SW-ISMS-FRM-001
Statement of Applicability Template
| Field | Value |
|---|---|
| Version | 1.0 |
| Owner | CISO |
| Effective Date | 2024-01-15 |
| Review Date | 2025-01-15 |
Purpose
This form documents which ISO 27001:2022 Annex A controls are applicable to Swedwise's Information Security Management System, the justification for each decision, and the implementation status.
Instructions
- Review each control in ISO 27001:2022 Annex A (93 controls across 4 themes)
- Determine applicability based on risk assessment and business context
- Provide clear justification for inclusion or exclusion
- Document implementation status and evidence location
- Review annually or when significant changes occur
- Obtain approval from the CISO and the Management Team
Form Template
Document Information
| Field | Value |
|---|---|
| SoA Version | |
| Review Date | |
| Reviewed By | |
| Approved By | |
| Approval Date | |
| Next Review Date | |
Annex A Controls Assessment
Theme 1: Organizational Controls (37 controls)
5.1 Policies for Information Security
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.1 | Policies for information security | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.2 Information Security Roles and Responsibilities
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.2 | Information security roles and responsibilities | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.3 Segregation of Duties
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.3 | Segregation of duties | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.4 Management Responsibilities
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.4 | Management responsibilities | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.5 Contact with Authorities
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.5 | Contact with authorities | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.6 Contact with Special Interest Groups
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.6 | Contact with special interest groups | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.7 Threat Intelligence
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.7 | Threat intelligence | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.8 Information Security in Project Management
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.8 | Information security in project management | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.9 Inventory of Information and Other Associated Assets
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.9 | Inventory of information and other associated assets | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.10 Acceptable Use of Information and Other Associated Assets
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.10 | Acceptable use of information and other associated assets | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.11 Return of Assets
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.11 | Return of assets | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.12 Classification of Information
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.12 | Classification of information | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.13 Labelling of Information
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.13 | Labelling of information | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.14 Information Transfer
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.14 | Information transfer | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.15 Access Control
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.15 | Access control | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.16 Identity Management
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.16 | Identity management | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.17 Authentication Information
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.17 | Authentication information | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.18 Access Rights
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.18 | Access rights | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.19 Information Security in Supplier Relationships
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.19 | Information security in supplier relationships | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.20 Addressing Information Security Within Supplier Agreements
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.20 | Addressing information security within supplier agreements | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.21 Managing Information Security in the ICT Supply Chain
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.21 | Managing information security in the ICT supply chain | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.22 Monitoring, Review and Change Management of Supplier Services
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.22 | Monitoring, review and change management of supplier services | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.23 Information Security for Use of Cloud Services
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.23 | Information security for use of cloud services | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.24 Information Security Incident Management Planning and Preparation
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.24 | Information security incident management planning and preparation | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.25 Assessment and Decision on Information Security Events
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.25 | Assessment and decision on information security events | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.26 Response to Information Security Incidents
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.26 | Response to information security incidents | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.27 Learning from Information Security Incidents
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.27 | Learning from information security incidents | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.28 Collection of Evidence
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.28 | Collection of evidence | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.29 Information Security During Disruption
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.29 | Information security during disruption | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.30 ICT Readiness for Business Continuity
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.30 | ICT readiness for business continuity | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.31 Legal, Statutory, Regulatory and Contractual Requirements
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.31 | Legal, statutory, regulatory and contractual requirements | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.32 Intellectual Property Rights
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.32 | Intellectual property rights | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.33 Protection of Records
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.33 | Protection of records | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.34 Privacy and Protection of PII
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.34 | Privacy and protection of PII | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.35 Independent Review of Information Security
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.35 | Independent review of information security | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.36 Compliance with Policies, Rules and Standards for Information Security
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.36 | Compliance with policies, rules and standards for information security | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
5.37 Documented Operating Procedures
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.5.37 | Documented operating procedures | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
Theme 2: People Controls (8 controls)
6.1 Screening
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.6.1 | Screening | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
6.2 Terms and Conditions of Employment
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.6.2 | Terms and conditions of employment | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
6.3 Information Security Awareness, Education and Training
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.6.3 | Information security awareness, education and training | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
6.4 Disciplinary Process
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.6.4 | Disciplinary process | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
6.5 Responsibilities After Termination or Change of Employment
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.6.5 | Responsibilities after termination or change of employment | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
6.6 Confidentiality or Non-Disclosure Agreements
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.6.6 | Confidentiality or non-disclosure agreements | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
6.7 Remote Working
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.6.7 | Remote working | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
6.8 Information Security Event Reporting
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.6.8 | Information security event reporting | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
Theme 3: Physical Controls (14 controls)
7.1 Physical Security Perimeters
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.7.1 | Physical security perimeters | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
7.2 Physical Entry
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.7.2 | Physical entry | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
7.3 Securing Offices, Rooms and Facilities
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.7.3 | Securing offices, rooms and facilities | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
7.4 Physical Security Monitoring
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.7.4 | Physical security monitoring | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
7.5 Protecting Against Physical and Environmental Threats
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.7.5 | Protecting against physical and environmental threats | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
7.6 Working in Secure Areas
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.7.6 | Working in secure areas | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
7.7 Clear Desk and Clear Screen
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.7.7 | Clear desk and clear screen | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
7.8 Equipment Siting and Protection
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.7.8 | Equipment siting and protection | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
7.9 Security of Assets Off-Premises
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.7.9 | Security of assets off-premises | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
7.10 Storage Media
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.7.10 | Storage media | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
7.11 Supporting Utilities
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.7.11 | Supporting utilities | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
7.12 Cabling Security
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.7.12 | Cabling security | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
7.13 Equipment Maintenance
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.7.13 | Equipment maintenance | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
7.14 Secure Disposal or Re-use of Equipment
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.7.14 | Secure disposal or re-use of equipment | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
Theme 4: Technological Controls (34 controls)
8.1 User Endpoint Devices
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.1 | User endpoint devices | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.2 Privileged Access Rights
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.2 | Privileged access rights | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.3 Information Access Restriction
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.3 | Information access restriction | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.4 Access to Source Code
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.4 | Access to source code | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.5 Secure Authentication
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.5 | Secure authentication | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.6 Capacity Management
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.6 | Capacity management | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.7 Protection Against Malware
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.7 | Protection against malware | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.8 Management of Technical Vulnerabilities
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.8 | Management of technical vulnerabilities | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.9 Configuration Management
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.9 | Configuration management | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.10 Information Deletion
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.10 | Information deletion | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.11 Data Masking
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.11 | Data masking | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.12 Data Leakage Prevention
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.12 | Data leakage prevention | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.13 Information Backup
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.13 | Information backup | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.14 Redundancy of Information Processing Facilities
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.14 | Redundancy of information processing facilities | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.15 Logging
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.15 | Logging | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.16 Monitoring Activities
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.16 | Monitoring activities | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.17 Clock Synchronization
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.17 | Clock synchronization | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.18 Use of Privileged Utility Programs
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.18 | Use of privileged utility programs | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.19 Installation of Software on Operational Systems
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.19 | Installation of software on operational systems | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.20 Networks Security
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.20 | Networks security | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.21 Security of Network Services
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.21 | Security of network services | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.22 Segregation of Networks
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.22 | Segregation of networks | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.23 Web Filtering
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.23 | Web filtering | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.24 Use of Cryptography
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.24 | Use of cryptography | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.25 Secure Development Life Cycle
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.25 | Secure development life cycle | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.26 Application Security Requirements
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.26 | Application security requirements | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.27 Secure System Architecture and Engineering Principles
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.27 | Secure system architecture and engineering principles | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.28 Secure Coding
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.28 | Secure coding | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.29 Security Testing in Development and Acceptance
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.29 | Security testing in development and acceptance | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.30 Outsourced Development
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.30 | Outsourced development | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.31 Separation of Development, Test and Production Environments
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.31 | Separation of development, test and production environments | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.32 Change Management
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.32 | Change management | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.33 Test Information
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.33 | Test information | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
8.34 Protection of Information Systems During Audit Testing
| Control ID | Control Name | Applicable | Justification | Implementation Status | Evidence Reference |
|---|---|---|---|---|---|
| A.8.34 | Protection of information systems during audit testing | ☐ Yes ☐ No | | ☐ Not Started ☐ In Progress ☐ Implemented ☐ Verified | |
Notes:
Summary Statistics
| Metric | Count | Percentage |
|---|---|---|
| Total Controls | 93 | 100% |
| Applicable | | |
| Not Applicable | | |
| Not Started | | |
| In Progress | | |
| Implemented | | |
| Verified | | |
Approval Section
| Role | Name | Signature | Date |
|---|---|---|---|
| Prepared By | | | |
| Reviewed By (CISO) | | | |
| Approved By (CEO) | | | |
Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | | | Initial version |
Notes
Use this section to document overall observations, trends, or improvement areas identified during the SoA review.