Statement of Applicability

CONFIDENTIAL
Statement of Applicability
1. Purpose and scope
The purpose of this document is to define applicable controls from Annex A of ISO/IEC 27001, reasons for their selection and their objectives, identify the controls currently implemented, and justify the controls that are excluded. This document applies to the whole scope of the Information Security Management System (ISMS), as defined in the ISMS Scope document. This document is compliant with clause 4.2.1 j) of ISO/IEC 27001 standard.
2. References
This document is related to the following documents: ISMS Scope document ISMS Policy Risk Assessment Methodology Risk Assessment Report
3. Controls according to Annex A

Clause No Control Applica ble (Y/N) Reason for selection / justification for exclusion Control objective Current status of control
A.5 A.5.1 A.5.1.1
Security policy Information security policy Information security policy document Review of information security policy Organization of information security Internal organization Management commitment to information
A.5.1.2 A.6 A.6.1 A.6.1.1
2010 Information Security & Business Continuity Academy www.iso27001standard.com
Page 1 of 12
Statement of Applicability [version], [date] CONFIDENTIAL

Clause No Applica ble (Y/N) Reason for selection / justification for exclusion Current status of control
Control
Control objective
security A.6.1.2 Information security coordination Allocation of information security responsibilities Authorization process for information processing facilities Confidentiality agreements Contact with authorities Contact with special interest groups Independent review of information security External parties Identification of risk related to external parties Addressing security when dealing with customers Addressing security in third party agreements Asset management Responsibility for Assets Inventory of assets Ownership of assets
A.6.1.3
A.6.1.4
A.6.1.5 A.6.1.6
A.6.1.7
A.6.1.8 A.6.2 A.6.2.1
A.6.2.2
A.6.2.3 A.7 A.7.1 A.7.1.1 A.7.1.2
Page 2 of 12

Control
Control objective
A.7.1.3 A.7.2 A.7.2.1
Acceptable use of assets Information classification Classification guidelines Information labeling and handling Human resources security Prior to employment Roles and responsibilities Screening Terms and conditions of employment During employment Management responsibilities Information security awareness, education and training Disciplinary process Termination or change of employment Termination responsibilities Return of assets Removal of access rights Physical and environmental security Secure areas Physical security
A.7.2.2 A.8 A.8.1 A.8.1.1 A.8.1.2 A.8.1.3 A.8.2 A.8.2.1
A.8.2.2
A.8.2.3 A.8.3 A.8.3.1 A.8.3.2 A.8.3.3 A.9 A.9.1 A.9.1.1
Page 3 of 12

Control
Control objective
perimeter A.9.1.2 A.9.1.3 Physical entry controls Securing offices, rooms and facilities Protecting against external and environmental threats Working in secure areas Public access, delivery and loading areas Equipment security Equipment siting and protection Support utilities Cabling security Equipment maintenance Security of equipment offpremises Secure disposal or reuse of equipment Removal of property Communications and operations management Operational procedures and responsibilities Documented operating procedures Change management
A.9.1.4
A.9.1.5
A.9.1.6 A.9.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4
A.9.2.5
A.9.2.6 A.9.2.7 A.10 A.10.1 A.10.1. 1 A.10.1. 2
Page 4 of 12

Control
Control objective
A.10.1. 3 A.10.1. 4 A.10.2 A.10.2. 1 A.10.2. 2 A.10.2. 3 A.10.3 A.10.3. 1 A.10.3. 2 A.10.4 A.10.4. 1 A.10.4. 2 A.10.5 A.10.5. 1 A.10.6 A.10.6. 1 A.10.6. 2 A.10.7
Segregation of duties Separation of development, test and operational facilities Third party service delivery management Service delivery Monitoring and review of third party services Manage changes to the third party services System planning and acceptance Capacity management System acceptance Protection against malicious and mobile code Controls against malicious code Controls against mobile code Back-up Information backup Network security management Network controls Security of network services Media handling
Page 5 of 12

Control
Control objective
A.10.7. 1 A.10.7. 2 A.10.7. 3 A.10.7. 4 A.10.8 A.10.8. 1 A.10.8. 2 A.10.8. 3 A.10.8. 4 A.10.8. 5 A.10.9 A.10.9. 1 A.10.9. 2 A.10.9. 3 A.10.10 A.10.10 .1 A.10.10 .2 A.10.10 .3
Management of removable media Disposal of media Information handling procedures Security of system documentation Exchange of information Information exchange policies and procedures Exchange agreements Physical media in transit Electronic messaging Business information systems Electronic commerce services Electronic commerce On-line transactions Publicly available information Monitoring Audit logging Monitoring system use Protection of log information
Page 6 of 12

Control
Control objective
A.10.10 .4 A.10.10 .5 A.10.10 .6 A.11 A.11.1 A.11.1. 1 A.11.2 A.11.2. 1 A.11.2. 2 A.11.2. 3 A.11.2. 4 A.11.3 A.11.3. 1 A.11.3. 2 A.11.3. 3 A.11.4 A.11.4. 1 A.11.4. 2 A.11.4. 3
Administrator and operator logs Fault logging Clock synchronization Access control Business requirement for access control Access control policy User access management User registration Privilege management User password management Review of user access rights User responsibilities Password use Unattended user equipment Clear desk and clear screen policy Network access control Policy on use of network services User authentication for external connections Equipment identification in networks
Page 7 of 12

Control
Control objective
A.11.4. 4 A.11.4. 5 A.11.4. 6 A.11.4. 7 A.11.5 A.11.5. 1 A.11.5. 2 A.11.5. 3 A.11.5. 4 A.11.5. 5 A.11.5. 6 A.11.6 A.11.6. 1 A.11.6. 2 A.11.7 A.11.7. 1 A.11.7. 2 A.12 A.12.1
Remote diagnostic and configuration port protection Segregation in networks Network connection control Network routing control Operating system access control Secure log-on procedures User identification and authentication Password management system Use of system utilities Session time-out Limitation of connection time Application access control Information access restriction Sensitive system isolation Mobile computing and teleworking Mobile computing and communication Teleworking Information systems acquisition, development and maintenance Security requirements of information systems
Page 8 of 12

Control
Control objective
A.12.1. 1 A.12.2 A.12.2. 1 A.12.2. 2 A.12.2. 3 A.12.2. 4 A.12.3 A.12.3. 1 A.12.3. 2 A.12.4 A.12.4. 1 A.12.4. 2 A.12.4. 3 A.12.5 A.12.5. 1 A.12.5. 2 A.12.5. 3
Security requirements analysis and specifications Correct processing in applications Input data validation Control of internal processing Message integrity Output data validation Cryptographic controls Policy on the use of cryptographic controls Key management Security of system files Control of operational software Protection of system test data Access control to program source code Security in development & support processes Change control procedures Technical review of applications after operating system changes Restrictions on changes to
Page 9 of 12

Control
Control objective
software packages A.12.5. 4 A.12.5. 5 A.12.6 A.12.6. 1 A.13 A.13.1 A.13.1. 1 A.13.1. 2 A.13.2 A.13.2. 1 A.13.2. 2 A.13.2. 3 A.14 A.14.1 Information leakage Outsourced software development Technical vulnerability management Control of technical vulnerabilities Information security incident management Reporting information security events and weaknesses Reporting Information security events Reporting security weaknesses Management of information security incidents and improvements Responsibilities and procedures Learning from information security incidents Collection of evidence Business continuity management Information security aspects of business continuity management Including information security in business continuity management process Business continuity and risk assessment Developing and implementing Page 10 of 12
A.14.1. 1
A.14.1. 2 A.14.1. 3

Control
Control objective
continuity plans including information security A.14.1. 4 Business continuity planning framework Testing, maintaining and reassessing business continuity plans Compliance Compliance with legal requirements Identification of applicable legislation Intellectual property rights ( IPR) Protection of organizational records Data protection and privacy of personal information Prevention of misuse of information processing facilities Regulation of cryptographic controls Compliance with security policies and standards and technical compliance Compliance with security policy Technical compliance
A.14.1. 5 A.15 A.15.1 A.15.1. 1 A.15.1. 2 A.15.1. 3
A.15.1. 4
A.15.1. 5
A.15.1. 6 A.15.2 A.15.2. 1 A.15.2. 2
Page 11 of 12

Control
Control objective
checking A.15.3 A.15.3. 1 A.15.3. 2 Information systems audit considerations Information systems audit controls Protection of information systems audit tools
4. Ownership; validity
The owner of this document is [function of the person responsible]. This document must be reviewed every time after the risk assessment and risk treatment processes have been implemented.
Page 12 of 12

Statement of Applicability

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Statement of Applicability

Uploaded by

Copyright:

Available Formats

CONFIDENTIAL

3. Controls according to Annex A

A.5 A.5.1 A.5.1.1

A.5.1.2 A.6 A.6.1 A.6.1.1

2010 Information Security & Business Continuity Academy www.iso27001standard.com