
Gap Assessment Report

for [Dinarak]
Table of Contents
1. Document Control ... 3
1.1. Table of Abbreviations ... 3
1.2. Document References ... 3
1.3. Version History ... 3
1.4. Responsibilities within this document ... 3
1.5. Approval Authorization ... 3
2. Executive Summary ... 4
3. Assessment Information ... 4
3.1. Assessment Objectives ... 4
3.2. Assessment Approach ... 4
3.3. Assessment Participants ... 4
3.4. Assessment Conventions ... 5
4. Assessment Details ... 5
4.1. Assessment Methodology ... 5
4.2. Maturity Level – Based on Existence and Effectiveness ... 7
Recommendations – Annex A controls ... 10
A.5 Information Security Policies ... 10
A.6 Organization of Information Security ... 11
A.7 Human resources security ... 13
A.8 Asset management ... 14
A.9 Access control ... 16
A.10 Cryptography ... 19
A.11 Physical and environmental security ... 20
A.12 Operations security ... 22
A.13 Communications security ... 25
A.14 System acquisition, development and maintenance ... 27
A.15 Supplier relationships ... 27
A.16 Information security incident management ... 28
A.17 Information security aspects of business continuity management ... 29
A.18 Compliance ... 30
5. Acronyms Used in Report ... 31
1. Document Control

1.1. Table of Abbreviations

Acronym: Description
CYBER SECURITY PROGRAM: Information Security Management System
ISO: International Organization for Standardization
ISO27001 STANDARDS: Central Bank of Jordan
VCISO: Virtual Chief Information Security Officer

1.2. Document References

Document ID: ISO27001 STANDARDS – DINARAK – GAP01 – 2024
Title: ISMS STANDARDS GAP Analysis Report
Document Classification: Confidential
Version Number: 0.1
Status: Initial
Application Standard: ISO27001 STANDARDS

1.3. Version History

Version | Date | Revision Author | Summary of Changes
0.1 | 18th of Jan 2024 | IC | Initial Version
1.0 | | IC | Finalized Version
2.0 | | IC | Finalized Version

1.4. Responsibilities within this document

Review and Maintenance: Compliance Team – Dinarak
Approval of this Document: Dinarak

1.5. Approval Authorization

Name | Job Title | Signature | Date
Eng. Mohammad AlKhudari | CEO | |
2. Executive Summary
This assessment is based upon the scope of Dinarak operating from an office at one physical location and details the results of the Gap Analysis performed to assess the current level of compliance with the International Standards.

This compliance assessment evaluated all of the controls in the ISMS STANDARDS standard across all of its key areas.

In addition, some of the procedures and controls previously implemented for conformance with ISMS STANDARDS could be used with limited work to bring the related processes in line with the Standard's requirements.

Please note that for each observation, we have included the maturity rating of the item and the risk to the organization.

3. Assessment Information
3.1. Assessment Objectives
• DINARAK is required to comply with ISO 27001 regulations and standards and has done this assessment in order to analyze the gap in the application of all ISMS STANDARDS controls and in the implementation of a CYBER SECURITY PROGRAM that shall assist in meeting the required requirements.
• To ensure that the company continually operates in accordance with the specified policies, procedures and external requirements in meeting company goals and objectives in relation to information security.
• Also, to ensure that improvements to the Information Security Management System (CYBER SECURITY PROGRAM) are identified, implemented and suitable to achieve the objectives.

3.2. Assessment Approach

• Review and audit compliance of DINARAK with the ISMS Standards.
• Analyze the people, process and technology adopted by DINARAK.
• Set up various meetings with the process supervisors and authorities that handle the IT and security operations.
• Validate the current position of DINARAK with respect to the ISO/IEC 27001:2022 security standard.
• Validate various documents, reports and templates used for governing the IT and security domains.

3.3. Assessment Participants

Auditor Team (Assessment Participants)
Name of the Person – Designation
1. Mohammad Al-Khudari – CEO
2. Rahaf Rawahneh – Compliance lead
3. Hamsa Al-Dabbagh – Compliance officer

3.4. Assessment Conventions

The Information Security Assessment was performed based on a process of on-site meetings and workshops. The data collected was based on the period involved and the total number of information assets available and provided by the DINARAK team.

The overall assessment result is based on the security controls validated on sampled systems, devices and applications. We assumed that the security posture will remain the same across all other information assets which are part of the selected domain or group.

4. Assessment Details
4.1. Assessment Methodology
The Information Security Assessment was conducted to assess the current security posture of DINARAK.

Maturity Level | Name | Progress
Level 0 | Nonexistent | Complete lack of recognizable policy, procedure, control etc.
Level 1 | Initial | Development has barely started and will require significant work to fulfil the requirements.
Level 2 | Limited | Progressing nicely but not yet complete.
Level 3 | Defined | Development is more or less complete although detail is lacking and/or it's not yet implemented, enforced and actively supported by top management.
Level 4 | Managed | Development is complete, the process/control has been implemented and recently started operating.
Level 5 | Optimized | The requirement is fully satisfied, is operating fully as expected, is being actively monitored and improved, and there's substantial evidence to prove all that to the auditors.

In the table above we have adopted a methodology where each security requirement as per the ISMS STANDARDS standard is assessed and concluded with reasoning and justifications.
To start, we have assigned a control implementation level between 0 and 5 to all controls listed in the ISMS STANDARDS standard, based on the relative level of implementation maturity: weight '5' being the optimized, complete implementation of the control and '0' being a nonexistent control.

Each of the controls is validated based on the following criteria:

• Existence of controls.
• Documentation of controls.
• Commitment to controls.

There are two more statuses that are not included in the levels:

• Unknown: the control hasn't been checked yet.
• Not Applicable: for controls that do not apply to the organization (the non-mandatory ones).
4.2. Maturity Level – Based on Existence and Effectiveness
Controls | Description

Documented:
  Yes: Documentation has been developed and approved by the upper management.
  Partially: Documentation has been developed partially and/or approved by the upper management.
  No: Documentation has not been developed or approved.

Implemented:
  Yes: Requirement/Control is fully implemented.
  Partially: Requirement/Control is partially implemented.
  No: Requirement/Control is not implemented.

Level 1 – Security controls are at an initial stage or are followed on an ad hoc basis.

• Gaps in policy: policies do not identify the requirements/standards to be met.
• Base practices do not exist.
• Technology controls are not implemented.

Level 2 – Controls are progressing nicely but not yet complete.

• Policies are used to enforce requirements/standards.
• Base practices are poorly defined, informal and/or undocumented.
• Technology controls are applied on an ad hoc basis.

Level 3 – Controls are structured but not implemented.

• Policies, procedures, and technologies are relied upon to enforce requirements/standards.
• Base practices aren't documented, standardized, and integrated.
• Management of technology is planned and structured.

Level 4 – Control environment is managed.

• Policies, procedures, and technologies are consistently used to enforce requirements/standards.
• Base practices are managed and quantitatively measured.
• Managers employ statistical process control techniques to achieve and maintain high levels of quality.

Level 5 – Control environment is optimized.

• Policies, procedures, and technologies are consistently used to enforce requirements/standards.
• Base practices are proactively managed for continuous improvement.
• Quantitative management techniques enable continuous improvement of processes and innovation.
Figure 1: PDCA / Mandatory Requirements (cycle: Establish the policies; Implementing and working of the policies; Monitoring and review of the policies; Update and improvement of the policies)
Scope Definition

Short description: The ISMS scope should be defined in terms of the characteristics of the business, the organization, its locations, assets and technologies.
Observations:
• Dinarak has one branch with 8 departments and 40 employees.
Maturity level: 3
Recommendations:
• Define a very specific scope for the ISMS.
• Select the objectives and success criteria.

Risk Assessment Approach and Execution

Short description: A risk assessment approach should be created for the organization.
Observations:
• Risk assessment is provided.
• Lack of a risk register.
Maturity level: 2

Treatment of Risks, including Statement of Applicability

Short description: Select the method for treating the risks identified and obtain management approval for the proposed residual risks.
Observations:
• Lack of a risk treatment plan.
• Lack of a previous SoA.
Maturity level: 1
Recommendations:
• Develop and implement a risk treatment plan.
• The plan should contain different options like accept, transfer, avoid, reduce.
• Define the conditions of the acceptable risk and the residual risk.
• For each risk, include the recommended controls and the selected controls, which need higher management approval.
• The SoA document must be derived from the output of the risk assessment / risk treatment plan and, if ISO 27001 compliance is to be achieved, must directly relate the selected controls back to the original risks they are intended to mitigate.
Recommendations – Annex A controls
The tables on the subsequent pages include recommendations for improvements to the Annex A controls. These recommendations were identified based on a review of the current-state ISMS capabilities at Dinarak. The recommendations are grouped by process and, as a result, multiple Annex A controls may be addressed within each table.
These tables represent recommendations only, and Dinarak management will ultimately need to decide what actions to undertake to add or improve the Annex A controls that support their ISMS.

A.5 Information Security Policies

A.5.1 Management direction for information security

Short description: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
ISO 27001 Control:
• A.5.1.1 Policies for information security
• A.5.1.2 Review of the policies for information security
Observations:
• The organization doesn't have documented policies.
• Some policies are in use but not formally documented.
Maturity level: 1
Recommendations:
• Develop and enforce policies for information security such as a user protection policy, data protection policy, information security policy, human resource policy and password policy.
• Review the documented policies on a regular basis, for example annually.
• Update the policies based on the feedback.
A.6 Organization of Information Security

A.6.1 Internal Organization

Short description: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
ISO 27001 Control:
• A.6.1.1 Information security roles and responsibilities
• A.6.1.2 Segregation of duties
• A.6.1.3 Contact with authorities
• A.6.1.4 Contact with special interest groups
• A.6.1.5 Information security in project management
Observations:
• The roles and responsibilities of IT-related employees are documented and enforced.
• Contact with authorities is not documented.
• Segregation of duties is not documented.
• There is no use of information security in project management.
• No risk assessment is conducted prior to a project implementation.
Maturity level: 2
Recommendations:
• Document the process of contacting authorities.
• Document and enforce the segregation of duties.
• Assign risks to project implementation.

A.6.2 Mobile devices and teleworking

Short description: To ensure the security of teleworking and the use of mobile devices. Teleworking refers to all forms of work outside of the office, including non-traditional work environments, such as those referred to as "telecommuting", "flexible workplace", "remote work" and "virtual work" environments.
ISO 27001 Control:
• A.6.2.1 Mobile device policy
• A.6.2.2 Teleworking
Observations:
• Employees use a VPN while working remotely.
• No MDM is in use.
Maturity level: 1
Recommendations:
• Use an MDM solution to manage the mobile device policy.
• The policies need to be communicated after review.
A.7 Human resources security

A.7.1 Prior to employment

Short description: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
ISO 27001 Control:
• A.7.1.1 Screening
• A.7.1.2 Terms and conditions of employment
Observations:
• No screening is performed prior to employment.
• Terms and conditions are not documented.
Maturity level: 1
Recommendations:
• Perform screening of all employees, especially employees related to IT.
• All Dinarak employees should sign an NDA which specifically covers the need to protect Dinarak business assets.
• New employees' competencies need to be reviewed by the CTO before employment.

A.7.2 During employment

Short description: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.
ISO 27001 Control:
• A.7.2.1 Management responsibilities
• A.7.2.2 Information security awareness, education and training
• A.7.2.3 Disciplinary process
Observations:
• No security awareness program is implemented with the help of the human resources department.
• There is no disciplinary process for dealing with personnel who violate information security policies and procedures.
• No personnel are responsible for taking action once a violation has occurred.
Maturity level: 1
Recommendations:
• Continuous implementation of awareness sessions.
• Establish a cyber security awareness program and include any needed recent and necessary points and topics.
A.8 Asset management

A.8.1 Responsibility for assets

Short description: To identify organizational assets and define appropriate protection responsibilities.
ISO 27001 Control:
• A.8.1.1 Inventory of assets
• A.8.1.2 Ownership of assets
• A.8.1.3 Acceptable use of assets
• A.8.1.4 Return of assets
Observations:
• There is a defined, documented inventory of assets.
• All employees and external party users return all of the organizational assets in their possession upon termination of their employment, contract or agreement.
Maturity level: 2
Recommendations:
• All employees and external party users using or having access to Dinarak's assets shall be made aware of the information security requirements associated with asset handling.

A.8.2 Information Classification

Short description: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
ISO 27001 Control:
• A.8.2.1 Classification of information
• A.8.2.2 Labelling of information
• A.8.2.3 Handling of assets
Observations:
• Assets are not classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.
• There is no appropriate set of procedures for information labeling and handling developed or implemented.
• There is no written classification plan.
Maturity level:
Recommendations:
• Develop a plan for classifying and labeling information.
• The classification plan should be written.
• Agreements with other organizations that include information sharing must include procedures to identify the classification of that information and to interpret the classification labels from other organizations.

A.8.3 Media handling

Short description: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.
ISO 27001 Control:
• A.8.3.1 Management of removable media
• A.8.3.2 Disposal of media
• A.8.3.3 Physical media transfer
Observations:
• There are no processes implemented for the management of removable media.
Maturity level: 1
Recommendations:
• Media containing confidential information should be stored and disposed of securely.
A.9 Access control

A.9.1 Business requirements for access control

Short description: To limit access to information and information processing facilities.
ISO 27001 Control:
• A.9.1.1 Access control policy
• A.9.1.2 Access to networks and network services
Observations:
• Procedures are not written for access control in accordance with the access control policy adopted by Dinarak.
• Dinarak uses a set of different security methods.
Maturity level: 4
Recommendations:
• An annual maintenance contract needs to be maintained for all devices which require maintenance.
• Procedures for access control should be written.

A.9.2 User access management

Short description: To ensure authorized user access and to prevent unauthorized access to systems and services.
ISO 27001 Control:
• A.9.2.1 User registration and de-registration
• A.9.2.2 User access provisioning
• A.9.2.3 Management of privileged access rights
• A.9.2.4 Management of secret authentication information of users
• A.9.2.5 Review of user access rights
• A.9.2.6 Removal or adjustment of access rights
Observations:
• Employees have a unique log-in ID when accessing data.
• Employees are required to use MFA.
Maturity level: 3

A.9.3 User responsibilities

Short description: Users should be required to follow the organization's practices in the use of secret authentication information.
ISO 27001 Control:
• A.9.3.1 Use of secret authentication information
Observations:
• No use of secret authentication.
Maturity level: 1

A.9.4 System and application access control

Short description: To prevent unauthorized access to systems and applications.
ISO 27001 Control:
• A.9.4.1 Information access restriction
• A.9.4.2 Secure log-on procedures
• A.9.4.3 Password management system
• A.9.4.4 Use of privileged utility programs
• A.9.4.5 Access control to program source code
Observations:
• Access to information and application system functions is restricted in accordance with the access control policy.
Maturity level: 2
A.10 Cryptography

A.10.1 Cryptographic controls

Short description: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
ISO 27001 Control:
• A.10.1.1 Policy on the use of cryptographic controls
• A.10.1.2 Key management
Observations:
• There are no processes implemented for cryptographic control.
Maturity level: 1
Recommendations:
• Cryptographic controls shall be implemented.
A.11 Physical and environmental security

A.11.1 Secure areas

Short description: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.
ISO 27001 Control:
• A.11.1.1 Physical security perimeter
• A.11.1.2 Physical entry controls
• A.11.1.3 Securing offices, rooms and facilities
• A.11.1.4 Protecting against external and environmental threats
• A.11.1.5 Working in secure areas
• A.11.1.6 Delivery and loading areas
Observations:
• Some areas are covered by the CCTV system: entrance / guest / client area.
Maturity level: 2
Recommendations:
• All areas within the facilities of Dinarak should be protected by appropriate entry controls, not only the server rooms, to ensure that only authorized personnel are allowed access.
• Physical protection against natural disasters, malicious attack and accidents should be designed and applied (DR site).
• Written procedures for working in secure areas should be designed and applied.
• Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
• Building guards, cameras and fire alarms could be used.

A.11.2 Equipment

Short description: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.
ISO 27001 Control:
• A.11.2.1 Equipment siting and protection
• A.11.2.2 Supporting utilities
• A.11.2.3 Cabling security
• A.11.2.4 Equipment maintenance
• A.11.2.5 Removal of assets
• A.11.2.6 Security of equipment and assets off-premises
• A.11.2.7 Secure disposal or reuse of equipment
• A.11.2.8 Unattended user equipment
• A.11.2.9 Clear desk and clear screen policy
Observations:
• There is an asset inventory in place.
Maturity level: 2
Recommendations:
• Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities.
• Security should be applied to off-site assets, taking into account the different risks of working outside Dinarak's premises.
• All items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
A.12 Operations security

A.12.1 Operational procedures and responsibilities

Short description: To ensure correct and secure operations of information processing facilities.
ISO 27001 Control:
• A.12.1.1 Documented operating procedures
• A.12.1.2 Change management
• A.12.1.3 Capacity management
• A.12.1.4 Separation of development, testing and operational environments
Observations:
• There is no procedure for change management.
• There is a procedure for incident reporting and investigation.
Maturity level: 1
Recommendations:
• Build a change management program.

A.12.3 Backup

Short description: To protect against loss of data.
ISO 27001 Control:
• A.12.3.1 Information backup
Observations:
• Data controls are in place for the system and defined with a clear, fixed schedule.
• There is no backup policy in place.
• Dinarak uses Acronis and OneDrive backup and recovery to take backups.
• The backup task is scheduled.
Maturity level: 3
Recommendations:
• Develop and enforce a backup policy.

A.12.4 Logging and monitoring

Short description: To record events and generate evidence.
ISO 27001 Control:
• A.12.4.1 Event logging
• A.12.4.2 Protection of log information
• A.12.4.3 Administrator and operator logs
• A.12.4.4 Clock synchronization
Observations:
• No SIEM, no SOC.
Maturity level: 1
Recommendations:
• Event logs should be produced, retained and regularly reviewed to record user activities, exceptions, defects and information security events.
• Event logs shall include (logs from the OS (Windows) or the application):
  o Activities of the system;
  o Dates, times and details of key events, such as log-on and log-off;
  o System ID or location and device identification where possible;
  o Records of successful as well as rejected attempts to access the system;
  o The use of system utilities and applications;
  o Files accessed and the kind of access;
  o Network addresses and protocols.
• Anti-virus and intrusion detection systems, and ensuring they are activated and deactivated as required.
• Controls should be designed to protect against unauthorized changes to log information and operational logging problems, including:
  o Alterations to the types of messages recorded;
  o Editing or removing log files;
  o The log file media storage space being exceeded, which means either that an event is not recorded or that past events have been over-written.

A.12.6 Technical vulnerability management

Short description: To prevent exploitation of technical vulnerabilities.
ISO 27001 Control:
• A.12.6.1 Management of technical vulnerabilities
• A.12.6.2 Restrictions on software installation
Observations:
• Rules governing the installation of software by users are neither established nor implemented.
• There are no technical vulnerability management roles and responsibilities defined, including vulnerability monitoring, asset tracking and any necessary coordination responsibility.
• System and security patches are not applied to servers and workstations on a routine basis.
Maturity level: 1

A.12.7 Information systems audit considerations

Short description: To minimize the impact of audit activities on operational systems.
ISO 27001 Control:
• A.12.7.1 Information systems audit controls
Observations:
• An information system audit is neither implemented nor maintained.
Maturity level: 2
Recommendations:
• Audit standards for access to systems and data should be negotiated with appropriate management.
• The scope of the technical audit tests should be agreed and controlled.
A.13 Communications security

A.13.1 Network security management

Short description: To ensure the protection of information in networks and its supporting information processing facilities.
ISO 27001 Control:
• A.13.1.1 Network controls
• A.13.1.2 Security of network services
• A.13.1.3 Segregation in networks
Observations:
• A network security policy is not defined.
Maturity level: 2
Recommendations:
• Develop and enforce a network security policy.
• Perform network segregation.
• Ensure the protection of information in networks and its supporting information processing facilities.

A.13.2 Information transfer

Short description: To maintain the security of information transferred within an organization and with any external entity.
ISO 27001 Control:
• A.13.2.1 Information transfer policies and procedures
• A.13.2.2 Agreements on information transfer
• A.13.2.3 Electronic messaging
• A.13.2.4 Confidentiality or nondisclosure agreements
Observations:
• Information transfer policies are not documented.
• MFA is enforced on email.
Maturity level: 1
Recommendations:
• Formal transfer procedures and controls are not in place to protect the transfer of information through the use of all types of communication facilities.
• Procedures need to be designed to protect transferred information from interception, copying, modification, mis-routing and destruction.
• Agreements should address the secure transfer of business information between the organization and external parties.
• Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information are not identified, regularly reviewed or documented.
A.14 System acquisition, development and maintenance

A.14.1 Security requirements of information systems

Short description: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
ISO 27001 Control:
• A.14.1.1 Information security requirements analysis and specification
• A.14.1.2 Securing application services on public networks
• A.14.1.3 Protecting application services transactions
Observations:
• Rules for the development of software and systems are established and applied to developments within Dinarak, but they are not written.
• There is no documented and supported clear procedure for the development of new applications.
• The application database is not encrypted or monitored.
Maturity level: 3
Recommendations:
• Perform code security checks periodically or as part of development.
A.16 Supplier relationships

A.15.1 Information security in supplier relationships

Short description: To ensure protection of the organization’s assets that are accessible by suppliers.

ISO 27001 Control:
A.15.1.1 Information security policy for supplier relationships
A.15.1.2 Addressing security within supplier agreements
A.15.1.3 Information and communication technology supply chain

Observations:
Information security policy for supplier relationships is not documented.
Identifying and documenting the types of supplier (e.g. IT services, logistics, utilities, financial services, IT infrastructure components) that Ayla deals with on a regular basis and that have access to Ayla information and assets.

Maturity level: 3

Recommendations:
 Awareness training for Dinarak personnel interacting with supplier personnel regarding appropriate rules of engagement and behavior, based on the type of supplier and the level of supplier access to Ayla systems and information.
 Information security requirements for mitigating the risks associated with suppliers’ access to Dinarak’s assets should be agreed with the supplier and documented.
 All relevant information security requirements should be clearly established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information.
 Agreements with suppliers must include requirements to address the information security risks associated with the information and communications technology services and product supply chain.

A.17 Information security incident management

A.16.1 Management of information security incidents and improvements

Short description: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

ISO 27001 Control:
A.16.1.1 Responsibilities and procedures
A.16.1.2 Reporting information security events
A.16.1.3 Reporting information security weaknesses
A.16.1.4 Assessment of and decision on information security events
A.16.1.5 Response to information security incidents
A.16.1.6 Learning from information security incidents
A.16.1.7 Collection of evidence

Observations: No written procedure for the incident management program.

Maturity level: 2

Recommendations:
 Awareness training is needed for Ayla personnel and contractors on their responsibility to report information security events as quickly as possible.
 Management responsibilities and procedures should be written to ensure a quick, effective and orderly response to information security incidents.
 Situations to be considered for information security event reporting include:
o Breach of information integrity, confidentiality or availability expectations.
o Human errors
o Possible non-compliances with policies or guidelines
o Breaches of physical security arrangements
o uncontrolled

A.18 Information security aspects of business continuity management

A.17.1 Information security continuity

Short description: Information security continuity should be embedded in the organization’s business continuity management systems.

ISO 27001 Control:
A.17.1.1 Planning information security continuity
A.17.1.2 Implementing information security continuity
A.17.1.3 Verify, review and evaluate information security continuity

Observations:
No business continuity management program in place.
No business continuity plan in place.

Maturity level: 1

Recommendations:
Implement a business continuity management program.

A.19 Compliance

A.18.2 Information security reviews

Short description: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

ISO 27001 Control:
A.18.2.1 Independent review of information security
A.18.2.2 Compliance with security policies and standards
A.18.2.3 Technical compliance review

Observations: Dinarak does not yet comply with any international or external standards.

Maturity level: 1

5. Acronyms Used in Report

BCP                     Business Continuity Plan
SLA                     Service Level Agreement
CYBER SECURITY PROGRAM  Information Security Management System
ISO27001 STANDARDS      Central Bank of Jordan
IS                      Information Systems
ISP                     Information Security Policy
ISO                     International Organization for Standardization
MDM                     Mobile Device Management
BCM                     Business Continuity Management
OPs                     Operating Procedures
IR                      Incident Response
AV                      Anti-Virus
UPS                     Uninterruptible Power Supply
DR                      Disaster Recovery
VLANs                   Virtual Local Area Network
PII                     Personally Identifiable Information
OS                      Operating System
VA                      Vulnerability Assessment
NDA                     Non-Disclosure Agreement
ACL                     Access Control List
DLP                     Data Loss Prevention
NDR                     Network Detection and Response
EDR                     End-Point Detection and Response
PM                      Patch Management
AST                     Application Security Testing
AUP                     Acceptable Use Policy
