Statement of Applicability (SoA)

Date: 20.10.2021

IDControlMeasureControl Included
A.5Information security policies
A.5.1Management direction for information security
A.5.1.1.Policies for information SecurityInformation security policy must be established by the Management Board, and be made clear to all employees and relevant external parties.Yes
A.5.1.2Review of the policies for information securityThe information security policy must be reviewed periodically or in the event of any changes.Yes
A.6Organization of information security
A.6.1Internal Organization
A.6.1.1Information security roles and responsibilitiesAll responsibilities related to information security must be defined and assigned.Yes
A.6.1.2Segregation of dutiesConflicting duties and responsibilities must be separated to minimise the possibility of unauthorised or unintentional modification or misuse of the organisation's assets.Yes
A.6.1.3Contact with authoritiesAppropriate contacts with the relevant authorities must be ensured.Yes
A.6.1.4Contact with special interest groupsAppropriate contacts with relevant groups of specialists or other specialised security forums and trade associations must be ensured.Yes
A.6.1.5Information security in project managementProject management must consider information security regardless of the project type.Yes
A.6.2Mobile devices and teleworking
A.6.2.1Mobile device policyThe appropriate policy and the security controls supporting it must be adopted to manage risks related to the use of mobile devices.Yes
A.6.2.2TeleworkingInformation retrieved, processed or stored at teleworking locations must be protected by adopting the appropriate policy and security controls supporting it.Yes
A.7Human resource security
A.7.1Prior to employment
A.7.1.1ScreeningThe background of all job candidates must be checked in accordance with the applicable legislation, rules and ethical norms, and the scope of this checking must be in the right proportion to the requirements for the duties performed, information made available and risks perceived.Yes
A.7.1.2Terms of conditions of employmentContracts concluded with employees and subcontractors must formulate their and the organisation's responsibilities regarding information security.Yes
A.7.2During employment
A.7.2.1Management responsibilitiesThe Management must require employees and subcontractors to implement information security in accordance with the policies and procedures established in the organisation.Yes
A.7.2.2Information Security awareness, education and trainingAll employees of the organisation and also subcontractors, if applicable, must receive relevant awareness training appropriate for their duties, and regular update notifications regarding the organisation’s policies and procedures.Yes
A.7.2.3Disciplinary processA formal disciplinary process must be established and communicated to the employees for the purpose of disciplining employees who have compromised information security.Yes
A.7.3Termination and change of employment
A.7.3.1Termination or change of employment responsibilitiesInformation security responsibilities remaining in force after terminating or modifying the employment relationship must be defined and communicated to the employees or subcontractors, and their fulfilment ensured.Yes
A.8Asset management
A.8.1Responsibility for assets
A.8.1.1Inventory of assetsInformation assets and other assets related to information and information processing tools must be defined and an inventory list of these assets must be maintained.Yes
A.8.1.2Ownership of assetsThe inventory list must reflect the ownership of the assets included in the list.Yes
A.8.1.3Acceptable use of assetsThe rules establishing the acceptable use of information and information processing tools must be defined and documented.Yes
A.8.1.4Return of assetsAll employees and external users must return all assets in their possession at the end of their employment relationship, contract or agreement.Yes
A.8.2Information classification
A.8.2.1Classification of informationInformation should be classified based on legal requirements, values, criticality and sensitivity to unauthorised disclosure or modification.Yes
A.8.2.2Labelling of informationAn appropriate procedure must be created and established for labelling information according to the information security classification scheme used in the organisation.Yes
A.8.2.3Handling of assetsAppropriate asset handling procedures must be created and implemented in accordance with the information classification scheme used in the organisation.Yes
A.8.3Media handling
A.8.3.1Management of removable mediaGuidelines must be defined for external media (memory sticks, hard disks, etc.) management.Yes
A.8.3.2Disposal of mediaMedia no longer needed must be securely and safely disposed of in accordance with formal procedures.Yes
A.8.3.3Physical media transferMedia containing information must be protected against unacceptable misuse and tampering during transport.Yes
A.9Access Control
A.9.1Business requirements for access control
A.9.1.1Access control PolicyAccess control policy must be established, documented and reviewed based on business-related and information security requirements.Yes
A.9.1.2Access to networks and network servicesUsers may only have access to the network and network services that they are specifically permitted to use.Yes
A.9.2User access management
A.9.2.1User registration and de-registrationA formal user registration and de-registration process must be established for granting access rights.Yes
A.9.2.2User access provisioningA formal user registration and de-registration process must be established for all user types for granting and revoking access to all systems and services.Yes
A.9.2.3Management of privileged access rightsGranting and use of priority access rights must be restricted and controlled.Yes
A9.2.4Management of secret authentication information usersDistribution of confidential audit information must be controlled with a formal management process.Yes
A.9.2.5Review of user access rightsAsset owners must review the users’ access rights at regular intervals.Yes
A.9.2.6Removal or adjustment of access rightsAccess rights to information and information processing tools granted to employees and external users must be removed upon termination of their employment relationship or contract. The rights must be adjusted when the employment relationship changes, or the contract or agreement is modified.Yes
A.9.3User responsibilities
A.9.3.1Use of secret authentication informationUsers must be required to follow the organisation's practices when using secret authentication information.Yes
A.9.4System and application access control
A.9.4.1Information access restrictionAccess to information and the functionalities of application systems must be restricted in accordance with the access control policy.Yes
A.9.4.2Secure log-on proceduresWhere required by the access control policy, access to systems and applications must be controlled by secure log-on procedures.Yes
A.9.4.3Password management systemPassword management systems must be interactive and ensure high-quality passwords.Yes
A.9.4.4Use of privileged utility programsThe use of utilities capable of bypassing system and application security controls must be restricted and strictly controlled.Yes
A.9.4.5Access control to program source codeAccess to the source code of the programs must be restricted.Yes
A.10Cryptography
A.10.1Cryptographic controls
A.10.1.1Policy of the use of cryptographic controlsA policy of the use of cryptographic controls must be created and enforced to secure information.Yes
A.10.1.2Key managementA policy on the use, security, and lifetime of cryptographic keys should be created and enforced over their entire lifecycle.Yes
A.11Physical and environmental security
A.11.1Secure areas
A.11.1.1Physical security perimeterSecurity perimeters should be established in order to secure areas containing either sensitive or critical information and information processing facilities.Yes
A.11.1.2Physical entry controlsSecure areas must be protected by appropriate access controls to ensure that only authorised employees are allowed access.Yes
A.11.1.3Securing offices, rooms and facilitiesPhysical security must be designed and implemented for offices, rooms, and facilities.Yes
A.11.1.4Protecting against external and environmental threatsPhysical protection must be designed and implemented against natural disasters, malicious attacks or accidents.Yes
A.11.1.5Working in secure areasProcedures must be designed and adopted for working in secure areas.Yes
A.11.1.6Delivery and loading areasDelivery and loading areas and other such access points and other locations where unauthorised persons might enter the premises must be monitored to prevent unauthorised access and, where possible, isolated from information processing facilities.No
A.11.2Equipment
A.11.2.1Equipment Siting & ProtectionEquipment must be appropriately sited and secured to mitigate the risk of environmental hazards, risks and unauthorised access.Yes
A.11.2.2Supporting UtilitiesEquipment must be secured or power and communication cables supporting information services must be safeguarded from data capture, interferences and damage.Yes
A.11.2.3Cabling SecurityPower and communication cables used for carrying data or providing services must be safeguarded from data capture, interferences and damage.Yes
A.11.2.4Equipment MaintenanceEquipment should be correctly maintained to ensure its continued availability and integrity.Yes
A.11.2.5Removal of AssetsEquipment, information or software must not be taken off-premises without prior authorisation.Yes
A.11.2.6Security of Equipment & Assets Off-PremisesThe security of assets located off-premises must be implemented taking into account various risks of working outside the premises of the organisation.Yes
A.11.2.7Secure Disposal or Re-Use of EquipmentAll units of equipment containing storage media should be inspected prior to disposal or reuse to ensure that all sensitive data and licensed software has been removed or securely overwritten.Yes
A.11.2.8Unattended User EquipmentUsers must ensure adequate protection for their unattended equipment.Yes
A.11.2.9Clear Desk & Screen PolicyA clean desk policy must be adopted for paper documents and removable storage media, and a clear screen policy must be adopted for information processing tools.Yes
A.12Operations security
A.12.1Operational procedures and responsibilities
A.12.1.1Documented operating proceduresOperating procedures must be documented and made available to all users who need them.Yes
A.12.1.2Change managementChanges to the organisation, business processes, information processing tools and systems affecting information security must be controlled.Yes
A.12.1.3Capacity managementIn order to ensure the required system performance, the use of resources must be monitored and adjusted and future capacity requirements must be prognosed.Yes
A.12.1.4Separation of development, testing and operational environmentsTo reduce the risks of unauthorised access to or modification of the operational environment, development, testing and operational environments must be separated.Yes
A.12.2Protection from malware
A.12.2.1Controls against malwareDetection, prevention and recovery controls must be adopted to protect against malware, accompanied by appropriate user awareness.Yes
A.12.3Backup
A.12.3.1Information backupBackup copies of information, software and system images must be regularly created and tested according to the agreed-upon backup policy.Yes
A.12.4Logging and monitoring
A.12.4.1Event loggingEvent logs must be created to record user activities, errors and information security events, and these must be maintained and regularly reviewed.Yes
A.12.4.2Protection of log informationLogging tools and logging information must be protected against tampering and unauthorised access.Yes
A.12.4.3Administrator and operator logsThe activities of the system administrator and system operator must be logged and these logs must be protected and regularly reviewed.Yes
A.12.4.4Clock synchronizationThe clocks of all relevant information processing systems within the organisation or security domain must be synchronised with an agreed-upon reference source.Yes
A.12.5Control of operational software
A.12.5.1Installation of software on operational systemsProcedures must be established to control the installation of software on operating systems.Yes
A.12.6Technical vulnerability management
A.12.6.1Management of technical vulnerabilitiesInformation on technical vulnerabilities of information systems used must be obtained promptly, exposure of the organisation to such vulnerabilities must be assessed and appropriate measures taken to mitigate the risk involved.Yes
A.12.6.2Restriction on software installationRules governing software installation must be established for the users and implemented.Yes
A.12.7Information systems audit considerations
A.12.7.1Information systems audit controlsThe audit criteria and activities related to the checking of operational systems must be carefully designed and agreed upon in order to minimise interruption of operational processes.Yes
A.13Communications security
A.13.1Network security management
A.13.1.1Network controlsNetworks must be managed and controlled to protect information contained in systems and applications.Yes
A.13.1.2Security of network servicesSecurity mechanisms, service levels and management measures must be defined and included in all network service agreements, regardless of whether the services are obtained from the organisation itself or outsourced.Yes
A.13.1.3Segregation of networksGroups of information services, users and information systems must be segregated within networks.Yes
A.13.2Information transfer
A.13.2.1Information transfer policiesFormal transfer policies, procedures and security controls must be established to protect information transfer via all types of communication equipment.Yes
A.13.2.2Agreements of information transferAgreements must be concluded between the organisation and external parties for transferring information related to business activities.Yes
A.13.2.3Electronic messagingThe information contained in electronic messaging must be handled appropriately.Yes
A.13.2.4Confidentiality or nondisclosure agreementsRequirements for confidentiality and non-disclosure agreements must be defined and reviewed regularly, reflecting the information protection needs of the organisation.Yes
A.14System acquisition, development and maintenance
A.14.1Security requirements of information systems
A.14.1.1Information security requirements analysis and specificationInformation security requirements must be included in the requirements established for new information systems or improvements to existing information systems.Yes
A.14.1.2Securing application services on public networksApplication services running on public networks must be protected against fraud, disputes, and unauthorised disclosure and modification.Yes
A.14.1.3Protecting application services transactionsInformation contained in application services transactions must be protected against partial transfer, misrouting, unauthorised modification of messages, unauthorised disclosure, unauthorised duplication or reproduction of messages.Yes
A.14.2Security in development and support processes
A.14.2.1Secure development policySoftware and system development rules must be established and adopted for development works performed in the organisation.Yes
A.14.2.2System change control proceduresChanges to systems during the development lifecycle must be managed through formal change control procedures.Yes
A.14.2.3Technical review of applications after operating platform changesIn the event of major updates and changes to operating platforms, applications critical for the core business activities must be reviewed and tested to verify that the change does not adversely affect the activities or security of the organisation.Yes
A.14.2.4Restrictions on change to software packagesChanges to software packages must be controlled, restricted and regulated, as necessary.Yes
A.14.2.5Secure system engineering principlesPrinciples must be established for technological solutions of secure systems, and documented, maintained and adopted for all attempts to implement information systems.Yes
A.14.2.6Secure development environmentOrganisations must establish and appropriately protect secure development environments for the development and integration of systems covering the entire system development lifecycle.Yes
A.14.2.7Outsourced developmentThe organisation must supervise and monitor outsourced system development works.No
A.14.2.8System security testingTesting of security functionalities must be performed during the development works.Yes
A.14.2.9System acceptance testingAcceptance criteria programmes and the related criteria must be established for new information systems, updates and new versions.Yes
A.14.3Test data
A.14.3.1Protection of test dataTest data must be carefully selected, protected and controlled.Yes
A.15Supplier relationships
A.15.1Information security in supplier relationships
A.15.1.1Information security policy for supplier relationshipsInformation security requirements for mitigating the risks associated with the supplier's access to the organisation's assets must be agreed with the supplier and documented.Yes
A.15.1.2Addressing security within supplier agreementsRelevant information security requirements must be established and agreed with each supplier who accesses the organisation's information and processes or creates IT infrastructure components for it.Yes
A.15.1.3Information and communication technology supply chainAgreements with suppliers must include requirements to address information security risks related to the supply chain of ICT services and products.Yes
A.15.2 Supplier service delivery management
A.15.2.1Monitoring and review of supplier servicesOrganisations must regularly monitor, review and audit the delivery of supplier services.Yes
A.15.2.2Managing changes to supplier servicesChanges in the provision of services by suppliers, including the maintenance and improvement of existing information security policies, procedures and controls, must be managed, focusing on the criticality of the relevant enterprise information and production systems and processes, as well as the reassessment of risks.Yes
A.16Information security incident management
A.16.1Management of information security incidents & improvements
A.16.1.1Responsibilities and proceduresManaging responsibilities and procedures must be established to ensure a swift, effective and proper response to information security incidents.Yes
A.16.1.2Reporting information security eventsInformation security events should be reported as soon as possible via appropriate administrative channels.Yes
A.16.1.3Reporting information security weaknessesEmployees and subcontractors using the organisation's information systems and services should be required to notice vulnerabilities of the systems or services and report any occurrences or vulnerabilities.Yes
A.16.1.4Assessment of and decision on information security eventsInformation security events should be assessed and their classification as information security incidents should determined.Yes
A.16.1.5Response to information security incidentsInformation security incidents must be responded to in accordance with documented procedures.Yes
A.16.1.6Learning from information security incidentsInformation obtained from analysing and resolving information security incidents must be used to reduce the possibility or impact of future incidents.Yes
A.16.1.7Collection of evidenceThe organisation must define and implement procedures for the identification, collection, acquisition and storage of information suitable to be used as evidence.Yes
A.17Information security aspects of business continuity management
A.17.1Information security continuity
A.17.1.1Planning information security continuityThe organisation must define its requirements for security and the continuity of information security management in adverse situations, such as a crisis or disaster.Yes
A.17.1.2Implementing information security continuityThe organisation must establish, document, implement and maintain processes to ensure the required level of information security continuity in adverse situations.Yes
A.17.1.3Verify, review and evaluate information security continuityThe organisation must review the information security continuity controls established and implemented at regular intervals to ensure that they are adequate and effective in adverse situations.Yes
A.17.2Redundancies
A.17.2.1Availability of information processing facilitiesInformation processing tools should be implemented with sufficient duplication to meet availability requirements.Yes
A.18Compliance
A.18.1Compliance with legal and contractual requirements
A.18.1.1Identification of applicable legislation and contractual requirementsAll applicable requirements arising from legislation and contracts, and the method used by the organisation to comply with them must be clearly outlined, documented and kept appropriate for every information system and the organisation.Yes
A.18.1.2Intellectual property rightsAppropriate procedures must be adopted to ensure compliance with legislative, regulatory and contractual requirements and the requirements of the core business.Yes
A.18.1.3Protection of recordsDatasets must be protected against loss, destruction, falsification, unauthorised access, and disclosure in accordance with legislation, regulations and contractual obligations. Yes
A.18.1.4Privacy and protection of personally identifiable informationPrivacy and protection of personal data must be ensured in accordance with applicable legislation and regulations where appropriate.Yes
A.18.1.5Regulation of cryptographic controlsCryptographic security controls must be used in accordance with all applicable agreements, legislation and rules.Yes
A.18.2Information security reviews
A.18.2.1Independent review of information securityAn independent review of the organisation's approach to the management and implementation of information security (policies, procedures, rules) should be carried out at scheduled intervals or in the event of significant changes.Yes
A.18.2.2Compliance with security policies and standardsManagers must regularly review the compliance of information processing and procedures with relevant security policies and other requirements within their area of responsibility.Yes
A.18.2.3Technical compliance reviewThe compliance of information systems with the organisation’s guiding information security policy and standards must be regularly checked.Yes