ISAE 3402 Type 2 Report on IT General Controls regarding Dataløn for the period 1 January - 30 September 2019


Contents

1 Independent Service Auditor's Report
2 Visma Dataløn's Management Statement
3 Description of internal controls
3.1 Purpose and applicability of this report
3.2 Overview of Visma Dataløn's operations
3.3 Audit scope
3.4 Risk assessment
3.5 Major changes during 2019
3.6 Control environment
3.7 Complementary user entity control considerations
4 Testing performed by EY
4.1 Objective and scope
4.2 Control objectives tested
4.3 Description of tests performed
4.4 The results of the testing

Ernst & Young P/S - Dirch Passers Alle 36 - P.O. Box 250 - 2000 Frederiksberg - Denmark - CVR no. 30 70 02 28


1 Independent Service Auditor's Report

To Management of Visma Dataløn A/S, Denmark

Scope

We have been engaged to report on Visma Dataløn A/S's description in Section 3 of its system (Dataløn) used for processing customers' payroll transactions (Description) throughout the period 1 January to 30 September 2019, and on the design and operation of controls related to the control objectives stated in the description.

Visma Dataløn uses the subservice organizations Nets Denmark A/S, ATEA A/S and Visma IT & Communications (VITC) for the delivery of payroll services. Management's description of controls does not include control objectives and associated controls at the subservice organizations.

This report is prepared as a carve-out for the subservice organizations, and our testing does not include controls at these subservice organizations.

The description in Section 3 indicates that certain complementary user entity controls must be suitably designed and implemented at Visma Dataløn for related controls at the service organization to be considered suitably designed to achieve the related control objectives. Our engagement did not extend to such complementary user entity controls, and we have not evaluated the design or operating effectiveness of such complementary user entity controls.

Visma Dataløn's responsibilities

Visma Dataløn is responsible for preparing the description and accompanying statement in Section 2, including the completeness, accuracy and method of presentation of the description and statement; providing the services covered by the description; stating the control objectives; and designing, implementing and effectively operating controls to achieve the stated control objectives.

Our independence and quality control

We have complied with the independence and other ethical requirements of the Code of Ethics for Professional Accountants issued by the International Ethics Standards Board for Accountants, which is founded on fundamental principles of integrity, objectivity, professional competence and due care, and professional behaviour. Furthermore, we have complied with the requirements for independence and other ethical requirements of FSR - Danish Auditors' guidelines for ethical conduct of auditors, based on the fundamental principles of integrity, objectivity, professional competence and necessary care, confidentiality and professional conduct.

Ernst & Young Godkendt Revisionspartnerselskab applies International Standard on Quality Control 1¹ and accordingly maintains a comprehensive system of quality control, including documented policies and procedures regarding compliance with ethical requirements, professional standards and applicable legal and regulatory requirements.

Service auditor's responsibilities

Our responsibility is to express an opinion on Visma Dataløn's description and on the design and operation of controls related to the control objectives stated in that description, based on our procedures. We conducted our engagement in accordance with International Standard on Assurance Engagements 3402, "Assurance Reports on Controls at a Service Organization," issued by the International Auditing and Assurance Standards Board. That standard requires that we plan and perform our procedures to obtain reasonable assurance about whether, in all material respects, the description is fairly presented, and the controls are suitably designed and operating effectively.

An assurance engagement to report on the description, design and operating effectiveness of controls at a service organization involves performing procedures to obtain evidence about the disclosures in the service organization's description of its system, and the design and operating effectiveness of controls. The procedures selected depend on the service auditor's judgment, including the assessment of the risks that the description is not fairly presented, and that controls are not suitably designed or operating effectively. Our procedures included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the control objectives stated in the description were achieved. An assurance engagement of this type also includes evaluating the overall presentation of the description, the suitability of the objectives stated therein, and the suitability of the criteria specified by the service organization and described in Management's description in Section 3.

¹ ISQC 1, "Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements"

We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

Basis for limitations of controls at a service organization

Visma Dataløn's description is prepared to meet the common needs of a broad range of customers and their auditors and may not, therefore, include every aspect of the system that each individual customer may consider important in its own particular environment. Also, because of their nature, controls at a service organization may not prevent or detect all errors or omissions in processing or reporting transactions. Also, the projection of any evaluation of effectiveness to future periods is subject to the risk that controls at a service organization may become inadequate or fail.

Opinion

Our opinion has been formed on the basis of the matters outlined in this report. The criteria we used in forming our opinion are those described in Management's statement in Section 2. In our opinion, in all material respects:

A) The description fairly presents Visma Dataløn's system for processing customers' payroll transactions as designed and implemented throughout the period from 1 January to 30 September 2019;

B) The controls related to the control objectives stated in the description were suitably designed throughout the period from 1 January to 30 September 2019; and

C) The controls tested, which were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period from 1 January to 30 September 2019.

Description of tests of controls

The specific controls tested, and the nature, timing and results of those tests, are listed in Section 4.

Intended users and purpose

This report and the description of tests of controls in Section 4 are intended only for customers who have used Visma Dataløn's system for processing customers' payroll transactions, and their auditors, who have a sufficient understanding to consider it, along with other information, including information about controls operated by customers themselves, when assessing the risks of material misstatement of customers' financial statements.

Copenhagen, 13 December 2019
ERNST & YOUNG

ansen
Public Accountant, mne19675

Andreas Uldahl
Manager, CISA


2 Visma Dataløn's Management Statement

The accompanying description has been prepared for customers who have used Visma Dataløn's system for processing customers' payroll transactions ("Description") and their auditors who have a sufficient understanding to consider the description, along with other information, including information about controls operated by customers themselves, when assessing the risks of material misstatements of customers' financial statements.

Visma Dataløn uses the subservice organizations Nets Denmark A/S, ATEA A/S and Visma IT & Communications (VITC) in the delivery of payroll services. The accompanying description of controls does not include control objectives and associated controls at the subservice organizations.

This report is prepared as a carve-out for the subservice organizations, and our testing does not include controls at these subservice organizations.

Visma Dataløn confirms that:

A) The accompanying description in Section 3 fairly presents Visma Dataløn's system for processing customers' payroll transactions throughout the period 1 January to 30 September 2019. The criteria used in making this statement were that the accompanying description:

- Presents how the system was designed and implemented, including:
  - The types of services provided, including, as appropriate, classes of transactions processed.
  - The procedures, within both information technology and manual systems, by which those transactions were initiated, recorded, processed, corrected as necessary, and transferred to the reports prepared for customers.
  - The related accounting records, supporting information and specific accounts that were used to initiate, record, process and report transactions; this includes the correction of incorrect information and how information was transferred to the reports prepared for customers.
  - How the system dealt with significant events and conditions, other than transactions.
  - Relevant control objectives and controls designed to achieve these objectives.
  - Controls that we assumed, in the design of the system, would be implemented by user entities, and which, if necessary to achieve control objectives stated in the accompanying description, are identified in the description along with the specific control objectives that cannot be achieved by ourselves alone.
  - Other aspects of our control environment, risk assessment process, information system (including the related business processes) and communication, control activities and monitoring controls that were relevant to processing and reporting customers' transactions.
- Includes relevant details of changes to the service organization's system during the period 1 January to 30 September 2019.
- Does not omit or distort information relevant to the scope of the system being described, while acknowledging that the description is prepared to meet the common needs of a broad range of customers and their auditors and may not, therefore, include every aspect of the system that each individual customer may consider important in its own particular environment.


B) The controls related to the control objectives stated in the accompanying description were suitably designed and operated effectively throughout the period 1 January to 30 September 2019.

The criteria used in making this statement were that:

- The risks that threatened achievement of the control objectives stated in the description were identified;
- The identified controls would, if operated as described, provide reasonable assurance that those risks did not prevent the stated control objectives from being achieved; and
- The controls were consistently applied as designed, including that manual controls were applied by individuals who have the appropriate competence and authority, throughout the period 1 January to 30 September 2019.


3 Description of internal controls

3.1 Purpose and applicability of this report

The report has been prepared in accordance with:

International Standard on Assurance Engagements (ISAE) 3402: "Assurance Reports on Controls at a Service Organization"

The purpose of this report is to provide information to auditors of user organizations on the services provided by Visma Dataløn A/S and the internal controls related to the payroll solution in scope for the period 1 January - 30 September 2019.

This section provides an overview of relevant control objectives.

The report on services, related control objectives and controls placed in operation and tests of their operating effectiveness is intended to provide interested parties with sufficient information to understand the transaction flows, in order for the interested parties to rely on certain controls in place at Visma Dataløn.

The examination has been performed in accordance with ISAE 3402. Each user organization is responsible for evaluating this information in relation to the internal control structure in place in their organization in order to assess the total internal control structure. If a user organization does not have an effective internal control structure in place, the related Visma Dataløn internal control structure may not compensate for such weaknesses.

3.2 Overview of Visma Dataløn's operations

Visma Dataløn provides payroll and HR application services to companies.

The services include:

- Application development
- Maintenance and updates
- Application operations
- IT operations
- Payroll production
- Support and service, training and consulting
- External reporting (public authorities/trade organizations)


The illustration below (Figure 1) shows the division of responsibilities for six major areas, some of which are covered by this report:

[Figure 1 (image not reproduced): a responsibility matrix with the columns "User organization*", "Visma Bluegarden" and "Subservice provider", and the rows Employee (address, salary, bank acc., etc.); Company (...); National legislation and regulations (tax, pensions, ...); Application (...); Database (DBMS parameters); Infrastructure (network, HW, ... SW); IT operation. Which party is responsible for each row is not recoverable from the extracted text.]

* If outsourced, it is still the user organization's responsibility.

Figure 1: Division of responsibilities

3.3 Audit scope

This Service Auditor's Assurance Report exclusively deals with the aforementioned services related to the payroll solution Dataløn at Visma Dataløn A/S in Denmark.

Registration applications used by employees (the "Smartløn" app) for the payroll solution are not covered by this Service Auditor's Assurance Report.

BPO (Business Process Outsourcing) services are not covered by this Service Auditor's Assurance Report.

3.3.1 Dataløn

Dataløn (the name of the payroll system provided by Visma Dataløn) is a framework system designed for small and medium-sized companies, based on a number of well-tested functions which are adapted to the user organization's specific needs.

The solution is an online/batch payroll system. This means that data is contained in one system and the company reports data using a web-based user interface. The actual payroll run is done each afternoon/night.

The services offered in the solution include:

- Standard set-up to cover the user organization's needs
- Access to perform an unlimited number of pre-calculations
- Update and maintenance of the solution in order to comply with Danish legislation
- Access to perform payroll processing with mandatory and optional deliveries to third parties within the specified time limits
- Return of data - in printed as well as electronic form - to the user organization
- Transfer of payroll payments, taxes, public services and pensions
- Support in connection with payroll processing and system functions
- Reporting of data to pension funds, tax and other authorities


A native smartphone app is available for each employee to register working hours, mileage reimbursement and disbursements. The registrations must be approved by the accountant responsible for all tasks related to the payroll solution before they are imported into the payroll solution. As mentioned, the app is not covered by this report.

3.4 Risk assessment

Risk assessments are conducted as part of daily operations at all levels in the organization. Issues are discussed at management level as well as at board level, as deemed necessary.

An overall information security risk assessment is conducted according to the Security Policy. This risk assessment comprises physical security, personnel security, technical security and administrative security.

In addition, in case of serious security incidents, or if serious security flaws are detected, a security risk assessment process will be carried out.

Security risk assessments are conducted in accordance with recommendations from the Danish Data Protection Agency (Datatilsynet) and ISO 27001. In general, security risk issues are mapped in matrices measuring the probability of a certain risk occurring (likelihood) and the degree of impact (DKK, time, reputation, laws and regulations, etc.). Risk is determined as the product of likelihood and impact.

In situations where continuous security risk mapping is relevant, the movement of security risk issues is monitored. When security risk issues are characterized as having a high probability and a serious impact, or when the expected risk exceeds an agreed level, countermeasures are discussed and decided upon. Security risks are avoided, transferred, mitigated, or accepted. Security risks can only be accepted at certain management levels, depending on the security risk severity. Unresolved security risk issues will be escalated to the appropriate management level and, in grave instances, to board level, as deemed necessary by the Information Security Officer.

3.5 Major changes during 2019

As of 1 July 2019, the handling of IT operations was insourced from Visma IT & Communication. An IT Operations department was established under Enterprise (product development). Local Support (which facilitates workstations and equipment) remains a part of Visma IT & Communication. The insourcing from Visma IT & Communications has had no impact on established control objectives or implemented controls.

3.6 Control environment

The control environment at Visma Dataløn is based on ISO/IEC 27002:2013. To ensure the delivery of Visma Dataløn's services and the quality thereof, as well as fulfilling customer needs to ensure an effective supplier follow-up, key control objectives and controls related to the services are selected and covered in this report. The controls are reviewed and updated on an ongoing basis.

The specific control objectives and the control activities supporting the processes are described in Section 4.

3.6.1 Information security policies

Based on a risk assessment, a set of information security policies has been established and approved by Management. The policies have been published and communicated to employees and relevant external parties. The policies are reviewed on an annual basis, or when required due to significant changes, to ensure their continuing appropriateness, adequacy and effectiveness.

The related control objective is A.5.1 (A.5.1.1, A.5.1.2).

3.6.2 Organization of information security

Visma Dataløn's Management has defined and allocated all information security responsibilities, appointed an Information Security Officer, and established an Information Security Board.

Figure 2 below shows the business structure of Visma Dataløn at 30 September 2019.


[Figure 2 (organization chart image not reproduced): the units legible in the extracted text are Dataløn; Development; Support; Consulting; Marketing; Product Marketing; Churn; Assurance; Customer Care Hotline; Customer Care Hotline & Support; Relationship Selling; Visma Bluegarden; HR & Legal; Enterprise; Information Security; Product Development; Dataløn Operations; Business Automation; Collaborative Payroll; Mainframe & Platform; Shared Services; Finance. The reporting lines between these units are not recoverable from the extracted text.]

Figure 2: Organization chart of Visma Dataløn located in Visma Bluegarden at 30 September 2019

Conflicting duties between critical functions of Visma Dataløn and areas of responsibility have been segregated. This includes segregation of duties internally between development, test, and production, with proper consideration of the use of subservice organizations.

Visma Dataløn addresses information security in its project management.

The related control objective is A.6.1 (A.6.1.1, A.6.1.2, A.6.1.5).

3.6.3 Human resource security

Prior to employment, Visma Dataløn ensures that employees and external consultants understand their responsibilities and that they are suitable for the roles for which they are considered. This includes screening of criminal records and contractual agreements (including a non-disclosure agreement) with employees and external consultants stating their and the organization's information security responsibilities.

During employment, Visma Dataløn ensures that employees and external consultants are aware of their information security responsibilities. This includes information security awareness, training, and education.

The related control objectives are A.7.1 (A.7.1.1, A.7.1.2) and A.7.2 (A.7.2.1, A.7.2.2).

3.6.4 Asset management

Visma Dataløn has identified organizational assets and defined appropriate protection responsibilities. An asset inventory has been drawn up and is maintained, including acceptable use of information and assets, such as their return, transfer and disposal.

Visma Dataløn ensures that information receives an appropriate level of protection in accordance with its importance to the organization. This includes classification of information in terms of legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. Procedures for handling assets have been established and implemented.

Procedures for physical media transfer and for disposal of media have been established and implemented to prevent unauthorized disclosure, modification, removal, or destruction of information stored on media.


The related control objectives are A.8.1 (A.8.1.1, A.8.1.3, A.8.1.4) and A.8.2 (A.8.2.1, A.8.2.3) and A.8.3 (A.8.3.2, A.8.3.3).

3.6.5 Access control (Visma employees)

Visma Dataløn ensures that access to information and information processing facilities is limited. An access control policy, based on business and information security requirements, has been established and documented and is reviewed on a regular basis. Users are only provided with access to services that they have been specifically authorized to use.

Visma Dataløn ensures authorized user access to prevent unauthorized access to systems and services. A process for user registration, de-registration and user access provisioning has been established and implemented. Privileged access rights, such as domain administrator rights, are restricted and controlled. User access rights to restricted information are reviewed at regular intervals.

The access rights to information and information processing facilities are removed upon termination of employment.

Visma Dataløn employees are accountable for safeguarding their authentication information. Users are instructed to follow the organization's practices in the use of secret authentication information.

Visma Dataløn ensures that unauthorized access to systems and applications is prevented. Access to information and application system functions is restricted and controlled by a secure log-on procedure, and password management systems ensure quality passwords.

The related control objectives are A.9.1 (A.9.1.1, A.9.1.2) and A.9.2 (A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6) and A.9.3 (A.9.3.1) and A.9.4 (A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.5).

3.6.6 Cryptography

Visma Dataløn ensures proper and effective use of cryptography in selected areas to protect the confidentiality, authenticity, and integrity of information. A policy on the use of cryptographic controls and the use of cryptographic keys has been established and implemented.

Use of cryptographic controls and cryptographic keys is registered and reviewed on a regular basis.

The related control objective is A.10.1 (A.10.1.1, A.10.1.2).

3.6.7 Physical and environmental security

Visma Dataløn ensures that unauthorized access to the organization's information and information processing facilities is prevented. Security perimeters are defined, and offices, rooms, and facilities are secured by physical entry controls.

A policy regarding clear desk, clear screen and removable storage media has been established and implemented.

The related control objectives are A.11.1 (A.11.1.1, A.11.1.2, A.11.1.3) and A.11.2 (A.11.2.7, A.11.2.9).

3.6.8 Operations security

Visma Dataløn ensures correct and secure operation of information processing facilities. A policy on operational procedures has been established, and a change management workflow has been implemented to ensure the control of changes to the production environments. Development, testing, and operational environments are separated, and changes to production environments must be planned and tested.

Visma Dataløn ensures that information is protected against malware. Visma Dataløn has implemented and communicated an acceptable use policy.

Visma Dataløn ensures protection against loss of data. Backups and backup-restore tests are performed on a regular basis.

Visma Dataløn ensures logging to record events and generate evidence. Event logs recording user activities, exceptions, faults, and information security events are generated and kept. Logs for proactive use as well as reactive use are generated. Logs for proactive use are monitored regularly. Log information is protected against tampering and unauthorized access, and a correct timestamp is ensured.

Visma Dataløn minimizes the risk of exploitation of technical vulnerabilities by an effective patch procedure as well as regular vulnerability scans.

A software requisition process has been established in order to limit the installation of software. The number of workstation administrators is limited and reviewed on a regular basis.

The related control objectives are A.12.1 (A.12.1.2, A.12.1.4) and A.12.2 (A.12.2.1) and A.12.3 (A.12.3.1) and A.12.4 (A.12.4.1, A.12.4.2) and A.12.6 (A.12.6.1, A.12.6.2).

3.6.9 Communications security

Visma Dataløn ensures the protection of information in networks and its supporting information processing facilities. Networks are managed and controlled, and groups of information services and users are segregated on networks.

The related control objectives are A.13.1 (A.13.1.1, A.13.1.3).

3.6.10 System acquisition, development and maintenance

Visma Dataløn ensures that information systems are designed and implemented according to the system development and security life cycle, which ensures a structured and well-controlled environment. A system development and maintenance policy has been established and implemented and is supported by an established system development and security life cycle (SDLC) and by the use of an established change management workflow.

The established system development and security life cycle provides requirements for:

- Review of applications after changes to the operating platforms
- Restrictions on changes to software packages
- Secure system engineering principles
- Secure development environment
- Outsourced development
- System security testing and system acceptance testing.

Visma Dataløn ensures the protection of data used for testing. An approach to testing, as well as strategies and design techniques for testing, has been established.

The related control objectives are A.14.2 (A.14.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.5, A.14.2.6, A.14.2.7, A.14.2.8, A.14.2.9) and A.14.3 (A.14.3.1).

3.6.11 Supplier relationships

Visma Dataløn utilizes subservice organizations for certain purposes.

Below is a description of the most significant subservice organizations handled by supplier relationship management.

Nets Denmark A/S

Visma has outsourced part of the operation of the IT infrastructure supporting the solutions in scope to Nets Denmark A/S, which has outsourced operations to IBM Danmark ApS. Visma receives an Independent Service Auditor's Report from IBM covering the operations delivered specifically to Visma by the subservice provider. The report is prepared in accordance with ISRS 4400. In addition, Visma receives an Independent Service Auditor's Report from Nets covering the operations delivered by the subservice provider. The report is prepared in accordance with ISAE 3402.

ATEA A/S


Visma Dataløn has outsourced part of its operation to ATEA A/S.

Visma Dataløn receives an Independent Service Auditor's Report covering the operations delivered by the subservice provider. The report is prepared in accordance with ISAE 3402.

Visma IT & Communications

Visma Dataløn has outsourced part of its operation to Visma IT & Communications (VITC). Visma Dataløn receives an Independent Service Auditor's Report covering the operations delivered by the subservice provider. The report is prepared in accordance with ISAE 3402.

Visma Dataløn ensures the protection of the organization's assets that are accessible by suppliers. A supplier relationship policy has been implemented. A process for supplier acceptance has been established to ensure classification of suppliers and, if applicable, to ensure supplier acceptance of security requirements.

Visma Dataløn maintains an agreed level of information security and service delivery in line with supplier agreements by monitoring, reviewing and auditing supplier service delivery on a regular basis. Information security requirements have been laid down for the suppliers. Visma Dataløn reviews the suppliers' fulfilment of the information security requirements.

The related control objectives are A.15.1 (A.15.1.1, A.15.1.2) and A.15.2 (A.15.2.1).

Information security incident management

Visma Dataløn ensures a consistent and effective approach to the management of information security or privacy incidents, including communication on security or privacy events and weaknesses. A process for information security or privacy events or weaknesses has been established and implemented. Reported information security or privacy events and weaknesses are reviewed and classified on a regular basis.

The related control objective is A.16.1 (A.16.1.1, A.16.1.2, A.16.1.4).

Information security aspects of business continuity management

A business continuity management policy has been established. Business continuity plans and action cards are established and implemented and tested on a regular basis.

The related control objective is A.17.1 (A.17.1.1, A.17.1.2, A.17.1.3).

Compliance

In cooperation with Visma Dataløn's legal department, Visma Dataløn avoids breaches of legal, statutory, regulatory, or contractual obligations related to information security and of any security requirements. Processes for identifying legislative or contractual requirements have been established and implemented, and a register of contractual deviations as well as legislative requirements has been established and is maintained by Visma Dataløn's legal department.

Compliance with legislative or contractual requirements regarding intellectual property rights is ensured by Visma Dataløn's legal department and is stated in customer contracts and employment contracts.

To ensure the privacy and protection of personally identifiable information, a privacy policy has been established, maintained, and communicated.

The related control objectives are A.18.1 (A.18.1.1, A.18.1.2, A.18.1.4).

3.7 Complementary user entity control considerations

Visma Dataløn's applications were designed on the assumption that certain controls would be implemented and operated effectively by user organizations.

In certain situations, the application of specific controls of the user organizations is necessary to achieve certain control objectives included in this report.

The list below describes additional controls that should be in operation in user organizations to complement the controls at Visma Dataløn.


The list does not represent, and should not be considered, an exhaustive listing of the control policies and procedures which would provide a basis for the assertions underlying clients' financial statements.

User organizations' auditors should consider whether the following controls have been implemented and operated effectively at the user organizations:

Controls to provide reasonable assurance that physical access to the user organization's premises is restricted to authorized individuals

Controls to provide reasonable assurance that access to Visma Dataløn's system via terminals/interfaces at user locations is restricted to authorized individuals

Controls to provide reasonable assurance that the user organization has proper control over the use of IDs and passwords that are used for accessing and transmitting payroll information, and over preparation of worksheets, and that they notify Visma Dataløn of authorized contacts

Controls to provide reasonable assurance that the user organization takes action on access in case of resignations, retirements, or job rotations

Controls to provide reasonable assurance that output reports are reviewed by appropriate individuals for completeness and accuracy

Controls to provide reasonable assurance that the user organization reviews the log files from the system and ensures that the staff uses their access as intended

Controls to provide reasonable assurance that changes to processing options (parameters) are appropriately authorized, approved, and implemented.

User organizations should review the sample payroll transfer (pre-run/test calculation) produced by the Dataløn system prior to initial payroll processing to determine that all information is complete and accurate, or notify Visma when there is a change.


4 Testing performed by EY

4.1 Objective and scope

Our examination was performed in accordance with the International Auditing and Assurance Standards Board's International Standard on Assurance Engagements (ISAE) 3402 Assurance Reports on Controls at a Service Organization.

Our examination of the operating effectiveness of controls was restricted to the control objectives and the related controls specified by Visma Dataløn in Section 4 and was not extended to controls in operation at user organizations or controls which may be described in Section 3, but not listed in Section 4.

Our examination of the operating effectiveness included such tests as were considered necessary in the circumstances to evaluate whether those controls, and the extent of compliance with them, were sufficient to provide reasonable, but not absolute, assurance that the specified control objectives were achieved in the period 1 January - 30 September 2019.

4.2 Control objectives tested

Controls described in this section are defined by Visma Dataløn in accordance with the control environment.

Control objectives:
5.1 Management direction for information security
6.1 Organization of information security
7.1 Human resource security
7.2 During employment
8.1 Responsibility for assets
8.2 Information classification
8.3 Media handling
9.1 Business requirement of access control
9.2 User access management
9.3 User responsibilities
9.4 System and application access control
10.1 Cryptographic controls
11.1 Secure areas
11.2 Equipment
12.1 Operational procedures and responsibilities
12.2 Protection from malware
12.3 Backup
12.4 Logging and monitoring
12.6 Technical vulnerability management
13.1 Network security management
14.2 Security in development and support processes
14.3 Test data
15.1 Information security in supplier relationships
15.2 Supplier service delivery management
16.1 Management of information security incidents and improvements
17.1 Information security continuity
18.1 Compliance with legal and contractual requirements

4.3 Description of tests performed

Tests related to determining the effectiveness of controls have been performed using the methods described below:

Inspection: Read documents and reports that contain an indication of performance of the control. This includes reading reports and other documentation. Furthermore, it includes physical inspection of assets and comparing the results with Visma Dataløn's data.

Inquiries: Inquire of appropriate Visma Dataløn personnel. Inquiries were used to obtain, among other things, knowledge and additional information about the control.

Observation: Observed the application of a specific control.

4.4 The results of the testing

The following table summarizes the testing performed by EY to assess the internal control environment at Visma Dataløn and the results of the tests performed.


Columns: # | Controls specified by Visma Dataløn | Test performed by EY | Result of test

5 Information security policies

5.1 Management direction for information security

Control objective: Management must establish a set of policies for information security. The policies must be reviewed and approved on a regular basis and published and communicated to relevant parties.

5.1.1
Control: A set of policies for information security are defined, approved by management, published and communicated to employees and relevant external parties.
Test: Inspected that information security policies are formal and documented. Inspected that the information security policies are communicated to employees and relevant parties.
Result: No deviations noted.

5.1.2
Control: The policies for information security are reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
Test: Inspected that the information security policy is reviewed and approved by Management.
Result: No deviations noted.

6 Organization of information security

6.1 Organization of information security

Control objective: Management must establish an organization in which roles and responsibilities regarding information security are defined and allocated. The implementation of the organization must ensure segregation of conflicting duties and areas.

6.1.1
Control: Information security responsibilities are defined and allocated.
Test: Inspected that information security roles and responsibilities are defined and made available to employees.
Result: No deviations noted.

6.1.2
Control: Conflicting duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
Test: Inspected that areas with segregation of duties are defined and reviewed.
Result: No deviations noted.


6.1.5
Control: Information security shall be addressed in project management, regardless of the type of the project.
Test: Inspected that a process is in place to ensure that projects consider information security. Inspected that projects consider information security.
Result: No deviations noted.

7 Human resource security

7.1 Prior to employment

Control objective: Employees and contractors must be screened and made aware of their roles and responsibilities regarding information security.

7.1.1
Control: Background verification checks on candidates for employment are carried out in accordance with relevant laws, regulations and ethics in proportion to the business requirements, the classification of the information to be accessed and the perceived risks.
Test: Inspected that an HR process is in place to ensure that criminal records are presented before employment starts for both employees and external consultants. Inspected from a sample of 5 new hires that criminal records were acquired before employment start.
Result: No deviations noted.

7.1.2
Control: The contractual agreements with employees and contractors state their and the organization's responsibilities for information security.
Test: Inspected that employment contracts include requirements for information security. Inspected from a sample of new employees that employees have signed that they comply with the NDA during and after employment, security policy and "ophavsret" in their contract. Inspected from a sample that external consultants have signed that they comply with the NDA during and after employment, security policy and "ophavsret" in their contract.
Result: No deviations noted.

7.2 During employment

Control objective: Management requires employees and contractors to be aware of their information security responsibilities. Awareness and training in information security responsibilities must be performed.


7.2.1
Control: Management requires employees and contractors to apply information security in accordance with the established policies and procedures of the organization.
Test: Inspected that management information security responsibilities are communicated through the awareness training.
Result: No deviations noted.

7.2.2
Control: Employees of the organization and, where relevant, contractors receive appropriate awareness education and training according to agreed-upon levels and regular updates in organizational policies and procedures, as relevant for their job function.
Test: Inspected that an awareness and communication plan has been prepared and approved by Management. Inspected that Visma Dataløn employees receive appropriate awareness training according to agreed-upon levels of completion.
Result: No deviations noted.

8 Asset management

8.1 Responsibility for assets

Control objective: Information assets that are a part of the supply chain must be identified, and the owner and the acceptable use of such assets must be defined and implemented.

8.1.1
Control: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
Test: Inspected that an asset register is maintained that includes relevant information and information processing assets. Inspected that the asset register is reviewed annually.
Result: No deviations noted.

8.1.3
Control: Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.
Test: Inspected that all types of identified assets are listed in the acceptable use policy. Inspected that updates to the acceptable use policy are communicated to employees. Inspected that a process is in place to maintain an approved whitelist of allowed services and applications.
Result: No deviations noted.

8.1.4
Control: Employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.
Test: Inspected that a procedure is in place to ensure that assets are returned upon termination. Inspected from a sample of terminated employees that there is documentation of confirmation that assets have been returned upon termination.
Result: No deviations noted.

8.2 Information classification

Control objective: Classification of information must be implemented to ensure the proper protection according to legal requirements and according to the value, sensitivity and criticality to the organization. Assets must be handled according to their classification.

8.2.1
Control: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
Test: Inspected that a classification scheme is maintained and has been made available for employees. Inspected that the classification scheme has been reviewed and approved.
Result: No deviations noted.

8.2.3
Control: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Test: Inspected that a register is maintained that lists: confidentiality level, how access is managed, who can grant access. Inspected that the register has been reviewed and approved.
Result: No deviations noted.

8.3 Media handling

Control objective: Media that are a part of the supply chain must be protected and disposed of in a secure way.

8.3.2
Control: Media shall be disposed of securely when no longer required, using formal procedures.
Test: Inspected that a formal policy for the disposal of media is maintained. Inspected that access to media for disposal is limited to appropriate individuals.
Result: No deviations noted.


8.3.3
Control: Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.
Test: Inspected that an acceptable use policy describes the requirements for use of removable media. Inquired whether a process is in place to attach a guideline on how to encrypt data on removable media when a removable media device is provided.
Result: No deviations noted.

9 Access control

9.1 Business requirements of access control

Control objective: Requirements to the access control of systems, networks and network services must be identified, reviewed and implemented.

9.1.1
Control: An access control policy is established, documented and reviewed based on business and information security requirements.
Test: Inspected that an access control policy that defines the responsibilities and controls for access control is maintained. Inspected that the access control policy has been reviewed and approved.
Result: No deviations noted.

9.1.2
Control: Users are only provided with access to the network and network services that they are specifically authorized to use.
Test: Inspected that an access control policy that defines the responsibilities and controls for access control is maintained.
Result: We have been informed that Visma Dataløn does not have access to network and network services. No deviations noted.

9.2 User access management

Control objective: User access administration procedures must be established to prevent unauthorized access to systems and services.

9.2.1
Control: A formal user registration and de-registration process is implemented to enable assignment of access rights.
Test: Inspected that a procedure for providing and removing access to systems and applications is maintained. Inspected from a sample of access provision requests that the user registration and de-registration process has been implemented.
Result: No deviations noted.


9.2.2
Control: A formal user access provisioning process is implemented to assign or revoke access rights for user types to systems and services.
Test: Inspected that a procedure for providing and removing access to systems and applications is maintained. Inspected from a sample of access provision requests that the user registration and de-registration process has been implemented.
Result: No deviations noted.

9.2.3
Control: The allocation and use of privileged access rights are restricted and controlled.
Test: Inspected that privileged access rights are restricted to users with a work-related need. Inspected that a periodic review of users with privileged access rights has been performed.
Result: No deviations noted.

9.2.5
Control: Asset owners review users' access rights at regular intervals.
Test: Inspected that a formal process for reviewing users and their access rights is maintained. Inspected that a user review has been performed.
Result: No deviations noted.

9.2.6
Control: The access rights of employees and external party users to information and information processing facilities are removed upon termination of their employment, contract or agreement, or adjusted upon change.
Test: Inspected from a sample of terminated employees that their access has been removed.
Result: No deviations noted.

9.3 User responsibilities

Control objective: Visma employees are required to comply with their responsibilities regarding password confidentiality and protection.

9.3.1
Control: Users are required to follow the organization's practices in the use of secret authentication information.
Test: Inspected that Visma Dataløn employees receive appropriate awareness training that includes the use of secret authentication information. Inspected that password settings are compliant with the requirements defined in the password policy.
Result: No deviations noted.

9.4 System and application access control


Control objective: Visma employees' access to information and systems is limited to users with a work-related need and is controlled by a secure log-on procedure.

9.4.1
Control: Access to information and application system functions is restricted in accordance with the access control policy.
Test: Inspected that a formal policy for access control that defines allowed technical solutions for authentication is maintained. Inspected that the access control policy has been reviewed and approved. Inspected from samples of access provision requests that the user registration and de-registration process has been implemented.
Result: No deviations noted.

9.4.2
Control: Where required by the access control policy, access to systems and applications is controlled by a secure log-on procedure.
Test: Inspected that a formal policy for access control that defines allowed technical solutions for authentication is maintained. Inspected that the access control policy has been reviewed and approved. Observed that applications and systems in scope enforce secure log-on procedures.
Result: No deviations noted.

9.4.3
Control: Password management systems are interactive and ensure quality passwords.
Test: Inspected that a formal policy for access control that defines allowed technical solutions for authentication is maintained. Inspected that the access control policy has been reviewed and approved. Inspected that password settings are enforced and compliant with the defined requirements in the password policy.
Result: No deviations noted.

9.4.5
Control: Access to program source code is restricted.
Test: Inspected that access to program source code is limited. Inspected that changes in source code cannot be deployed into production outside change management control.
Result: We have noted that access to Dataløn program source code is granted to developers in Visma Bluegarden, but not limited to developers with a work-related need. No further deviations noted.

10 Cryptography

10.1 Cryptographic controls

Control objective: Requirements on the use of cryptography and key management are established and implemented.

10.1.1
Control: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
Test: Inspected that a formal cryptography policy is maintained and has been approved by Management. Inspected that an encryption baseline of allowed encryption methods is maintained and has been approved. Inspected that a list of services and used encryption is maintained and reviewed.
Result: No deviations noted.

10.1.2
Control: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.
Test: Inspected that a formal cryptography policy is maintained and has been approved by Management. Inspected that an encryption baseline for allowed encryption methods is maintained and has been approved. Inspected that a list of services and used encryption is maintained and reviewed.
Result: No deviations noted.

11 Physical and environmental security

11.1 Secure areas

Control objective: Physical security requirements must be defined and established to prevent unauthorized physical access to the organization's facilities.

11.1.1
Control: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.
Test: Inspected that a formal physical access and security policy is maintained. Inspected that the formal physical access and security policy has been reviewed and approved.
Result: No deviations noted.

11.1.2
Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
Test: Inspected that a formal physical access and security policy is maintained. Observed that the physical facilities are protected by appropriate entry controls.
Result: No deviations noted.

11.1.3
Control: Physical security for offices, rooms and facilities shall be designed and applied.
Test: Inspected that a formal physical access and security policy is maintained. Observed that the physical facilities are protected by appropriate entry controls.
Result: No deviations noted.

11.2 Equipment

Control objective: A process for secure re-use or disposal of storage media must be established and implemented. Requirements on the use of removable storage media, papers and clear screen must be established and implemented.

11.2.7
Control: Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
Test: Inspected that a formal policy for disposal of removable media is maintained. Inspected that the formal policy for disposal of removable media has been reviewed and approved.
Result: No deviations noted.

11.2.9
Control: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.
Test: Inspected that a clean desk policy has been implemented as part of the acceptable use policy and that it is available to employees. Inspected that updates to the policy are communicated to employees.
Result: No deviations noted.

12 Operations security

12.1 Operational procedures and responsibilities

Control objective: Changes that affect information security are controlled. Development, test and operational environments are separated.


12.1.2
Control: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.
Test: Inspected that a formal policy for changes to the organization, business processes, information processing facilities, and systems is maintained. Inspected that a formal policy for changes to the organization, business processes, information processing facilities, and systems has been reviewed and approved. Inspected from samples of changes to systems and applications that the formal development procedure has been implemented.
Result: No deviations noted.

12.1.4
Control: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.
Test: Inspected that development, testing, and operational environments are logically separated. Inspected that separation of development, testing, and operational environments has been enforced for a sample of changes.
Result: No deviations noted.

12.2 Protection from malware

Control objective: Regulations on software installation are defined and communicated. A software acquisition process is established and implemented.

12.2.1
Control: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
Test: Inspected that anti-malware is part of the image installed on PCs. Inspected that a whitelist is maintained of allowed applications and services. Inspected that anti-malware is presented when awareness training is provided on acceptable use.
Result: No deviations noted.

12.3 Backup

Control objective: Backup of information and software is taken regularly and restore of backups is tested.


12.3.1
Control: Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.
Test: Inspected that requirements regarding backup and backup restore tests have been established in the contracts with sub-contractors that provide services where backup is relevant. Inspected that controls related to backup restore tests are covered by audit reports from sub-contractors that provide services where backup is relevant.
Result: No deviations noted.

12.4 Logging and monitoring

Control objective: Requirements on logs for tracing information security events and suspicious user activity must be defined and implemented. Logs must be reviewed and requirements on the protection of logs must be defined.

12.4.1
Control: Event logs recording user activities, exceptions, faults, and information security events are produced, kept and reviewed according to requirements stipulated in the established log documentation overview.
Test: Inspected that event logging of user activities, exceptions, faults, and information security events has been configured. Inspected that a log documentation overview stipulates when log reviews must be performed.
Result: No deviations noted.

12.4.2
Control: Logging facilities and log information are protected against tampering and unauthorized access.
Test: Inspected that access to event logs is restricted to appropriate users. Inspected that access to event logs is requested and must be approved.
Result: No deviations noted.

12.6 Technical vulnerability management

Control objective: Applications and systems must be protected against vulnerabilities by regular vulnerability scans and follow-up. User software installation governance must be implemented.

12.6.1
Control: Information about technical vulnerabilities of information systems being used is obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
Test: Inspected that an annual cycle for the activities regarding management of technical vulnerabilities is maintained. Inspected that penetration tests are performed based on the annual cycle. Inspected that results from penetration tests are reviewed and follow-up actions are performed.
Result: No deviations noted.

12.6.2
Control: Rules governing the installation of software by users shall be established and implemented.
Test: Inspected that installation of software is restricted to users with a work-related need. Inspected that a whitelist is maintained of allowed applications and services.
Result: No deviations noted.

13 Communications security

13.1 Network security management

Control objective: Networks must be managed and segregated to ensure protection against unauthorized access.

13.1.1
Control: Networks shall be managed and controlled to protect information in systems and applications.
Test: Inspected that a formal network security policy is in place. Inspected that network diagrams are maintained. Inspected that Visma Dataløn follows up on delivered services from suppliers.
Result: We have been informed that management of networks is outsourced to a supplier. No deviations noted.

13.1.3
Control: Groups of information services, users and information systems shall be segregated on networks.
Test: Inspected that a formal network security policy is in place. Inspected that network diagrams are maintained, which show that networks are segregated. Inspected that Visma Dataløn follows up on delivered services from suppliers.
Result: We have been informed that management of networks is outsourced to a supplier. No deviations noted.

14 System acquisition, development and maintenance

14.2 Security in development and support processes

27

Page 29: ISAE 3402 Type 2 Report on IT General Controls regarding ... · 3,7 Complementary user entity control consideratlons 12 4 Testlng performed by EY 14 4,1 Objective and scope 14 4.2

EY

Control objective Requirements on information security within the development lifecycle must be defined and implemented. Changes must be tested and approved in a secure development environment prior to implementation and verified after implementation.

14.2.1 Rules for the development of software and systems are established and applied to developments within the organization.
Tests performed by EY: Inspected that a formal policy for secure development of changes to systems and applications is maintained. Inspected that the formal policy for secure development has been reviewed and approved.
Result: No deviations noted.

14.2.2 Changes to systems within the development lifecycle are controlled by the use of formal change control procedures.
Tests performed by EY: Inspected that a formal policy for secure development of changes to systems and applications has been implemented. Inspected from a sample of changes to systems and applications that the formal development procedure has been implemented.
Result: No deviations noted.

14.2.3 When operating platforms are changed, business critical applications are reviewed and tested to ensure there is no adverse impact on organizational operations or security.
Tests performed by EY: Inspected that a formal policy for secure development of changes to systems and applications has been implemented. Inspected from a sample of changes to systems and applications that technical reviews are performed.
Result: No deviations noted.

14.2.4 Modifications to software packages are discouraged, limited to necessary changes, and changes shall be strictly controlled.
Tests performed by EY: Inspected that a formal policy for secure development of changes to systems and applications has been implemented. Inspected from a sample of changes to systems and applications that changes are authorized.
Result: No deviations noted.

14.2.5 Principles for engineering secure systems are established, documented, maintained and applied to any information system implementation efforts.
Tests performed by EY: Inspected that secure principles and requirements have been established, documented, maintained, and applied to the change management process. Inspected from a sample of changes to systems and applications that an assessment of security and privacy is performed.
Result: No deviations noted.

14.2.6 Organizations have established and appropriately protected secure development environments for system development and integration efforts that cover the entire system development lifecycle.
Tests performed by EY: Inspected that a formal policy for secure development of changes to systems and applications has been implemented, including segregation of duties related to development, testing, and deployment. Inspected that access to development, testing, and operational environments establishes segregation of duties. Inspected from a sample of changes to systems and applications that segregation of duties is enforced in the secure development life cycle.
Result: No deviations noted.

14.2.7 The organization supervises and monitors the activity of outsourced system development.
Tests performed by EY: Inspected that a template has been created to ensure that outsourced development follows Visma Dataløn's SDLC.
Result: We have been informed that Visma Dataløn is not outsourcing system development. No deviations noted.

14.2.8 Testing of security functionality is carried out during development.
Tests performed by EY: Inspected that a formal policy for secure development of changes to systems and applications has been implemented, including testing of security functionality. Inspected from a sample of changes to systems and applications that testing has been performed.
Result: No deviations noted.

14.2.9 Acceptance testing programs and related criteria are established for new information systems, upgrades and new versions.
Tests performed by EY: Inspected that a formal policy for secure development of changes to systems and applications has been implemented, including user acceptance and system acceptance testing. Inspected from a sample of changes to systems and applications that testing has been performed.
Result: No deviations noted.

14.3 Test data

Control objective Requirements to the selection, use and protection of test data must be defined and implemented.

14.3.1 Test data shall be selected carefully, protected and controlled.
Tests performed by EY: Inspected that test data is not allowed on development and test environments. Inquired and received a confirmation that data from production environments are not used as test data in the development and testing environments.
Result: No deviations noted.

15 Supplier relationships

15.1 Information security in supplier relationships

Control objective Information security requirements on acquisition and use of suppliers must be defined and implemented. Information security requirements towards suppliers must be established and accepted by suppliers.

15.1.1 Information security requirements for mitigating the risks associated with suppliers' access to the organization's assets are agreed with the supplier and documented.
Tests performed by EY: Inspected that a formal documented procedure is in place to ensure that new or renegotiated application or service supplier contracts are validated against a list of defined information security requirements. Inspected from a sample of signed contracts that information security requirements have been contractually agreed. Inspected from a sample of months that Visma Dataløn audits key suppliers on a periodic basis, based on agreed information security requirements. Inspected that third-party audit reports have been received and processed by Visma Dataløn for key suppliers.
Result: No deviations noted.

15.1.2 Relevant information security requirements are established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information.
Tests performed by EY: Inspected that a formal documented procedure is in place to ensure that new or renegotiated application or service supplier contracts are validated against a list of defined information security requirements. Inspected from a sample of signed contracts that information security requirements have been contractually agreed. Inspected from a sample of months that Visma Dataløn audits key suppliers on a periodic basis, based on agreed information security requirements. Inspected that third-party audit reports have been received and processed by Visma Dataløn for key suppliers.
Result: No deviations noted.

15.2 Supplier service delivery management

Control objective Supplier service deliveries must be monitored, reviewed and audited on a regular basis.

15.2.1 Organizations shall regularly monitor, review and audit supplier service delivery.
Tests performed by EY: Inspected that a formal documented procedure is in place to ensure that new or renegotiated application or service supplier contracts are validated against a list of defined information security requirements. Inspected from a sample of signed contracts that information security requirements have been contractually agreed. Inspected from a sample of months that Visma Dataløn audits key suppliers on a periodic basis, based on agreed information security requirements. Inspected that third-party audit reports have been received and processed by Visma Dataløn for key suppliers.
Result: No deviations noted.

16 Information security incident management

16.1 Management of information security incidents and improvements

Control objective A process for managing information security events must be established and implemented to ensure timely assessment, classification, handling and response.

16.1.1 Management responsibilities and procedures are established to ensure a quick, effective and orderly response to information security incidents.
Tests performed by EY: Inspected that a formal and documented incident management process has been reviewed and approved. Inspected that a formal and documented incident management process has been implemented. Inspected that the incident management process has been communicated to employees. Inspected that incidents have been registered, that necessary actions have been performed, and that the solutions have been documented in an incident management system.
Result: No deviations noted.

16.1.2 Information security events are reported through appropriate management channels as quickly as possible.
Tests performed by EY: Inspected that a formal and documented incident management process has been implemented. Inspected that the incident management process has been communicated to employees. Inspected that incidents have been registered, that necessary actions have been performed, and that the solutions have been documented in an incident management system and reported through the Information Security Board.
Result: No deviations noted.

16.1.4 Information security events are assessed, and it is decided if they are to be classified as information security incidents.
Tests performed by EY: Inspected that a formal process for assessment and analysis of information security incidents is maintained. Inspected from a sample of monthly Information Security Board reviews that the board reviews and analyses incidents that are classified as information security incidents.
Result: No deviations noted.

17 Information security aspects of business continuity management

17.1 Information security continuity

Control objective Requirements on information security continuity must be defined and implemented. Plans for business continuity must be verified and evaluated at regular intervals.

17.1.1 The organization has determined its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
Tests performed by EY: Inspected that a formal and documented Business Continuity Plan is maintained, reviewed and approved annually. Inspected that a Business Impact Assessment has been performed to establish the requirements of a Business Continuity Plan. Inspected that underlying procedures related to the business continuity plan have been reviewed and approved by appropriate personnel.
Result: No deviations noted.

17.1.2 The organization establishes, documents, implements and maintains processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
Tests performed by EY: Inspected that a formal and documented Business Continuity Plan is maintained, reviewed and approved annually. Inspected that a Business Impact Assessment has been performed to establish the requirements of the Business Continuity Plan.
Result: No deviations noted.

17.1.3 The organization verifies the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
Tests performed by EY: Inspected that underlying procedures for business continuity are reviewed and updated. Inspected that the underlying procedures have been tested to ensure that they are valid and effective during adverse situations.
Result: No deviations noted.

18 Compliance

18.1 Compliance with legal and contractual requirements

Control objective Applicable legislative, statutory, regulatory and contractual requirements must be identified and communicated within the organization.

18.1.1 Relevant legislative, statutory, regulatory and contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.
Tests performed by EY: Inspected that a formal policy for complying with relevant legislation is maintained, reviewed and approved.
Result: No deviations noted.

18.1.2 Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.
Tests performed by EY: Inspected that formal meetings have been scheduled to investigate relevant legislation and regulatory requirements. Inspected from a sample of meetings that meetings regarding legal matters have been held.
Result: No deviations noted.

18.1.4 Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
Tests performed by EY: Inspected that a formal privacy policy is maintained, reviewed and approved. Inspected that an updated record of processing activities is maintained.
Result: No deviations noted.