ISO 27001:2022 Statement of Applicability

by Pretesh Biswas

 ISO/IEC 27001:2022 Annex A controlsAppliedControl applied/Justification of InclusionJustification for exclusionResponsibility
5Organization control    
5.1Policies for information securityYesExistence of a Policy is a demonstration of management intent, approach to manage ISMS. To be controlled by  Annual ReviewNAGeneral Manager
5.2Information security roles and responsibilitiesYesExistence of  ISMS organization structure provides defined roles & responsibilities to management staff. To be documented in Organization chart/JDNAISMR
5.3Segregation of dutiesYesSegregation of duties to be done to protect against any kind of fraud. It is to be demonstrated in the  organization chart/JDNAISMR
5.4Management responsibilitiesYesThis is to ensure all personnel do not misuse the information made available to them for the purpose of operations.It is Part of GM roles, IS policies and Objectives, Training in IS to employeesNA EM
5.5Contact with authoritiesYesPart of GM and EM Roles to ensure availability of emergency servicesNAISMR
5.6Contact with special interest groupsYesPart of IT role to ensure access to latest security information/vulnerabilitiesNAIT department
5.7Threat intelligenceYesPart of IT role to collect information about existing and emerging threat environment  and take appropriate mitigation actionNAIT department
5.8Information security in project managementYesPart of PM role to ensure security ‘of, by and for’ projectsNAPM and IT
5.9Inventory of information and other associated assetsYesTo ensure all informations and assets are identified and reasonable security controls are appliesNAEM and IT
5.10Acceptable use of information and other associated assetsYesTo ensure all personnel have accountability of secure usage of information and assetsNAAll users
5.11Return of assetsYesTo ensure all assets are returned to the ownerNAIT department
5.12Classification of informationYesTo provide appropriate level of security sensitivity to the Information/AssetsNAISMR
5.13Labelling of informationYesTo ensure labeling of Information/Assets in line with classificationNAISMR
5.14Information transferYesTo protect information from misuse from information recipients and the medium of information tranferNAPM and IT
5.15Access controlYesTo ensure ‘need to know’ principle in each access to prevent unauthorized access to information and other associated assets.NAEM and IT
5.16Identity managementYesTo ensure identification of individuals and systems accessing the organization’s informationNAEM and IT
5.17Authentication informationYesTo protect sensitive authentication informationNAIT department
5.18Access rightsYesto ensure access to information/ assets is defined and authorizedNAEM and IT
5.19Information security in supplier relationshipsYesTo protect organization interest in dealing with vendorsNAAdmin/Accounts
5.20Addressing information security within supplier agreementsYesTo protect organization interest in dealing with vendorsNAAdmin/Accounts
5.21Managing information security in the ICT supply chainYesTo protect organization interest in dealing with vendorsNAIT
5.22Monitoring, review and change management of supplier servicesYesTo protect organization interest in dealing with vendorsNAAdmin/Accounts
5.23Information security for use of cloud servicesN/ANACloud service not in use 
5.24Information security incident management planning and preparationYesTo ensure incidents are reported and managedNAISMR
5.25Assessment and decision on information security eventsYesTo ensure incidents are reported and managedNAISMR
5.26Response to information security incidentsYesTo ensure incidents are reported and managedNAISMR
5.27Learning from information security incidentsYesTo ensure incidents are reported and managedNAISMR
5.28Collection of evidenceYesTo ensure incidents are reported and managedNAISMR
5.29Information security during disruptionYesTo ensure security in crisisNAISMR
5.30ICT readiness for business continuityYesTo ensure security in crisisNAISMR and IT
5.31Legal, statutory, regulatory and contractual requirementsYesTo protect organization against any legal non compliance from copyright violationNAISMR
5.32Intellectual property rightsYesTo protect organization against any legal non compliance from copyright violationNAISMR
5.33Protection of recordsYesTo ensure availability of historical recordsNAISMR
5.34Privacy and protection of PIIYesTo protect organization against any legal non compliance related to privacyNAISMR
5.35Independent review of information securityYesTo ensure effectivness of the ISMSNAISMR
5.36Compliance with policies, rules and standards for information securityYesTo ensure accountability of managersNAISMR
5.37Documented operating proceduresYesTo ensure processing integrity/process availabilityNAISMR
 6 People control    
6.1ScreeningYesTo ensure people joining the organization are free from any criminal backgroundNAHR/Admin
6.2Terms and conditions of employmentYesEnsure all personnel do not misuse the information made available to them for the purpose of operations.NAHR/Admin
6.3Information security awareness, education and trainingYesEnsure all personnel do not misuse the information made available to them for the purpose of operations.NAHR/Admin
6.4Disciplinary processYesTo ensure a process of appropriate disciplinary action  in case someone is found guilty of information misusage.NAEM
6.5Responsibilities after termination or change of employmentYesProcess of termination involves information/access returnNAHR/Admin
6.6Confidentiality or non-disclosure agreementsYesTo ensure information protection from business partners/employeesNAEM
6.7Remote workingN/ANARemote working not permitted 
6.8Information security event reportingYesTo ensure security events are reported and managed All users
 7Physical control   
7.1Physical security perimetersyesTo ensure physical protection against unauthorized accessNAEM and IT
7.2Physical entryyesTo ensure physical protection against unauthorized accessNAEM and IT
7.3Securing offices, rooms and facilitiesyesTo protect against external and environmental controlsNAIT
7.4Physical security monitoringyesTo protect against external and environmental controlsNAAdmin
7.5Protecting against physical and environmental threatsyesTo protect against external and environmental controlsNAIT
7.6Working in secure areasyesTo protect against external and environmental controlsNAEM and IT
7.7Clear desk and clear screenyesTo protect against unauthorized access/shoulder surfingNAAll users
7.8Equipment siting and protectionyesTo protect physical infrastructureNAIT/Admin
7.9Security of assets off-premisesyesTo protect physical infrastructure PM
7.10Storage mediayesTo ensure only authorized disclosure, modification, removal or destruction of information on storage
media.
NAIT
7.11Supporting utilitiesyesTo ensure continuous power availabilityNAIT
7.12Cabling securityyesTo ensure protection of telecom and network cablesNAIT
7.13Equipment maintenanceyesTo protect physical infrastructureNAIT
7.14Secure disposal or re-use of equipmentyesTo ensure longer life of equipment/Environment protectionNAIT
8Technological Controls    
8.1User endpoint devicesyesTo ensure all information in Endpoint device are secureNAIT
8.2Privileged access rightsyesTo ensure ‘need to know’ principle in each access by ensuring priviledged access right is restricted.NAIT/EM
8.3Information access restrictionyesTo ensure ‘need to know’ principle in each access by ensuring priviledged access right is restricted.NAIT
8.4Access to source codeN/ANASource Code is not maintained by hence this control is not applicable. 
8.5Secure authenticationYesTo protect sensitive authentication informationNAIT/All users
8.6Capacity managementYesTo ensure high availability of Data storageNAIT
8.7Protection against malwareYesTo protect against new malware threatsNAIT
8.8Management of technical vulnerabilitiesYesTo ensure secure operating environmentNAIT
8.9Configuration managementyesTo ensure hardware, software, services and networks function correctlyNAIT
8.10Information deletionYesInformation stored in information systems should be deleted when no longer required.NAAll users
8.11Data maskingN/ANASensitive data not transferred 
8.12Data leakage preventionyesprevent the unauthorized disclosure and extraction of information by individuals or systemsNAIT
8.13Information backupYesTo ensure higher availability of data/associated configurationNAIT
8.14Redundancy of information processing facilitiesYesTo ensure redundancy in information processing infrastructure minimizing failureNAIT
8.15LoggingYesTo ensure accountability and non-repudiationNAIT
8.16Monitoring activitiesYesTo detect anomalous behaviour for potential security incidentNAIT
8.17Clock synchronizationYesTo ensure accountability and non-repudiationNAIT
8.18Use of privileged utility programsYesTo protect network from unauthorized accessNAIT
8.19Installation of software on operational systemsYesTo ensure secure and ligimate software are installed in  secure operating environmentNAIT
8.20Networks securityYesTo ensure protection of networksNAIT
8.21Security of network servicesYesTo ensure protection of networksNAIT
8.22Segregation of networksYesTo ensure minimal impact of network in case of a security attackNAIT
8.23Web filteringyesprevent access to unauthorized web resources and malwareNAIT
8.24Use of cryptographyN/ANACryptographic keys are not proceured or generated and their life cycle is not managed 
8.25Secure development life cycleN/ANANo software development. 
8.26Application security requirementsN/ANANo application 
8.27Secure system architecture and engineering principlesN/ANANo software development. 
8.28Secure codingN/ANANo software development. 
8.29Security testing in development and acceptanceN/ANANo software development. 
8.30Outsourced developmentN/ANANo software development. 
8.31Separation of development, test and production environmentsN/ANANo software development. 
8.32Change managementYesTo ensure control of changesNAISMR
8.33Test informationN/ANANo software development. 
8.34Protection of information systems during audit testingYesTo ensure accountability and non-repudiationNAISMR

Back to Home Page

If you need assistance or have any doubt and need to ask any questions contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.

Leave a Reply