
Statement of Applicability

Legend (for Selected Controls and Reasons for controls selection)

LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment, TSE: to some extent

ISO/IEC 27001:2013 Annex A controls

Columns of the table: Clause | Control Objective/Control | Sec | Current controls | Remarks (with justification for exclusions) | Selected controls and reasons for selection (LR, CO, BR/BP, RRA) | Remarks (overview of implementation)

Clause 5 Security Policies
  5.1 Management direction for information security
    5.1.1 Policies for information security
    5.1.2 Review of the policies for information security

Clause 6 Organisation of information security
  6.1 Internal organisation
    6.1.1 Information security roles and responsibilities
    6.1.2 Segregation of duties
    6.1.3 Contact with authorities
    6.1.4 Contact with special interest groups
    6.1.5 Information security in project management
  6.2 Mobile devices and teleworking
    6.2.1 Mobile device policy
    6.2.2 Teleworking

Clause 7 Human resource security
  7.1 Prior to employment
    7.1.1 Screening
    7.1.2 Terms and conditions of employment
  7.2 During employment
    7.2.1 Management responsibilities
    7.2.2 Information security awareness, education and training
    7.2.3 Disciplinary process
  7.3 Termination or change of employment
    7.3.1 Termination or change of employment responsibilities

Clause 8 Asset management
  8.1 Responsibility for assets
    8.1.1 Inventory of assets
    8.1.2 Ownership of assets
    8.1.3 Acceptable use of assets
    8.1.4 Return of assets
  8.2 Information classification
    8.2.1 Classification of information
    8.2.2 Labeling of information
    8.2.3 Handling of assets
  8.3 Media handling
    8.3.1 Management of removable media
    8.3.2 Disposal of media
    8.3.3 Physical media transfer

Clause 9 Access control
  9.1 Business requirements of access control
    9.1.1 Access control policy
    9.1.2 Access to networks and network services
  9.2 User access management
    9.2.1 User registration and de-registration
    9.2.2 User access provisioning
    9.2.3 Management of privileged access rights
    9.2.4 Management of secret authentication information of users
    9.2.5 Review of user access rights
    9.2.6 Removal or adjustment of access rights
  9.3 User responsibilities
    9.3.1 Use of secret authentication information
  9.4 System and application access control
    9.4.1 Information access restriction
    9.4.2 Secure log-on procedures
    9.4.3 Password management system
    9.4.4 Use of privileged utility programs
    9.4.5 Access control to program source code

Clause 10 Cryptography
  10.1 Cryptographic controls
    10.1.1 Policy on the use of cryptographic controls
    10.1.2 Key management

Clause 11 Physical and environmental security
  11.1 Secure areas
    11.1.1 Physical security perimeter
    11.1.2 Physical entry controls
    11.1.3 Securing offices, rooms and facilities
    11.1.4 Protecting against external and environmental threats
    11.1.5 Working in secure areas
    11.1.6 Delivery and loading areas
  11.2 Equipment
    11.2.1 Equipment siting and protection
    11.2.2 Supporting utilities
    11.2.3 Cabling security
    11.2.4 Equipment maintenance
    11.2.5 Removal of assets
    11.2.6 Security of equipment and assets off-premises
    11.2.7 Secure disposal or re-use of equipment
    11.2.8 Unattended user equipment
    11.2.9 Clear desk and clear screen policy

Clause 12 Operations security
  12.1 Operational procedures and responsibilities
    12.1.1 Documented operating procedures
    12.1.2 Change management
    12.1.3 Capacity management
    12.1.4 Separation of development, testing and operational environments
  12.2 Protection from malware
    12.2.1 Controls against malware
  12.3 Backup
    12.3.1 Information backup
  12.4 Logging and monitoring
    12.4.1 Event logging
    12.4.2 Protection of log information
    12.4.3 Administrator and operator logs
    12.4.4 Clock synchronisation
  12.5 Control of operational software
    12.5.1 Installation of software on operational systems
  12.6 Technical vulnerability management
    12.6.1 Management of technical vulnerabilities
    12.6.2 Restrictions on software installation
  12.7 Information systems audit considerations
    12.7.1 Information systems audit controls

Clause 13 Communications security
  13.1 Network security management
    13.1.1 Network controls
    13.1.2 Security of network services
    13.1.3 Segregation in networks
  13.2 Information transfer
    13.2.1 Information transfer policies and procedures
    13.2.2 Agreements on information transfer
    13.2.3 Electronic messaging
    13.2.4 Confidentiality or non-disclosure agreements

Clause 14 System acquisition, development and maintenance
  14.1 Security requirements of information systems
    14.1.1 Information security requirements analysis and specification
    14.1.2 Securing application services on public networks
    14.1.3 Protecting application services transactions
  14.2 Security in development and support processes
    14.2.1 Secure development policy
    14.2.2 System change control procedures
    14.2.3 Technical review of applications after operating platform changes
    14.2.4 Restrictions on changes to software packages
    14.2.5 Secure system engineering principles
    14.2.6 Secure development environment
    14.2.7 Outsourced development
    14.2.8 System security testing
    14.2.9 System acceptance testing
  14.3 Test data
    14.3.1 Protection of test data

Clause 15 Supplier relationships
  15.1 Information security in supplier relationships
    15.1.1 Information security policy for supplier relationships
    15.1.2 Addressing security within supplier agreements
    15.1.3 Information and communication technology supply chain
  15.2 Supplier service delivery management
    15.2.1 Monitoring and review of supplier services
    15.2.2 Managing changes to supplier services

Clause 16 Information security incident management
  16.1 Management of information security incidents and improvements
    16.1.1 Responsibilities and procedures
    16.1.2 Reporting information security events
    16.1.3 Reporting information security weaknesses
    16.1.4 Assessment of and decision on information security events
    16.1.5 Response to information security incidents
    16.1.6 Learning from information security incidents
    16.1.7 Collection of evidence

Clause 17 Information security aspects of business continuity management
  17.1 Information security continuity
    17.1.1 Planning information security continuity
    17.1.2 Implementing information security continuity
    17.1.3 Verify, review and evaluate information security continuity
  17.2 Redundancies
    17.2.1 Availability of information processing facilities

Clause 18 Compliance
  18.1 Compliance with legal and contractual requirements
    18.1.1 Identification of applicable legislation and contractual requirements
    18.1.2 Intellectual property rights
    18.1.3 Protection of records
    18.1.4 Privacy and protection of personally identifiable information
    18.1.5 Regulation of cryptographic controls
  18.2 Information security reviews
    18.2.1 Independent review of information security
    18.2.2 Compliance with security policies and standards
    18.2.3 Technical compliance review

Current as of: DD/MM/YYYY

[Figure: pie chart "ISO 27001:2005 Standards Implementation - Status by Classification in number and percentage". Categories: Process complies with standard and is documented; Process is implemented and must be documented; Process does not comply with standard and must be redesigned; Process is not in place / not implemented; Process is not applicable. Slice labels as extracted (count; share of total): 16; 14% / 1; 1% / 1; 1% / 65; 55% / 35; 30%. Counts were exported with a percent number format (e.g. "1600%" is the count 16).]

[Figure: bar chart "Status: Process implementation complies with ISO 27001:2005 standard and documented". Y-axis "In Percent", 0 to 1 (0% to 100%).]

[Figure: pie chart "ISO 27001:2005 Annexure-A Controls Implementation Status by Classification in number and percentage". Categories: Controls documented and implemented; Controls implemented must be documented; Controls implemented do not comply with standards, need to be redesigned; Controls not implemented and documented; Controls not applicable. Slice labels as extracted (count; share of total): 7; 5% / 23; 17% / 49; 37% / 5; 4% / 49; 37%. Counts were exported with a percent number format (e.g. "700%" is the count 7).]

[Figure: bar chart "ISO 27001:2005 Standards Implementation - Status by Classification in number". Y-axis 0 to 80. Categories: Process complies with standard and is documented; Process is implemented and must be documented; Process does not comply with standard and must be redesigned; Process is not in place / not implemented; Process is not applicable. Bar labels as extracted: 65, 35, 16.]

[Figure: bar chart "Status: Process implementation complies with ISO 27001:2005 standard and documented". Y-axis "Compliance percentage", 0 to 1 (0% to 100%). Series: Compliance %, Goal.]

[Figure: bar chart "Annexure - A Controls Implementation Status by Domain (in number and percentage)". Y-axis 0 to 1.2. Series: Compliance %, Goal. X-axis domains: Security Policy; Organization of information security; Asset Management; Human resources security; Physical and environmental security; Communications and operations management; Access Control; Information systems acquisition, development and maintenance; Information security incident management; Business continuity management; Compliance.]


[Figure: bar chart "Implementation Status by ISO 27001:2005 - Clauses". X-axis "ISO Clauses"; legend title "Reference". Categories: Process complies with standard and is documented; Process is implemented and must be documented; Process does not comply with standard and must be redesigned; Process is not in place / not implemented; Process is not applicable. Bar labels as extracted: 16, 35, 65.]

[Figure: bar chart "Implementation status by ISO 27001:2005 - Annexure - A Controls". Legend title "Reference". Categories: Controls documented and implemented; Controls implemented must be documented; Controls implemented do not comply with standards, need to be redesigned; Controls not implemented and documented; Controls not applicable. Bar labels as extracted: 23, 49, 49.]

Implementation Adequacy Status against ISO 27001 Clauses

ISO Clause                                  Count   Compliance %   Goal
4.1 - General Requirements                    1        100%        100%
4.2 - Establishing and managing the ISMS      5         17%        100%
4.3 - Documentation requirements              8         31%        100%
5.1 - Management Commitment                   0          0%        100%
5.2 - Resource Management                     1          8%        100%
6 - Internal ISMS Audit                       0          0%        100%
7.1 - General                                 0          0%        100%
7.2 - Review Input                            0          0%        100%
7.3 - Review Output                           0          0%        100%
8.1 - Continual Improvement                   0          0%        100%
8.2 - Corrective action                       1         14%        100%
8.3 - Preventive action                       0          0%        100%

Total number of clause items in the clause status charts above: 118

Implementation Adequacy Status against ISO 27001 Annexure - A Controls

Domain description                                               Count   Compliance %   Goal
5 Security Policy                                                  2        100%        100%
6 Organization of information security                            11        100%        100%
7 Asset Management                                                 5        100%        100%
8 Human resources security                                         9        100%        100%
9 Physical and environmental security                             13        100%        100%
10 Communications and operations management                       32        100%        100%
11 Access Control                                                 25        100%        100%
12 Information systems acquisition, development and maintenance    5        100%        100%
13 Information security incident management                        5        100%        100%
14 Business continuity management                                  5        100%        100%
15 Compliance                                                     11        100%        100%

Annexure - A Controls and Objectives - ISO 27002:2005 - Security Techniques (by function)

Function          No. of controls   Compliance %   Goal
Administration          16              38%       100.00%
CISO                    34               3%       100.00%
Finance                  3               0%       100.00%
HR                       9              44%       100.00%
IT                      52              15%       100.00%
S/W                      7              57%       100.00%
Top Management           4               0%       100.00%
Training                 1               0%       100.00%
