Control | Applicable | Reason | Status |
---|---|---|---|
A.5.1.1 Policies for information security | YES | Risk assessment | Implemented |
A.5.1.2 Review of the policies for information security | YES | Best practice | Implemented |
A.6.1.1 Information security roles and responsibilities | YES | Best practice | Implemented |
A.6.1.2 Segregation of duties | YES | Risk assessment | Implemented |
A.6.1.3 Contact with authorities | YES | Risk assessment | Implemented |
A.6.1.4 Contact with special interest groups | YES | Best practice | Implemented |
A.6.1.5 Information security in project management | YES | Risk assessment | Implemented |
A.6.2.1 Mobile device policy | YES | Risk assessment | Implemented |
A.6.2.2 Teleworking | YES | Risk assessment | Implemented |
A.7.1.1 Screening | YES | Risk assessment | Implemented |
A.7.1.2 Terms and conditions of employment | YES | Best practice | Implemented |
A.7.2.1 Management responsibilities | YES | Risk assessment | Implemented |
A.7.2.2 Information security awareness, education and training | YES | Risk assessment | Implemented |
A.7.2.3 Disciplinary process | YES | Best practice | Implemented |
A.7.3.1 Termination or change of employment responsibilities | YES | Risk assessment | Implemented |
A.8.1.1 Inventory of assets | YES | Risk assessment | Implemented |
A.8.1.2 Ownership of assets | YES | Risk assessment | Implemented |
A.8.1.3 Acceptable use of assets | YES | Best practice | Implemented |
A.8.1.4 Return of assets | YES | Best practice | Implemented |
A.8.2.1 Classification of information | YES | Risk assessment | Implemented |
A.8.2.2 Labelling of information | YES | Risk assessment | Implemented |
A.8.2.3 Handling of assets | YES | Risk assessment | Implemented |
A.8.3.1 Management of removable media | YES | Best practice | Implemented |
A.8.3.2 Disposal of media | YES | Best practice | Implemented |
A.8.3.3 Physical media transfer | YES | Best practice | Implemented |
A.9.1.1 Access control policy | YES | Risk assessment | Implemented |
A.9.1.2 Access to networks and network services | YES | Risk assessment | Implemented |
A.9.2.1 User registration and de-registration | YES | Risk assessment | Implemented |
A.9.2.2 User access provisioning | YES | Risk assessment | Implemented |
A.9.2.3 Management of privileged access rights | YES | Risk assessment | Implemented |
A.9.2.4 Management of secret authentication information of users | YES | Risk assessment | Implemented |
A.9.2.5 Review of user access rights | YES | Risk assessment | Implemented |
A.9.2.6 Removal or adjustment of access rights | YES | Risk assessment | Implemented |
A.9.3.1 Use of secret authentication information of users | YES | Risk assessment | Implemented |
A.9.4.1 Information access restriction | YES | Risk assessment | Implemented |
A.9.4.2 Secure log-on procedures | YES | Risk assessment | Implemented |
A.9.4.3 Password management system | YES | Risk assessment | Implemented |
A.9.4.4 Use of privileged utility programs | YES | Risk assessment | Implemented |
A.9.4.5 Access control to program source code | YES | Risk assessment | Implemented |
A.10.1.1 Policy on the use of cryptographic controls | YES | Risk assessment | Implemented |
A.10.1.2 Key management | YES | Risk assessment | Implemented |
A.11.1.1 Physical security perimeter | YES | Risk assessment | Implemented |
A.11.1.2 Physical entry controls | YES | Risk assessment | Implemented |
A.11.1.3 Securing offices, rooms and facilities | YES | Risk assessment | Implemented |
A.11.1.4 Protecting against external and environmental threats | YES | Risk assessment | Implemented |
A.11.1.5 Working in secure areas | YES | Risk assessment | Implemented |
A.11.1.6 Delivery and loading areas | YES | Risk assessment | Implemented |
A.11.2.1 Equipment siting and protection | YES | Best practice | Implemented |
A.11.2.2 Supporting utilities | YES | Best practice | Implemented |
A.11.2.3 Cabling security | YES | Best practice | Implemented |
A.11.2.4 Equipment maintenance | YES | Risk assessment | Implemented |
A.11.2.5 Removal of assets | YES | Best practice | Implemented |
A.11.2.6 Security of equipment and assets off-premises | YES | Best practice | Implemented |
A.11.2.7 Secure disposal or re-use of equipment | YES | Best practice | Implemented |
A.11.2.8 Unattended user equipment | YES | Best practice | Implemented |
A.11.2.9 Clear desk and clear screen policy | YES | Risk assessment | Implemented |
A.12.1.1 Documented operating procedures | YES | Risk assessment | Implemented |
A.12.1.2 Change management | YES | Risk assessment | Implemented |
A.12.1.3 Capacity management | YES | Best practice | Implemented |
A.12.1.4 Separation of development, testing and operational environments | YES | Best practice | Implemented |
A.12.2.1 Controls against malware | YES | Best practice | Implemented |
A.12.3.1 Information backup | YES | Risk assessment | Implemented |
A.12.4.1 Event logging | YES | Risk assessment | Implemented |
A.12.4.2 Protection of log information | YES | Risk assessment | Implemented |
A.12.4.3 Administrator and operator logs | YES | Risk assessment | Implemented |
A.12.4.4 Clock synchronization | YES | Risk assessment | Implemented |
A.12.5.1 Installation of software on operational systems | YES | Best practice | Implemented |
A.12.6.1 Management of technical vulnerabilities | YES | Best practice | Implemented |
A.12.6.2 Restrictions on software installation | YES | Risk assessment | Implemented |
A.12.7.1 Information system audit controls | YES | Best practice | Implemented |
A.13.1.1 Network controls | YES | Best practice | Implemented |
A.13.1.2 Security of network services | YES | Best practice | Implemented |
A.13.1.3 Segregation in networks | YES | Risk assessment | Implemented |
A.13.2.1 Information transfer policies and procedures | YES | Best practice | Implemented |
A.13.2.2 Agreements on information transfer | YES | Risk assessment | Implemented |
A.13.2.3 Electronic messaging | YES | Risk assessment | Partially implemented: DKIM and SPF are configured for Google Mail; DMARC still needs to be implemented. |
A.13.2.4 Confidentiality or non-disclosure agreements | YES | Risk assessment | Implemented |
A.14.1.1 Security requirements of information systems | YES | Best practice | Implemented |
A.14.1.2 Securing application services on public networks | YES | Best practice | Implemented |
A.14.1.3 Protecting application services transactions | YES | Best practice | Implemented |
A.14.2.1 Secure development policy | YES | Best practice | Implemented |
A.14.2.2 System change control procedures | NO | - | Not Implemented |
A.14.2.3 Technical review of applications after operating platform changes | YES | Best practice | Implemented |
A.14.2.4 Restrictions on changes to software packages | YES | Best practice | Implemented |
A.14.2.5 Secure system engineering principles | YES | Risk assessment | Implemented |
A.14.2.6 Secure development environment | NO | - | Not Implemented |
A.14.2.7 Outsourced development | YES | Best practice | Implemented |
A.14.2.8 System security testing | NO | - | Not Implemented |
A.14.2.9 System acceptance testing | YES | Best practice | Implemented |
A.14.3.1 Protection of test data | YES | Best practice | Implemented |
A.15.1.1 Information security policy for supplier relationships | YES | Risk assessment | Implemented |
A.15.1.2 Addressing security within supplier agreements | YES | Risk assessment | Implemented |
A.15.1.3 Information and communication technology supply chain | YES | Best practice | Implemented |
A.15.2.1 Monitoring and review of supplier services | YES | Risk assessment | Implemented |
A.15.2.2 Managing changes to supplier services | YES | Best practice | Implemented |
A.16.1.1 Responsibilities and procedures | YES | Risk assessment | Implemented |
A.16.1.2 Reporting information security events | YES | Risk assessment | Implemented |
A.16.1.3 Reporting information security weaknesses | YES | Best practice | Implemented |
A.16.1.4 Assessment of and decision on information security events | YES | Best practice | Implemented |
A.16.1.5 Response to information security incidents | YES | Best practice | Implemented |
A.16.1.6 Learning from information security incidents | YES | Best practice | Implemented |
A.16.1.7 Collection of evidence | YES | Best practice | Implemented |
A.17.1.1 Planning information security continuity | YES | Risk assessment | Implemented |
A.17.1.2 Implementing information security continuity | YES | Risk assessment | Implemented |
A.17.1.3 Verify, review and evaluate information security continuity | YES | Risk assessment | Implemented |
A.17.2.1 Availability of information processing facilities | YES | Best practice | Implemented |
A.18.1.1 Identification of applicable legislation and contractual requirements | YES | Legal and contractual requirements and Risk assessment | Implemented |
A.18.1.2 Intellectual property rights | YES | Legal and contractual requirements | Implemented |
A.18.1.3 Protection of records | YES | Legal and contractual requirements and Risk assessment | Implemented |
A.18.1.4 Privacy and protection of personally identifiable information | YES | Legal and contractual requirements | Implemented |
A.18.1.5 Regulation of cryptographic controls | YES | Legal and contractual requirements | Implemented |
A.18.2.1 Independent review of information security | YES | Best practice | Implemented |
A.18.2.2 Compliance with security policies and standards | YES | Best practice | Implemented |
A.18.2.3 Technical compliance review | YES | Risk assessment | Implemented |
Extract of 10/10/2022