ISO/IEC 27001 WORKBOOK certifications. The Head of the IT Services Division also has an Information...

Post on 25-Apr-2018



ISO/IEC 27001 WORKBOOK: Putting theory into practice

Version 1.0

The APMG International ISO/IEC 27001 and Swirl Device logo is a trademark of The APM Group Limited, used under permission of The APM Group Limited.

This page is intentionally blank

ISO 27001 Practitioner Workbook

Introduction

Welcome to the ISO/IEC 27001 practitioner workbook. This workbook has been designed to practise and test your application and analytical skills, based on specific scenarios that you may be faced with in an ISO/IEC 27001 environment. This workbook is additional to the ISO/IEC 27001 e-learning course, and should be used within the course modules when prompted.

How to use this workbook

This workbook focuses on your professional skills that go beyond memory of the ISO/IEC 27001 standard or the e-Learning. In this workbook you will be introduced to simple scenarios that may be similar to what you could face in the real world. Analyse each scenario and think about what you have learnt – there could be fundamental issues within them that you should now be able to identify. This workbook is not marked or evaluated, but it should not be ignored, as it will help you apply what you have learnt and thus internalise the information, both for your exam and for real-life projects you may be working on.

An approach to using this book is the following:
1. Take the e-Learning module
2. Read the scenario
3. Read the additional information for the question
4. Tackle the questions in this workbook
5. Refer to your e-learning for guidance if needed
6. Fill in the answer and check if you are right

As a guide, each question should take you no more than 30 minutes to complete.

Answers to questions

Yes, there are answers to each question or problem. These are located at the back of your workbook. We would highly encourage you not to go straight to these answers when you may be lost with a question, as this defeats the point. The questions are open ended: you need to analyse, analyse, analyse, then compare against the ISO/IEC 27001 standard and finally come up with your conclusion.

Scenario

Note: this case study has been taken directly from the practice exam guide to give you the depth to expect on your final exam – this case study is owned by APMG.

Case Study: Equitable Products
(The organisation and people within the scenario are fictional.)

Background

Equitable Products are a food processing and supply company to supermarkets. They supply food packaged under their own brand name to general retailers and 'supermarket brand' packaged goods to supermarket chains. In addition, they have recently begun supplying frozen 'ready meal' products to a major restaurant chain. To support their business, Equitable Products has food processing plants at two sites. One site deals with the processing and re-packaging of bulk foodstuffs into branded packages (own brand and supermarket). The other site produces ready meals which are supplied as frozen products to general retail customers and the restaurant chain.

Organisation

There are three marketing divisions within the organisation to service the separate retail, supermarket and restaurant markets. Each of the marketing divisions has their own business targets, objectives and processes. An internal IT unit is responsible for the provision of IT services within Equitable Products. Each division uses some specific, dedicated IT services, together with a core set of shared corporate IT services to support their business operations. For example, the Equitable Products' IT systems now interface directly with the supermarkets' IT systems to enable 'just in time' re-ordering and delivery. The restaurant chain's IT systems are also now connected to the Equitable Products' IT systems. All the new Restaurant Ready Meal products are microchipped with a Radio Frequency Identification Device (RFID). All restaurant products must be consumed within five days of production. The RFID technology enables the individual restaurants' usage to be monitored by Equitable Products. A production schedule is produced for the restaurant ready meal products in order to reduce wastage.

Current Status

As a result of international concern over contamination of products, Equitable Products decided that they should take more control of their supply chain. They have recently acquired an established chain of dairy farms which will, in the future, provide most of their fresh dairy products. This will better enable them to track ingredients from 'field to plate'. The other products and ingredients used in the processing plants are sourced from a variety of third party suppliers. Wherever possible the contracts with those suppliers require the suppliers to maintain ISO/IEC 27001 certification. The diagram below shows the interaction between the various parties and Equitable Products' divisions.

Diagram 1 - The interaction between the various parties and Equitable Products' divisions

The contracts with the major supermarkets require Equitable Products to maintain ISO/IEC 27001 certification and there is an established ISMS in place. However, the dairy farm chain has never had ISO/IEC 27001 certification and needs to be brought into the scope of certification. Equitable Products' corporate clients are supportive of the reasons and objectives of acquiring the dairy farm chain. However, they require the ISO/IEC 27001 certification to be extended to include this new business division.

Information Security Management Structure

The Equitable Products Chief Financial Officer has the role of Director of Information Management. In this role he has been given the organisational responsibility to ensure that ISO/IEC 27001 conformance is maintained. The Chief Information Officer reports directly to the Director of Information Management and has two Information Security Officers who work for him. They are responsible for ensuring that the company and its third party suppliers maintain the required ISO/IEC 27001 certifications. The Head of the IT Services Division also has an Information Security Specialist within his team. The specialist is responsible for ensuring that the IT service is delivered in accordance with ISO/IEC 27001.

Information Security Objectives

Information security risks must be managed effectively, collectively and proportionately in a cost effective way. A secure and confidential working environment should also be maintained. To achieve this, the information security objectives of Equitable Products include the following:
a) To maintain the confidentiality, integrity and availability of corporate and customer information
b) To maintain ISO/IEC 27001 certification
c) To ensure compliance with legal and regulatory requirements
d) To support effective and resilient processes to respond to, investigate and recover from any information security incidents with necessary controls, identified by formal risk assessment.

© The APM Group Ltd 2014. This case study remains the property of The APM Group (APMG). This document is not to be reproduced or re-sold without express permission from The APM Group Ltd. The APMG-International ISO/IEC 27001 logo is a Trade Mark of The APM Group Limited. The APMG-International logo is a Trade Mark of the APM Group Ltd.

1. Leadership

Leadership Scenario

Additionally, review the supplementary paper for this exercise.

The Equitable Products Chief Financial Officer has just completed an executive board meeting and has been appointed to promote and co-ordinate the information security process as part of his role as the IT Director. His first action was to define the security stakeholders of each department that would be within the scope of the certification. The main consensus was that security responsibilities would be delegated to the individual roles within the organisation, as security is everyone's responsibility. The roles and responsibilities were decided as below:

Role                    Brief Description of responsibility
Senior Management       For vision, strategic decisions and coordinates activities to direct and control the organisation.
Line Managers           Has the top responsibility for organisational functions.
Local IT staff          Has overall responsibility for the security tasks.
System Administrator    Has full accountability of all security breaches.
Human Resources         The person/persons with overall responsibility for the staff.

The Line Managers have stated that they do not need to discuss their security issues with other departments, as this would be a security weakness, and as such would prefer to work alone within their area of concern.

1.1 Have the roles and responsibilities been defined? (LE03-01, 04-01)

1.2 Do you think that the roles and responsibilities are appropriate and as required for information management and operation? (LE03-02, 04-02)

1.3 Do you think that the concepts, responsibilities and requirements about the context and leadership support an ISMS per Clauses 4, 5 and 7 (Context of the organisation, Leadership and Support) of ISO/IEC 27001? (LE03-03, 04-03)

2. Planning and Operation of the ISMS

Planning and operation scenario

The CFO understands that they need a risk treatment plan and had decided that he needed to define and establish the security risk processes and the criteria for risk acceptance, how to perform risk assessments, who would be the risk owners and who would analyse the information security risks. Additionally, the CFO was very keen to understand what information security risk treatment options were available and requires a Statement of Applicability (SoA) to be produced for critical risks. The CFO was also adamant that there has to be operational planning and control within the plan, which is to include control of planned changes. All risks and changes of their status should be monitored, measured, analysed and evaluated; additionally, documentation about information risk assessments and information risk treatment would be stored in line with the information policies.

2.1 When applying the concepts, responsibilities, requirements and processes relating to planning and operation of an ISMS within clauses 6, 8, 9 and 10 of ISO/IEC 27001, what are important considerations to make? (PL03-07)

2.2 Looking at the planning and operation scenario – do you think that the application of the concepts, responsibilities, requirements and processes relating to planning and operation of an ISMS within clauses 6, 8, 9 and 10 of ISO/IEC 27001 were carried out? If not, what was missing or not completed? (PL04-07)

3. Information Security Control Objectives and Controls

Information security control objectives and controls scenario

The CFO had requested that a report be created detailing the actions completed and any outstanding areas in relation to the controls within ISO/IEC 27001. The report findings are below:

ISO/IEC 27001 Controls Report

Control: Information security policies

Status: The board of directors have agreed that information security is of the highest priority and security policies must be defined; however, they also understand that the security policies should not hinder business growth or become a business disabler – as such they have commissioned a full assessment of what the business security requirements and required policies are, and will then require the IT security policies (including high level general policies, high level topic-specific policies and detailed policies) to be brought in line with the business security policies.

Control: Organisation of information policies

Status: The CFO, acting as the IT Director, has been made accountable for IT Security, and as such has put in place a policy regarding the organisation of information security. This includes the following:
• Defining owners, producers and users of information, with the associated RACI matrix highlighting responsibilities for each role
• As all employees have multiple roles he does not see the value in segregation of duties, and trusts his team not to share information
• There is a full communication plan in place to ensure that if there is a security incident the correct authorities are notified within the agreed timeframes
• Intergroup communication between Equitable Products, the retailers and supermarkets has been defined with a policy stating what information should be passed between the special interest groups and how
• There have been clear policies and procedures put in place that highlight the measures that shall be used for mobile devices, inclusive of any teleworking equipment and employees

Control: Human resources security

Status: The human resource policy is split into three main categories as follows:

Prior to employment:
• All potential employees are required to go through a screening process of three interviews and a full background check dependent on their role
• Terms and conditions should be tailored for each employment grade so that it ensures that the minimum and required information security safeguards are applied

During employment:
• An initial orientation session shall be conducted for all new employees that defines the individual and management information security responsibilities
• Yearly refresher information security training shall be conducted for all employees, with additional specialised training conducted aligned with the employee's skill/function/role
• The policy defines and communicates a formal disciplinary process to all employees

Termination and change of employment:
• There is a defined process for change of roles, including termination of accounts, monitoring of access activities and education about the employee's terms and conditions.

Control: Asset management

Status: There is a single inventory register within Equitable Products which defines the owners of all the assets. Each owner of each asset has defined the acceptable use of their associated asset. The asset policy states that the assets and any data held within them belong to Equitable Products, and that upon an employee/contractor leaving the firm they should hand back the assets intact; additionally the policy states how assets should be handled and stored. Information assets have a defined classification dependent on the criticality of the information, with defined procedures for handling at the defined level, which is as follows. All documentation is required to have the classification label in the header and footer.

Control: Access control

Status: The organisation uses the ITIL Access Management process, which has been defined in an Access Management Policy; this includes direction on:
• User registration and de-registration
• User access provisioning
• Management of privileged access rights
• Management of secret authentication information of users
• Review of user access rights
• Removal or adjustment of access rights
• Use of secret authentication information
• Information access restriction
• Secure log-on procedures
• Password management system
• Use of privileged utility systems
• Access control to program source code

Control: Cryptography

Status: There is a high-level cryptographic policy that was produced from an off-the-shelf template kit. It covers all the generic items such as cryptographic controls and key management.

Control: Physical and environmental security

Status: There is a mature policy that covers physical and environmental security controls including:
• Secure areas (all controls)
• Equipment (all controls)
This policy was last updated three years ago.

Control: Operations security

Status: At a process governance level, there are multiple processes and procedures available based on Change, Capacity, Availability, Incident and IT Service Continuity, which are aligned to ITIL. These have been tailored to focus on information security matters. At an operational level, there are established and well adopted policies, processes and procedures that cover:
• Separation of duties and environments
• Defined controls against malware (based on changing risk assessments)
• Grandfather/Father/Son information backup policy
• Logging and monitoring procedures
• Definitive Media Library (DML) that controls operational software and restrictions on installation
• Patch and technical vulnerability management
• A high-level policy on audit roles and responsibilities and rules to conduct audits, including processing and data retention.

Control: Communications security

Status: There is a communication policy that covers the following areas:
• Ensures that there is a segregation of users, information systems and networks
• All employees and contractors are held to a non-disclosure agreement that will remain in effect for 12 months after they complete work with the company
• All digital devices have the ability to be remotely wiped
• There are formal policies and procedures for the transfer of sensitive material
• Network controls are in place to protect systems and applications

Control: System acquisition and development

Status: There is an old System Acquisition, Development and Maintenance policy, which needs to be updated in line with the current organisational strategies. Currently the policy contains the following controls:
• Secure development policy
• System change control procedures
• Technical review of applications after operating platform changes
• Restrictions on changes to software packages
• Outsourced environment
• Systems security testing

Control: Supplier relationships

Status: There is a supplier relationship policy that has been tailored in line with the ITIL supplier categories; it is however unsure whether this is still relevant to the new vision. The policy includes:
• An overarching policy for all supplier relationships, including how suppliers are allowed access to the organisation's assets
• Detailed procedures for how information will be managed within the supplier's environment, including storage, access, processing and communication of information
• Ownership of information and the communication technology used within the supply chain
• How supplier audits and reviews are conducted in order to monitor and review supplier services
• Contract management, and how to manage changes to suppliers' contracts and services

Control: Security incident management

Status: The ITIL Incident Management process has been adopted, and there is no further requirement for tailoring towards security incidents.

Control: Business continuity management

Status: There is a disaster recovery plan in place that covers the restoration of business applications and hardware in the event of a disaster. In line with the legislation and contractual requirements, this consists of using a mix of hosted services from a well-known hosting provider and some in-house services; both options need up to 24 hours to install the latest backup, which is kept in the parent location. There is also a high availability solution in place with a focus on ensuring there is redundancy in place for mission critical services.

Control: Compliance

Status: There is a compliance policy which covers all of the controls; however, this is applied in an ad-hoc manner, and there is little governance to show it is applied.

3.1 This question is broken down into two parts – analyse the report and answer the following.
1. Do you think that the following aspects have been applied and tailored to the situation correctly?
2. Analyse the reasons to support your decision

Aspect                                                            Applied/Tailored    Reasons for your decision
Information security policies
Organisation of information policies
Human resources security
Asset management
Access control
Cryptography
Physical and environmental security
Operations security
Communications security
System acquisition, development and maintenance
Supplier relationships
Information security incident management
Information security aspects of business continuity management
Compliance

Answers

Here are some high-level answers for the exercises. Please note that this is not so much a right or wrong type of exercise, but more of a practical way for you to internalise some of the concepts taught in this course.

Leadership

Question 1
Points you should have noticed are:
1. The CFO has been appointed to promote the information security process
2. The stakeholders have been defined (representatives of each department have been identified within the scope)
3. Roles have been allocated within the organisation

Question 2
Points you should have noticed are:

1. The System administrator should not have full accountability of all security breaches
2. The Local IT staff should not have overall responsibility of the tasks, as this remains the responsibility at the management level

Question 3
Points you should have noticed are:

Concepts – The concepts have been applied ad-hoc; however, there is little evidence of structure.

Requirements – the most important considerations as defined in the supplementary paper have been addressed:
b) Overall responsibility for the tasks remains at the management level,
c) One person (usually the Chief Information Security Officer) is appointed to promote and co-ordinate the information security process,
d) Each employee is equally responsible for his or her original task and for maintaining information security in the workplace and in the organisation.

Leadership – The CFO has been appointed to promote and coordinate the activities of the information security processes. However, there seems to be little middle management leadership, which can be seen by the Local IT staff being made overall responsible for the tasks – which should remain at management level. Additionally, the CFO should ensure that there is collaboration with the appropriate business specialists (this looks to be absent with the siloed working of the Line managers).

Planning and Operations of the ISMS

Question 1
Important considerations to make would include:
• Actions to address risks and opportunities
  o Information security risk assessment
  o Information security risk treatment
• Information security objectives and planning to achieve them
• Operational planning and control
• Information security risk assessment
• Information security risk treatment
• Monitoring, measurement, analysis and evaluation
• Internal audits
• Management review
• Non-conformity and corrective action
• Continual improvement

Question 2
Concepts – Planning – The CFO has decided to establish risk management processes by planning the criteria for how risk is defined and accepted, and what risk treatment options are available, with a view to formulating a risk treatment plan. There was, however, no evidence to see that the risk plan and actions were aligned with the organisation's security policy – this may have been assumed. Additionally, there was little or no evidence shown of how the requirements and results of the assessment and risk treatment would be communicated.
Responsibilities – From the information shown there was no apparent delegation of responsibilities given within this scenario.
Requirements – Planning – The CFO had shown that there had to be planning and control, and highlighted that change control and control of documentation were important.

Performance evaluation – Planning – The CFO did state at a high level that all risks and changes to their status should be monitored, measured, analysed and evaluated.
Processes – Planning – The CFO did discuss the Change Process and that all documentation should have been stored in line with the information policies.
Improvement – Planning – No improvement activities were discussed.

Information Security Control Objectives and Controls

Question 1

Aspect: Information security policies (Applied/Tailored: Yes)
Reasons for your decision:
A.5.1.1 The business has requested that the IT security policies are brought in line with the business policies (tailoring).
A.5.1.2 The business has asked for a review of the information security policies against the business policies.

Aspect: Organisation of information policies (Applied/Tailored: Partially)
Reasons for your decision:
A.6.1.1 Information roles have been defined (at a high level), and a RACI matrix showing the responsibilities has been developed.
A.6.1.2 Segregation of duties has not been approached, and will be a risk.
A.6.1.3 There is a communication plan highlighting when and how contacts with authorities should take place.
A.6.1.4 Groups have been set up that are governed by communication policies.
A.6.1.5 Nothing is mentioned regarding information security in project management.
A.6.2.1 & A.6.2.2 There is a policy that supports the use of mobile devices and teleworkers.

Aspect: Human resources security (Applied/Tailored: Yes)
Reasons for your decision:
A.7.1.1 Employees are screened.
A.7.1.2 There are defined terms and conditions of employment.
A.7.2.1 Both management and employee responsibilities are defined and communicated.
A.7.2.2 There is periodic generic and specialised training given.
A.7.2.3 There is a defined disciplinary process.
A.7.3.1 There is a defined termination procedure.

Aspect: Asset management (Applied/Tailored: Partially)
Reasons for your decision:
A.8.1.1 There is an inventory of assets.
A.8.1.2 There are owners for the assets.
A.8.1.3 Each asset owner defines the acceptable use of the asset – this may cause conflict and areas of weak information security.
A.8.1.4 There is a defined return of asset policy.
A.8.2.1 There is a defined classification for information.
A.8.2.2 All information should be labelled with its classification.
A.8.2.3 There is information about handling and storage.
There is no information shown regarding media handling (A.8.3.1, A.8.3.2, A.8.3.3).

Aspect: Access control (Applied/Tailored: Yes)
Reasons for your decision: At a high level, the access policy directs all the A.9 Access management clauses.

Aspect: Cryptography (Applied/Tailored: No)
Reasons for your decision: There is a cryptographic policy based on a generic template; however, this has not been tailored to the organisation and may not be aligned to the regulations and national restrictions that might apply.

Aspect: Physical and environmental security (Applied/Tailored: Partially)
Reasons for your decision: There is a mature policy that does cover all of the controls stated within A.11 Physical and environmental security. However, this has not been updated for three years, which could mean that it is not aligned to the changing business needs. Additionally, this highlights a lack of governance over the controls.

Aspect: Operations security (Applied/Tailored: Yes)
Reasons for your decision: All of the controls within A.12 Operations security have been covered, with various levels of detail.

Aspect: Communications security (Applied/Tailored: Partially)
Reasons for your decision: A.13 Communications security controls are addressed apart from A.13.1.2 Security of network services.

Aspect: System acquisition, development and maintenance (Applied/Tailored: Partially)
Reasons for your decision: There is a policy here, but it is out of date and is also missing the following controls:
• A.14.2.5 Secure system engineering principles
• A.14.2.6 Secure development environment
• A.14.2.9 System acceptance testing
• A.14.3.1 Protection of test data

Aspect: Supplier relationships (Applied/Tailored: Yes)
Reasons for your decision: All the controls within A.15 Supplier relationships are shown. However, it would be recommended that the controls are assessed to define whether they are still aligned with the business objectives.

Aspect: Information security incident management (Applied/Tailored: No)
Reasons for your decision: Even though the ITIL Incident Management process has been adopted, there is no evidence seen to show that the following controls are in place:
• A.16.1.1 Responsibilities and procedures
• A.16.1.2 Reporting information security events
• A.16.1.3 Reporting information security weaknesses
• A.16.1.4 Assessment of and decision on information security events
• A.16.1.5 Response to information security incidents
• A.16.1.6 Learning from information security incidents
• A.16.1.7 Collection of evidence

Aspect: Information security aspects of business continuity management
Reasons for your decision: This statement has the following positive elements:
• There is a disaster recovery plan in place
• There is redundancy for mission critical services
• There is alignment with legislation and contractual agreements
There is however no mention of:
• Intellectual property rights, as there is a hosting service used within the solution
• Availability of information processing facilities
• Verify, review and evaluate information security continuity

Aspect: Compliance (Applied/Tailored: No)
Reasons for your decision: Even though there is a compliance policy that does cover all the stated controls, there is also concern about the governance and application of the controls.