for [Dinarak]
Table of Contents
1. Document Control
1.1. Table of Abbreviations
1.2. Document References
1.3. Version History
1.4. Responsibilities within this document
1.5. Approval Authorization
2. Executive Summary
3. Assessment Information
3.1. Assessment Objectives
3.2. Assessment Approach
3.3. Assessment Participants
3.4. Assessment Conventions
4. Assessment Details
4.1. Assessment Methodology
4.2. Maturity Level – Based on Existence and Effectiveness
Recommendations – Annex A controls
A.5 Information Security Policies
A.6 Organization of Information Security
A.7 Human resources security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
5. Acronyms Used in Report
1. Document Control
This compliance assessment evaluated all of the controls in the ISMS STANDARDS standard across all of its key areas.
In addition, some of the procedures and controls previously implemented for conformance with the ISMS STANDARDS standard could be used, with limited work, to bring the related processes in line with the standard's requirements.
Please note that for each observation we have included the maturity rating of the item and the risk to the organization.
3. Assessment Information
3.1. Assessment Objectives
DINARAK is required to comply with ISO 27001 standards and regulations and has carried out this assessment in order to analyze the gap in the application of all ISMS STANDARDS controls and in the implementation of a CYBER SECURITY PROGRAM that shall assist in meeting the requirements.
The assessment also aims to ensure that the company continually operates in accordance with the specified policies, procedures and external requirements in meeting company goals and objectives in relation to information security, and to ensure that improvements to the Information Security Management System (CYBER SECURITY PROGRAM) are identified, implemented and suitable to achieve its objectives.
1. Mohammad Al-Khudari – CEO
2. Rahaf Rawahneh – Compliance lead
3. Hamsa Al-Dabbagh – Compliance officer
The overall assessment result is based on the security controls validated on sampled systems, devices, and applications. We assumed that the security posture will remain the same across all other information assets that are part of the selected domain or group.
4. Assessment Details
4.1. Assessment Methodology
The Information Security Assessment was conducted to assess the current security posture of DINARAK.
In the table above we have adopted a methodology where each security requirement of the ISMS STANDARDS standard is assessed and concluded with reasoning and justifications.
To start, we assigned a control implementation level between 0 and 5 to every control listed in the ISMS STANDARDS standard, based on the relative level of implementation maturity: a weight of '5' denotes an optimized, complete implementation of the control and '0' denotes a nonexistent control.
Documented – Yes: documentation has been developed and approved by upper management. Partially: documentation has been developed partially and/or approved by upper management.
Short description: The ISMS scope should be defined in terms of the characteristics of the business, the organization, its locations, assets and technologies.
Observations: Dinarak has one branch with 8 departments and 40 employees.
Maturity level: 3
Recommendations: Define a very specific scope for the ISMS. Select the objectives and success criteria.
Short description: A risk assessment approach should be created for the organization.
Observations: Risk assessment is provided. Lack of risk register.
Maturity level: 2
Short description: Select the method for treating the risks identified and obtain management approval for the proposed residual risks.
Observations: Lack of risk treatment plan. Lack of previous SoA.
Maturity level: 1
Short description: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
Maturity level: 1
Maturity level: 2
Maturity level: 1
Maturity level: 2
Maturity level: 1
Short description: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
ISO 27001 Control: A.7.1.1 Screening; A.7.1.2 Terms and conditions of employment
Observations: No screening performed prior to employment. Terms and conditions are not documented.
Maturity level: 1
Short description: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.
Maturity level: 2
All employees and external party users using or having access to
Short description: To ensure authorized user access and to prevent unauthorized access to systems and services.
ISO 27001 Control: A.9.2.1 User registration and de-registration; A.9.2.2 User access provisioning; A.9.2.3 Management of privileged access rights; A.9.2.4 Management of secret authentication information of users; A.9.2.5 Review of user access rights; A.9.2.6 Removal or adjustment of access rights
Observations: Employees have a unique log-in ID when accessing data. Employees are required to use MFA.
Maturity level: 3
A.9.3 User responsibilities
Short description: Users should be required to follow the organization's practices in the use of secret authentication information.
ISO 27001 Control: A.9.3.1 Use of secret authentication information
Observations: No use of secret authentication.
Maturity level: 1
Short description: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
ISO 27001 Control: A.10.1.1 Policy on the use of cryptographic controls; A.10.1.2 Key management
Maturity level: 1
Short description: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.
ISO 27001 Control: A.11.1.1 Physical security perimeter; A.11.1.2 Physical entry controls; A.11.1.3 Securing offices, rooms and facilities; A.11.1.4 Protecting against external and environmental threats; A.11.1.5 Working in secure areas; A.11.1.6 Delivery and loading areas
Observations: Some areas are covered by the CCTV system: entrance / guest / client area.
Maturity level: 2
A.11.2 Equipment
Short description: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.
ISO 27001 Control: A.11.2.1 Equipment siting and protection; A.11.2.2 Supporting utilities; A.11.2.3 Cabling security; A.11.2.4 Equipment maintenance; A.11.2.5 Removal of assets; A.11.2.6 Security of equipment and assets off-premises; A.11.2.7 Secure disposal or reuse of equipment; A.11.2.8 Unattended user equipment; A.11.2.9 Clear desk and clear screen policy
Observations: There is an asset inventory in place.
Maturity level: 2
Maturity level: 1
A.12.3 Backup
Short description: To protect against loss of data.
ISO 27001 Control: A.12.3.1 Information backup
Observations: Data controls are in place for the system and are defined with a clear, fixed schedule. There is no backup policy in place. Dinarak uses Acronis and OneDrive backup and recovery to take backups. The backup task is scheduled.
Maturity level: 3
Maturity level: 1
Short description: To ensure the protection of information in networks and its supporting information processing facilities.
ISO 27001 Control: A.13.1.1 Network controls; A.13.1.2 Security of network services; A.13.1.3 Segregation in networks
Observations: Network security policy is not defined.
Maturity level: 2
Short description: To maintain the security of information transferred within an organization and with any external entity.
ISO 27001 Control: A.13.2.1 Information transfer policies and procedures; A.13.2.2 Agreements on information transfer; A.13.2.3 Electronic messaging; A.13.2.4 Confidentiality or nondisclosure agreements
Observations: Information transfer policies are not documented. MFA is enforced on email.
Maturity level: 1
Observations: Applied to developments within Dinarak, but they are not written down.
Maturity level: 2
Maturity level: 1
Maturity level: 1
5. Acronyms Used in Report