[Organization logo]
[Organization name]

STATEMENT OF APPLICABILITY

Version:
Date of version:
Created by:
Approved by:
Confidentiality level:

Change history

Date | Version | Created by | Description of change
 | 0.1 | 27001Academy | Basic document outline

Table of contents

1. PURPOSE, SCOPE AND USERS
2. REFERENCE DOCUMENTS
3. APPLICABILITY OF CONTROLS
4. ACCEPTANCE OF RESIDUAL RISKS
5. VALIDITY AND DOCUMENT MANAGEMENT

1. Purpose, scope and users

The purpose of this document is to define which controls are appropriate to be implemented in [organization name], the objectives of these controls and how they are implemented, as well as to approve residual risks and formally approve the implementation of said controls.

This document includes all controls listed in Annex A of the ISO 27001 standard. Controls are applicable to the entire Information Security Management System (ISMS) scope.

Users of this document are all employees of [organization name] who have a role in the ISMS.

2. Reference documents

• ISO/IEC 27001 standard, clause 6.1.3 d)
• Information Security Policy
• Risk Assessment and Risk Treatment Methodology
• Risk Assessment and Risk Treatment Report

3. Applicability of controls

The following controls from ISO 27001 Annex A are applicable:

[Table of Annex A controls. Only the entries below are legible in this copy; the column headings, the remaining rows and the rest of each row did not survive extraction.]

A.5 Information security policies
A.5.1 Management direction for information security
A.5.1.2 Review of the policies for information security (Each policy has a designated …)
A.6.1 Internal organization
A.6.1.1 Information security roles and responsibilities (Responsibilities for information … listed in various ISMS documents …)
A.6.1.4 Contact with special interest groups
A.6.2 Mobile devices and teleworking
A.6.2.1 Mobile device policy
A.7.1 Prior to employment
A.7.1.1 Screening
A.7.2 During employment
A.7.2.1 Management responsibilities
A.7.3 Termination and change of employment
A.8 Asset management
A.8.1 Responsibility for assets
A.8.1.1 Inventory of assets ([Inventory of Assets])
A.8.1.2 Ownership of assets
A.8.1.3 Acceptable use of assets ([IT Security Policy])
A.8.2 Information classification
A.8.2.2 … ([Information Classification Policy])
A.8.2.3 Handling of assets
A.8.3 Media handling
A.8.3.1 Management of removable media ([Information Classification Policy])
A.8.3.3 Physical media transfer ([Information Classification Policy])
A.9 Access control
A.9.1 Business requirements of access control
A.9.1.2 Access to networks and network services ([Access Control Policy])
A.9.2 User access management

4. Acceptance of residual risks

Since not all risks could be reduced in the risk management process, all residual risks are hereby accepted.

5. Validity and document management

This document is valid as of [date].

The owner of this document is [job title], who must check and, if necessary, update the document at least once a year, and immediately after risk assessment review and updates to the Risk Assessment Table and Risk Treatment Table.

When evaluating the effectiveness and adequacy of this document, the following criteria must be considered
