Last edited one week ago by WikiSysop

Statement of Applicability (SoA)

Document control
Document type: Supporting document
Process owner:
Scope:
Affected roles:
Valid: Not valid
Approval: not approved
Page status: First draft

  • implemented: 1
  • partially implemented: 0
  • not implemented: 0
  • not checked: 96

Organizational controls

Annex A Control | Selection | Implementation status | Last approval
5.1 Policies for information security | included | implemented |
5.2 Information security roles and responsibilities | not checked | not checked |
5.3 Segregation of duties | not checked | not checked |
5.4 Management responsibilities | not checked | not checked |
5.5 Contact with authorities | not checked | not checked |
5.6 Contact with special interest groups | not checked | not checked |
5.7 Threat intelligence | not checked | not checked |
5.8 Information security in project management | not checked | not checked |
5.9 Inventory of information and other associated assets | not checked | not checked |
5.10 Acceptable use of information and other associated assets | not checked | not checked |
5.11 Return of assets | not checked | not checked |
5.12 Classification of information | not checked | not checked |
5.13 Labelling of information | not checked | not checked |
5.14 Information transfer | not checked | not checked |
5.15 Access control | not checked | not checked |
5.16 Identity management | not checked | not checked |
5.17 Authentication information | not checked | not checked |
5.18 Access rights | not checked | not checked |
5.19 Information security in supplier relationships | not checked | not checked |
5.20 Addressing information security within supplier agreements | not checked | not checked |
5.21 Managing information security in the ICT supply chain | not checked | not checked |
5.22 Monitoring, review and change management of supplier services | not checked | not checked |
5.23 Information security for use of cloud services | not checked | not checked |
5.24 Information security incident management planning and preparation | not checked | not checked |
5.25 Assessment and decision on information security events | not checked | not checked |
5.26 Response to information security incidents | not checked | not checked |
5.27 Learning from information security incidents | not checked | not checked |
5.28 Collection of evidence | not checked | not checked |
5.29 Information security during disruption | not checked | not checked |
5.30 ICT readiness for business continuity | not checked | not checked |
5.31 Identification of legal, statutory, regulatory, and contractual requirements | not checked | not checked |
5.32 Intellectual property rights | not checked | not checked |
5.33 Protection of records | not checked | not checked |
5.34 Privacy and protection of PII | not checked | not checked |
5.35 Independent review of information security | not checked | not checked |
5.36 Compliance with policies and standards for information security | not checked | not checked |
5.37 Documented operating procedures | not checked | not checked |

People controls

Annex A Control | Selection | Implementation status | Last approval
6.1 Screening | not checked | not checked |
6.2 Terms and conditions of employment | not checked | not checked |
6.3 Information security awareness, education and training | not checked | not checked |
6.4 Disciplinary process | not checked | not checked |
6.5 Responsibilities after termination or change of employment | not checked | not checked |
6.6 Confidentiality or non-disclosure agreements | not checked | not checked |
6.7 Remote working | not checked | not checked |
6.8 Information security event reporting | not checked | not checked |

Physical controls

Annex A Control | Selection | Implementation status | Last approval
7.1 Physical security perimeter | not checked | not checked |
7.2 Physical entry controls | not checked | not checked |
7.3 Securing offices, rooms and facilities | not checked | not checked |
7.4 Physical security monitoring | not checked | not checked |
7.5 Protecting against physical and environmental threats | not checked | not checked |
7.6 Working in secure areas | not checked | not checked |
7.7 Clear desk and clear screen | not checked | not checked |
7.8 Equipment siting and protection | not checked | not checked |
7.9 Security of assets off-premises | not checked | not checked |
7.10 Storage media | not checked | not checked |
7.11 Supporting utilities | not checked | not checked |
7.12 Cabling security | not checked | not checked |
7.13 Equipment maintenance | not checked | not checked |
7.14 Secure disposal or re-use of equipment | not checked | not checked |

Technological controls

Annex A Control | Selection | Implementation status | Last approval
8.1 User endpoint devices | not checked | not checked |
8.2 Privileged access rights | not checked | not checked |
8.3 Information access restriction | not checked | not checked |
8.4 Access to source code | not checked | not checked |
8.5 Secure authentication | not checked | not checked |
8.6 Capacity management | not checked | not checked |
8.7 Protection against malware | not checked | not checked |
8.8 Management of technical vulnerabilities | not checked | not checked |
8.9 Configuration management | not checked | not checked |
8.10 Information deletion | not checked | not checked |
8.11 Data masking | not checked | not checked |
8.12 Data leakage prevention | not checked | not checked |
8.13 Information backup | not checked | not checked |
8.14 Redundancy of information processing facilities | not checked | not checked |
8.15 Logging | not checked | not checked |
8.16 Monitoring activities | not checked | not checked |
8.17 Clock synchronization | not checked | not checked |
8.18 Use of privileged utility programs | not checked | not checked |
8.19 Installation of software on operational systems | not checked | not checked |
8.20 Network controls | not checked | not checked |
8.21 Security of network services | not checked | not checked |
8.22 Segregation in networks | not checked | not checked |
8.23 Web filtering | not checked | not checked |
8.24 Use of cryptography | not checked | not checked |
8.25 Secure development lifecycle | not checked | not checked |
8.26 Application security requirements | not checked | not checked |
8.27 Secure system architecture and engineering principles | not checked | not checked |
8.28 Secure coding | not checked | not checked |
8.29 Security testing in development and acceptance | not checked | not checked |
8.30 Outsourced development | not checked | not checked |
8.31 Separation of development, test and production environments | not checked | not checked |
8.32 Change management | not checked | not checked |
8.33 Test information | not checked | not checked |
8.34 Protection of information systems during audit and testing | not checked | not checked |