Template SOA (ISMS)

This document provides an overview of the Statement of Applicability (SoA) for ISO/IEC 27001:2013. The SoA documents the control objectives and controls selected from Annex A of the standard. It contains a table listing each control, and indicates whether it is applicable and implemented along with the justification and reference for implementation. The SoA identifies the applicable objectives and controls to meet requirements from the risk assessment and addresses information security roles, project management, mobile devices, teleworking, human resources security, and management responsibilities.


Statement of Applicability (SoA)

ISO/IEC 27001:2013

Prepared By: Reviewed By: Approved By:

..................................... ..................................... ..........................................


STATEMENT OF APPLICABILITY (SoA)

DOCUMENT AMENDMENT RECORD

No. | Date | Issue / Amendment | Page | Description of Amendment | Approved By

Page: 1
I. Overview of the Statement of Applicability

The Statement of Applicability (SoA) summarises the decisions made during risk treatment. It documents the control objectives and controls selected from Annex A of ISO/IEC 27001:2013.

The SoA is a table in which each Annex A control is listed with its description, together with columns recording whether ……………………. has adopted that control. The columns are:

a) Applicable: Yes (Y) or No (N); and

b) Implemented: Yes (Y), Partial (P) or No (N).

A Justification column records why the control was adopted or not adopted, and a Reference column identifies where the policy statement or detailed procedure that implements the control is documented.

II. Identify applicable objectives and controls

The SoA prepared here records:

a) the control objectives and controls selected to meet the requirements identified by the risk assessment and risk treatment process, and the reasons for their selection;

b) the control objectives and controls currently implemented; and

c) the exclusion of any control objectives and controls listed in Annex A (Control objectives and controls) of ISO/IEC 27001:2013, and the justification for each exclusion.
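The column rules above (Y/N applicability, Y/P/N implementation status, a justification for every decision and a reference for every implemented control) are easy to check mechanically once the SoA table is exported as CSV. The script below is an added example written for this page, not part of the template or of ISO/IEC 27001; the CSV column names, the sample rows and the EXPECTED_CONTROLS subset of Annex A identifiers are assumptions constructed for illustration.

```python
"""SoA consistency checker (added example, not part of the SoA template).

Reads SoA rows with the columns control, applicable, implemented,
justification and reference, and reports rows that are internally
inconsistent or that leave expected Annex A controls uncovered.
"""
import csv
import io
import re

# Annex A identifiers look like A.<clause>.<objective>.<control>.
CONTROL_ID = re.compile(r"^A\.\d{1,2}\.\d\.\d{1,2}$")

# Hypothetical subset of Annex A identifiers the SoA must cover; a real
# check would list all 114 controls of ISO/IEC 27001:2013.
EXPECTED_CONTROLS = ["A.5.1.1", "A.5.1.2", "A.6.1.1", "A.6.1.2", "A.6.1.3", "A.9.2.3"]

# Constructed sample SoA rows (not taken from the template).
SAMPLE_SOA_CSV = """control,applicable,implemented,justification,reference
A.5.1.1,Y,Y,Required by risk treatment plan,ISMS-POL-01
A.5.1.2,Y,P,Annual review scheduled,ISMS-POL-01 s.4
A.6.1.1,Y,Y,,ISMS-ORG-02
A.6.1.2,N,Y,Single-person IT team,
A.9.2.3,Y,Y,Privileged access via PAM tool,
"""


def parse_soa(text):
    """Return the CSV rows as dicts with whitespace-trimmed string values."""
    return [{k: (v or "").strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def check_row(row):
    """Return a list of findings for one SoA row (empty when consistent)."""
    findings = []
    cid = row["control"]
    app = row["applicable"].upper()
    imp = row["implemented"].upper()
    if not CONTROL_ID.match(cid):
        findings.append(f"{cid}: malformed control identifier")
    if app not in ("Y", "N"):
        findings.append(f"{cid}: applicable must be Y or N, got {app!r}")
    if imp not in ("Y", "P", "N"):
        findings.append(f"{cid}: implemented must be Y, P or N, got {imp!r}")
    # A control excluded from the ISMS cannot also be (partially) implemented.
    if app == "N" and imp in ("Y", "P"):
        findings.append(f"{cid}: not applicable but marked implemented")
    # Both inclusion and exclusion need a recorded justification.
    if not row["justification"]:
        findings.append(f"{cid}: missing justification")
    # An applicable control that is in place must point at its policy or procedure.
    if app == "Y" and imp in ("Y", "P") and not row["reference"]:
        findings.append(f"{cid}: applicable control has no implementation reference")
    return findings


def check_soa(text, expected=EXPECTED_CONTROLS):
    """Check every row, flag duplicates, and report expected controls that are absent."""
    findings = []
    seen = set()
    for row in parse_soa(text):
        findings.extend(check_row(row))
        if row["control"] in seen:
            findings.append(f"{row['control']}: duplicate entry")
        seen.add(row["control"])
    for cid in expected:
        if cid not in seen:
            findings.append(f"{cid}: expected Annex A control missing from SoA")
    return findings


if __name__ == "__main__":
    for finding in check_soa(SAMPLE_SOA_CSV):
        print(finding)
```

Run against the constructed rows, the checker reports the empty justification on A.6.1.1, the contradictory N/Y pair on A.6.1.2, the missing reference on A.9.2.3 and the absence of A.6.1.3; an auditor will ask exactly these questions, so catching them before the SoA is signed off is cheaper than catching them in the certification audit.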

Table 1: SoA

Columns: Control | Applicable (Y/N) | Implemented (Y/P/N) | Justification | Implementation / Reference

A.5 INFORMATION SECURITY POLICIES

A.5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

A.5.1.1 Policies for information security
Control: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.

A.5.1.2 Review of the policies for information security
Control: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

A.6 ORGANIZATION OF INFORMATION SECURITY

A.6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

A.6.1.1 Information security roles and responsibilities
Control: All information security responsibilities shall be defined and allocated.

A.6.1.2 Segregation of duties
Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

A.6.1.3 Contact with authorities
Control: Appropriate contacts with relevant authorities shall be maintained.

A.6.1.4 Contact with special interest groups
Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

A.6.1.5 Information security in project management (new control in ISO/IEC 27001:2013)
Control: Information security shall be addressed in project management, regardless of the type of the project.

A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.

A.6.2.1 Mobile device policy
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

A.6.2.2 Teleworking
Control: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.

A.7 HUMAN RESOURCE SECURITY

A.7.1 Prior to employment
Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

A.7.1.1 Screening
Control: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics, and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

A.7.1.2 Terms and conditions of employment
Control: The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security.

A.7.2 During employment
Objective: To ensure that all employees and contractors are aware of and fulfil their information security responsibilities.

A.7.2.1 Management responsibilities
Control: Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

A.7.2.2 Information security awareness, education and training
Control: All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.

A.7.2.3 Disciplinary process
Control: There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

A.7.3 Termination or change of employment
Objective: To protect the organization's interests as part of the process of changing or terminating employment.

A.7.3.1 Termination or change of employment responsibilities
Control: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.

A.8 ASSET MANAGEMENT

A.8.1 Responsibility for assets
Objective: To identify organizational assets and define appropriate protection responsibilities.

A.8.1.1 Inventory of assets
Control: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

A.8.1.2 Ownership of assets
Control: Assets maintained in the inventory shall be owned.

A.8.1.3 Acceptable use of assets
Control: Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.

A.8.1.4 Return of assets
Control: All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.

A.8.2 Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

A.8.2.1 Classification of information
Control: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.

A.8.2.2 Labeling of information
Control: An appropriate set of procedures for information labeling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

A.8.2.3 Handling of assets
Control: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

A.8.3 Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

A.8.3.1 Management of removable media
Control: Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

A.8.3.2 Disposal of media
Control: Media shall be disposed of securely when no longer required, using formal procedures.

A.8.3.3 Physical media transfer
Control: Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.

A.9 ACCESS CONTROL

A.9.1 Business requirements of access control
Objective: To limit access to information and information processing facilities.

A.9.1.1 Access control policy
Control: An access control policy shall be established, documented and reviewed based on business and information security requirements.

A.9.1.2 Access to networks and network services
Control: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.2.1 User registration and de-registration
Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

A.9.2.2 User access provisioning
Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

A.9.2.3 Management of privileged access rights
Control: The allocation and use of privileged access rights shall be restricted and controlled.

A.9.2.4 Management of secret authentication information of users
Control: The allocation of secret authentication information shall be controlled through a formal management process.

A.9.2.5 Review of user access rights
Control: Asset owners shall review users' access rights at regular intervals.

A.9.2.6 Removal or adjustment of access rights
Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

A.9.3 User responsibilities
Objective: To make users accountable for safeguarding their authentication information.

A.9.3.1 Use of secret authentication information
Control: Users shall be required to follow the organization's practices in the use of secret authentication information.

A.9.4 System and application access control
Objective: To prevent unauthorized access to systems and applications.

A.9.4.1 Information access restriction
Control: Access to information and application system functions shall be restricted in accordance with the access control policy.

A.9.4.2 Secure log-on procedures
Control: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

A.9.4.3 Password management system
Control: Password management systems shall be interactive and shall ensure quality passwords.

A.9.4.4 Use of privileged utility programs
Control: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

A.9.4.5 Access control to program source code
Control: Access to program source code shall be restricted.

A.10 CRYPTOGRAPHY

A.10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

A.10.1.1 Policy on the use of cryptographic controls
Control: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

A.10.1.2 Key management
Control: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

A.11 PHYSICAL AND ENVIRONMENTAL SECURITY

A.11.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.

A.11.1.1 Physical security perimeter
Control: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

A.11.1.2 Physical entry controls
Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

A.11.1.3 Securing offices, rooms and facilities
Control: Physical security for offices, rooms and facilities shall be designed and applied.

A.11.1.4 Protecting against external and environmental threats
Control: Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.

A.11.1.5 Working in secure areas
Control: Procedures for working in secure areas shall be designed and applied.

A.11.1.6 Delivery and loading areas
Control: Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

A.11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

A.11.2.1 Equipment siting and protection
Control: Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

A.11.2.2 Supporting utilities
Control: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

A.11.2.3 Cabling security
Control: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.

A.11.2.4 Equipment maintenance
Control: Equipment shall be correctly maintained to ensure its continued availability and integrity.

A.11.2.5 Removal of assets
Control: Equipment, information or software shall not be taken off-site without prior authorization.

A.11.2.6 Security of equipment and assets off-premises
Control: Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises.

A.11.2.7 Secure disposal or re-use of equipment
Control: All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

A.11.2.8 Unattended user equipment
Control: Users shall ensure that unattended equipment has appropriate protection.

A.11.2.9 Clear desk and clear screen policy
Control: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

A.12 OPERATIONS SECURITY

A.12.1 Operational procedures and responsibilities
Objective: To ensure correct and secure operations of information processing facilities.

A.12.1.1 Documented operating procedures
Control: Operating procedures shall be documented, maintained and made available to all users who need them.

A.12.1.2 Change management
Control: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.

A.12.1.3 Capacity management
Control: The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

A.12.1.4 Separation of development, testing and operational environments
Control: Development, testing and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

A.12.2 Protection from malware
Objective: To ensure that information and information processing facilities are protected against malware.

A.12.2.1 Controls against malware
Control: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

A.12.3 Backup
Objective: To protect against loss of data.

A.12.3.1 Information backup
Control: Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.

A.12.4 Logging and monitoring
Objective: To record events and generate evidence.

A.12.4.1 Event logging
Control: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

A.12.4.2 Protection of log information
Control: Logging facilities and log information shall be protected against tampering and unauthorized access.

A.12.4.3 Administrator and operator logs
Control: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

A.12.4.4 Clock synchronization
Control: The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source.

A.12.5 Control of operational software
Objective: To ensure the integrity of operational systems.

A.12.5.1 Installation of software on operational systems
Control: Procedures shall be implemented to control the installation of software on operational systems.

A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.

A.12.6.1 Management of technical vulnerabilities
Control: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

A.12.6.2 Restrictions on software installation (new control in ISO/IEC 27001:2013)
Control: Rules governing the installation of software by users shall be established and implemented.

A.12.7 Information systems audit considerations
Objective: To minimize the impact of audit activities on operational systems.

A.12.7.1 Information systems audit controls
Control: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.

A.13 COMMUNICATIONS SECURITY

A.13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.

A.13.1.1 Network controls
Control: Networks shall be managed and controlled to protect information in systems and applications.

A.13.1.2 Security of network services
Control: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.

A.13.1.3 Segregation in networks
Control: Groups of information services, users and information systems shall be segregated on networks.

A.13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.

A.13.2.1 Information transfer policies and procedures
Control: Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

A.13.2.2 Agreements on information transfer
Control: Agreements shall address the secure transfer of business information between the organization and external parties.

A.13.2.3 Electronic messaging
Control: Information involved in electronic messaging shall be appropriately protected.

A.13.2.4 Confidentiality or non-disclosure agreements
Control: Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.

A.14 SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE

A.14.1 Security requirements of information systems
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

A.14.1.1 Information security requirements analysis and specification
Control: The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.

A.14.1.2 Securing application services on public networks
Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

A.14.1.3 Protecting application services transactions
Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

A.14.2 Security in development and support processes
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.2.1 Secure development policy (new control in ISO/IEC 27001:2013)
Control: Rules for the development of software and systems shall be established and applied to developments within the organization.

A.14.2.2 System change control procedures
Control: Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

A.14.2.3 Technical review of applications after operating platform changes
Control: When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

A.14.2.4 Restrictions on changes to software packages
Control: Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.

A.14.2.5 Secure system engineering principles (new control in ISO/IEC 27001:2013)
Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.

A.14.2.6 Secure development environment (new control in ISO/IEC 27001:2013)
Control: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

A.14.2.7 Outsourced development
Control: The organization shall supervise and monitor the activity of outsourced system development.

A.14.2.8 System security testing (new control in ISO/IEC 27001:2013)
Control: Testing of security functionality shall be carried out during development.

A.14.2.9 System acceptance testing
Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.

A.14.3 Test data
Objective: To ensure the protection of data used for testing.

A.14.3.1 Protection of test data
Control: Test data shall be selected carefully, protected and controlled.

A.15 SUPPLIER RELATIONSHIPS

A.15.1 Information security in supplier relationships
Objective: To ensure protection of the organization's assets that are accessible by suppliers.

A.15.1.1 Information security policy for supplier relationships (new control in ISO/IEC 27001:2013)
Control: Information security requirements for mitigating the risks associated with suppliers' access to the organization's assets shall be agreed with the supplier and documented.

A.15.1.2 Addressing security within supplier agreements
Control: All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate or provide IT infrastructure components for, the organization's information.

A.15.1.3 Information and communication technology supply chain (new control in ISO/IEC 27001:2013)
Control: Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.

A.15.2 Supplier service delivery management
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

A.15.2.1 Monitoring and review of supplier services
Control: Organizations shall regularly monitor, review and audit supplier service delivery.

A.15.2.2 Managing changes to supplier services
Control: Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

A.16 INFORMATION SECURITY INCIDENT MANAGEMENT

A.16.1 Management of information security incidents and improvements

Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.16.1.1 Responsibilities and procedures

Control:

Management responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incidents.
A.16.1.2 Reporting information security events

Control:

Information security events shall be reported through appropriate management channels as quickly as possible.

A.16.1.3 Reporting information security weaknesses

Control:

Employees and contractors using the organization's information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.

A.16.1.4 Assessment of and decision on information security events

(New Control in ISMS 2013)

Control:

Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.


A.16.1.5 Response to information security incidents

(New Control in ISMS 2013)

Control:

Information security incidents shall be responded to in accordance with the documented procedures.

A.16.1.6 Learning from information security incidents

Control:

Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.


A.16.1.7 Collection of evidence

Control:

The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information which can serve as evidence.

A.17 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT

A.17.1 Information security continuity

Objective: Information security continuity shall be embedded in the organization's business continuity management systems.

A.17.1.1 Planning information security continuity

Control:

The organization shall determine its requirements for information security management in adverse situations, e.g. during a crisis or disaster.
A.17.1.2 Implementing information security continuity

Control:

The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

A.17.1.3 Verify, review and evaluate information security continuity

Control:

The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

A.17.2 Redundancies

Objective: To ensure availability of information processing facilities.

A.17.2.1 Availability of information processing facilities

(New Control in ISMS 2013)

Control:

Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

A.18 COMPLIANCE

A.18.1 Compliance with legal and contractual requirements

Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

A.18.1.1 Identification of applicable legislation and contractual requirements

Control:

All relevant legislative, statutory, regulatory and contractual requirements, and the organization's approach to meeting these requirements, shall be explicitly identified, documented, and kept up to date for each information system and for the organization.
A.18.1.2 Intellectual property rights

Control:

Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory, and contractual requirements related to intellectual property rights and the use of proprietary software products.

A.18.1.3 Protection of records

Control:

Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual, and business requirements.

A.18.1.4 Privacy and protection of personally identifiable information

Control:

Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.

A.18.1.5 Regulation of cryptographic controls

Control:

Cryptographic controls shall be used in compliance with all relevant agreements, legislation, and regulations.

A.18.2 Information security reviews

Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

A.18.2.1 Independent review of information security

Control:

The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes occur.
A.18.2.2 Compliance with security policies and standards

Control:

Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards, and any other security requirements.

A.18.2.3 Technical compliance review

Control:

Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.


III. CONCLUSION

This report is presented to the senior management of ………… for consideration and approval.

IV. AUTHORIZATION

This document must be prepared by ……., reviewed by ………. and approved by ……………..
