KT - ISO 27001 Statement of Applicability
Transcript (printed 8/3/2019, 37 pages)

KT - Statement of Applicability for ISO 27001:2005
Organisation: KT Consultancy
ISMS: KT Consultancy
Published: 02/11/2008 15:37:14
Classification: Private
Version: 1.0
Published By: Hakimuddin Gheewala

Columns below: control number | control title | control text | applicability (as recorded)
A.5.1 Information security policy
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
A.5.1.1 | Information security policy document | An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties. | No / Yes
A.5.1.2 | Review of the information security policy | The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness. | No / Yes
A.6.1 Internal organization
Objective: To manage information security within the organization.
A.6.1.1 | Management commitment to information security | Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities. | No / Yes
A.6.1.2 | Information security coordination | Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions. | No / Yes
A.6.1.3 | Allocation of information security responsibilities | All information security responsibilities shall be clearly defined. | No
A.6.1.4 | Authorization process for information processing facilities | A management authorization process for new information processing facilities shall be defined and implemented. | No
A.6.1.5 | Confidentiality agreements | Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified and regularly reviewed. | No
A.6.1.6 | Contact with authorities | Appropriate contact with relevant authorities shall be maintained. | No
A.6.1.7 | Contact with special interest groups | Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained. | No
A.6.1.8 | Independent review of information security | The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur. | No / Yes
A.6.2 External parties
Objective: To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.
A.6.2.1 | Identification of risks related to external parties | The risks to the organization's information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access. | No
A.6.2.2 | Addressing security when dealing with customers | All identified security requirements shall be addressed before giving customers access to the organization's information or assets. | No
A.6.2.3 | Addressing security in third party agreements | Agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities, or adding products or services to information processing facilities shall cover all relevant security requirements. | No
A.7.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organization assets.
A.7.1.1 | Inventory of assets | All assets shall be clearly identified and an inventory of all important assets drawn up and maintained. | No
A.7.1.2 | Ownership of assets | All information and assets associated with information processing facilities should be 'owned' by a designated part of the organization. | No
A.7.1.3 | Acceptable use of assets | Rules for the acceptable use of information and assets associated with information processing facilities should be identified, documented and implemented. | No
A.7.2 Information classification
Objective: To ensure that information receives an appropriate level of protection.
A.7.2.1 | Classification guidelines | Information should be classified in terms of its value, legal requirements, sensitivity and criticality to the organization. | No
A.7.2.2 | Information labelling and handling | An appropriate set of procedures for information labelling and handling should be developed and implemented in accordance with the classification scheme adopted by the organization. | No
A.8.1 Prior to employment
Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, to reduce the risk of theft, fraud or misuse of facilities.
A.8.1.1 | Roles and responsibilities | Security roles and responsibilities of employees, contractors and third party users should be defined and documented in accordance with the organization's information security policy. | No
A.8.1.2 | Screening | Background verification checks on all candidates for employment, contractors and third party users should be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks. | No
A.8.1.3 | Terms and conditions of employment | As part of their contractual obligation, employees, contractors and third party users should agree and sign the terms and conditions of their employment contract, which should state their and the organization's responsibility for information security. | No
A.8.2 During employment
Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
A.8.2.1 | Management responsibilities | Management should require employees, contractors and third party users to apply security in accordance with the established policies and procedures of the organization. | No
A.8.2.2 | Information security awareness, education and training | All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. | No
A.8.2.3 | Disciplinary process | There should be a formal disciplinary process for employees who have committed a security breach. | No
A.8.3 Termination or change of employment
Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.
A.8.3.1 | Termination responsibilities | Responsibilities for performing employment termination should be clearly defined and assigned. | No
A.8.3.2 | Return of assets | All employees, contractors and third party users should return all of the organization's assets in their possession upon termination of their employment, contract or agreement. | No
A.8.3.3 | Removal of access rights | The access rights of all employees, contractors and third party users of information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change. | No
A.9.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's premises and information.
A.9.1.1 | Physical security perimeter | Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) should be used to protect areas that contain information and information processing facilities. | No
A.9.1.2 | Physical entry controls | Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. | No
A.9.1.3 | Securing offices, rooms and facilities | Physical security for offices, rooms and facilities should be designed and applied. | No
A.9.1.4 | Protect against external and environmental threats | Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster should be designed and applied. | No
A.9.1.5 | Working in secure areas | Physical protection and guidelines for working in secure areas should be designed and applied. | No
A.9.1.6 | Public access, delivery and loading areas | Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. | No
A.9.2 Equipment security
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's activities.
A.9.2.1 | Equipment siting and protection | Equipment should be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. | No
A.9.2.2 | Supporting utilities | Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities. | No
A.9.2.3 | Cabling security | Power and telecommunications cabling carrying data or supporting information services should be protected from interception or damage. | No
A.9.2.4 | Equipment maintenance | Equipment should be correctly maintained to ensure its continued availability and integrity. | No
A.9.2.5 | Security of equipment off-premises | Security should be applied to off-site equipment taking into account the different risks of working outside the organization's premises. | No
A.9.2.6 | Secure disposal or re-use of equipment | All items of equipment containing storage media should be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal. | No
A.9.2.7 | Removal of property | Equipment, information or software should not be taken off-site without prior authorization. | No
A.10.1 Operational procedures and responsibilities
Objective: To ensure the correct and secure operation of information processing facilities.
A.10.1.1 | Documented operating procedures | Operating procedures should be documented, maintained and made available to all users who need them. | No
A.10.1.2 | Change management | Changes to information processing facilities and systems should be controlled. | No
A.10.1.3 | Segregation of duties | Duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. | No
A.10.1.4 | Separation of development, test and operational facilities | Development, test and operational facilities should be separated to reduce the risks of unauthorized access or changes to the operational system. | No
A.10.2 Third party service delivery management
Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.
A.10.2.1 | Service delivery | It should be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated and maintained by the third party. | No
A.10.2.2 | Monitoring and review of third party services | The services, reports and records provided by the third party should be regularly monitored and reviewed, and audits should be carried out regularly. | No
A.10.2.3 | Managing changes to third party services | Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business systems and processes involved and re-assessment of risks. | No
A.10.3 System planning and acceptance
Objective: To minimize the risk of systems failures.
A.10.3.1 | Capacity management | The use of resources should be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance. | No
A.10.3.2 | System acceptance | Acceptance criteria for new information systems, upgrades and new versions should be established and suitable tests of the system(s) carried out during development and prior to acceptance. | No
A.10.4 Protection against malicious and mobile code
Objective: To protect the integrity of software and information.
A.10.4.1 | Controls against malicious code | Detection, prevention and recovery controls to protect against malicious code and appropriate user awareness procedures should be implemented. | No
A.10.4.2 | Controls against mobile code | Where the use of mobile code is authorized, the configuration should ensure that the authorized mobile code operates according to a clearly defined security policy, and unauthorized mobile code should be prevented from executing. | No
A.10.5 Back-up
Objective: To maintain the integrity and availability of information and information processing facilities.
A.10.5.1 | Information back-up | Back-up copies of information and software should be taken and tested regularly in accordance with the agreed back-up policy. | No
A.10.6 Network security management
Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.
A.10.6.1 | Network controls | Networks should be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit. | No
A.10.6.2 | Security of network services | Security features, service levels and management requirements of all network services should be identified and included in any network services agreement, whether those services are provided in-house or outsourced. | No
A.10.7 Media handling
Objective: To prevent the unauthorized disclosure, modification, removal or destruction of assets and interruption to business activities.
A.10.7.1 | Management of removable media | There should be procedures in place for the management of removable media. | No
A.10.7.2 | Disposal of media | Media should be disposed of securely and safely when no longer required, using formal procedures. | No
A.10.7.3 | Information handling procedures | Procedures for the handling and storage of information should be established to protect this information from unauthorized disclosure or misuse. | No
A.10.7.4 | Security of system documentation | System documentation should be protected against unauthorized access. | No
A.10.8 Exchange of information
Objective: To maintain the security of information and software exchanged within an organization and with any external entity.
A.10.8.1 | Information exchange policies and procedures | Formal exchange policies, procedures and controls should be in place to protect the exchange of information through the use of all types of communication facilities. | No
A.10.8.2 | Exchange agreements | Agreements should be established for the exchange of information and software between the organization and external parties. | No
A.10.8.3 | Physical media in transit | Media containing information should be protected against unauthorized access, misuse or corruption during transportation beyond an organization's physical boundaries. | No
A.10.8.4 | Electronic messaging | Information involved in electronic messaging should be appropriately protected. | No
A.10.8.5 | Business information systems | Policies and procedures should be developed and implemented to protect information associated with the interconnection of business information systems. | No
A.10.9 Electronic commerce services
Objective: To ensure the security of electronic commerce services, and their secure use.
A.10.9.1 | Electronic commerce | Information involved in electronic commerce passing over public networks should be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification. | No
A.10.9.2 | On-line transactions | Information involved in on-line transactions should be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized message duplication or replay. | No
A.10.9.3 | Publicly available information | The integrity of information being made available on a publicly available system should be protected to prevent unauthorized modification. | No
A.10.10 Monitoring
Objective: To detect unauthorized information processing activities.
A.10.10.1 | Audit logging | Audit logs recording user activities, exceptions and information security events should be produced and kept for an agreed period to assist in future investigations and access control monitoring. | No
A.10.10.2 | Monitoring system use | Procedures for monitoring use of information processing facilities should be established and the results of the monitoring activities reviewed regularly. | No
A.10.10.3 | Protection of log information | Logging facilities and log information should be protected against tampering and unauthorized access. | No
A.10.10.4 | Administrator and operator logs | System administrator and system operator activities should be logged. | No
A.10.10.5 | Fault logging | Faults should be logged, analysed and appropriate action taken. | No
A.10.10.6 | Clock synchronization | The clocks of all relevant information processing systems within an organization or security domain should be synchronized with an agreed accurate time source. | No
A.11.1 Business requirement for access control
Objective: To control access to information.
A.11.1.1 | Access control policy | An access control policy should be established, documented and reviewed based on business and security requirements for access. | No
A.11.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to information systems.
A.11.2.1 | User registration | There should be a formal user registration and de-registration procedure for granting and revoking access to all information systems and services. | No
A.11.2.2 | Privilege management | The allocation and use of privileges should be restricted and controlled. | No
A.11.2.3 | User password management | The allocation of passwords should be controlled through a formal management process. | No
A.11.2.4 | Review of user access rights | Management should review users' access rights at regular intervals using a formal process. | No
A.11.3 User responsibilities
Objective: To prevent unauthorized user access, and compromise or theft of information and information processing facilities.
A.11.3.1 | Password use | Users should be required to follow good security practices in the selection and use of passwords. | No
A.11.3.2 | Unattended user equipment | Users should ensure that unattended equipment has appropriate protection. | No
A.11.3.3 | Clear desk and clear screen policy | A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted. | No
A.11.4 Network access control
Objective: To prevent unauthorized access to networked services.
A.11.4.1 | Policy on use of network services | Users should only be provided with access to the services that they have been specifically authorized to use. | No
A.11.4.2 | User authentication for external connections | Appropriate authentication methods should be used to control access by remote users. | No
A.11.4.3 | Equipment identification in the network | Automatic equipment identification should be considered as a means to authenticate connections from specific locations and equipment. | No
A.11.4.4 | Remote diagnostic and configuration port protection | Physical and logical access to diagnostic and configuration ports should be controlled. | No
A.11.4.5 | Segregation in networks | Groups of information services, users and information systems should be segregated on networks. | No
A.11.4.6 | Network connection control | For shared networks, especially those extending across the organization's boundaries, the capability of users to connect to the network should be restricted, in line with the access control policy and requirements of the business applications. | No
A.11.4.7 | Network routing control | Routing controls should be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications. | No
A.11.5 Operating system access control
Objective: To prevent unauthorized access to operating systems.
A.11.5.1 | Secure log-on procedures | Access to operating systems should be controlled by a secure log-on procedure. | No
A.11.5.2 | User identification and authentication | All users should have a unique identifier (user ID) for their personal use only, and a suitable authentication technique should be chosen to substantiate the claimed identity of a user. | No
A.11.5.3 | Password management system | Systems for managing passwords should be interactive and should ensure quality passwords. | No
A.11.5.4 | Use of system utilities | The use of utility programs that might be capable of overriding system and application controls should be restricted and tightly controlled. | No
A.11.5.5 | Session time-out | Inactive sessions should be shut down after a defined period of inactivity. | No
A.11.5.6 | Limitation of connection time | Restrictions on connection times should be used to provide additional security for high-risk applications. | No
A.11.6 Application and information access control
Objective: To prevent unauthorized access to information held in application systems.
A.11.6.1 | Information access restriction | Access to information and application system functions by users and support personnel should be restricted in accordance with the defined access control policy. | No
A.11.6.2 | Sensitive system isolation | Sensitive systems should have a dedicated (isolated) computing environment. | No
A.11.7 Mobile computing and teleworking
Objective: To ensure information security when using mobile computing and teleworking facilities.
A.11.7.1 | Mobile computing and communications | A formal policy should be in place and appropriate security measures should be adopted to protect against the risks of using mobile computing and communication facilities. | No
A.11.7.2 | Teleworking | A policy, operational plans and procedures should be developed for teleworking activities. | No
A.12.1 Security requirements of information systems
Objective: To ensure that security is an integral part of information systems.
A.12.1.1 | Security requirements analysis and specification | Statements of business requirements for new information systems, or enhancements to existing information systems, should specify the requirements for security controls. | No
A.12.2 Correct processing in applications
Objective: To prevent errors, loss, unauthorized modification or misuse of information in applications.
A.12.2.1 | Input data validation | Data input to applications should be validated to ensure that this data is correct and appropriate. | No
A.12.2.2 | Control of internal processing | Validation checks should be incorporated into applications to detect any corruption of information through processing errors or deliberate acts. | No
A.12.2.3 | Message integrity | Requirements for ensuring authenticity and protecting message integrity in applications should be identified, and appropriate controls identified and implemented. | No
A.12.2.4 | Output data validation | Data output from an application should be validated to ensure that the processing of stored information is correct and appropriate to the circumstances. | No
A.12.3 Cryptographic controls
Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.
A.12.3.1 | Policy on the use of cryptographic controls | A policy on the use of cryptographic controls for protection of its information should be developed and implemented. | No
A.12.3.2 | Key management | Key management should be in place to support the organization's use of cryptographic techniques. | No
A.12.4 Security of system files
Objective: To ensure the security of system files.
A.12.4.1 | Control of operational software | There should be procedures in place to control the installation of software on operational systems. | No
A.12.4.2 | Protection of system test data | Test data should be selected carefully, and protected and controlled. | No
A.12.4.3 | Access control to program source code | Access to program source code should be restricted. | (not recorded)
A.12.5 Security in development and support processes
Objective: To maintain the security of application system software and information.
A.12.5.1 Change control procedures | The implementation of changes should be controlled by the use of formal change control procedures. | No
A.12.5.2 Technical review of applications after operating system changes | When operating systems are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security. | No
A.12.5.3 Restrictions on changes to software packages | Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled. | No
A.12.5.4 Information leakage | Opportunities for information leakage should be prevented.
A.12.5.5 Outsourced software development | Outsourced software development should be supervised and monitored by the organization. | No
A.12.6 Technical vulnerability management
Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.
A.12.6.1 Control of technical vulnerabilities | Timely information about technical vulnerabilities of information systems being used should be obtained, the organization's exposure to such vulnerabilities evaluated, and the appropriate measures taken to address the associated risk. | No
A.13.1 Reporting information security events and weaknesses
Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
A.13.1.1 Reporting information security events | Information security events should be reported through appropriate management channels as quickly as possible. | No
A.13.1.2 Reporting security weaknesses | All employees, contractors and third party users of information systems and services should be required to note and report any observed or suspected weaknesses in systems or services. | No
A.13.2 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.
A.13.2.1 Responsibilities and procedures | Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents. | No
A.13.2.2 Learning from information security incidents | There should be mechanisms in place to enable the types, volumes and costs of information security incidents to be quantified and monitored. | No
A.13.2.3 Collection of evidence | Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence should be collected, retained and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s). | No
A.14.1 Information security aspects of business continuity management
Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
A.14.1.1 Including information security in the business continuity management process | A managed process should be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization's business continuity. | No
A.14.1.2 Business continuity and risk assessment | Events that can cause interruptions to business processes should be identified, along with the probability and impact of such interruptions and their consequences for information security. | No
A.14.1.3 Developing and implementing continuity plans including information security | Plans should be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes. | No
A.14.1.4 Business continuity planning framework | A single framework of business continuity plans should be maintained to ensure all plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance. | No
A.14.1.5 Testing, maintaining and re-assessing business continuity plans | Business continuity plans should be tested and updated regularly to ensure that they are up to date and effective. | No
A.15.1 Compliance with legal requirements
Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.
A.15.1.1 Identification of applicable legislation | All relevant statutory, regulatory and contractual requirements and the organization's approach to meet these requirements should be explicitly defined, documented and kept up to date for each information system and the organization. | No
A.15.1.2 Intellectual property rights (IPR) | Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products. | No
A.15.1.3 Protection of organizational records | Important records should be protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual and business requirements. | No
A.15.1.4 Data protection and privacy of personal information | Data protection and privacy should be ensured as required in relevant legislation, regulations and, if applicable, contractual clauses. | No
A.15.1.5 Prevention of misuse of information processing facilities | Users should be deterred from using information processing facilities for unauthorized purposes. | No
A.15.1.6 Regulation of cryptographic controls | Cryptographic controls should be used in compliance with all relevant agreements, laws and regulations. | No
A.15.2 Compliance with security policies and standards and technical compliance
Objective: To ensure compliance of systems with organizational security policies and standards.
A.15.2.1 Compliance with security policy and standards | Managers should ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards. | No
A.15.2.2 Technical compliance checking | Information systems should be regularly checked for compliance with security implementation standards. | No
A.15.3 Information systems audit considerations
Objective: To maximise the effectiveness of and to minimize interference to/from the information systems audit process.
A.15.3.1 Information systems audit controls | Audit requirements and activities involving checks on operational systems should be carefully planned and agreed to minimize the risk of disruptions to business processes. | No
A.15.3.2 Protection of information systems audit tools | Access to information systems audit tools should be protected to prevent any possible misuse or compromise. | No