Organizational Controls (37 controls)
A.5.1
Policies for information security
Applicable
The organisation maintains an Information Security Policy and additional security-related policies, including Access Control, Backup and Recovery, and Cloud Security. These policies are currently in development and pending formal approval. The organisation has established a framework of security policies that are regularly updated.
A.5.2
Information security roles and responsibilities
Applicable
Information security roles and responsibilities are formally defined within the organisation's authorization matrix. Six distinct roles have been established with seven role assignments across users, ensuring clear accountability for security functions. Documentation of these roles is currently in development.
A.5.3
Segregation of duties
Applicable
Segregation of duties is implemented through the authorization matrix, with distinct roles separating conflicting responsibilities. Documentation for these roles is currently in development.
A.5.4
Management responsibilities
Applicable
Management responsibilities for information security are defined within the governance framework. The authorization matrix assigns security accountabilities across the organisation.
A.5.5
Contact with authorities
Applicable
Contact information for authorities is documented and managed through centralised systems. The contact list is currently in development and pending formal approval.
A.5.6
Contact with special interest groups
Applicable
Implementation details for contact with special interest groups are pending documentation within the governance platform.
A.5.7
Threat intelligence
Applicable
The organisation maintains a risk management programme that includes threat intelligence gathering and analysis. Risks are formally tracked in a risk register with mitigation strategies defined, though outstanding risks still require remediation activity.
A.5.8
Information security in project management
Applicable
Implementation details for this control are pending documentation within the governance platform.
A.5.9
Inventory of information and other associated assets
Applicable
The organisation maintains an inventory of information and associated assets. Assets are documented and tracked within the governance platform, including highly confidential data.
A.5.10
Acceptable use of information and other associated assets
Applicable
Implementation details for this control are pending documentation within the governance platform.
A.5.11
Return of assets
Applicable
The organisation maintains an asset inventory that tracks information and associated assets. Assets are documented and managed throughout their lifecycle, including return procedures upon termination of employment or contract.
A.5.12
Classification of information
Applicable
The organisation classifies information according to its sensitivity and business value. The Information Security Policy defines classification schemes that are applied consistently across the organisation, including for highly confidential data.
A.5.13
Labelling of information
Applicable
Information assets are labelled according to their classification. The Information Security Policy outlines labelling procedures to ensure appropriate handling and protection throughout the asset lifecycle.
A.5.14
Information transfer
Applicable
Implementation details for information transfer procedures are pending documentation within the governance platform.
A.5.15
Access control
Applicable
Access control is managed through the organisation's authorization matrix, which defines role-based permissions across systems. Access rights are granted based on documented business requirements and role assignments.
A.5.16
Identity management
Applicable
User identities are managed through the governance platform with user accounts tracked. Identity lifecycle processes cover provisioning, modification, and deprovisioning.
A.5.17
Authentication information
Applicable
Authentication mechanisms verify user identities. Multi-factor authentication is available, but adoption remains low, so most user accounts do not yet benefit from it.
A.5.18
Access rights
Applicable
Access rights are managed through the organisation's authorization matrix. Role-based access control ensures that permissions are granted according to documented business requirements.
A.5.19
Information security in supplier relationships
Applicable
The organisation maintains a vendor management programme through which third-party relationships are identified and assessed. Suppliers are evaluated for security risk before engagement.
A.5.20
Addressing information security within supplier agreements
Applicable
Implementation details for addressing information security within supplier agreements are pending documentation within the governance platform.
A.5.21
Managing information security in the ICT supply chain
Applicable
The organisation actively manages information security in the ICT supply chain through its vendor management programme. Suppliers are tracked and assessed for security risk, with a moderate number of vendors currently under management.
A.5.22
Monitoring, review and change management of supplier services
Applicable
Supplier services are monitored and reviewed through the organisation's vendor management system. The third-party risk management (TPRM) module tracks vendor relationships and supports change management processes.
A.5.23
Information security for use of cloud services
Applicable
Information security requirements for cloud service providers are managed through the organisation's vendor management framework. The third-party risk management (TPRM) module ensures cloud services are assessed and monitored for security compliance.
A.5.24
Information security incident management planning and preparation
Applicable
Information security incident management planning is in development; the supporting company information document is still in draft. The organisation actively tracks and manages security events through defined processes.
A.5.25
Assessment and decision on information security events
Applicable
Security incidents are assessed and classified according to defined criteria. Response priorities are determined based on impact and urgency. An incident assessment document is in development.
A.5.26
Response to information security incidents
Applicable
Response procedures for information security incidents are in development. The organisation tracks and manages incidents through formal processes, with positive trends in resolution times.
A.5.27
Learning from information security incidents
Applicable
Lessons learned from information security incidents are being documented. The organisation uses incident data to improve security controls and procedures, demonstrating active management.
A.5.28
Collection of evidence
Applicable
Evidence collection procedures are established for security incidents. Records are maintained to support investigation and analysis.
A.5.29
Information security during disruption
Applicable
A business continuity plan is in development. The organisation identifies critical systems and prepares for information security during disruptions.
A.5.30
ICT readiness for business continuity
Applicable
ICT readiness for business continuity is documented in a draft strategy and OKRs document. The organisation identifies and tracks critical assets to support continuity planning.
A.5.31
Legal, statutory, regulatory and contractual requirements
Applicable
The organisation maintains a draft document titled "ℹ️ Company information" that addresses legal, statutory, regulatory, and contractual requirements. This documentation is currently under development and pending formal approval.
A.5.32
Intellectual property rights
Applicable
Implementation details for intellectual property rights management are pending documentation.
A.5.33
Protection of records
Applicable
Implementation details for protection of records are pending documentation within the governance platform.
A.5.34
Privacy and protection of PII
Applicable
Implementation details for privacy and protection of personally identifiable information (PII) are pending documentation within the governance platform.
A.5.35
Independent review of information security
Applicable
The organisation conducts periodic independent reviews of its information security practices through its internal audit management system. Audits assess compliance with policies and identify improvement opportunities.
A.5.36
Compliance with policies, rules and standards for information security
Applicable
Compliance with security policies and standards is monitored through regular internal audits. Non-conformities are tracked and addressed through corrective actions.
A.5.37
Documented operating procedures
Applicable
The organisation maintains an approved Information Security Policy along with other documented operating procedures. These documents are reviewed and updated periodically to ensure continued relevance.
People Controls (8 controls)
A.6.1
Screening
Applicable
Implementation details for background verification of candidates are pending documentation within the governance platform.
A.6.2
Terms and conditions of employment
Applicable
Implementation details for employment terms and conditions related to information security are pending documentation within the governance platform.
A.6.3
Information security awareness, education and training
Applicable
Implementation details for security awareness and training programmes are pending documentation within the governance platform.
A.6.4
Disciplinary process
Applicable
Implementation details for this control are pending documentation within the governance platform.
A.6.5
Responsibilities after termination or change of employment
Applicable
Implementation details for this control are pending documentation within the governance platform.
A.6.6
Confidentiality or non-disclosure agreements
Applicable
Implementation details for this control are pending documentation within the governance platform.
A.6.7
Remote working
Applicable
Implementation details for this control are pending documentation within the governance platform.
A.6.8
Information security event reporting
Applicable
The organisation has established guidelines, in draft form, for reporting information security events. The "ℹ️ Company information" document that holds them is currently in development.
Physical Controls (14 controls)
A.7.1
Physical security perimeters
Applicable
Implementation details for this control are pending documentation within the governance platform.
A.7.2
Physical entry
Applicable
Implementation details for this control are pending documentation within the governance platform.
A.7.3
Securing offices, rooms and facilities
Applicable
Offices, rooms, and facilities are secured and managed through centralised asset tracking. Critical assets are identified and protected according to their classification.
A.7.4
Physical security monitoring
Applicable
Implementation details for this control are pending documentation within the governance platform.
A.7.5
Protecting against physical and environmental threats
Applicable
Implementation details for this control are pending documentation within the governance platform.
A.7.6
Working in secure areas
Applicable
The organisation manages security in working areas through centralised systems. Critical assets are identified and protected according to their security requirements.
A.7.7
Clear desk and clear screen
Applicable
Implementation details for clear desk and clear screen policies are pending documentation within the governance platform.
A.7.8
Equipment siting and protection
Applicable
Implementation details for equipment siting and protection are pending documentation within the governance platform.
A.7.9
Security of assets off-premises
Applicable
The organisation manages the security of assets used off-premises. Controls are in place to protect equipment and information when used outside of organisation facilities.
A.7.10
Storage media
Applicable
Implementation details for storage media management are pending documentation within the governance platform.
A.7.11
Supporting utilities
Applicable
Implementation details for supporting utilities protection are pending documentation within the governance platform.
A.7.12
Cabling security
Applicable
Implementation details for cabling security are pending documentation within the governance platform.
A.7.13
Equipment maintenance
Applicable
Implementation details for equipment maintenance are pending documentation within the governance platform.
A.7.14
Secure disposal or re-use of equipment
Applicable
The organisation maintains procedures for the secure disposal or re-use of equipment. Assets are tracked and managed through centralised systems to ensure proper handling throughout their lifecycle.
Technological Controls (34 controls)
A.8.1
User endpoint devices
Applicable
Implementation details for user endpoint devices are pending documentation within the governance platform.
A.8.2
Privileged access rights
Applicable
Privileged access rights are controlled through the organisation's authorization matrix, which defines distinct roles for administrative functions. The matrix includes six roles with eight role assignments, ensuring that administrative access is granted only to authorised personnel.
A.8.3
Information access restriction
Applicable
Information access is restricted based on defined roles within the authorization matrix. Access rights are granted according to the principle of least privilege, ensuring users have access only to necessary information.
A.8.4
Access to source code
Applicable
Access to source code and development tools is controlled through defined roles. Developer access is managed within the authorization framework.
A.8.5
Secure authentication
Applicable
Secure authentication is implemented across the organisation. Multi-factor authentication is in use, but at a 7% adoption rate it protects only a small minority of user accounts; wider enforcement is needed before this control can be considered effective.
A.8.6
Capacity management
Applicable
Implementation details for capacity management are pending documentation within the governance platform.
A.8.7
Protection against malware
Applicable
Implementation details for protection against malware are pending documentation within the governance platform.
A.8.8
Management of technical vulnerabilities
Applicable
Technical vulnerabilities are identified through regular scanning and assessment, then prioritised and tracked through to remediation. The organisation maintains an active vulnerability management programme.
A.8.9
Configuration management
Applicable
Implementation details for this control are pending documentation within the governance platform.
A.8.10
Information deletion
Applicable
Implementation details for information deletion are pending documentation within the governance platform.
A.8.11
Data masking
Applicable
Implementation details for data masking are pending documentation within the governance platform.
A.8.12
Data leakage prevention
Applicable
Implementation details for data leakage prevention are pending documentation within the governance platform.
A.8.13
Information backup
Applicable
Implementation details for information backup procedures are pending documentation within the governance platform.
A.8.14
Redundancy of information processing facilities
Applicable
Implementation details for redundancy of information processing facilities are pending documentation within the governance platform.
A.8.15
Logging
Applicable
Implementation details for logging activities are pending documentation within the governance platform.
A.8.16
Monitoring activities
Applicable
Security monitoring includes vulnerability detection and alerting, and systems are monitored for security events and potential compromise. Vulnerability scanning is active; a significant number of findings are tracked, and recent remediation activity shows an improving trend.
A.8.17
Clock synchronization
Applicable
Implementation details for clock synchronization are pending documentation within the governance platform.
A.8.18
Use of privileged utility programs
Applicable
Implementation details for the use of privileged utility programs are pending documentation within the governance platform.
A.8.19
Installation of software on operational systems
Applicable
Implementation details for the installation of software on operational systems are pending documentation within the governance platform.
A.8.20
Networks security
Applicable
Implementation details for network security are pending documentation within the governance platform.
A.8.21
Security of network services
Applicable
Implementation details for the security of network services are pending documentation within the governance platform.
A.8.22
Segregation of networks
Applicable
Implementation details for network segregation are pending documentation within the governance platform.
A.8.23
Web filtering
Applicable
Implementation details for web filtering are pending documentation within the governance platform.
A.8.24
Use of cryptography
Applicable
Implementation details for cryptography usage are pending documentation within the governance platform.
A.8.25
Secure development life cycle
Applicable
The organisation implements secure development lifecycle practices with code security monitoring in place. Secure development principles are applied across two active projects.
A.8.26
Application security requirements
Applicable
Application security requirements are defined and implemented through the organisation's secure development practices. Code security analysis checks compliance with these requirements.
A.8.27
Secure system architecture and engineering principles
Applicable
Secure system architecture principles guide system design within the organisation's development processes. Security is considered from the initial design phase across two active projects.
A.8.28
Secure coding
Applicable
Secure coding practices are enforced through code security monitoring. Code reviews and analysis help identify and address security issues during development.
A.8.29
Security testing in development and acceptance
Applicable
Security testing is integrated into the development lifecycle. Code security analysis is performed for two active projects to identify vulnerabilities.
A.8.30
Outsourced development
Applicable
Outsourced development is secured through code security monitoring. Security controls are applied to two active projects, ensuring protection throughout the development lifecycle.
A.8.31
Separation of development, test and production environments
Applicable
Development, testing, and production environments are separated and access controlled. Changes are tested before deployment to production across two active projects.
A.8.32
Change management
Applicable
The organisation maintains a Change Management Procedure that is approved by management. Changes to information systems are formally documented and reviewed to ensure security requirements are met.
A.8.33
Test information
Applicable
Implementation details for test information protection are pending documentation within the governance platform.
A.8.34
Protection of information systems during audit testing
Applicable
Implementation details for this control are pending documentation within the governance platform.