Controls

| Control | Title | Applicable | Reason | Status |
|---|---|---|---|---|
| A.5.1.1 | Policies for information security | YES | Risk assessment | Implemented |
| A.5.1.2 | Review of the policies for information security | YES | Best practice | Implemented |
| A.6.1.1 | Information security roles and responsibilities | YES | Best practice | Implemented |
| A.6.1.2 | Segregation of duties | YES | Risk assessment | Implemented |
| A.6.1.3 | Contact with authorities | YES | Risk assessment | Implemented |
| A.6.1.4 | Contact with special interest groups | YES | Best practice | Implemented |
| A.6.1.5 | Information security in project management | YES | Risk assessment | Implemented |
| A.6.2.1 | Mobile device policy | YES | Risk assessment | Implemented |
| A.6.2.2 | Teleworking | YES | Risk assessment | Implemented |
| A.7.1.1 | Screening | YES | Risk assessment | Implemented |
| A.7.1.2 | Terms and conditions of employment | YES | Best practice | Implemented |
| A.7.2.1 | Management responsibilities | YES | Risk assessment | Implemented |
| A.7.2.2 | Information security awareness, education and training | YES | Risk assessment | Implemented |
| A.7.2.3 | Disciplinary process | YES | Best practice | Implemented |
| A.7.3.1 | Termination or change of employment responsibilities | YES | Risk assessment | Implemented |
| A.8.1.1 | Inventory of assets | YES | Risk assessment | Implemented |
| A.8.1.2 | Ownership of assets | YES | Risk assessment | Implemented |
| A.8.1.3 | Acceptable use of assets | YES | Best practice | Implemented |
| A.8.1.4 | Return of assets | YES | Best practice | Implemented |
| A.8.2.1 | Classification of information | YES | Risk assessment | Implemented |
| A.8.2.2 | Labelling of information | YES | Risk assessment | Implemented |
| A.8.2.3 | Handling of assets | YES | Risk assessment | Implemented |
| A.8.3.1 | Management of removable media | YES | Best practice | Implemented |
| A.8.3.2 | Disposal of media | YES | Best practice | Implemented |
| A.8.3.3 | Physical media transfer | YES | Best practice | Implemented |
| A.9.1.1 | Access control policy | YES | Risk assessment | Implemented |
| A.9.1.2 | Access to networks and network services | YES | Risk assessment | Implemented |
| A.9.2.1 | User registration and de-registration | YES | Risk assessment | Implemented |
| A.9.2.2 | User access provisioning | YES | Risk assessment | Implemented |
| A.9.2.3 | Management of privileged access rights | YES | Risk assessment | Implemented |
| A.9.2.4 | Management of secret authentication information of users | YES | Risk assessment | Implemented |
| A.9.2.5 | Review of user access rights | YES | Risk assessment | Implemented |
| A.9.2.6 | Removal or adjustment of access rights | YES | Risk assessment | Implemented |
| A.9.3.1 | Use of secret authentication information of users | YES | Risk assessment | Implemented |
| A.9.4.1 | Information access restriction | YES | Risk assessment | Implemented |
| A.9.4.2 | Secure log-on procedures | YES | Risk assessment | Implemented |
| A.9.4.3 | Password management system | YES | Risk assessment | Implemented |
| A.9.4.4 | Use of privileged utility programs | YES | Risk assessment | Implemented |
| A.9.4.5 | Access control to program source code | YES | Risk assessment | Implemented |
| A.10.1.1 | Policy on the use of cryptographic controls | YES | Risk assessment | Implemented |
| A.10.1.2 | Key management | YES | Risk assessment | Implemented |
| A.11.1.1 | Physical security perimeter | YES | Risk assessment | Implemented |
| A.11.1.2 | Physical entry controls | YES | Risk assessment | Implemented |
| A.11.1.3 | Securing offices, rooms and facilities | YES | Risk assessment | Implemented |
| A.11.1.4 | Protecting against external and environmental threats | YES | Risk assessment | Implemented |
| A.11.1.5 | Working in secure areas | YES | Risk assessment | Implemented |
| A.11.1.6 | Delivery and loading areas | YES | Risk assessment | Implemented |
| A.11.2.1 | Equipment siting and protection | YES | Best practice | Implemented |
| A.11.2.2 | Supporting utilities | YES | Best practice | Implemented |
| A.11.2.3 | Cabling security | YES | Best practice | Implemented |
| A.11.2.4 | Equipment maintenance | YES | Risk assessment | Implemented |
| A.11.2.5 | Removal of assets | YES | Best practice | Implemented |
| A.11.2.6 | Security of equipment and assets off-premises | YES | Best practice | Implemented |
| A.11.2.7 | Secure disposal or re-use of equipment | YES | Best practice | Implemented |
| A.11.2.8 | Unattended user equipment | YES | Best practice | Implemented |
| A.11.2.9 | Clear desk and clear screen policy | YES | Risk assessment | Implemented |
| A.12.1.1 | Documented operating procedures | YES | Risk assessment | Implemented |
| A.12.1.2 | Change management | YES | Risk assessment | Implemented |
| A.12.1.3 | Capacity management | YES | Best practice | Implemented |
| A.12.1.4 | Separation of development, testing and operational environments | YES | Best practice | Implemented |
| A.12.2.1 | Controls against malware | YES | Best practice | Implemented |
| A.12.3.1 | Information backup | YES | Risk assessment | Implemented |
| A.12.4.1 | Event logging | YES | Risk assessment | Implemented |
| A.12.4.2 | Protection of log information | YES | Risk assessment | Implemented |
| A.12.4.3 | Administrator and operator logs | YES | Risk assessment | Implemented |
| A.12.4.4 | Clock synchronization | YES | Risk assessment | Implemented |
| A.12.5.1 | Installation of software on operational systems | YES | Best practice | Implemented |
| A.12.6.1 | Management of technical vulnerabilities | YES | Best practice | Implemented |
| A.12.6.2 | Restrictions on software installation | YES | Risk assessment | Implemented |
| A.12.7.1 | Information system audit controls | YES | Best practice | Implemented |
| A.13.1.1 | Network controls | YES | Best practice | Implemented |
| A.13.1.2 | Security of network services | YES | Best practice | Implemented |
| A.13.1.3 | Segregation in networks | YES | Risk assessment | Implemented |
| A.13.2.1 | Information transfer policies and procedures | YES | Best practice | Implemented |
| A.13.2.2 | Agreements on information transfer | YES | Risk assessment | Implemented |
| A.13.2.3 | Electronic messaging | YES | Risk assessment | DKIM and SPF are implemented within Google Mail. DMARC still needs to be implemented. |
| A.13.2.4 | Confidentiality or non-disclosure agreements | YES | Risk assessment | Implemented |
| A.14.1.1 | Security requirements of information systems | YES | Best practice | Implemented |
| A.14.1.2 | Securing application services on public networks | YES | Best practice | Implemented |
| A.14.1.3 | Protecting application services transactions | YES | Best practice | Implemented |
| A.14.2.1 | Secure development policy | YES | Best practice | Implemented |
| A.14.2.2 | System change control procedures | NO | - | Not Implemented |
| A.14.2.3 | Technical review of applications after operating platform changes | YES | Best practice | Implemented |
| A.14.2.4 | Restrictions on changes to software packages | YES | Best practice | Implemented |
| A.14.2.5 | Secure system engineering principles | YES | Risk assessment | Implemented |
| A.14.2.6 | Secure development environment | NO | - | Not Implemented |
| A.14.2.7 | Outsourced development | YES | Best practice | Implemented |
| A.14.2.8 | System security testing | NO | - | Not Implemented |
| A.14.2.9 | System acceptance testing | YES | Best practice | Implemented |
| A.14.3.1 | Protection of test data | YES | Best practice | Implemented |
| A.15.1.1 | Information security policy for supplier relationships | YES | Risk assessment | Implemented |
| A.15.1.2 | Addressing security within supplier agreements | YES | Risk assessment | Implemented |
| A.15.1.3 | Information and communication technology supply chain | YES | Best practice | Implemented |
| A.15.2.1 | Monitoring and review of supplier services | YES | Risk assessment | Implemented |
| A.15.2.2 | Managing changes to supplier services | YES | Best practice | Implemented |
| A.16.1.1 | Responsibilities and procedures | YES | Risk assessment | Implemented |
| A.16.1.2 | Reporting information security events | YES | Risk assessment | Implemented |
| A.16.1.3 | Reporting information security weaknesses | YES | Best practice | Implemented |
| A.16.1.4 | Assessment of and decision on information security events | YES | Best practice | Implemented |
| A.16.1.5 | Response to information security incidents | YES | Best practice | Implemented |
| A.16.1.6 | Learning from information security incidents | YES | Best practice | Implemented |
| A.16.1.7 | Collection of evidence | YES | Best practice | Implemented |
| A.17.1.1 | Planning information security continuity | YES | Risk assessment | Implemented |
| A.17.1.2 | Implementing information security continuity | YES | Risk assessment | Implemented |
| A.17.1.3 | Verify, review and evaluate information security continuity | YES | Risk assessment | Implemented |
| A.17.2.1 | Availability of information processing facilities | YES | Best practice | Implemented |
| A.18.1.1 | Identification of applicable legislation and contractual requirements | YES | Legal and contractual requirements and Risk assessment | Implemented |
| A.18.1.2 | Intellectual property rights | YES | Legal and contractual requirements | Implemented |
| A.18.1.3 | Protection of records | YES | Legal and contractual requirements and Risk assessment | Implemented |
| A.18.1.4 | Privacy and protection of personally identifiable information | YES | Legal and contractual requirements | Implemented |
| A.18.1.5 | Regulation of cryptographic controls | YES | Legal and contractual requirements | Implemented |
| A.18.2.1 | Independent review of information security | YES | Best practice | Implemented |
| A.18.2.2 | Compliance with security policies and standards | YES | Best practice | Implemented |
| A.18.2.3 | Technical compliance review | YES | Risk assessment | Implemented |

Extract of 10/10/2022