Reference: ISMS Sub-Policies Manual /pg 39, 14.2.1

14.2.2 System change control procedures
Control: Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.
Reference: ISMS Sub-Policies Manual /pg 39, 14.2.1; refer to section 12.1.2 [pg 25]

14.2.3 Technical review of applications after operating platform changes
Control: When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
Reference: ISMS Sub-Policies Manual /pg 39, 14.2.3

14.2.4 Restrictions on changes to software packages
Control: Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.
Reference: ISMS Sub-Policies Manual /pg 39, 14.2.4

14.2.5 Secure system engineering principles
Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
Reference: ISMS Sub-Policies Manual /pg 39, 14.2.5

14.2.6 Secure development environment
Control: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
Reference: ISMS Sub-Policies Manual /pg 39, 14.2.6

14.2.7 Outsourced development
Control: The organization shall supervise and monitor the activity of outsourced system development.
Reference: ISMS Sub-Policies Manual /pg 39-40, 14.2.7

14.2.8 System security testing
Control: Testing of security functionality shall be carried out during development.
Reference: ISMS Sub-Policies Manual /pg 40, 14.2.8

14.2.9 System acceptance testing
Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
Reference: ISMS Sub-Policies Manual /pg 40, 14.2.9

14.3 Test data

Objective: To ensure the protection of data used for testing.

14.3.1 Protection of test data
Control: Test data shall be selected carefully, protected and controlled.
Reference: ISMS Sub-Policies Manual /pg 40, 14.3

15. SUPPLIER RELATIONSHIPS

15.1 Information security in supplier relationships

Objective: To ensure protection of the organization's assets that is accessible by suppliers.

15.1.1 Information security policy for supplier relationships
Control: Information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented.
Reference: ISMS Sub-Policies Manual /pg 41, 15.1.1

15.1.2 Addressing security within supplier agreements
Control: All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information.
Reference: ISMS Sub-Policies Manual /pg 41-45, 15.1.2
References: • 9.1.1 Access control policy [pg 14]

15.1.3 Information and communication technology supply chain
Control: Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.
Reference: ISMS Sub-Policies Manual /pg 45, 15.1.3

15.2 Supplier service delivery management

Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

15.2.1 Monitoring and review of supplier services
Control: Organizations shall regularly monitor, review and audit supplier service delivery.
Reference: ISMS Sub-Policies Manual /pg 46, 15.2.1

15.2.2 Managing changes to supplier services
Control: Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.
Reference: ISMS Sub-Policies Manual /pg 46, 15.2.2

16. INFORMATION SECURITY INCIDENT MANAGEMENT

16.1 Management of information security incidents and improvements

Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

16.1.1 Responsibilities and procedures
Control: Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
Reference: ISMS Sub-Policies Manual /pg 47, 16.1.1

16.1.2 Reporting information security events
Control: Information security events shall be reported through appropriate management channels as quickly as possible.
Reference: ISMS Sub-Policies Manual /pg 47, 16.1.2
Implementation: Document used: Incident Report form

16.1.3 Reporting information security weaknesses
Control: Employees and contractors using the organization's information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.
Reference: ISMS Sub-Policies Manual /pg 47, 16.1.3

16.1.4 Assessment of and decision on information security events
Control: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.
Reference: ISMS Sub-Policies Manual /pg 47, 16.1.4

16.1.5 Response to information security incidents
Control: Information security incidents shall be responded to in accordance with the documented procedures.
Applicable: Yes
Reference: ISMS Sub-Policies Manual /pg 48, 16.1.4

16.1.6 Learning from information security incidents
Control: Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.
Applicable: Yes
Reference: ISSP/APP

16.1.7 Collection of evidence
Control: The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.
Applicable: Yes
Reference: ISMS Sub-Policies Manual /pg 48, 16.1.5

7.INFORMAT10N SECURITY ASPECTS OF BUSINESS CONTINUITY

Information security continuity

Objective: Information security continuity shall be embedded in the organization's business continuity
management systems.

17.1.1 Planning information security continuity
The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
Reference: ISMS Sub-Policies Manual / PG 49-50 / 17.1.1.

17.1.2 Implementing information security continuity
The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
Reference: ISMS Sub-Policies Manual / PG 50-51 / 17.1.2.

17.1.3 Verify, review and evaluate information security continuity
The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
Reference: ISMS Sub-Policies Manual / PG 52 / 17.1.3.

17.2 Redundancies

Objective: To ensure availability of information processing facilities.

17.2.1 Availability of information processing facilities
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
Reference: ISMS Sub-Policies Manual / PG 52 / 17.2.1.

18. COMPLIANCE

18.1 Compliance with legal and contractual requirements

Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

18.1.1 Identification of applicable legislation and contractual requirements
All relevant legislative, statutory, regulatory and contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.
Applicable: Yes. Reference: ISMS Sub-Policies Manual / PG 53 / 18.1.1.

18.1.2 Intellectual property rights
Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.
Applicable: Yes. Reference: ISMS Sub-Policies Manual / PG 53.

18.1.3 Protection of records
Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.
Applicable: Yes. Reference: ISMS Sub-Policies Manual / PG 53 / 18.1.3.

18.1.4 Privacy and protection of personally identifiable information
Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
Applicable: Yes. Reference: ISMS Sub-Policies Manual / PG 53-54.

18.1.5 Regulation of cryptographic controls
Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
Reference: ISMS Sub-Policies Manual / PG 54 / 18.1.5.

18.2 Information security reviews

Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

18.2.1 Independent review of information security
The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.
Reference: ISMS Sub-Policies Manual / PG 55 / 18.2.1.

18.2.2 Compliance with security policies and standards
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
Reference: ISMS Sub-Policies Manual / PG 55 / 18.2.2.
References:
- Annex 18-1 Personal information protection [PG 108]
- Annex 18-2 Prevention of misuse of information facilities [PG 108-109]
- Annex 18-3 Information system audit control guidelines [PG 109]
- Annex 18-4 Intellectual property rights guidelines [PG 109-110]

18.2.3 Technical compliance review
Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.
Reference: ISMS Sub-Policies Manual / PG 55-56 / 18.2.3.

Legend
1. TSE - to some extent
