kt - iso 27001 statement of applicability

Upload: jonathan-salas

Post on 06-Apr-2018


TRANSCRIPT

8/3/2019 KT - ISO 27001 Statement of Applicability (1/37)

KT - Statement of Applicability for ISO 27001:2005

Organisation: KT Consultancy
ISMS: KT Consultancy
Published: 02/11/2008 15:37:14
Classification: Private
Version: 1.0
Published By: Hakimuddin Gheewala

A.5.1 Information security policy
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

A.5.1.1 Information security policy document
    Control: An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties.
    Applicable: No / Yes

A.5.1.2 Review of the information security policy
    Control: The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.
    Applicable: No / Yes

A.6.1 Internal organization
Objective: To manage information security within the organization.

A.6.1.1 Management commitment to information security
    Control: Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities.
    Applicable: No / Yes


A.6.1.2 Information security coordination
    Control: Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions.
    Applicable: No / Yes

A.6.1.3 Allocation of information security responsibilities
    Control: All information security responsibilities shall be clearly defined.
    Applicable: No

A.6.1.4 Authorization process for information processing facilities
    Control: A management authorization process for new information processing facilities shall be defined and implemented.
    Applicable: No

A.6.1.5 Confidentiality agreements
    Control: Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified and regularly reviewed.
    Applicable: No

A.6.1.6 Contact with authorities
    Control: Appropriate contact with relevant authorities shall be maintained.
    Applicable: No

A.6.1.7 Contact with special interest groups
    Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
    Applicable: No


A.6.1.8 Independent review of information security
    Control: The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.
    Applicable: No / Yes


A.6.2 External parties
Objective: To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

A.6.2.1 Identification of risks related to external parties
    Control: The risks to the organization's information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access.
    Applicable: No

A.6.2.2 Addressing security when dealing with customers
    Control: All identified security requirements shall be addressed before giving customers access to the organization's information or assets.
    Applicable: No

A.6.2.3 Addressing security in third party agreements
    Control: Agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities, or adding products or services to information processing facilities, shall cover all relevant security requirements.
    Applicable: No


A.7.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organization assets.

A.7.1.1 Inventory of assets
    Control: All assets shall be clearly identified and an inventory of all important assets drawn up and maintained.
    Applicable: No

A.7.1.2 Ownership of assets
    Control: All information and assets associated with information processing facilities should be 'owned' by a designated part of the organization.
    Applicable: No

A.7.1.3 Acceptable use of assets
    Control: Rules for the acceptable use of information and assets associated with information processing facilities should be identified, documented and implemented.
    Applicable: No


A.7.2 Information classification
Objective: To ensure that information receives an appropriate level of protection.

A.7.2.1 Classification guidelines
    Control: Information should be classified in terms of its value, legal requirements, sensitivity and criticality to the organization.
    Applicable: No

A.7.2.2 Information labelling and handling
    Control: An appropriate set of procedures for information labelling and handling should be developed and implemented in accordance with the classification scheme adopted by the organization.
    Applicable: No


A.8.1 Prior to employment
Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, to reduce the risk of theft, fraud or misuse of facilities.

A.8.1.1 Roles and responsibilities
    Control: Security roles and responsibilities of employees, contractors and third party users should be defined and documented in accordance with the organization's information security policy.
    Applicable: No

A.8.1.2 Screening
    Control: Background verification checks on all candidates for employment, contractors and third party users should be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.
    Applicable: No

A.8.1.3 Terms and conditions of employment
    Control: As part of their contractual obligation, employees, contractors and third party users should agree and sign the terms and conditions of their employment contract, which should state their and the organization's responsibility for information security.
    Applicable: No


A.8.2 During employment
Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.

A.8.2.1 Management responsibilities
    Control: Management should require employees, contractors and third party users to apply security in accordance with the established policies and procedures of the organization.
    Applicable: No

A.8.2.2 Information security awareness, education and training
    Control: All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.
    Applicable: No

A.8.2.3 Disciplinary process
    Control: There should be a formal disciplinary process for employees who have committed a security breach.
    Applicable: No


A.8.3 Termination or change of employment
Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.

A.8.3.1 Termination responsibilities
    Control: Responsibilities for performing employment termination should be clearly defined and assigned.
    Applicable: No

A.8.3.2 Return of assets
    Control: All employees, contractors and third party users should return all of the organization's assets in their possession upon termination of their employment, contract or agreement.
    Applicable: No

A.8.3.3 Removal of access rights
    Control: The access rights of all employees, contractors and third party users of information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.
    Applicable: No

A.9.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's premises and information.


A.9.1.1 Physical security perimeter
    Control: Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) should be used to protect areas that contain information and information processing facilities.
    Applicable: No

A.9.1.2 Physical entry controls
    Control: Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
    Applicable: No

A.9.1.3 Securing offices, rooms and facilities
    Control: Physical security for offices, rooms and facilities should be designed and applied.
    Applicable: No

A.9.1.4 Protecting against external and environmental threats
    Control: Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster should be designed and applied.
    Applicable: No

A.9.1.5 Working in secure areas
    Control: Physical protection and guidelines for working in secure areas should be designed and applied.
    Applicable: No

A.9.1.6 Public access, delivery and loading areas
    Control: Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
    Applicable: No


A.9.2 Equipment security
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's activities.

A.9.2.1 Equipment siting and protection
    Control: Equipment should be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
    Applicable: No

A.9.2.2 Supporting utilities
    Control: Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities.
    Applicable: No

A.9.2.3 Cabling security
    Control: Power and telecommunications cabling carrying data or supporting information services should be protected from interception or damage.
    Applicable: No

A.9.2.4 Equipment maintenance
    Control: Equipment should be correctly maintained to ensure its continued availability and integrity.
    Applicable: No

A.9.2.5 Security of equipment off-premises
    Control: Security should be applied to off-site equipment, taking into account the different risks of working outside the organization's premises.
    Applicable: No


A.9.2.6 Secure disposal or re-use of equipment
    Control: All items of equipment containing storage media should be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.
    Applicable: No

A.9.2.7 Removal of property
    Control: Equipment, information or software should not be taken off-site without prior authorization.
    Applicable: No


A.10.1 Operational procedures and responsibilities
Objective: To ensure the correct and secure operation of information processing facilities.

A.10.1.1 Documented operating procedures
    Control: Operating procedures should be documented, maintained and made available to all users who need them.
    Applicable: No

A.10.1.2 Change management
    Control: Changes to information processing facilities and systems should be controlled.
    Applicable: No

A.10.1.3 Segregation of duties
    Control: Duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
    Applicable: No

A.10.1.4 Separation of development, test and operational facilities
    Control: Development, test and operational facilities should be separated to reduce the risks of unauthorized access or changes to the operational system.
    Applicable: No


A.10.2 Third party service delivery management
Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

A.10.2.1 Service delivery
    Control: It should be ensured that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated and maintained by the third party.
    Applicable: No

A.10.2.2 Monitoring and review of third party services
    Control: The services, reports and records provided by the third party should be regularly monitored and reviewed, and audits should be carried out regularly.
    Applicable: No

A.10.2.3 Managing changes to third party services
    Control: Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of the business systems and processes involved and re-assessment of risks.
    Applicable: No


A.10.3 System planning and acceptance
Objective: To minimize the risk of systems failures.

A.10.3.1 Capacity management
    Control: The use of resources should be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.
    Applicable: No

A.10.3.2 System acceptance
    Control: Acceptance criteria for new information systems, upgrades and new versions should be established and suitable tests of the system(s) carried out during development and prior to acceptance.
    Applicable: No


A.10.4 Protection against malicious and mobile code
Objective: To protect the integrity of software and information.

A.10.4.1 Controls against malicious code
    Control: Detection, prevention and recovery controls to protect against malicious code and appropriate user awareness procedures should be implemented.
    Applicable: No

A.10.4.2 Controls against mobile code
    Control: Where the use of mobile code is authorized, the configuration should ensure that the authorized mobile code operates according to a clearly defined security policy, and unauthorized mobile code should be prevented from executing.
    Applicable: No

A.10.5 Back-up
Objective: To maintain the integrity and availability of information and information processing facilities.

A.10.5.1 Information back-up
    Control: Back-up copies of information and software should be taken and tested regularly in accordance with the agreed back-up policy.
    Applicable: No


A.10.6 Network security management
Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.

A.10.6.1 Network controls
    Control: Networks should be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.
    Applicable: No

A.10.6.2 Security of network services
    Control: Security features, service levels and management requirements of all network services should be identified and included in any network services agreement, whether those services are provided in-house or outsourced.
    Applicable: No


A.10.7 Media handling
Objective: To prevent the unauthorized disclosure, modification, removal or destruction of assets and interruption to business activities.

A.10.7.1 Management of removable media
    Control: There should be procedures in place for the management of removable media.
    Applicable: No

A.10.7.2 Disposal of media
    Control: Media should be disposed of securely and safely when no longer required, using formal procedures.
    Applicable: No

A.10.7.3 Information handling procedures
    Control: Procedures for the handling and storage of information should be established to protect this information from unauthorized disclosure or misuse.
    Applicable: No

A.10.7.4 Security of system documentation
    Control: System documentation should be protected against unauthorized access.
    Applicable: No


A.10.8 Exchange of information
Objective: To maintain the security of information and software exchanged within an organization and with any external entity.

A.10.8.1 Information exchange policies and procedures
    Control: Formal exchange policies, procedures and controls should be in place to protect the exchange of information through the use of all types of communication facilities.
    Applicable: No

A.10.8.2 Exchange agreements
    Control: Agreements should be established for the exchange of information and software between the organization and external parties.
    Applicable: No

A.10.8.3 Physical media in transit
    Control: Media containing information should be protected against unauthorized access, misuse or corruption during transportation beyond an organization's physical boundaries.
    Applicable: No

A.10.8.4 Electronic messaging
    Control: Information involved in electronic messaging should be appropriately protected.
    Applicable: No

A.10.8.5 Business information systems
    Control: Policies and procedures should be developed and implemented to protect information associated with the interconnection of business information systems.
    Applicable: No


A.10.9 Electronic commerce services
Objective: To ensure the security of electronic commerce services, and their secure use.

A.10.9.1 Electronic commerce
    Control: Information involved in electronic commerce passing over public networks should be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification.
    Applicable: No

A.10.9.2 On-line transactions
    Control: Information involved in on-line transactions should be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized message duplication or replay.
    Applicable: No

A.10.9.3 Publicly available information
    Control: The integrity of information being made available on a publicly available system should be protected to prevent unauthorized modification.
    Applicable: No

A.10.10 Monitoring
Objective: To detect unauthorized information processing activities.


A.10.10.1 Audit logging
    Control: Audit logs recording user activities, exceptions and information security events should be produced and kept for an agreed period to assist in future investigations and access control monitoring.
    Applicable: No

A.10.10.2 Monitoring system use
    Control: Procedures for monitoring use of information processing facilities should be established and the results of the monitoring activities reviewed regularly.
    Applicable: No

A.10.10.3 Protection of log information
    Control: Logging facilities and log information should be protected against tampering and unauthorized access.
    Applicable: No

A.10.10.4 Administrator and operator logs
    Control: System administrator and system operator activities should be logged.
    Applicable: No

A.10.10.5 Fault logging
    Control: Faults should be logged, analysed and appropriate action taken.
    Applicable: No

A.10.10.6 Clock synchronization
    Control: The clocks of all relevant information processing systems within an organization or security domain should be synchronized with an agreed accurate time source.
    Applicable: No


A.11.1 Business requirement for access control
Objective: To control access to information.

A.11.1.1 Access control policy
    Control: An access control policy should be established, documented and reviewed based on business and security requirements for access.
    Applicable: No


A.11.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to information systems.

A.11.2.1 User registration
    Control: There should be a formal user registration and de-registration procedure for granting and revoking access to all information systems and services.
    Applicable: No

A.11.2.2 Privilege management
    Control: The allocation and use of privileges should be restricted and controlled.
    Applicable: No

A.11.2.3 User password management
    Control: The allocation of passwords should be controlled through a formal management process.
    Applicable: No

A.11.2.4 Review of user access rights
    Control: Management should review users' access rights at regular intervals using a formal process.
    Applicable: No


A.11.3 User responsibilities
Objective: To prevent unauthorized user access, and compromise or theft of information and information processing facilities.

A.11.3.1 Password use
    Control: Users should be required to follow good security practices in the selection and use of passwords.
    Applicable: No

A.11.3.2 Unattended user equipment
    Control: Users should ensure that unattended equipment has appropriate protection.
    Applicable: No

A.11.3.3 Clear desk and clear screen policy
    Control: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted.
    Applicable: No

A.11.4 Network access control
Objective: To prevent unauthorized access to networked services.

A.11.4.1 Policy on use of network services
    Control: Users should only be provided with access to the services that they have been specifically authorized to use.
    Applicable: No

A.11.4.2 User authentication for external connections
    Control: Appropriate authentication methods should be used to control access by remote users.
    Applicable: No


A.11.4.3 Equipment identification in the network
    Control: Automatic equipment identification should be considered as a means to authenticate connections from specific locations and equipment.
    Applicable: No

A.11.4.4 Remote diagnostic and configuration port protection
    Control: Physical and logical access to diagnostic and configuration ports should be controlled.
    Applicable: No

A.11.4.5 Segregation in networks
    Control: Groups of information services, users and information systems should be segregated on networks.
    Applicable: No

A.11.4.6 Network connection control
    Control: For shared networks, especially those extending across the organization's boundaries, the capability of users to connect to the network should be restricted, in line with the access control policy and requirements of the business applications.
    Applicable: No

A.11.4.7 Network routing control
    Control: Routing controls should be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications.
    Applicable: No

A.11.5 Operating system access control
Objective: To prevent unauthorized access to operating systems.


A.11.5.1 Secure log-on procedures
    Control: Access to operating systems should be controlled by a secure log-on procedure.
    Applicable: No

A.11.5.2 User identification and authentication
    Control: All users should have a unique identifier (user ID) for their personal use only, and a suitable authentication technique should be chosen to substantiate the claimed identity of a user.
    Applicable: No

A.11.5.3 Password management system
    Control: Systems for managing passwords should be interactive and should ensure quality passwords.
    Applicable: No

A.11.5.4 Use of system utilities
    Control: The use of utility programs that might be capable of overriding system and application controls should be restricted and tightly controlled.
    Applicable: No

A.11.5.5 Session time-out
    Control: Inactive sessions should be shut down after a defined period of inactivity.
    Applicable: No

A.11.5.6 Limitation of connection time
    Control: Restrictions on connection times should be used to provide additional security for high-risk applications.
    Applicable: No


    A.11.6 Application and information access control

    Objective: To prevent unauthorized access to information held in application systems.

    A.11.6.1 Information access restriction: Access to information and application system functions by users and support personnel should be restricted in accordance with the defined access control policy. Applicable: No

    A.11.6.2 Sensitive system isolation: Sensitive systems should have a dedicated (isolated) computing environment. Applicable: No

    A.11.7 Mobile computing and teleworking

    Objective: To ensure information security when using mobile computing and teleworking facilities.

    A.11.7.1 Mobile computing and communications: A formal policy should be in place and appropriate security measures should be adopted to protect against the risks of using mobile computing and communication facilities. Applicable: No

    A.11.7.2 Teleworking: A policy, operational plans and procedures should be developed for teleworking activities. Applicable: No


    A.12.1 Security requirements of information systems

    Objective: To ensure that security is an integral part of information systems.

    A.12.1.1 Security requirements analysis and specification: Statements of business requirements for new information systems, or enhancements to existing information systems, should specify the requirements for security controls. Applicable: No


    A.12.2 Correct processing in applications

    Objective: To prevent errors, loss, unauthorized modification or misuse of information in applications.

    A.12.2.1 Input data validation: Data input to applications should be validated to ensure that this data is correct and appropriate. Applicable: No

    A.12.2.2 Control on internal processing: Validation checks should be incorporated into applications to detect any corruption of information through processing errors or deliberate acts. Applicable: No

    A.12.2.3 Message integrity: Requirements for ensuring authenticity and protecting message integrity in applications should be identified, and appropriate controls identified and implemented. Applicable: No

    A.12.2.4 Output data validation: Data output from an application should be validated to ensure that the processing of stored information is correct and appropriate to the circumstances. Applicable: No


    A.12.3 Cryptographic controls

    Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.

    A.12.3.1 Policy on the use of cryptographic controls: A policy on the use of cryptographic controls for protection of its information should be developed and implemented. Applicable: No

    A.12.3.2 Key management: Key management should be in place to support the organization's use of cryptographic techniques. Applicable: No

    A.12.4 Security of system files

    Objective: To ensure the security of system files.

    A.12.4.1 Control of operational software: There should be procedures in place to control the installation of software on operational systems. Applicable: No

    A.12.4.2 Protection of system test data: Test data should be selected carefully, and protected and controlled. Applicable: No

    A.12.4.3 Access control to program source code: Access to program source code should be restricted.


    A.12.5 Security in development and support processes

    Objective: To maintain the security of application system software and information.

    A.12.5.1 Change control procedures: The implementation of changes should be controlled by the use of formal change control procedures. Applicable: No

    A.12.5.2 Technical review of applications after operating system changes: When operating systems are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security. Applicable: No

    A.12.5.3 Restrictions on changes to software packages: Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled. Applicable: No

    A.12.5.4 Information leakage: Opportunities for information leakage should be prevented.

    A.12.5.5 Outsourced software development: Outsourced software development should be supervised and monitored by the organization. Applicable: No


    A.12.6 Technical vulnerability management

    Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.

    A.12.6.1 Control of technical vulnerabilities: Timely information about technical vulnerabilities of information systems being used should be obtained, the organization's exposure to such vulnerabilities evaluated, and the appropriate measures taken to address the associated risk. Applicable: No

    A.13.1 Reporting information security events and weaknesses

    Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.

    A.13.1.1 Reporting information security events: Information security events should be reported through appropriate management channels as quickly as possible. Applicable: No

    A.13.1.2 Reporting security weaknesses: All employees, contractors and third party users of information systems and services should be required to note and report any observed or suspected weaknesses in systems or services. Applicable: No


    A.13.2 Management of information security incidents and improvements

    Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.

    A.13.2.1 Responsibilities and procedures: Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents. Applicable: No

    A.13.2.2 Learning from information security incidents: There should be mechanisms in place to enable the types, volumes and costs of information security incidents to be quantified and monitored. Applicable: No

    A.13.2.3 Collection of evidence: Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence should be collected, retained and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s). Applicable: No

    A.14.1 Information security aspects of business continuity management

    Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.


    A.14.1.1 Including information security in the business continuity management process: A managed process should be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization's business continuity. Applicable: No

    A.14.1.2 Business continuity and risk assessment: Events that can cause interruptions to business processes should be identified, along with the probability and impact of such interruptions and their consequences for information security. Applicable: No

    A.14.1.3 Developing and implementing continuity plans including information security: Plans should be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes. Applicable: No

    A.14.1.4 Business continuity planning framework: A single framework of business continuity plans should be maintained to ensure all plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance. Applicable: No

    A.14.1.5 Testing, maintaining and re-assessing business continuity plans: Business continuity plans should be tested and updated regularly to ensure that they are up to date and effective. Applicable: No

    A.15.1 Compliance with legal requirements

    Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.

    A.15.1.1 Identification of applicable legislation: All relevant statutory, regulatory and contractual requirements and the organization's approach to meet these requirements should be explicitly defined, documented and kept up to date for each information system and the organization. Applicable: No

    A.15.1.2 Intellectual property rights (IPR): Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products. Applicable: No

    A.15.1.3 Protection of organizational records: Important records should be protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual and business requirements. Applicable: No

    A.15.1.4 Data protection and privacy of personal information: Data protection and privacy should be ensured as required in relevant legislation, regulations and, if applicable, contractual clauses. Applicable: No


    A.15.1.5 Prevention of misuse of information processing facilities: Users should be deterred from using information processing facilities for unauthorized purposes. Applicable: No

    A.15.1.6 Regulation of cryptographic controls: Cryptographic controls should be used in compliance with all relevant agreements, laws and regulations. Applicable: No

    A.15.2 Compliance with security policies and standards and technical compliance

    Objective: To ensure compliance of systems with organizational security policies and standards.

    A.15.2.1 Compliance with security policy and standards: Managers should ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards. Applicable: No

    A.15.2.2 Technical compliance checking: Information systems should be regularly checked for compliance with security implementation standards. Applicable: No


    A.15.3 Information systems audit considerations

    Objective: To maximise the effectiveness of and to minimize interference to/from the information systems audit process.

    A.15.3.1 Information systems audit controls: Audit requirements and activities involving checks on operational systems should be carefully planned and agreed to minimize the risk of disruptions to business processes. Applicable: No

    A.15.3.2 Protection of information systems audit tools: Access to information systems audit tools should be protected to prevent any possible misuse or compromise. Applicable: No