
ISO 27001:2013

Internal

Version 1.00

February 17, 2021

By

Raul Bernardino
Table of contents
1. Document Control
2. Abstract
3. Purpose, scope, and users
4. Reference documents
5. Applicability of Clauses
6. Applicability of Controls

© ISO27K1-RB
Internal
Document Approver(s) and Reviewer(s):
NOTE: All Approvers are required. Records of each approver must be maintained. All Reviewers in the
list are considered required unless explicitly listed as Optional.

1. Document Control

Document Ownership: ISO27K1-RB
Master Document: ISMS team
Location:
Created by: RB/ISMS Team
Reviewed by: RB/ISMS Team
Approved by:
Confidentiality level: Internal

Change history
Date | Version | Description of change
February 17, 2021 | 1.00 | ISO 27001:2013 ISMS, created by RB

2. Abstract
Indonesia's financial technology and digital asset markets are at a crossroads. Start-up businesses struggle to implement ISO 27001:2013, the information security management system standard, to secure and protect their customers' information, while their operating budget has to be spent wisely on daily operations to remain sustainable and competitive. They have focused on reaching more customers and markets rather than on securing their information systems.

3. Purpose, scope, and users

The purpose of this document is to define which controls are appropriate to implement in the institution, the objectives of these controls and how they are implemented, as well as to approve the residual risks and formally approve the implementation of said controls.

This document includes all controls listed in Annex A of the ISO/IEC 27001:2013 standard. The controls are applicable to the entire Information Security Management System (ISMS) scope.

Users of this document are all employees of STIKOM who have a role in the ISMS.

4. Reference documents
● ISO/IEC 27001:2013 standard, clause 6.1.3 d)
● Information Security Policy
● Regulation of the Minister of Communication and Information Technology Number 04 of 2016 on Information Security Management Systems
  o Chapter 3, Article 7, Paragraph 1: the use of the ISO/IEC 27001 standard for information security
  o Chapter 3, Article 7, Paragraph 2: the use of the ISO/IEC 27001 standard for implementation of the information system (electronic system)
● Regulation of the Minister of Communication and Information Technology Number 20 of 2016 on Protection of Personal Data in Electronic Systems
  o Chapter 1, Article 2, Paragraph 1: privacy data protection
  o Chapter 2, Article 3, Paragraphs a to e: data gathered, processed, analyzed, stored, and transmitted has to be protected

5. Applicability of Clauses

Clause | Objective | Implementation method

4 Context of the organisation
4.1 Organisational context
  Objective: Determine the organization's ISMS objectives and any internal or external issues that might affect its effectiveness.
  Implementation method: Organization context document (internal and external issues, and objectives).
4.2 Interested parties
  4.2 (a) Objective: Identify interested parties, including applicable laws, regulations, contracts, etc.
  Implementation method: Interested parties document.
  4.2 (b) Objective: Determine their information security-relevant requirements and obligations.
  Implementation method: Interested parties document.
4.3 ISMS scope
  Objective: Determine and document the ISMS scope.
  Implementation method: ISMS Scope document.
4.4 ISMS
  Objective: Establish, implement, maintain and continually improve an ISMS according to the standard.
  Implementation method: ISMS statement and objectives document.

5 Leadership
5.1 Leadership and commitment
  Objective: Top management must demonstrate leadership and commitment to the ISMS.
  Implementation method: Management commitment and support.
5.2 Policy
  Objective: Document the information security policy.
  Implementation method: Information Security Policy document.
5.3 Organizational roles, responsibilities and authorities
  Objective: Assign and communicate information security roles and responsibilities.
  Implementation method: RASCI Matrix document.

6 Planning
6.1 Actions to address risks and opportunities
  6.1.1 Objective: Design/plan the ISMS to satisfy the requirements, addressing risks and opportunities.
  Implementation method: Risk Assessment and Methodology document.
  6.1.2 Objective: Define and apply an information security risk assessment process.
  Implementation method: Risk Assessment and Methodology document.
  6.1.3 Objective: Document and apply an information security risk treatment process.
  Implementation method: Risk Treatment Plan.
6.2 Information security objectives and plans
  Objective: Establish and document the information security objectives and plans.
  Implementation method: IS objectives and plans document.

7 Support
7.1 Resources
  Objective: Determine and allocate the resources necessary for the ISMS.
  Implementation method: Management support and adequate resources.
7.2 Competence
  Objective: Determine, document and make available the necessary competences.
  Implementation method: All staff have the required competences.
7.3 Awareness
  Objective: Establish a security awareness program.
  Implementation method: All staff attend the information security awareness training.
7.4 Communication
  Objective: Determine the need for internal and external communications relevant to the ISMS.
  Implementation method: All implemented documents are socialized to staff.
7.5 Documented information
  7.5.1 Objective: Provide the documentation required by the standard plus that required by the organization.
  Implementation method: Document control policy document.
  7.5.2 Objective: Provide document titles, authors, etc., format documents consistently, and review and approve them.
  Implementation method: Document control policy document.
  7.5.3 Objective: Control the documentation properly.
  Implementation method: Document control policy document.

8 Operation
8.1 Operational planning and control
  Objective: Plan, implement, control and document ISMS processes to manage risks (i.e. a risk treatment plan).
  Implementation method: Risk Assessment and Methodology document.
8.2 Information security risk assessment
  Objective: (Re)assess and document information security risks regularly and on changes.
  Implementation method: Risk Assessment and Methodology document.
8.3 Information security risk treatment
  Objective: Implement the risk treatment plan (treat the risks) and document the results.
  Implementation method: Risk Treatment Plan.

9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
  Objective: Monitor, measure, analyze and evaluate the ISMS and the controls.
  Implementation method: Internal auditor policy; staff KPIs; vendor evaluation.
9.2 Internal audit
  Objective: Plan and conduct internal audits of the ISMS.
  Implementation method: Internal audit plan, criteria, checklist, report, and program.
9.3 Management review
  Objective: Undertake regular management reviews of the ISMS.
  Implementation method: Management review document.

10 Improvement
10.1 Nonconformity and corrective action
  Objective: Identify, fix and take action to prevent recurrence of nonconformities, documenting the actions.
  Implementation method: Perform corrective action on internal and external audit findings.
10.2 Continual improvement
  Objective: Continually improve the ISMS.
  Implementation method: Continual commitment to improvement.

6. Applicability of Controls
The following controls from ISO/IEC 27001:2013 Annex A are applicable. Each entry lists the control ID and name, whether it is applied (YES, or YES/NO where applicability is partial or depends on the cloud service provider), the justification, the control objective, and the implementation method.

A.5 Information Security (IS) Policy | Applied: YES
  Justification: Developed and established the IS Policy.
  Objective: To secure and protect the confidentiality, integrity and availability (CIA) of information assets.
  Implementation method: Disseminate the information security policy to all staff. All staff receive an induction from the ISMS Team on how to use this policy and protect the information assets in their respective departments.

A.5.1 Management Direction for Information Security | Applied: YES
  Justification: Management commitment and support for resource allocation, and guidance for the ISMS team to continually improve information security.
  Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
  Implementation method: Management allocated proper resources for the ISMS Team.

A.5.1.1 Policies for information security | Applied: YES
  Justification: Approved and implemented policy and procedure.
  Objective: To provide guidance to IT, the ISMS team, and IT users to secure information assets in terms of confidentiality, integrity, and availability, and to keep business processes in line with relevant laws and regulations.
  Implementation method: Assessed the country's IT laws and regulations; drafted, reviewed, approved and implemented the institution's Information Security Policy.

A.5.1.2 Review of the policies for information security | Applied: YES
  Justification: The ISMS Team, Internal Audit (IA), and management have to review all company policies and procedures.
  Objective: To verify that all policies and procedures are in line with the business processes.
  Implementation method: Set up the ISMS Team, the designated IA plan and program, and the Management Review Meeting.

A.6 Organization of information security | Applied: YES
  Justification: Created the ISMS Team in the organization.
  Objective: To manage and organize the implementation of the ISMS in the organization.
  Implementation method: Established the ISMS Team organization chart.

A.6.1 Internal Organization | Applied: YES
  Justification: Established and appointed the ISMS Team.
  Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
  Implementation method: Established the ISMS Team roles and responsibilities.

A.6.1.1 Information security roles and responsibilities | Applied: YES
  Justification: Employees hold security awareness certification and the Internal Auditors are certified; all company employees and vendors are aware that information security is everyone's responsibility.
  Objective: To establish the ISMS team and to implement management's decision that everyone contributes to information security.
  Implementation method: Employees and vendors attended the security awareness training; Internal Auditors attended the course and passed the examination; management reviews the IA findings; the PIC analyses the root cause and corrects the nonconformities.

A.6.1.2 Segregation of duties | Applied: YES
  Justification: Employees have clear job descriptions and designated offices; unauthorized persons cannot gain access; guests are accompanied by employees and stay in the designated area.
  Objective: To ensure that duties and areas of responsibility are segregated in order to minimize unauthorized or unintentional misuse of the organization's assets.
  Implementation method: All employees are trained to be vigilant and alert, and to question guests who are not accompanied by an employee; staff are well informed about the classification of information.

A.6.1.3 Contact with authorities | Applied: YES
  Justification: The company has appropriate contacts and an updated contact list.
  Objective: To maintain appropriate and up-to-date contacts with the relevant authorities.
  Implementation method: Contacts with authorities are documented within Business Continuity. IT, HR, Finance, and OPS also maintain this contact list.

A.6.1.4 Contact with special interest groups | Applied: YES
  Justification: Updating and maintaining the contact numbers of all relevant interest parties.
  Objective: To maintain an appropriate, up-to-date and relevant interest group contact list.
  Implementation method: The Administrator, Customer Service and Tech teams are responsible for monitoring the overall interest group contact lists and security group forums. Each PIC keeps their own interest group contact list.

A.6.1.5 Information security in project management | Applied: YES
  Justification: The ISMS implementation and the certification audit processes are in progress.
  Objective: To ensure the information security implementation is managed as a project.
  Implementation method: The ISMS team executes the ISMS on a project basis.

A.6.2 Mobile devices and teleworking | Applied: YES
  Justification: All staff are aware that the use of mobile devices on public networks must follow the IT Security Policy.
  Objective: To ensure the security of teleworking and the use of mobile devices.
  Implementation method: Staff attend the induction and the information security awareness training.

A.6.2.1 Mobile device policy | Applied: YES
  Justification: All mobile devices (BYOD) are on a separate network; a BYOD device that needs to connect to the office network requires a signed waiver.
  Objective: To ensure the policy is implemented.
  Implementation method: BYOD is implemented under the Mobile and Teleworking Policy.

A.6.2.2 Teleworking | Applied: YES
  Justification: Although applications are developed internally, the designated team sometimes works from public areas or from home. Their IP addresses are whitelisted before they connect back to the server.
  Objective: To ensure teleworking is secure when processing, storing, and transmitting information assets.
  Implementation method: Request IP whitelisting; determine the access time window and number of hours; log the activities. References: Information Security Policy; Mobile and Teleworking Policy.

A.7 Human resource security | Applied: YES
  Justification: Established the HR Security Policy.
  Objective: To ensure staff are well equipped; the processes for newly recruited staff are implemented within the HR Security Policy.
  Implementation method: Established and implemented the HR Security Policy.

A.7.1 Prior to employment | Applied: YES
  Justification: The Human Capital Team performs according to the HR Security Policy.
  Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
  Implementation method: The Human Capital Department is consistent in implementing the HR Security Policy.

A.7.1.1 Screening | Applied: YES
  Justification: The Human Capital team performs ad hoc background checks on employees and contractors.
  Objective: To ensure all newly recruited employees have passed a background check.
  Implementation method: Follow the reference in the Human Resource Security Policy.

A.7.1.2 Terms and conditions of employment | Applied: YES
  Justification: All employees have signed contracts or confidentiality agreements.
  Objective: To ensure that an NDA is included in every contract.
  Implementation method: Follow the Employee Recruitment process in the Human Resource Policy.

A.7.2 During employment | Applied: YES
  Justification: All employees and contractors have attended IS awareness training.
  Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.
  Implementation method: Human Capital inducts new policies, plans IS awareness training for new staff, and evaluates staff.

A.7.2.1 Management responsibilities | Applied: YES
  Justification: Management ensures all employees and contractors are bound by information security requirements.
  Objective: To ensure information security is applied to all employees and contractors.
  Implementation method: All policies and procedures are well documented and disseminated to all employees and contractors.

A.7.2.2 Information security awareness, education, and training | Applied: YES
  Justification: The risks associated with the interested parties (customers, founders, employees, and third parties for outsourcing) are assessed, and employees and contractors are educated to comply with company regulations and policies.
  Objective: To ensure all new employees are properly inducted and attend the security awareness training.
  Implementation method: Human Resource Security Policy.

A.7.2.3 Disciplinary process | Applied: YES
  Justification: There shall be a formal disciplinary process for employees who have committed a security breach.
  Objective: To ensure employees comply with all policies, especially those related to information security.
  Implementation method: Follow company policy and regulations; contracts are evaluated periodically; Human Resource Security Policy.

A.7.3 Termination and change of employment | Applied: YES
  Justification: Established the exit interview policy.
  Objective: To protect the organization's interests as part of the process of changing or terminating employment.
  Implementation method: Human Capital conducts the exit interview and the resigning person signs an NDA.

A.7.3.1 Termination or change of employment responsibilities | Applied: YES
  Justification: Resigning employees are required to sign an exit NDA during the off-boarding process. This NDA remains in force for the next five (5) years.
  Objective: To ensure contracts are terminated properly and that the exit forms and NDAs are in order.
  Implementation method: Follow the Human Resource Security Policy.

A.8 Asset Management | Applied: YES
  Justification: The ISMS Team established the Information Assets Policy.
  Objective: To ensure all business processes and information are inventoried.
  Implementation method: The ISMS Team implements the Information Assets Policy.

A.8.1 Responsibility for assets | Applied: YES
  Justification: The ISMS Team and Finance team identified and registered the information assets according to the Information Assets Policy.
  Objective: To identify organizational assets and define appropriate protection responsibilities.
  Implementation method: Follow the Information Assets Policy.

A.8.1.1 Inventory of assets | Applied: YES
  Justification: All assets are registered.
  Objective: To ensure the inventory of all company information assets is kept up to date and maintained.
  Implementation method: Follow the Information Asset Management Policy.

A.8.1.2 Ownership of assets | Applied: YES
  Justification: The reviewed document for maintaining the asset allocation list and property (inventory) numbers.
  Objective: To ensure all information assets have an owner.
  Implementation method: Follow the Information Asset Management Policy.

A.8.1.3 Acceptable use of assets | Applied: YES
  Justification: Employees accept responsibility for the assets as media for processing, storing, and transmitting data and information whose confidentiality, integrity and availability must be maintained.
  Objective: To ensure the rules for information assets and processing are notified, documented, and implemented.
  Implementation method: Apply the administrator right waivers, the checklist, the service desk list and forms; follow the Asset Management Policy.

A.8.1.4 Return of assets | Applied: YES
  Justification: All assets are returned on the last day of employment, and the exit form is signed.
  Objective: To ensure all company assets are returned on the last day of employment.
  Implementation method: Follow the Asset Management Policy.

A.8.2 Information classification | Applied: YES
  Justification: The ISMS team established the information classification scheme.
  Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
  Implementation method: The ISMS Team implements information asset classification and labelling.

A.8.2.1 Classification of information | Applied: YES
  Justification: Information assets are classified as Secret, Restricted, Confidential, Internal Use Only, and Public.
  Objective: To ensure all company information assets are classified.
  Implementation method: Follow the Information Asset Management Policy (Pol.#: Asset Management Policy).

A.8.2.2 Labelling of information | Applied: YES
  Justification: Information assets are labelled Secret, Restricted, Confidential, Internal Use Only, or Public/Open.
  Objective: To ensure all information assets are labelled.
  Implementation method: Follow the Information Asset Management Policy.

A.8.2.3 Handling of assets | Applied: YES
  Justification: Information assets are handled properly in order to safeguard their confidentiality, integrity and availability.
  Objective: To ensure the asset handling procedures are implemented.
  Implementation method: Follow the Information Asset Management Policy.

A.8.3 Media handling | Applied: YES
  Justification: The ISMS team established the Media Handling procedure.
  Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.
  Implementation method: Follow the Media Handling procedure.

A.8.3.1 Management of removable media | Applied: YES/NO
  Justification: All removable media are handled according to the information classification and the Assets and Media Removal procedure.
  Objective: To ensure media are removed properly.
  Implementation method: All core media reside on the cloud provider's premises.

A.8.3.2 Disposal of media | Applied: YES
  Justification: All media are disposed of according to the Assets and Media Removal procedure.
  Objective: To ensure media are disposed of properly.
  Implementation method: Follow the Information Asset Management Policy.

A.8.3.3 Physical media transfer | Applied: YES/NO
  Justification: All servers are on the Ali-Cloud premises; however, laptops are physically mobile and need to be secured (media transfers).
  Objective: To ensure all media containing information are protected against unauthorized access, misuse or corruption during transportation.
  Implementation method: The institution does not perform physical media transfers; all servers are with the CSP.

A.9 Access Control | Applied: YES
  Justification: The ISMS Team established the Access Control Policy.
  Objective: To ensure all information assets are protected and only staff or persons with the corresponding access rights can access them.
  Implementation method: The ISMS Team implements and follows the established policy.

A.9.1 Business requirements of access control | Applied: YES
  Justification: The ISMS Team follows the established Access Control Policy to create, disable, and change access.
  Objective: To limit access to information and information processing facilities.
  Implementation method: Follow the Access Control Policy.

A.9.1.1 Access control policy | Applied: YES
  Justification: Employees' and contractors' access is controlled.
  Objective: To ensure the Access Control Policy is established and followed.
  Implementation method: Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.

A.9.1.2 Access to networks and network services | Applied: YES
  Justification: Employees' and contractors' access is controlled.
  Objective: To ensure all employees are on their designated networks.
  Implementation method: Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.

A.9.2 User access management | Applied: YES
  Justification: The ISMS Team established the user access matrix.
  Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.
  Implementation method: Follow the user access matrix and the Access Control Policy.

A.9.2.1 User registration and de-registration | Applied: YES
  Justification: All user accounts are created and de-registered properly; e.g. a resigning staff member's accounts are disabled at the time he or she resigns.
  Objective: To ensure all account registration and re-registration is handled properly.
  Implementation method: Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.

A.9.2.2 User access provisioning | Applied: YES
  Justification: All new employees and contractors have a 3-month provisioning period.
  Objective: To ensure all new employees follow the procedures.
  Implementation method: Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.

A.9.2.3 Management of privileged access rights | Applied: YES
  Justification: All user accounts are created based on job functions and credentials in the 'Forest Application'.
  Objective: To ensure all user access is privilege-based, restricted, and controlled.
  Implementation method: Follow the Access Control Policy, combined with the Office Access Control.

A.9.2.4 Management of secret authentication information of users | Applied: YES
  Justification: All user accounts are created based on job functions and credentials.
  Objective: To ensure all system users have a credential and secret authentication information.
  Implementation method: Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.

A.9.2.5 Review of user access rights | Applied: YES
  Justification: System users change their passwords periodically. The Tech team and HR review users' access rights at regular intervals.
  Objective: To ensure system users' passwords are changed periodically and access rights are reviewed at regular intervals.
  Implementation method: Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.

A.9.2.6 Removal or adjustment of access rights | Applied: YES
  Justification: All system users' access is controlled on resignation and on reassignment to a different department.
  Objective: To ensure the accounts of all terminated contracts are removed or disabled.
  Implementation method: Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.
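The periodic access review in A.9.2.5 (Tech team and HR review access rights at regular intervals) and the leaver and mover handling in A.9.2.6 can be made repeatable with a reconciliation check between the HR roster and an export of the account store. The Python below is an added example for this document and is not code from the institution or from the original page: the HR records, the account export, the department-to-group mapping (ALLOWED_GROUPS) and the review date are constructed sample data, and all field names are assumptions.

```python
"""Reconcile active accounts against the HR roster (added example; constructed data)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    department: str
    end_date: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    groups: frozenset  # access groups granted in the account store


@dataclass(frozen=True)
class Finding:
    user_id: str
    kind: str  # "orphan-account" | "leaver-still-enabled" | "mover-stale-group"
    detail: str


# Assumed department-to-allowed-groups mapping (hypothetical names, not from the document).
ALLOWED_GROUPS = {
    "finance": frozenset({"finance-readonly", "erp-user"}),
    "tech": frozenset({"prod-admin", "gitlab-dev"}),
    "hr": frozenset({"hris-user"}),
}


def review_access(hr: Iterable[HrRecord], accounts: Iterable[Account],
                  today: date) -> list[Finding]:
    """Return one Finding per account that should be disabled or trimmed.

    Checks, in order: an account with no HR record (orphan), an enabled account
    of a leaver whose end date has passed, and an enabled account of a mover
    that still holds groups outside its current department's allowed set.
    Accounts that are already disabled produce no leaver/mover finding.
    """
    hr_by_id = {r.user_id: r for r in hr}
    findings: list[Finding] = []
    for acct in accounts:
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            findings.append(Finding(acct.user_id, "orphan-account", "no HR record"))
            continue
        if not acct.enabled:
            continue  # already disabled; nothing to do
        if rec.end_date is not None and rec.end_date <= today:
            findings.append(Finding(acct.user_id, "leaver-still-enabled",
                                    f"end date {rec.end_date.isoformat()}"))
            continue
        stale = acct.groups - ALLOWED_GROUPS.get(rec.department, frozenset())
        if stale:
            findings.append(Finding(acct.user_id, "mover-stale-group",
                                    ",".join(sorted(stale))))
    return findings


# Constructed sample roster and account export (not real data).
SAMPLE_HR = [
    HrRecord("alice", "finance", None),
    HrRecord("bob", "tech", date(2021, 1, 31)),   # resigned, account not yet disabled
    HrRecord("carol", "finance", None),           # moved from tech to finance
    HrRecord("erin", "hr", date(2021, 1, 15)),    # resigned, account already disabled
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, frozenset({"finance-readonly"})),
    Account("bob", True, frozenset({"prod-admin"})),
    Account("carol", True, frozenset({"finance-readonly", "prod-admin"})),
    Account("dave", True, frozenset({"gitlab-dev"})),  # no HR record at all
    Account("erin", False, frozenset({"hris-user"})),
]
REVIEW_DATE = date(2021, 2, 17)


def sample_findings() -> list[Finding]:
    """Run the review over the constructed sample data."""
    return review_access(SAMPLE_HR, SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.kind:22} {f.user_id:8} {f.detail}")
```

Run as a scheduled job, the findings list is the evidence an auditor asks for under A.9.2.5; each finding should be closed either by disabling the account (leaver, orphan) or by removing the stale groups (mover), and a second run with an empty result confirms the correction.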

A.9.3 User responsibilities | Applied: YES
  Justification: Users are trained not to share their credentials.
  Objective: To make users accountable for safeguarding their authentication information.
  Implementation method: Employees and contractors attended the IS awareness training and the induction on how to apply the policy.

A.9.3.1 Use of secret authentication information | Applied: YES
  Justification: System users are aware that the credentials they use to access the system are their own responsibility and that they must keep them secret.
  Objective: To ensure all system users keep their credentials secret.
  Implementation method: Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.

A.9.4 System and application access control | Applied: YES
  Justification: All systems and applications have proper authentication.
  Objective: To prevent unauthorized access to systems and applications.
  Implementation method: All employees and contractors use credentials to access systems and applications.

A.9.4.1 Information access restriction | Applied: YES
  Justification: Employees are well trained.
  Objective: Access to information and application system functions is restricted.
  Implementation method: Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.

A.9.4.2 Secure log-on procedures | Applied: YES
  Justification: All employees are informed that they must secure the accepted or assigned media at all times.
  Objective: To ensure all access is controlled by a secure log-on procedure.
  Implementation method: Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.

A.9.4.3 Password management system | Applied: YES
  Justification: Passwords are well managed.
  Objective: Users' password settings are proper and manageable.
  Implementation method: Follow the Password Management Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.

A.9.4.4 Use of privileged utility programs | Applied: YES
  Justification: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
  Objective: To ensure authorized user access and to prevent unauthorized access to information systems.
  Implementation method: Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.

A.9.4.5 Access control to program source code | Applied: YES
  Justification: The source code is protected and access to it is restricted.
  Objective: To ensure all source code is protected.
  Implementation method: Follow the Access Control Policy and the Ali-Cloud terms and contract, combined with the Office Access Control.

A.10 Cryptography | Applied: YES
  Justification: SSL/TLS is implemented on the web application.
  Objective: To protect the integrity, confidentiality, and authenticity of information.
  Implementation method: Follow the Cryptography Policy.

A.10.1 Cryptographic controls | Applied: YES
  Justification: The web applications are protected with SSL/TLS.
  Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
  Implementation method: The ISMS Team follows the Cryptography Policy.

A.10.1.1 Policy on the use of cryptographic controls | Applied: YES
  Justification: SSL/TLS is implemented to encrypt traffic to the web application, and two-factor authentication protects access to the other resources on the Ali-Cloud.
  Objective: To ensure all information flows and processing are protected.
  Implementation method: .id has an active SSL/TLS certificate, and employees and customers use two-factor authentication; follow the Data Encryption Standard Policy.

A.10.1.2 Key management | Applied: YES/NO
  Justification: SSL/TLS is implemented to encrypt traffic to the web application, and two-factor authentication protects access to the other resources on the Ali-Cloud.
  Objective: To ensure that the protection and lifetime of cryptographic keys are defined and implemented through their whole lifecycle.
  Implementation method: The institution does not itself generate or rotate keys.

A.11 Physical and environmental security | Applied: YES
  Justification: Developed the Physical Security Policy.
  Objective: To ensure physical and environmental security.
  Implementation method: Follow the Physical Security Policy.

A.11.1 Secure areas | Applied: YES
  Justification: The ISMS Team and staff are well trained to protect physical and environmental security.
  Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.
  Implementation method: Follow the Physical Security Policy.

A.11.1.1 Physical security perimeter | Applied: YES
  Justification: .id is hosted on the leased Ali-Cloud platform; therefore, all physical security perimeters are under the cloud provider's controls.
  Objective: To ensure security perimeters are defined and used to protect areas that contain either sensitive or critical information and information processing facilities.
  Implementation method: Follow the Physical Security Policy.

A.11.1.2 Physical entry controls | Applied: YES
  Justification: .id is hosted on the leased Ali-Cloud platform; therefore, all physical security perimeters are under the cloud provider's controls.
  Objective: To ensure secure areas are protected by appropriate entry controls so that only authorized personnel are allowed access.
  Implementation method: Follow the Physical Security Policy.

A.11.1.3 Securing offices, rooms, and facilities | Applied: YES
  Justification: Doors are locked, and CCTV covers the entrance, the safety box, the finance room, and HCD.
  Objective: To ensure all employees have a PIN code to access the office and facilities.
  Implementation method: Follow the Physical Security Policy.

A.11.1.4 Protecting against external and environmental threats | Applied: YES
  Justification: .id is hosted on the leased Ali-Cloud platform; therefore, all physical security perimeters are under the cloud provider's controls.
  Objective: Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
  Implementation method: Follow the Physical Security Policy.

A.11.1.5 Working in secure areas | Applied: YES
  Justification: The company has a standard for securing the working area.
  Objective: To ensure all employees have access to the office and that guests are accompanied.
  Implementation method: Follow the Physical Security Policy.

A.11.1.6 Delivery and loading areas | Applied: YES/NO
  Justification: Management designates the front desk as the room for deliveries and loading.
  Objective: To ensure management decisions are fully implemented.
  Implementation method: The institution is not a service delivery company; therefore this control is not relevant.

A.11.2 Equipment | Applied: YES
  Justification: All equipment is well protected and secured.
  Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.
  Implementation method: Follow the Physical Security Policy.

A.11.2.1 Equipment siting and protection | Applied: YES
  Justification: All employees are aware that the accepted media contain sensitive information and have to be protected.
  Objective: To reduce the risk of unauthorized persons accessing sensitive information.
  Implementation method: Physical Security Policy.

A.11.2.2 Supporting utilities | Applied: YES/NO
  Justification: Data are stored and processed on the Ali-Cloud premises; if the office internet fails because of a power outage, users can still connect back to the Ali-Cloud using alternative internet sources. The building has its own generator.
  Objective: A failure of the central power supply does not affect the system.
  Implementation method: Partly dependent on the Cloud Service Provider (CSP).

A.11.2.3 Cabling security | Applied: YES/NO
  Justification: Since the servers are leased on the Ali-Cloud premises, the data centre guidance is followed.
  Objective: To ensure power and telecommunications cabling carrying data or supporting information services is protected from interception or damage.
  Implementation method: Partly dependent on the CSP.

A.11.2.4 Equipment maintenance | Applied: YES/NO
  Justification: Most data and information are on the Ali-Cloud premises in a multi-zone deployment, which provides availability and integrity; meanwhile, daily backups run continually.
  Objective: To ensure all office equipment is kept up to date.
  Implementation method: Partly dependent on the CSP; some internal equipment is covered by maintenance services.

A.11.2.5 Removal of assets | Applied: YES
  Justification: All employees are informed on how to handle media; they need approval for any relocation of items.
  Objective: To ensure all asset removals are authorized.
  Implementation method: Follow the Physical Security Policy and the Information Asset Management Policy.

A.11.2.6 Security of equipment and assets off-premises | Applied: YES
  Justification: All employees are accountable for any data breach; when taking company assets off premises, he/she must sign the accountability/responsibility form.
  Objective: To ensure all employees have a sense of ownership and are accountable.
  Implementation method: Follow the Physical Security Policy and the Information Asset Management Policy.

A.11.2.7 Secure disposal or reuse of equipment | Applied: YES
  Justification: All sensitive data must be removed before the media is released for disposal or reuse.
  Objective: All company data are removed from assets before their disposal or reuse.
  Implementation method: Follow the Physical Security Policy and the Information Asset Management Policy.

A.11.2.8 Unattended user equipment | Applied: YES
  Justification: It is the user's responsibility to protect unattended equipment (covered in the information security awareness training).
  Objective: To ensure all unattended equipment is logged out.
  Implementation method: Follow the Physical Security Policy and the Information Asset Management Policy.

A.11.2.9 Clear desk and clear screen policy | Applied: YES
  Justification: It is the user's responsibility to protect unattended equipment and to keep a clear desk and clear screen (covered in the information security awareness training).
  Objective: To adopt clear desk and clear screen practices against unauthorized persons.
  Implementation method: Follow the Physical Security Policy and the Information Asset Management Policy.

A.12 Operations security | Applied: YES
  Justification: The ISMS team ensures the operations facilities are secure.
  Objective: To ensure all information processing facilities are secure.
  Implementation method: Follow the Operation Security Policy.

A.12.1 Operational procedures and responsibilities | Applied: YES
  Justification: The ISMS Team follows the established SOPs.
  Objective: To ensure correct and secure operation of information processing facilities.
  Implementation method: Follow the established SOPs to access the facilities.

A.12.1.1 Documented operating procedures | Applied: YES
  Justification: All SOPs, policies, and essential documents are available to those who need them.
  Objective: To ensure all interested parties are aware of them.
  Implementation method: Follow the Operation Security Policy.

A.12.1.2 Change management | Applied: YES
  Justification: The reviewed and approved Change Management Policy and procedure, Incident Management Framework, and BCP.
  Objective: To ensure all changes are made properly and do not cause a security breach.
  Implementation method: Follow the Operation Security Policy.

A.12.1.3 Capacity management | Applied: YES
  Justification: The IT team monitors all activities, including managing platform capacity.
  Objective: To ensure the capacity of all Ali-Cloud servers, including the load balancer, is managed.
  Implementation method: Follow the Operation Security Policy.

A.12.1.4 Separation of development, testing, and operational environments | Applied: YES
  Justification: It is mandatory for the company to separate development, testing, and production.
  Objective: To ensure the development, staging and production servers are separated.
  Implementation method: Separate Ali-Cloud infrastructure and platforms are dedicated to the development, testing, and production services. Follow the Operation Security Policy.

A.12.2 Protection from malware | Applied: YES
  Justification: The ISMS team established the malware protection policy.
  Objective: To ensure that information and information processing facilities are protected against malware.
  Implementation method: Follow the Antivirus and Malware Protection Policy.

A.12.2.1 Controls against malware YES All company To ensure all On the Ali-Cloud
users have users are trained premises have cloud
attended the and alert all the flare; company
information time properties are
security protected by
awareness antiviruses and
training to take updated.
precocious on Follow the Operation
measuring the Security Policy and
security threat Virus and Malware
Protection
Management Policy

A.12.3 Backup YES ISMS Team To protect Follow the Data


established Data against loss of Backup Policy
Backup policy data

A.12.3.1 Information backup YES The company To ensure Follow the Data
perform daily backup system is Backup
backups and test proper; it a daily Management Policy
recovery backup and Backup Testing
periodically Report KOM-

A.12.4 Logging and Monitoring YES ISMS Team To record events ISMS Team activate
periodically and generate Action trial on the
monitor logs and evidence servers
events

A.12.4.1 Event logging YES All events are Event logs are Follow the
logged; such as sent to the Operation Security
backup logs, responsible
application person
backups on whenever it gets
Gitlab, and errors
Servers Desk
event logs

A.12.4.2 Protection of log YES All logs are All logs are Follow the
information protected from protected and Operation Security
unauthorized only available
users; for those who

© ISO27K1-RB
Internal
have
authorization

A.12.4.3 Administrator and YES The IT team or The Follow the


operator logs administrator administrator Operation Security
and systems only uses for the
operators are purposes; its
logs and review logged
in regular bases;

A.12.4.4 Clock synchronization YES All systems have To ensure data Follow the
clocks and information Operation Security
synchronization are synchronize
and logs every accordingly
activity

A.12.5 Control operational YES ISMS team To ensure the Follow the
software established integrity of operation security
operation operational policy
security policy systems

A.12.5.1 Installation of software YES Dedicated Ali- To ensure all Follow the
on operational systems Cloud platform software are Operation Security
for the have the
development, licences
testing and
production
services;

A.12.6 Technical vulnerability YES ISMS Team To prevent ISMS Team


Management periodical exploitation performed
updates systems vulnerabilities technical
and application vulnerability
patches assessment

A.12.6.1 Management of technical YES The perform VA To ensure The company has a
vulnerabilities periodically periodical VA plan to train staff
who will certify CEH
and he or she will
perform the
assessment
periodically
Operation Security

© ISO27K1-RB
Internal
A.12.6.2 Restrictions on software installation
Applicable: YES
Justification: Users are not allowed to install software; if they need administrator rights for an installation, they must sign a waiver.
Objective: To ensure staff cannot install arbitrary software.
Implementation: Follow the Operation Security Policy.

A.12.7 Information systems audit considerations
Applicable: YES
Justification: The ISMS team exercises due diligence when auditing the system environment.
Objective: To minimise the impact of audit activities on operational systems.
Implementation: Follow the Operation Security Policy.

A.12.7.1 Information systems audit controls
Applicable: YES
Justification: All user activities are logged; audits are planned and use verification.
Objective: To ensure staff activities are logged.
Implementation: Follow the Operation Security Policy.

A.13 Communications security
Applicable: YES
Justification: The ISMS team established the Communication Security Policy.
Objective: To ensure all connected devices are protected and information is not breached.
Implementation: Follow the Communication Security Policy.

A.13.1 Network security management
Applicable: YES
Justification: The ISMS team established forms for non-official devices that are connected to the office network.
Objective: To ensure the protection of information in networks and of its supporting information processing facilities.
Implementation: Follow the Communication Security Policy.

A.13.1.1 Network controls
Applicable: YES
Justification: The company network infrastructure is manageable and updated periodically; the Ali-Cloud platform handles data processing, storage and transmission, while the ISP provides connectivity.
Objective: To ensure that only authorized staff can access the company networks.
Implementation: Follow the Communication Security Policy.

A.13.1.2 Security of network services
Applicable: YES
Justification: The Tech department, administration and customer services have identified the access level of every service.
Objective: To ensure that only authorized staff can access the company networks.
Implementation: Follow the Communication Security Policy.

A.13.1.3 Segregation in networks
Applicable: YES
Justification: The company has grouped its networks by function: guest and BYOD devices are on the guest network, while official devices are on the office network; access to the website from the public network is restricted to whitelisted IP addresses.
Objective: To ensure all staff have access to the network resources they need, and to ensure separation of the services.
Implementation: Implement network segregation based on business function (BYOD devices on the guest network, official devices on the office network). Follow the Communication Security Policy.

A.13.2 Information transfer
Applicable: YES
Justification: All employees know how to process, store and transmit data and information.
Objective: To maintain the security of information transferred within the organization and with any external entity.
Implementation: All employees attend information security awareness courses. Follow the Communication Security Policy.

A.13.2.1 Information transfer policies and procedures
Applicable: YES
Justification: All employees know how to process, store and transmit data and information.
Objective: To ensure all information transfers are secure.
Implementation: All employees attend information security awareness courses. Follow the Communication Security Policy.

A.13.2.2 Agreements on information transfer
Applicable: YES
Justification: The company establishes agreements (NDA, contracts) with the parties involved.
Objective: To ensure all contracts include an NDA.
Implementation: Implement the NDA, SLA and contracts accordingly. Follow the Communication Security Policy.

A.13.2.3 Electronic messaging
Applicable: YES
Justification: The company's interested parties are aware of information classification and handling.
Objective: To ensure information is secure.
Implementation: Follow the Communication Security Policy.

A.13.2.4 Confidentiality or non-disclosure agreements
Applicable: YES
Justification: The ISPs, Ali-Cloud and other third parties have signed agreements with the company.
Objective: To ensure all contracts include the NDA and SLAs.
Implementation: Implement the NDA, SLA and contracts accordingly. Follow the Communication Security Policy.

A.14 System acquisition, development and maintenance
Applicable: YES
Justification: The ISMS team established the Software Acquisition, Development and Maintenance Policy.
Objective: To ensure all applications are tested in the development environment before being applied to the production environment.
Implementation: Follow the System Development, Acquisition and Maintenance Policy.

A.14.1 Security requirements of information systems
Applicable: YES
Justification: The ISMS team ensures that the implementation of software applications follows the SDLC.
Objective: To ensure information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems that provide services over public networks.
Implementation: Follow the System Development, Acquisition and Maintenance Policy.

A.14.1.1 Information security requirements analysis and specification
Applicable: YES
Justification: The company has embedded security requirements in the security system, information asset management, information classification and Gitlab.
Objective: To ensure all information security requirements are implemented.
Implementation: Management continually reviews findings and verifies that corrective actions have been taken by the ISMS team.

A.14.1.2 Securing application services on public networks
Applicable: YES
Justification: The company protects connections to the application servers from public networks (TLS/SSL, Cloudflare).
Objective: To ensure the TLS/SSL certificates are valid and kept up to date.
Implementation: Follow the System Development, Acquisition and Maintenance Policy.

A.14.1.3 Protecting application services transactions
Applicable: YES/NO
Justification: The company protects customer data and secures the services.
Objective: To ensure customer data and information are protected.
Implementation: Although the control is only partly applicable, the company has implemented TLS/SSL and username and password authentication for access to company resources. In practice, all transactions take place on third-party platforms such as banks and bank payment gateways.

A.14.2 Security in development and support processes
Applicable: YES
Justification: The ISMS team carries out software development according to the SDLC.
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.
Implementation: The ISMS team and IT team monitor the servers from time to time. Follow the System Development, Acquisition and Maintenance Policy.

A.14.2.1 Secure development policy
Applicable: YES
Justification: The company's servers are dedicated to software updating and development, with the development procedure embedded in the security system.
Objective: To ensure all software is kept updated.
Implementation: The ISMS team and IT team monitor the servers from time to time. Follow the System Development, Acquisition and Maintenance Policy.

A.14.2.2 System change control procedures
Applicable: YES
Justification: Before any change is made, the ISMS team uses the change management and control procedure as a guide.
Objective: To ensure no change has an adverse impact on security.
Implementation: Follow the System Development, Acquisition and Maintenance Policy.

A.14.2.3 Technical review of applications after operating platform changes
Applicable: YES
Justification: Applications are tested on the new platform.
Objective: To ensure all changes are tested.
Implementation: Follow the System Development, Acquisition and Maintenance Policy.

A.14.2.4 Restrictions on changes to software packages
Applicable: YES
Justification: The Tech team exercises due diligence over changes to software packages.
Objective: The IT team and ISMS team monitor the changes.
Implementation: The Gitlab application monitors development activity; the development server is a separate server. Follow the System Development, Acquisition and Maintenance Policy.

A.14.2.5 Secure system engineering principles
Applicable: YES
Justification: The company secures all systems and documents them.
Objective: To ensure all testing procedures are followed.
Implementation: The development server is separate from testing and production; changes are well documented. Follow the System Development, Acquisition and Maintenance Policy.

A.14.2.6 Secure development environment
Applicable: YES
Justification: Every change is manageable.
Objective: To ensure the development server is separate from production.
Implementation: The Gitlab application monitors development activity; the development server is on a separate platform. Follow the System Development, Acquisition and Maintenance Policy.

A.14.2.7 Outsourced development
Applicable: YES/NO
Justification: Any contracted developer is bound by an NDA.
Objective: To ensure all outsourced development is supervised and monitored.
Implementation: All applications are expected to be developed internally.

A.14.2.8 System security testing
Applicable: YES
Justification: All new system applications are tested properly, including a penetration test, before going online/into production.
Objective: To ensure all software under development is tested properly.
Implementation: The Gitlab application monitors test activity. Follow the System Development, Acquisition and Maintenance Policy.

A.14.2.9 System acceptance testing
Applicable: YES
Justification: Acceptance criteria are defined for the testing period.
Objective: To ensure testing is carried out properly.
Implementation: The Gitlab application monitors test activity. Follow the System Development, Acquisition and Maintenance Policy.

A.14.3 Test data
Applicable: YES
Justification: The ISMS team protects the test data in the testing environment.
Objective: To ensure the protection of data used for testing.
Implementation: The ISMS team carries out testing with test data in the development environment.

A.14.3.1 Protection of test data
Applicable: YES
Justification: Test data is carefully selected, protected and controlled ("It is embedded in the Security and Access Control Policy").
Objective: To ensure test data is kept separate.
Implementation: Follow the System Development, Acquisition and Maintenance Policy.

A.15 Supplier relationships
Applicable: YES
Justification: The ISMS team established the Supplier Relationship Security Policy.
Objective: To ensure the organization's business information is not breached.
Implementation: The ISMS team and operations team follow the Supplier Relationship Security Policy.

A.15.1 Information security in supplier relationships
Applicable: YES
Justification: The ISMS team and operations team followed the supplier relationship security requirements (NDA, contract).
Objective: To ensure protection of the organization's assets that are accessible to suppliers.
Implementation: An NDA is produced and embedded in the contract, together with a well-established SLA. Follow the Supplier Security Policy.

A.15.1.1 Information security policy for supplier relationships
Applicable: YES
Justification: The information security requirements for mitigating the risks associated with the supplier's access to the organization's assets are agreed with the supplier and documented.
Objective: All contracts with third parties have NDAs and SLAs.
Implementation: An NDA is produced and embedded in the contract, together with a well-established SLA. Follow the Supplier Security Policy.

A.15.1.2 Addressing security within supplier agreements
Applicable: YES
Justification: All relevant information security requirements are established and agreed with each supplier that may access, process, store, communicate or provide IT infrastructure components for the organization's information.
Objective: To ensure suppliers agree to the terms.
Implementation: Suppliers have signed confidentiality agreements/non-disclosure agreements and SLAs. Follow the Supplier Security Policy.

A.15.1.3 ICT supply chain
Applicable: YES
Justification: Agreements are in place with the cloud and internet providers.
Objective: To ensure adequate availability of the systems.
Implementation: Clear SLAs and signed NDAs are in place. Follow the Supplier Security Policy.

A.15.2 Supplier service delivery management
Applicable: YES
Justification: The ISMS team and operations team established and agreed the SLA, NDA and agreements.
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.
Implementation: Follow the supplier services evaluation and the Supplier Security Policy.

A.15.2.1 Monitoring and review of supplier services
Applicable: YES
Justification: The company regularly monitors, reviews and audits supplier service delivery.
Objective: To ensure suppliers are evaluated periodically.
Implementation: Follow the supplier services evaluation and the Supplier Security Policy.

A.15.2.2 Managing changes to supplier services
Applicable: YES
Justification: Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, are managed taking account of the criticality of the business information, systems and processes involved, and the risks are re-assessed.
Objective: To ensure changes by suppliers do not adversely affect the systems.
Implementation: Follow the Supplier Security Policy.

A.16 Information security incident management
Applicable: YES
Justification: The ISMS team established the Information Security Incident Management Policy.
Objective: To ensure consistent and effective management of information security incidents.
Implementation: Follow the Information Security Incident Management Policy.

A.16.1 Management of information security incidents and improvements
Applicable: YES
Justification: The ISMS team established the incident records system and incident reporting.
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
Implementation: Follow the Information Security Incident Management Policy.

A.16.1.1 Responsibilities and procedures
Applicable: YES
Justification: Management is responsible for establishing procedures that ensure a quick, effective and orderly response to information security incidents.
Objective: To ensure the incident management framework is followed.
Implementation: Follow the Information Security Incident Management Policy.

A.16.1.2 Reporting information security events
Applicable: YES
Justification: Incident response is in place: events are registered and reported to the appropriate management channels as quickly as possible.
Objective: Every staff member must report security events, and the events are recorded properly.
Implementation: Follow the Information Security Incident Management Policy.

A.16.1.3 Reporting information security weaknesses
Applicable: YES
Justification: Everyone is responsible for security; everyone is required to note and report any observed or suspected information security weakness in systems or services, and to alert the proper management channel immediately.
Objective: Every staff member must report security events and weaknesses, and they are recorded properly.
Implementation: Follow the Information Security Incident Management Policy.

A.16.1.4 Assessment of and decision on information security events
Applicable: YES
Justification: All events are assessed and a decision is made on whether they are to be classified as information security incidents.
Objective: To ensure every incident is assessed properly and its root cause identified.
Implementation: Follow the Information Security Incident Management Policy.

A.16.1.5 Response to information security incidents
Applicable: YES
Justification: The response has to follow the documented procedures, such as Incident Management, BCP and Change Management.
Objective: To ensure incident responses follow the incident management framework.
Implementation: Follow the Information Security Incident Management Policy.

A.16.1.6 Learning from information security incidents
Applicable: YES
Justification: Knowledge gained from analyzing and resolving information security incidents is used to reduce the likelihood or impact of future incidents. Records are kept in the Service Desk and Gitlab applications.
Objective: All incidents and their solutions are recorded as lessons learned for the future.
Implementation: Every event and its solution is recorded and protected for future reference in a disciplined and committed manner. Information Security Incident Management Policy and Security Incident Tracking Report.

A.16.1.7 Collection of evidence
Applicable: YES
Justification: All events are documented in the Gitlab and Service Desk applications.
Objective: To ensure evidence of all events is collected properly.
Implementation: All incidents and solutions are recorded for future reference. Information Security Incident Management Policy and Security Incident Tracking Report.

A.17 Information security aspects of business continuity management
Applicable: YES
Justification: The ISMS team established the BCM and BCP policies.
Objective: To ensure the continuity of information processing facilities and the integrity of information.
Implementation: Follow the multi-zone cloud and Cloudflare services contract; follow the Business Continuity Management Policy, the Business Continuity Plan, the Server Capacity Management Report, and the Backup and Restore Testing Report.

A.17.1 Information security continuity
Applicable: YES
Justification: The ISMS team tested the availability of systems and services.
Objective: Information security continuity shall be embedded in the organization's business continuity management systems.
Implementation: Follow the multi-zone cloud and Cloudflare services contract; follow the Business Continuity Management Policy, the Business Continuity Plan, the Server Capacity Management Report, and the Backup and Restore Testing Report.

A.17.1.1 Planning information security continuity
Applicable: YES
Justification: The organization determined its requirements for information security and for the continuity of information security management in adverse situations (e.g. during a crisis or disaster, within the incident management, DR and BCM frameworks).
Objective: To ensure availability, integrity and security are maintained.
Implementation: Follow the Business Continuity Management Policy and the Business Continuity Plan.

A.17.1.2 Implementing information security continuity
Applicable: YES
Justification: The organization established, documented, implemented and maintains the processes, procedures and controls needed to ensure the required level of continuity for information security during an adverse situation (information security policies and standards).
Objective: To ensure information security is implemented and continually improved.
Implementation: Follow the Business Continuity Management Policy and the Business Continuity Plan.

A.17.1.3 Verify, review and evaluate information security continuity
Applicable: YES
Justification: The company tests and verifies the information security continuity controls established in the BCP, and reviews them at regular intervals, to ensure they are valid and effective during adverse situations. Supporting documents/forms should be created.
Objective: To ensure the BCP is tested periodically.
Implementation: Follow the multi-zone cloud and Cloudflare services contract; follow the Business Continuity Management Policy, the Business Continuity Plan, the Server Capacity Management Report, and the Backup and Restore Testing Report.

A.17.2 Redundancies
Applicable: YES
Justification: The ISMS team exercises due diligence in BCP testing and ensures high availability.
Objective: To ensure availability of information processing facilities.
Implementation: Follow the multi-zone cloud and Cloudflare services contract; follow the Business Continuity Management Policy, the Business Continuity Plan, the Server Capacity Management Report, and the Backup and Restore Testing Report.

A.17.2.1 Availability of information processing facilities
Applicable: YES
Justification: The cloud infrastructure platform uses Cloudflare services and multiple zones; therefore the information processing facilities have redundancy sufficient to meet availability requirements.
Objective: To ensure the availability of information and its processing.
Implementation: Follow the multi-zone cloud and Cloudflare services contract; follow the Business Continuity Management Policy, the Business Continuity Plan, the Server Capacity Management Report, and the Backup and Restore Testing Report.

A.18 Compliance
Applicable: YES
Justification: The ISMS team established the Compliance Policy.
Objective: To ensure all applicable laws, regulations and compliance requirements are met.
Implementation: Follow the Compliance Policy.

A.18.1 Compliance with legal and contractual requirements
Applicable: YES
Justification: The ISMS team followed and complied with all regulatory requirements.
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security, and of any security requirements.
Implementation: Third parties have contracts, established SLAs and binding NDAs. Follow the Compliance Policy.

A.18.1.1 Identification of applicable legislation and contractual requirements
Applicable: YES
Justification: The company identified all relevant regulations, listed in the reference documents.
Objective: To ensure all applicable laws and regulations are followed.
Implementation: Third parties have contracts, established SLAs and binding NDAs. Follow the Compliance Policy.

A.18.1.2 Intellectual property rights
Applicable: YES
Justification: The company ensures compliance with legislative, regulatory and contractual requirements related to intellectual property rights and the use of proprietary software products.
Objective: To ensure all intellectual property is licensed.
Implementation: The copyrights for the in-house software application development and for the company logo are registered with HAKI (the Indonesian intellectual property rights office). Follow the Compliance Policy.

A.18.1.3 Protection of records
Applicable: YES
Justification: All records are protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.
Objective: To ensure customer data and information are protected.
Implementation: Follow the Compliance Policy.

A.18.1.4 Privacy and protection of personally identifiable information
Applicable: YES
Justification: The privacy and protection of personally identifiable information is ensured as required by the relevant legislation and regulation.
Objective: To ensure customer data and information are protected.
Implementation: Follow the Compliance Policy.

A.18.1.5 Regulation of cryptographic controls
Applicable: YES
Justification: Cryptographic controls (the website is protected with TLS/SSL) are used in compliance with all relevant agreements, legislation and regulations.
Objective: To ensure all policies and procedures are implemented.
Implementation: All policies and procedures are documented, implemented and available to those who need them. Follow the Compliance Policy.

A.18.2.1 Independent review of information security
Applicable: YES
Justification: The company's approach to managing information security and its implementation (controls, policies and procedures) is reviewed independently: independent parties performed a penetration test, a vulnerability assessment, a gap analysis and a management review.
Objective: To ensure the independence of the reviewer and that the findings are acted on.
Implementation: Independent parties performed the penetration test and vulnerability assessment; every six months the company reviews and adjusts its management of information security and its implementation against the available policies and procedures.

A.18.2.2 Compliance with security policies and standards
Applicable: YES
Justification: Managers regularly review the compliance of information processing, storage and transmission, and of the procedures within their area of responsibility, with the appropriate security policies, standards and any other security requirements.
Objective: To ensure information security policies and procedures are in line with the country's laws and regulations.
Implementation: All approved policies and procedures are well documented, accessible and disseminated to all staff. Follow the Compliance Policy (Pol.#: KOM-SMKI-01, Section A.18.1, points 1-3).

A.18.2.3 Technical compliance review
Applicable: YES
Justification: The implemented information systems are regularly reviewed for compliance with the organization's information security policies and standards.
Objective: To ensure information security is reviewed periodically.
Implementation: Software management and the SDLC are controlled in Gitlab; penetration testing and vulnerability assessment are performed, together with reviews of bugs and logs and a gap analysis.

Reference list

1. International Organization for Standardization (ISO) 27001:2013 Information Security Management Systems (ISMS) [online] https://www.iso.org/standard/54534.html, accessed February 17, 2021
2. Raul Bernardino (2020) ISO 27001:2013 ISMS implementation and certification process overview [online] https://www.researchgate.net/publication/335174748_ISO_270012013_FRAMEWORK_NETWORK_INTEGRITY_SIMPLE_TRUSTED_ISMS_implementation_and_certification_process_overview, accessed February 17, 2021