Statement of Applicability (SoA)

Document control

Document type:	Supporting document
Process owner:
Scope:
Affected roles:

Valid:	Not valid
Approval:	not approved
Page status:	First draft

implemented: 1
partially implemented: 0
not implemented: 0
not checked: 96

Organizational controls

Annex A Control	Selection	Implementation status
5.1 Policies for information security	included	implemented
5.2 Information security roles and responsibilities	not checked	not checked
5.3 Segregation of duties	not checked	not checked
5.4 Management responsibilities	not checked	not checked
5.5 Contact with authorities	not checked	not checked
5.6 Contact with special interest groups	not checked	not checked
5.7 Threat intelligence	not checked	not checked
5.8 Information security in project management	not checked	not checked
5.9 Inventory of information and other associated assets	not checked	not checked
5.10 Acceptable use of information and other associated assets	not checked	not checked
5.11 Return of assets	not checked	not checked
5.12 Classification of information	not checked	not checked
5.13 Labelling of information	not checked	not checked
5.14 Information transfer	not checked	not checked
5.15 Access control	not checked	not checked
5.16 Identity management	not checked	not checked
5.17 Authentication information	not checked	not checked
5.18 Access rights	not checked	not checked
5.19 Information security in supplier relationships	not checked	not checked
5.20 Addressing information security within supplier agreements	not checked	not checked
5.21 Managing information security in the ICT supply chain	not checked	not checked
5.22 Monitoring, review and change management of supplier services	not checked	not checked
5.23 Information security for use of cloud services	not checked	not checked
5.24 Information security incident management planning and preparation	not checked	not checked
5.25 Assessment and decision on information security events	not checked	not checked
5.26 Response to information security incidents	not checked	not checked
5.27 Learning from information security incidents	not checked	not checked
5.28 Collection of evidence	not checked	not checked
5.29 Information security during disruption	not checked	not checked
5.30 ICT readiness for business continuity	not checked	not checked
5.31 Identification of legal, statutory, regulatory, and contractual requirements	not checked	not checked
5.32 Intellectual property rights	not checked	not checked
5.33 Protection of records	not checked	not checked
5.34 Privacy and protection of PII	not checked	not checked
5.35 Independent review of information security	not checked	not checked
5.36 Compliance with policies and standards for information security	not checked	not checked
5.37 Documented operating procedures	not checked	not checked

People controls

Annex A Control	Selection	Implementation status
6.1 Screening	not checked	not checked
6.2 Terms and conditions of employment	not checked	not checked
6.3 Information security awareness, education and training	not checked	not checked
6.4 Disciplinary process	not checked	not checked
6.5 Responsibilities after termination or change of employment	not checked	not checked
6.6 Confidentiality or non-disclosure agreements	not checked	not checked
6.7 Remote working	not checked	not checked
6.8 Information security event reporting	not checked	not checked

Physical controls

Annex A Control	Selection	Implementation status
7.1 Physical security perimeter	not checked	not checked
7.2 Physical entry controls	not checked	not checked
7.3 Securing offices, rooms and facilities	not checked	not checked
7.4 Physical security monitoring	not checked	not checked
7.5 Protecting against physical and environmental threats	not checked	not checked
7.6 Working in secure areas	not checked	not checked
7.7 Clear desk and clear screen	not checked	not checked
7.8 Equipment siting and protection	not checked	not checked
7.9 Security of assets off-premises	not checked	not checked
7.10 Storage media	not checked	not checked
7.11 Supporting utilities	not checked	not checked
7.12 Cabling security	not checked	not checked
7.13 Equipment maintenance	not checked	not checked
7.14 Secure disposal or re-use of equipment	not checked	not checked

Technological controls

Annex A Control	Selection	Implementation status
8.1 User endpoint devices	not checked	not checked
8.2 Privileged access rights	not checked	not checked
8.3 Information access restriction	not checked	not checked
8.4 Access to source code	not checked	not checked
8.5 Secure authentication	not checked	not checked
8.6 Capacity management	not checked	not checked
8.7 Protection against malware	not checked	not checked
8.8 Management of technical vulnerabilities	not checked	not checked
8.9 Configuration management	not checked	not checked
8.10 Information deletion	not checked	not checked
8.11 Data masking	not checked	not checked
8.12 Data leakage prevention	not checked	not checked
8.13 Information backup	not checked	not checked
8.14 Redundancy of information processing facilities	not checked	not checked
8.15 Logging	not checked	not checked
8.16 Monitoring activities	not checked	not checked
8.17 Clock synchronization	not checked	not checked
8.18 Use of privileged utility programs	not checked	not checked
8.19 Installation of software on operational systems	not checked	not checked
8.20 Network controls	not checked	not checked
8.21 Security of network services	not checked	not checked
8.22 Segregation in networks	not checked	not checked
8.23 Web filtering	not checked	not checked
8.24 Use of cryptography	not checked	not checked
8.25 Secure development lifecycle	not checked	not checked
8.26 Application security requirements	not checked	not checked
8.27 Secure system architecture and engineering principles	not checked	not checked
8.28 Secure coding	not checked	not checked
8.29 Security testing in development and acceptance	not checked	not checked
8.30 Outsourced development	not checked	not checked
8.31 Separation of development, test and production environments	not checked	not checked
8.32 Change management	not checked	not checked
8.33 Test information	not checked	not checked
8.34 Protection of information systems during audit and testing	not checked	not checked