q

ISO/IEC27001:2013 S
ver.

La presente opera è c
Attribuzione 4.0 Internazio
http://creativecommon
(http://creativecommons.o
Per distribuire il presente docum
Luciano Quartarone con link a htt
 qSOA
7001:2013 Statement of Applicability
ver. 1.0.0 - 14.04.2016

La presente opera è coperta dalla licenza

Attribuzione 4.0 Internazionale di Creative Commons.
http://creativecommons.org/licenses/by/4.0/
http://creativecommons.org/licenses/by/4.0/deed.it).
tribuire il presente documento bisogna riportarne l'autore
o Quartarone con link a http://www.lucianoquartarone.it).
qSOA ver. 1.0.0 - 14.04.2016

ISO/IEC 27001:2013 - Statement of Applica

N.B.: please note bolded rows mean that the control is mandatory

# Source Clause Section

1
A.5.1 Management
A.5 INFORMATION
direction for
SECURITY POLICY
information security
2

5 A.6.1 Internal
Organization

6 A.6 ORGANIZATION
OF INFORMATION
SECURITY

8
A.6.2 Mobile devices
and teleworking

9
10
A.7.1 Prior to
employment

11

12

A.7 HUMAN
RESOURCE
SECURITY

A.7.2 During
13
employment

14

A.7.3 Termination and

15
change of employment

16

17

A.8.1 Responsibility for

18 assets

19

A.8 ASSET
MANAGEMENT
20

A.8 ASSET
MANAGEMENT

21 A.8.2 Information
classification

22

23

24 A.8.3 Media handling

25

26
A.9.1 Business
requirements of access
control
27

28

29

30
A.9.2 User access
management
31

32

A.9 ACCESS
CONTROL
 A.9.2 User access
management

A.9 ACCESS
CONTROL
33

A.9.3 User
34
responsibilities

35

36

A.9.4 System and

application access
37 control

38

39

40
A.10.1 Cryptographic
A.10 CRYPTOGRAPHY
controls
41

42

43

44

A.11.1 Secure areas

45

46
 A.11.1 Secure areas

47

48

49 A.11 PHYSICAL AND

ENVIRONMENTAL
SECURITY

50

51

52
A.11.2 Equipment

53

54

55

56

57

58

A.12.1 Operational
procedures and
responsibilities
013
 A.12.1 Operational
procedures and
59 responsibilities

ISO/IEC 27001:2013
60

A.12.2 Protection from

61
malware

62 A.12.3 Backup

63

A.12 OPERATIONAL
64 SECURITY

A.12.4 Logging and

monitoring
65

66

A.12.5 Control of
67
operational software

68
A.12.6 Technical
vulnerability
management

69

A.12.7 Information
70 systems audit
considerations
71

A.13.1 Network
72
security management

73

A. 13
COMMUNICATIONS
74 SECURITY

75
A.13.2 Information
transfer
76

77

78

79 A.14.1 Security
requirements of
information systems

80

81

A. 14 SYSTEM
ACQUISITION,
DEVELOPMENT AND
MAINTENENCE
82

A. 14 SYSTEM
83 ACQUISITION,
DEVELOPMENT AND
MAINTENENCE

84

A.14.2 Security in
development and
85 support processes

86

87

88

89

90 A.14.3 Test data

91

A.15.1 Information
92 security in supplier
relationships

93 A.15 SUPPLIER
RELATIONSHIP
 A.15 SUPPLIER
RELATIONSHIP

94

A.15.2 Supplier service

delivery management
95

96

97

98

A.16.1 Management of
A.16 INFORMATION
information security
SECURITY INCIDENT
incidents and
MANAGEMENT
99 improvements

100

101

102

103

A.17 INFORMATION A.17.1 Information

SECURITY ASPECTS security continuity
OF BUSINESS
CONTINUITY
MANAGEMENT
104 A.17 INFORMATION A.17.1 Information
SECURITY ASPECTS security continuity
OF BUSINESS
CONTINUITY
MANAGEMENT

105

106 A.17.2 Redundancies

107

108

A.18.1 Compliance with

legal and contractual
requirements

109

110

A.18 COMPLIANCE

111

112

A.18.2 Information
security reviews
 A.18.2 Information
security reviews

113

114
tement of Applicability

Control Objective Control

A.5.1.1 - Policies for information

To provide management direction security
and support for information security
in accordance with business
requirements and relevant laws and
regulations. A.5.1.2 - Review of the policies
for information security

A.6.1.1 - Information security

roles and responsibilities

A.6.1.2 - Segregation of duties

To establish a management
framework to initiate and control the
A.6.1.3 - Contact with
implementation and operation of
authorities
information security within the
organization.
A.6.1.4 - Contact with special
interest groups

A.6.1.5 - Information security in

project management

A.6.2.1 - Mobile device policy

To ensure the security of teleworking
and use of mobile devices.

A.6.2.2 - Teleworking
To ensure that employees and A.7.1.1 - Screening
contractors understand their
responsibilities and are suitable for
the roles for which they are
considered.

A.7.1.2 - Terms and

conditions of employment

A.7.2.1 - Management
responsibilities

To ensure that employees and

A.7.2.2 - Information security
contractors are aware of and fulfil
awareness, education and
their information security
training
responsibilities.

A.7.2.3 - Disciplinary process

To protect the organization’s

A.7.3.1 - Termination or change
interests as part of the process of
of employment responsibilities
changing or terminating employment.

A.8.1.1 - Inventory of assets

A.8.1.2 - Ownership of assets

To identify organizational assets and

define appropriate protection
A.8.1.3 - Acceptable use of
responsibilities.
assets

A.8.1.4 - Return of assets

 A.8.2.1 - Classification of
information

To ensure that information

A.8.2.2 - Labelling of
receives an appropriate level of
information
protection in accordance with its
importance to the organization.

A.8.2.3 - Handling of assets

A.8.3.1 - Management of
removable media

To prevent unauthorized disclosure,

modification, removal or destruction A.8.3.2 - Disposal of media
of information stored on media.

A.8.3.3 - Physical media

transfer

A.9.1.1 - Access control

policy
To limit access to information and
information processing facilities.
A.9.1.2 - Access to networks
and network services

A.9.2.1 - User registration and

de-registration

A.9.2.2 - User access

provisioning

A.9.2.3 - Management of
To ensure authorized user access and privileged access rights
to prevent unauthorized access to
systems and services. A.9.2.4 - Management of secret
authentication information of
users
A.9.2.5 - Review of user access
rights
to prevent unauthorized access to
systems and services.

A.9.2.6 - Removal or adjustment

of access rights

To make users accountable for

A.9.3.1 - Use of secret
safeguarding their authentication
authentication information
information.

A.9.4.1 - Information access

restriction

A.9.4.2 - Secure log-on

procedures

To prevent unauthorized access to

systems and applications. A.9.4.3 - Password management
system

A.9.4.4 - Use of privileged utility

programs

A.9.4.5 - Access control to

program source code

A.10.1.1 - Policy on the use of

To ensure proper and effective use of cryptographic controls
cryptography to protect the
confidentiality, authenticity
and/or integrity of information. A.10.1.2 - Key management

A.11.1.1 - Physical security

perimeter

A.11.1.2 - Physical entry

controls

A.11.1.3 - Securing offices,

To prevent unauthorized physical rooms and facilities
access, damage and interference to A.11.1.4 - Protecting against
the organization’s information and external and environmental
information processing facilities. threats
A.11.1.5 - Working in secure
areas
To prevent unauthorized physical
access, damage and interference to
the organization’s information and
information processing facilities.

A.11.1.6 - Delivery and loading

areas

A.11.2.1 - Equipment siting and

protection

A.11.2.2 - Supporting utilities

A.11.2.3 - Cabling security

A.11.2.4 - Equipment
maintenance

To prevent loss, damage, theft or

compromise of assets and A.11.2.5 - Removal of assets
interruption to the organization’s
operations.
A.11.2.6 - Security of equipment
and assets off-premises

A.11.2.7 - Secure disposal or

reuse of equipment

A.11.2.8 - Unattended user

equipment

A.11.2.9 - Clear desk and clear

screen policy

A.12.1.1 - Documented
operating procedures

A.12.1.2 - Change management

To ensure correct and secure

operations of information processing
facilities.
To ensure correct and secure
operations of information processing
A.12.1.3 - Capacity
facilities.
management

A.12.1.4 - Separation of
development, testing and
operational environments

To ensure that information and

information processing facilities are A.12.2.1 - Controls against
protected against malware
malware.

To protect against loss of data. A.12.3.1 - Information backup

A.12.4.1 - Event logging

A.12.4.2 - Protection of log

information

To record events and generate

evidence. A.12.4.3 - Administrator and
operator logs

A.12.4.4 - Clock synchronisation

A.12.5.1 - Installation of
To ensure the integrity of operational
software on operational
systems.
systems

A.12.6.1 - Management of
technical vulnerabilities
To prevent exploitation of technical
vulnerabilities.

A.12.6.2 - Restrictions on
software installation

To minimise the impact of audit A.12.7.1 - Information systems

activities on operational systems. audit controls
 A.13.1.1 - Network controls

To ensure the protection of

information in networks and its A.13.1.2 - Security of network
supporting information processing services
facilities.

A.13.1.3 - Segregation in
networks

A.13.2.1 - Information transfer

policies and procedures

A.13.2.2 - Agreements on
To maintain the security of information transfer
information transferred within an
organization and with any external
entity. A.13.2.3 - Electronic messaging

A.13.2.4 - Confidentiality or
nondisclosure agreements

A.14.1.1 - Information security

requirements analysis and
specification

To ensure that information security is

an integral part of information
A.14.1.2 - Securing application
systems across the entire lifecycle.
This also includes the requirements services on public networks
for information systems which
provide services over public
networks.

A.14.1.3 - Protecting application

services transactions

A.14.2.1 - Secure development

policy
 A.14.2.2 - System change
control procedures

A.14.2.3 - Technical review of

applications after operating
platform changes

A.14.2.4 - Restrictions on
changes to software packages

To ensure that information security is

designed and implemented within the
development lifecycle of information A.14.2.5 - Secure system
systems. engineering principles

A.14.2.6 - Secure development

environment

A.14.2.7 - Outsourced
development

A.14.2.8 - System security

testing

A.14.2.9 - System acceptance

testing

To ensure the protection of data used A.14.3.1 - Protection of test

for testing. data

A.15.1.1 - Information
security policy for supplier
relationships

To ensure protection of the A.15.1.2 - Addressing security

organization’s assets that is within supplier agreements
accessible by suppliers.

A.15.1.3 - Information and

communication technology
supply chain
 A.15.2.1 - Monitoring and
review of supplier services

To maintain an agreed level of

information security and service
delivery in line with supplier
agreements. A.15.2.2 - Managing changes to
supplier services

A.16.1.1 - Responsibilities and

procedures

A.16.1.2 - Reporting information

security events

A.16.1.3 - Reporting information

security weaknesses
To ensure a consistent and effective
approach to the management of
information security
incidents, including communication A.16.1.4 - Assessment of and
on security events and weaknesses. decision on information security
events

A.16.1.5 - Response to
information security
incidents

A.16.1.6 - Learning from

information security incidents

A.16.1.7 - Collection of evidence

A.17.1.1 - Planning information

security continuity

Information security continuity shall

be embedded in the organization’s
business continuity management
systems.
Information security continuity shall A.17.1.2 - Implementing
be embedded in the organization’s information security
business continuity management continuity
systems.

A.17.1.3 - Verify, review and

evaluate information security
continuity

To ensure availability of information A.17.2.1 - Availability of

processing facilities. information processing facilities

A.18.1.1 - Identification of
applicable legislation and
contractual requirements

A.18.1.2 - Intellectual property

rights
To avoid breaches of legal, statutory,
regulatory or contractual obligations
related to information
security and of any security
requirements.
A.18.1.3 - Protection of records

A.18.1.4 - Privacy and

protection of personally
identifiable information

A.18.1.5 - Regulation of
cryptographic controls

A.18.2.1 - Independent review

of information security

To ensure that information security is

implemented and operated in
accordance with the
organizational policies and
procedures.
To ensure that information security is
implemented and operated in
accordance with the
organizational policies and
procedures. A.18.2.2 - Compliance with
security policies and standards

A.18.2.3 - Technical compliance

review
 Justification for Inclus

Legal
Contractual
Control Description Necessary Requirement
Obligations
s

A set of policies for information security

shall be defined, approved by
management, published and Yes
communicated to employees and relevant
external parties.
The policies for information security shall
be reviewed at planned intervals or if
significant changes occur to ensure their Yes
continuing suitability, adequacy and
effectiveness.
All information security responsibilities
Yes X X
shall be defined and allocated.
Conflicting duties and areas of
responsibility shall be segregated to
reduce opportunities for unauthorized or Yes
unintentional modification or misuse of
the organization’s assets.
Appropriate contacts with relevant
Yes
authorities shall be maintained.
Appropriate contacts with special interest
groups or other specialist security forums
Yes X
and professional associations shall be
maintained.
Information security shall be addressed in
project management, regardless of the Yes
type of the project.

A policy and supporting security measures

shall be adopted to manage the risks Yes
introduced by using mobile devices.

A policy and supporting security measures

shall be implemented to protect
Yes
information accessed, processed or stored
at teleworking sites.
Background verification checks on all
candidates for employment shall be
carried out in accordance with relevant
laws, regulations and ethics and shall be Yes
proportional to the business requirements,
the classification of the information to be
accessed and the perceived risks.

The contractual agreements with

employees and contractors shall
state their and the organization’s Yes X X
responsibilities for information
security.
Management shall require all employees
and contractors to apply information
security in accordance with the Yes
established policies and procedures of the
organization.

All employees of the organization and,

where relevant, contractors shall receive
appropriate awareness education and
Yes
training and regular updates in
organizational policies and procedures, as
relevant for their job function.

There shall be a formal and communicated

disciplinary process in place to take action
Yes X X
against employees who have committed
an information security breach.

Information security responsibilities and

duties that remain valid after termination
or change of employment shall be defined, Yes
communicated to the employee or
contractor and enforced.
Information, other assets associated
with information and information
processing facilities shall be
Yes
identified and an inventory of these
assets shall be drawn up and
maintained.
Assets maintained in the inventory shall
Yes
be owned.
Rules for the acceptable use of
information and of assets associated
with information and information
Yes
processing facilities shall be
identified, documented and
implemented.
All employees and external party users
shall return all of the organizational assets
Yes
in their possession upon termination of
their employment, contract or agreement.
Information shall be classified in
terms of legal requirements, value,
criticality and sensitivity to Yes X
unauthorised disclosure or
modification.
An appropriate set of procedures for
information labelling shall be
developed and implemented in
Yes X
accordance with the information
classification scheme adopted by the
organization.
Procedures for handling assets shall
be developed and implemented in
accordance with the information Yes X
classification scheme adopted by the
organization.
Procedures shall be implemented for the
management of removable media in
Yes X
accordance with the classification scheme
adopted by the organization.
Media shall be disposed of securely when
no longer required, using formal Yes X
procedures.
Media containing information shall be
protected against unauthorized access,
Yes
misuse or corruption during
transportation.
An access control policy shall be
established, documented and
Yes X
reviewed based on business and
information security requirements.
Users shall only be provided with access
to the network and network services that
Yes X
they have been specifically authorized to
use.

A formal user registration and de-

registration process shall be implemented Yes X
to enable assignment of access rights.

A formal user access provisioning process

shall be implemented to assign or revoke
Yes X
access rights for all user types to all
systems and services.
The allocation and use of privileged
access rights shall be restricted and Yes X
controlled.
The allocation of secret authentication
information shall be controlled through a Yes
formal management process.
Asset owners shall review users’ access
Yes X
rights at regular intervals.
The access rights of all employees and
external party users to information and
information processing facilities shall be
Yes
removed upon termination of their
employment, contract or agreement, or
adjusted upon change.
Users shall be required to follow the
organization’s practices in the use of Yes
secret authentication information.

Access to information and application

system functions shall be restricted in Yes
accordance with the access control policy.

Where required by the access control

policy, access to systems and applications
Yes
shall be controlled by a secure log-on
procedure.
Password management systems shall be
interactive and shall ensure quality Yes
passwords.
The use of utility programs that might be
capable of overriding system and
Yes X
application controls shall be restricted and
tightly controlled.
Access to program source code shall be
No
restricted.
A policy on the use of cryptographic
controls for protection of information shall Yes
be developed and implemented.
A policy on the use, protection and
lifetime of cryptographic keys shall be
Yes
developed and implemented through their
whole lifecycle.
Security perimeters shall be defined and
used to protect areas that contain either
Yes X
sensitive or critical information and
information processing facilities.
Secure areas shall be protected by
appropriate entry controls to ensure that
Yes X
only authorized personnel are allowed
access.
Physical security for offices, rooms and
Yes X
facilities shall be designed and applied.
Physical protection against natural
disasters, malicious attack or accidents Yes X
shall be designed and applied.
Procedures for working in secure areas
Yes X
shall be designed and applied.
Access points such as delivery and loading
areas and other points where
unauthorized persons could enter the
premises shall be controlled and, if Yes X
possible, isolated from information
processing facilities to avoid unauthorized
access.

Equipment shall be sited and protected to

reduce the risks from environmental
Yes X
threats and hazards, and opportunities for
unauthorized access.
Equipment shall be protected from power
failures and other disruptions caused by Yes X
failures in supporting utilities.

Power and telecommunications cabling

carrying data or supporting information
Yes X
services shall be protected from
interception, interference or damage.

Equipment shall be correctly maintained

to ensure its continued availability and Yes X
integrity.
Equipment, information or software shall
not be taken off-site without prior Yes
authorization.
Security shall be applied to off-site assets
taking into account the different risks of
Yes
working outside the organization’s
premises.

All items of equipment containing storage

media shall be verified to ensure that any
sensitive data and licensed software has Yes
been removed or securely overwritten
prior to disposal or re-use.

Users shall ensure that unattended

Yes
equipment has appropriate protection.
A clear desk policy for papers and
removable storage media and a clear
Yes
screen policy for information processing
facilities shall be adopted.
Operating procedures shall be
documented and made available to Yes
all users who need them.
Changes to the organization, business
processes, information processing
Yes X
facilities and systems that affect
information security shall be controlled.
The use of resources shall be monitored,
tuned and projections made of future
Yes X
capacity requirements to ensure the
required system performance.

Development, testing, and operational

environments shall be separated to
Yes X
reduce the risks of unauthorized access or
changes to the operational environment.

Detection, prevention and recovery

controls to protect against malware shall
Yes X
be implemented, combined with
appropriate user awareness.
Backup copies of information, software
and system images shall be taken and
Yes X
tested regularly in accordance with an
agreed backup policy.
Event logs recording user activities,
exceptions, faults and information
Yes X
security events shall be produced,
kept and regularly reviewed.
Logging facilities and log information shall
be protected against tampering and Yes X
unauthorized access.
System administrator and system
operator activities shall be logged
Yes X
and the logs protected and regularly
reviewed.

The clocks of all relevant information

processing systems within an organization
Yes X
or security domain shall be synchronised
to a single reference time source.

Procedures shall be implemented to

control the installation of software on Yes X
operational systems.

Information about technical vulnerabilities

of information systems being used shall be
obtained in a timely fashion, the
organization’s exposure to such Yes X
vulnerabilities evaluated and appropriate
measures taken to address the associated
risk.

Rules governing the installation of

software by users shall be established and Yes
implemented.

Audit requirements and activities involving

verification of operational systems shall be
Yes
carefully planned and agreed to minimise
disruptions to business processes.
Networks shall be managed and controlled
to protect information in systems and Yes X
applications.
Security mechanisms, service levels and
management requirements of all network
services shall be identified and included in
Yes X
network services agreements, whether
these services are provided in-house or
outsourced.
Groups of information services, users and
information systems shall be segregated Yes X
on networks.
Formal transfer policies, procedures and
controls shall be in place to protect the
Yes
transfer of information through the use of
all types of communication facilities.
Agreements shall address the secure
transfer of business information between Yes X X
the organization and external parties.
Information involved in electronic
messaging shall be appropriately Yes
protected.
Requirements for confidentiality or
non-disclosure agreements reflecting
the organization’s needs for the
Yes X X
protection of information shall be
identified, regularly reviewed and
documented.
The information security related
requirements shall be included in the
requirements for new information systems Yes X
or enhancements to existing information
systems.

Information involved in application

services passing over public networks
shall be protected from fraudulent activity, No
contract dispute and unauthorized
disclosure and modification.

Information involved in application service

transactions shall be protected to prevent
incomplete transmission, mis-routing,
No
unauthorized message alteration,
unauthorized disclosure, unauthorized
message duplication or replay.

Rules for the development of software and

systems shall be established and applied Yes X
to developments within the organization.
Changes to systems within the
development lifecycle shall be controlled
Yes
by the use of formal change control
procedures.
When operating platforms are changed,
business critical applications shall be
reviewed and tested to ensure there is no Yes X
adverse impact on organizational
operations or security.
Modifications to software packages shall
be discouraged, limited to necessary
Yes X
changes and all changes shall be strictly
controlled.
Principles for engineering secure
systems shall be established,
documented, maintained and applied Yes X
to any information system
implementation efforts.

Organizations shall establish and

appropriately protect secure development
environments for system development Yes X
and integration efforts that cover the
entire system development lifecycle.

The organization shall supervise and

monitor the activity of outsourced system No
development.
Testing of security functionality shall be
Yes X
carried out during development.
Acceptance testing programs and related
criteria shall be established for new
Yes X
information systems, upgrades and new
versions.
Test data shall be selected carefully,
Yes X
protected and controlled.
Information security requirements for
mitigating the risks associated with
supplier’s access to the Yes X
organization’s assets shall be agreed
with the supplier and documented.
All relevant information security
requirements shall be established and
agreed with each supplier that may
Yes X X
access, process, store, communicate, or
provide IT infrastructure components for,
the organization’s information.

Agreements with suppliers shall include

requirements to address the information
security risks associated with information Yes X X
and communications technology services
and product supply chain.
Organizations shall regularly monitor,
Yes X
review and audit supplier service delivery.

Changes to the provision of services by

suppliers, including maintaining and
improving existing information security
policies, procedures and controls, shall be
Yes X
managed, taking account of the criticality
of business information, systems and
processes involved and re-assessment of
risks.

Management responsibilities and

procedures shall be established to ensure
Yes X
a quick, effective and orderly response to
information security incidents.

Information security events shall be

reported through appropriate
Yes X
management channels as quickly as
possible.

Employees and contractors using the

organization’s information systems and
services shall be required to note and
Yes X
report any observed or suspected
information security weaknesses in
systems or services.

Information security events shall be

assessed and it shall be decided if they
Yes X
are to be classified as information security
incidents.
Information security incidents shall
be responded to in accordance with Yes X
the documented procedures.
Knowledge gained from analysing and
resolving information security incidents
Yes X
shall be used to reduce the likelihood or
impact of future incidents.

The organization shall define and apply

procedures for the identification,
Yes X
collection, acquisition and preservation of
information, which can serve as evidence.

The organization shall determine its

requirements for information security and
the continuity of information security Yes
management in adverse situations, e.g.
during a crisis or disaster.
The organization shall establish,
document, implement and maintain
processes, procedures and controls
Yes
to ensure the required level of
continuity for information security
during an adverse situation.

The organization shall verify the

established and implemented information
security continuity controls at regular
Yes
intervals in order to ensure that they are
valid and effective during adverse
situations.
Information processing facilities shall be
implemented with redundancy sufficient Yes
to meet availability requirements.
All relevant legislative statutory,
regulatory, contractual requirements
and the organization’s approach to
meet these requirements shall be Yes
explicitly identified, documented and
kept up to date for each information
system and the organization.

Appropriate procedures shall be

implemented to ensure compliance with
legislative, regulatory and contractual
Yes X
requirements related to intellectual
property rights and use of proprietary
software products.

Records shall be protected from loss,

destruction, falsification, unauthorized
access and unauthorized release, in Yes X
accordance with legislatory, regulatory,
contractual and business requirements.
Privacy and protection of personally
identifiable information shall be ensured
Yes X
as required in relevant legislation and
regulation where applicable.
Cryptographic controls shall be used in
compliance with all relevant agreements, Yes X
legislation and regulations.

The organization’s approach to managing

information security and its
implementation (i.e. control objectives,
controls, policies, processes and
Yes
procedures for information security) shall
be reviewed independently at planned
intervals or when significant changes
occur.
Managers shall regularly review the
compliance of information processing and
procedures within their area of
Yes
responsibility with the appropriate security
policies, standards and any other security
requirements.

Information systems shall be regularly

reviewed for compliance with the
Yes X
organization’s information security policies
and standards.
fication for Inclusion

Business
Risk
Requirement
Assessment Implemented
s / Best
Results
Practices

X X Yes

X X No

X Yes

X X Yes

X X Yes

X X Yes

X Yes

X X Yes

No
X X Yes

X X Yes

X X Yes

X X Yes

X X Yes

X Yes

X Yes

X Yes

X X Yes

X Yes
X X Yes

X X Yes

X X Yes

X Yes

X Yes

X Yes

X X Yes

X X Yes

X X Yes

X X Yes

X X Yes

X X Yes

X X Yes
X X Yes

X X Yes

X X Yes

X X Yes

X X Yes

X X Yes

No

X X Yes

X X Yes

X Yes

X Yes

X Yes

X Yes

X Yes
X Yes

X Yes

X Yes

X X Yes

X Yes

X Yes

X Yes

X Yes

X X Yes

X X Yes

X X Yes

X Yes
X X Yes

X X Yes

X X Yes

X Yes

X X Yes

X X Yes

X X Yes

X X Yes

X X Yes

X X Yes

X X Yes

X X Yes
X X Yes

X X Yes

X X Yes

X X Yes

X X Yes

X X Yes

X X Yes

X Yes

No

No

X Yes
X Yes

X Yes

X Yes

X Yes

X Yes

No

X Yes

X X Yes

X Yes

X X Yes

X X Yes

X X Yes
X X Yes

X X Yes

X X Yes

X Yes

X X Yes

X Yes

X Yes

X X Yes

X X Yes

X Yes
X Yes

X Yes

X Yes

X X Yes

X X Yes

X X Yes

X X Yes

X X Yes

X X Yes
X X Yes

X X Yes
Justification for exclusion
 Security
Control
Note
Maturity
Level

Optimized

This control in required to address Risck

Initial
n°…

Optimized

Optimized

Managed

Managed

Optimized

Optimized

Not Applicable
Managed

Optimized

Optimized

Managed

Optimized

Optimized

Managed

Managed

Optimized

Optimized
Optimized

Limited

Optimized

Optimized

Optimized

Optimized

Optimized

Optimized

Managed

Managed

Managed

Managed

Optimized
 Optimized

Defined

Optimized

Managed

Optimized

Optimized

Not Applicable

Managed

Optimized

Optimized

Optimized

Optimized

Optimized

Optimized
Optimized

Optimized

Optimized

Optimized

Optimized

Optimized

Optimized

Optimized

Optimized

Managed

Optimized

Optimized
Optimized

Optimized

Optimized

Optimized

Optimized

Optimized

Optimized

Optimized

Optimized

Optimized

Optimized

Optimized
 Optimized

Optimized

Optimized

Optimized

Optimized

Optimized

Optimized

Optimized

Not Applicable

Not Applicable

Optimized
 Optimized

Optimized

Optimized

Optimized

Optimized

Not Applicable

Optimized

Optimized

Optimized

Optimized

Optimized

Optimized
Optimized

Optimized

Optimized

Optimized

Optimized

Optimized

Optimized

Optimized

Optimized

Defined
 Defined

Defined

Optimized

Optimized

Optimized

Optimized

Optimized

Optimized

Optimized
Optimized

Optimized
 Ratio of
Level Meaning Security
Controls

? Unknown ? Has not even been checked yet 0.00%

Non existent Complete lack of recognizable policy, procedure, control etc. 0.00%

Development has barely started and will require significant

Initial 0.00%
work to fulfill the requirements

Limited Progressing nicely but not yet complete 0.88%

Development is more or less complete although detail is

Defined lacking and/or it is not yet implemented, enforced and 3.51%
actively supported by top management

Development is complete, the process/control has been

Managed 10.53%
implemented and recently started operating

The requirement is fully satisfied, is operating fully as

Optimized expected, is being actively monitored and improved, and 76.32%
there is substantial evidence to prove all that to the auditors

Not Applicable N/A 4.39%

checksum 95.61%
Ratio of Security Controls

Not ApplicableLimited Defined Managed

5% 1% 4% 11%

Optimized
80%