Gap Assessment Report

The document is a gap assessment for ISO/IEC 27001 Annex A controls. It lists the controls, describes them, and indicates whether the organization is compliant, non-compliant, or partially compliant for each one. It also includes a gap assessment, recommendations, and notes on further actions needed to become compliant. In summary, it evaluates an organization's information security practices against the ISO standard and identifies any gaps that need to be addressed.

Uploaded by Rex Daniel

Statement of Applicability of ISO/IEC 27001 Annex A controls

Columns: Annex A Reference / Sub-Control | Control Title | Control Description | Compliant / Non Compliant / Partially Compliant

A.5 | Security Policy
A.5.1 | Information security policy | To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. |
A.5.1.1 | Information security policy document | An information security policy document shall be approved by management, and published and communicated to all employees and relevant external parties. | Compliant
A.5.1.2 | Review of the information security policy | The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness. | Compliant

Gap Assessment (columns: Current Practice | Gaps | Recommendations/Best Practice | Current Status | Post Recheck: Compliant / Non Compliant / Partially Compliant | Further Actions Recommended): all 3 rows for this section are marked Compliant; the remaining columns are empty.
A.6 | Organization of information security
A.6.1 | Internal Organization | To manage information security within the organization. |
A.6.1.1 | Information security policy document | Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities. | Compliant
A.6.1.2 | Information security coordination | Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions. | Compliant
A.6.1.3 | Allocation of information security responsibilities | All information security responsibilities shall be clearly defined. | Compliant
A.6.1.4 | Authorization process for information processing facilities | A management authorization process for new information processing facilities shall be defined and implemented. | Compliant
A.6.1.5 | Confidentiality agreements | Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified and regularly reviewed. | Compliant
A.6.1.6 | Contact with authorities | Appropriate contacts with relevant authorities shall be maintained. | Compliant
A.6.1.7 | Contact with special interest groups | Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained. | Compliant
A.6.1.8 | Independent review of information security | The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur. | Compliant
A.6.2 | External parties | External parties | Compliant
A.6.2.1 | Identification of risks related to external parties | The risks to the organization's information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access. | Compliant
A.6.2.2 | Addressing security when dealing with customers | All identified security requirements shall be addressed before giving customers access to the organization's information or assets. | Compliant
A.6.2.3 | Addressing security in third party contracts | Agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities, or adding products or services to information processing facilities shall cover all relevant security requirements. | Compliant

Gap Assessment (columns: Current Practice | Gaps | Recommendations/Best Practice | Current Status | Post Recheck: Compliant / Non Compliant / Partially Compliant | Further Actions Recommended): all 13 rows for this section are marked Compliant; the remaining columns are empty.
A.7 | Asset Management
A.7.1 | Responsibility for assets | To achieve and maintain appropriate protection of organizational assets. |
A.7.1.1 | Inventory of assets | All assets shall be clearly identified and an inventory of all important assets drawn up and maintained. | Compliant
A.7.1.2 | Ownership of assets | All information and assets associated with information processing facilities shall be owned by a designated part of the organization. | Compliant
A.7.1.3 | Acceptable use of assets | Rules for the acceptable use of information and assets associated with information processing facilities shall be identified, documented, and implemented. | Compliant
A.7.2 | Information classification | To ensure that information receives an appropriate level of protection. |
A.7.2.1 | Classification guidelines | Information shall be classified in terms of its value, legal requirements, sensitivity and criticality to the organization. | Compliant
A.7.2.2 | Information labelling and handling | An appropriate set of procedures for information labelling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization. | Compliant

Gap Assessment (columns: Current Practice | Gaps | Recommendations/Best Practice | Current Status | Post Recheck: Compliant / Non Compliant / Partially Compliant | Further Actions Recommended): all 7 rows for this section are marked Compliant; the remaining columns are empty.
A.8 | Human resources security
A.8.1 | Prior to employment | To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities. |
A.8.1.1 | Roles and responsibilities | Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the organization's information security policy. | Compliant
A.8.1.2 | Screening | Background verification checks on all candidates for employment, contractors, and third party users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks. | Compliant
A.8.1.3 | Terms and conditions of employment | As part of their contractual obligation, employees, contractors and third party users shall agree and sign the terms and conditions of their employment contract, which shall state their and the organization's responsibilities for information security. | Compliant
A.8.2 | During employment | To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error. |
A.8.2.1 | Management responsibilities | Management shall require employees, contractors and third party users to apply security in accordance with established policies and procedures of the organization. | Compliant
A.8.2.2 | Information security awareness, education and training | All employees of the organization and, where relevant, contractors and third-party users, shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. | Compliant
A.8.2.3 | Disciplinary process | There shall be a formal disciplinary process for employees who have committed a security breach. | Compliant
A.8.3 | Termination or change of employment | To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner. |
A.8.3.1 | Termination responsibilities | Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned. | Compliant
A.8.3.2 | Return of assets | All employees, contractors and third party users shall return all of the organization's assets in their possession upon termination of their employment, contract or agreement. | Compliant
A.8.3.3 | Removal of access rights | The access rights of all employees, contractors and third party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. | Compliant

Gap Assessment (columns: Current Practice | Gaps | Recommendations/Best Practice | Current Status | Post Recheck: Compliant / Non Compliant / Partially Compliant | Further Actions Recommended): all 13 rows for this section are marked Compliant; the remaining columns are empty.
A.9 | Physical and environmental security
A.9.1 | Secure areas | To prevent unauthorized physical access, damage and interference to the organization's premises and information. |
A.9.1.1 | Physical security perimeter | Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information processing facilities. | Compliant
A.9.1.2 | Physical entry controls | Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. | Compliant
A.9.1.3 | Securing offices, rooms and facilities | Physical security for offices, rooms, and facilities shall be designed and applied. | Compliant
A.9.1.4 | Protecting against external and environmental threats | Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster shall be designed and applied. | (no status recorded)
A.9.1.5 | Working in secure areas | Physical protection and guidelines for working in secure areas shall be designed and applied. | Compliant
A.9.1.6 | Public access, delivery and loading areas | Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. | Compliant
A.9.2 | Equipment security | To prevent loss, damage, theft or compromise of assets and interruption to the organization's activities. |
A.9.2.1 | Equipment siting and protection | Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. | Compliant
A.9.2.2 | Supporting utilities | Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. | Compliant
A.9.2.3 | Cabling security | Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage. | Compliant
A.9.2.4 | Equipment maintenance | Equipment shall be correctly maintained to enable its continued availability and integrity. | Compliant
A.9.2.5 | Security of equipment off-premises | Security shall be applied to off-site equipment taking into account the different risks of working outside the organization's premises. | Compliant
A.9.2.6 | Secure disposal or re-use of equipment | All items of equipment containing storage media shall be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal. | Compliant
A.9.2.7 | Removal of property | Equipment, information or software shall not be taken off-site without prior authorization. | Compliant

Gap Assessment (columns: Current Practice | Gaps | Recommendations/Best Practice | Current Status | Post Recheck: Compliant / Non Compliant / Partially Compliant | Further Actions Recommended): all 16 rows for this section are marked Compliant; the remaining columns are empty.
A.10 | Communications and operations management
A.10.1 | Operational procedures and responsibilities | To ensure the correct and secure operation of information processing facilities. |
A.10.1.1 | Documented operating procedures | Operating procedures shall be documented, maintained, and made available to all users who need them. | Compliant
A.10.1.2 | Change management | Changes to information processing facilities and systems shall be controlled. | Compliant
A.10.1.3 | Segregation of duties | Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. | Compliant
A.10.1.4 | Separation of development, test and operational facilities | Development, test and operational facilities shall be separated to reduce the risks of unauthorized access or changes to the operational system. | Compliant
A.10.2 | Third party service delivery management | To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements. |
A.10.2.1 | Service Delivery | It shall be ensured that the security controls, service definitions, and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party. | Compliant
A.10.2.2 | Monitoring and review of third party services | The services, reports and records provided by the third party shall be regularly monitored and reviewed, and audits shall be carried out regularly. | (no status recorded)
A.10.2.3 | Managing changes to third party services | Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business systems and processes involved and re-assessment of risks. | Compliant
A.10.3 | System planning and acceptance | To minimize the risk of systems failure. |
A.10.3.1 | Capacity management | The use of resources shall be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance. | Compliant
A.10.3.2 | System acceptance | Acceptance criteria for new information systems, upgrades, and new versions shall be established and suitable tests of the system(s) carried out during development and prior to acceptance. | Compliant
A.10.4 | Protection against malicious and mobile code | |
A.10.4.1 | Controls against malicious code | Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures shall be implemented. | Compliant
A.10.4.2 | Controls against mobile code | Where the use of mobile code is authorized, the configuration shall ensure that the authorized mobile code operates according to a clearly defined security policy, and unauthorized mobile code shall be prevented from executing. | Compliant
A.10.5 | Back-up | To maintain the integrity and availability of information and information processing facilities. |
A.10.5.1 | Information back-up | Back-up copies of information and software shall be taken and tested regularly in accordance with the agreed backup policy. | Compliant
A.10.6 | Network security management | To ensure the protection of information in networks and the protection of the supporting infrastructure. |
A.10.6.1 | Network controls | Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit. | Compliant
A.10.6.2 | Security of network services | Security features, service levels, and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced. | Compliant
A.10.7 | Media handling | To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities. |
A.10.7.1 | Management of removable media | There shall be procedures in place for the management of removable media. | Compliant
A.10.7.2 | Disposal of media | Media shall be disposed of securely and safely when no longer required, using formal procedures. | Compliant
A.10.7.3 | Information handling procedures | Procedures for the handling and storage of information shall be established to protect this information from unauthorized disclosure or misuse. | Compliant
A.10.7.4 | Security of system documentation | System documentation shall be protected against unauthorized access. | Compliant
A.10.8 | Exchange of information | To maintain the security of information and software exchanged within an organization and with any external entity. |
A.10.8.1 | Information exchange policies and procedures | Formal exchange policies, procedures, and controls shall be in place to protect the exchange of information through the use of all types of communication facilities. | Compliant
A.10.8.2 | Exchange agreements | Agreements shall be established for the exchange of information and software between the organization and external parties. | Compliant
A.10.8.3 | Physical media in transit | Media containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond an organization's physical boundaries. | Compliant
A.10.8.4 | Electronic messaging | Information involved in electronic messaging shall be appropriately protected. | Compliant
A.10.8.5 | Business information systems | Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems. | Compliant
A.10.9 | Electronic commerce services | To ensure the security of electronic commerce services, and their secure use. |
A.10.9.1 | Electronic commerce | Information involved in electronic commerce passing over public networks shall be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification. | Compliant
A.10.9.2 | On-line transactions | Information involved in on-line transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. | Compliant
A.10.9.3 | Publicly available information | The integrity of information being made available on a publicly available system shall be protected to prevent unauthorized modification. | Compliant
A.10.10 | Monitoring | To detect unauthorized information processing activities. |
A.10.10.1 | Audit logging | Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring. | Compliant
A.10.10.2 | Monitoring system use | Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly. | Compliant
A.10.10.3 | Protection of log information | Logging facilities and log information shall be protected against tampering and unauthorized access. | Compliant
A.10.10.4 | Administrator and operator logs | System administrator and system operator activities shall be logged. | Compliant
A.10.10.5 | Fault logging | Faults shall be logged, analyzed, and appropriate action taken. | Compliant
A.10.10.6 | Clock synchronization | The clocks of all relevant information processing systems within an organization or security domain shall be synchronized with an agreed accurate time source. | Compliant

Gap Assessment (columns: Current Practice | Gaps | Recommendations/Best Practice | Current Status | Post Recheck: Compliant / Non Compliant / Partially Compliant | Further Actions Recommended): all 43 rows for this section are marked Compliant; the remaining columns are empty.
A.11 | Access Control
A.11.1 | Business requirement for access control | To control access to information. |
A.11.1.1 | Access control policy | An access control policy shall be established, documented, and reviewed based on business and security requirements for access. | Compliant
A.11.2 | User access management | To ensure authorized user access and to prevent unauthorized access to information systems. |
A.11.2.1 | User registration | There shall be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services. | Compliant
A.11.2.2 | Privilege management | The allocation and use of privileges shall be restricted and controlled. | Compliant
A.11.2.3 | User password management | The allocation of passwords shall be controlled through a formal management process. | Compliant
A.11.2.4 | Review of user access rights | Management shall review users' access rights at regular intervals using a formal process. | Compliant
A.11.3 | User responsibilities | To prevent unauthorized user access, and compromise or theft of information and information processing facilities. |
A.11.3.1 | Password use | Users shall be required to follow good security practices in the selection and use of passwords. | Compliant
A.11.3.2 | Unattended user equipment | Users shall ensure that unattended equipment has appropriate protection. | Compliant
A.11.3.3 | Clear desk and clear screen policy | A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. | Compliant
A.11.4 | Network access control | To prevent unauthorized access to networked services. |
A.11.4.1 | Policy on use of network services | Users shall only be provided with access to the services that they have been specifically authorized to use. | Compliant
A.11.4.2 | User authentication for external connections | Appropriate authentication methods shall be used to control access by remote users. | Compliant
A.11.4.3 | Equipment identification in networks | Automatic equipment identification shall be considered as a means to authenticate connections from specific locations and equipment. | Compliant
A.11.4.4 | Remote diagnostic and configuration port protection | Physical and logical access to diagnostic and configuration ports shall be controlled. | Compliant
A.11.4.5 | Segregation in networks | Groups of information services, users and information systems shall be segregated on networks. | Compliant
A.11.4.6 | Network connection control | For shared networks, especially those extending across the organization's boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications (see 11.1). | Compliant
A.11.4.7 | Network routing control | Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications. | Compliant
A.11.5 | Operating system access control | To prevent unauthorized access to operating systems. |
A.11.5.1 | Secure log-on procedures | Access to operating systems shall be controlled by a secure log-on procedure. | Compliant
A.11.5.2 | User identification and authentication | All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user. | Compliant
A.11.5.3 | Password management system | Systems for managing passwords shall be interactive and shall ensure quality passwords. | Compliant
A.11.5.4 | Use of system utilities | The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. | Compliant
A.11.5.5 | Session time-out | Inactive sessions shall be shut down after a defined period of inactivity. | Compliant
A.11.5.6 | Limitation of connection time | Restrictions on connection times shall be used to provide additional security for high-risk applications. | Compliant
A.11.6 | Application and information access control | To prevent unauthorized access to information held in application systems. |
A.11.6.1 | Information access restriction | Access to information and application system functions by users and support personnel shall be restricted in accordance with the defined access control policy. | Compliant
A.11.6.2 | Sensitive system isolation | Sensitive systems shall have a dedicated (isolated) computing environment. | Compliant
A.11.7 | Mobile computing and Teleworking | To ensure information security when using mobile computing and teleworking facilities. |
A.11.7.1 | Mobile computing and communications | A formal policy shall be in place, and security measures shall be adopted to protect against the risks of using mobile computing and communication facilities. | Compliant
A.11.7.2 | Teleworking | A policy, operational plans and procedures shall be developed and implemented for teleworking activities. | Compliant

Gap Assessment (columns: Current Practice | Gaps | Recommendations/Best Practice | Current Status | Post Recheck: Compliant / Non Compliant / Partially Compliant | Further Actions Recommended): all 33 rows for this section are marked Compliant; the remaining columns are empty.
A.12 | Information systems acquisition, development and maintenance
A.12.1 | Security requirements of information systems | To ensure that security is an integral part of information systems. |
A.12.1.1 | Security requirements analysis and specification | Statements of business requirements for new information systems, or enhancements to existing information systems shall specify the requirements for security controls. | Compliant
A.12.2 | Correct processing in applications | To prevent errors, loss, unauthorized modification or misuse of information in applications. |
A.12.2.1 | Input data validation | Data input to applications shall be validated to ensure that this data is correct and appropriate. | Compliant
A.12.2.2 | Control of internal processing | Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts. | Compliant
A.12.2.3 | Message integrity | Requirements for ensuring authenticity and protecting message integrity in applications shall be identified, and appropriate controls identified and implemented. | Compliant
A.12.2.4 | Output data validation | Data output from an application shall be validated to ensure that the processing of stored information is correct and appropriate to the circumstances. | Compliant
A.12.3 | Cryptographic controls | To protect the confidentiality, authenticity or integrity of information by cryptographic means. |
A.12.3.1 | Policy on the use of cryptographic controls | A policy on the use of cryptographic controls for protection of information shall be developed and implemented. | Compliant
A.12.3.2 | Key management | Key management shall be in place to support the organization's use of cryptographic techniques. | Compliant
A.12.4 | Security of system files | To ensure the security of system files. |
A.12.4.1 | Control of operational software | There shall be procedures in place to control the installation of software on operational systems. | Compliant
A.12.4.2 | Protection of system test data | Test data shall be selected carefully, and protected and controlled. | Compliant
A.12.4.3 | Access control to program source code | Access to program source code shall be restricted. | Compliant
A.12.5 | Security in development and support processes | To maintain the security of application system software and information. |
A.12.5.1 | Change control procedures | The implementation of changes shall be controlled by the use of formal change control procedures. | Compliant
A.12.5.2 | Technical review of applications after operating system changes | When operating systems are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security. | Compliant
A.12.5.3 | Restrictions on changes to software packages | Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled. | Compliant
A.12.5.4 | Information leakage | Opportunities for information leakage shall be prevented. | Compliant
A.12.5.5 | Outsourced software development | Outsourced software development shall be supervised and monitored by the organization. | Compliant
A.12.6 | Technical Vulnerability Management | To reduce risks resulting from exploitation of published technical vulnerabilities. |
A.12.6.1 | Control of technical vulnerabilities | Timely information about technical vulnerabilities of information systems being used shall be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk. | Compliant

Gap Assessment (columns: Current Practice | Gaps | Recommendations/Best Practice | Current Status | Post Recheck: Compliant / Non Compliant / Partially Compliant | Further Actions Recommended): all 23 rows for this section are marked Compliant; the remaining columns are empty.
Statement of Applicability of ISO/IEC 27001 Annex A controls (continued)

Reference | Control Title | Control Description | Compliant/ Non Compliant/ Partially Compliant

A.13 | Information security incident management | |
A.13.1 | Reporting information security events and weaknesses | To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken. |
A.13.1.1 | Reporting information security events | Information security events shall be reported through appropriate management channels as quickly as possible. | Compliant
A.13.1.2 | Reporting security weaknesses | All employees, contractors and third party users of information systems and services shall be required to note and report any observed or suspected security weaknesses in systems or services. | Compliant
A.13.2 | Management of information security incidents and improvements | To ensure a consistent and effective approach is applied to the management of information security incidents. |
A.13.2.1 | Responsibilities and procedures | Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. | Compliant
A.13.2.2 | Learning from information security incidents | There shall be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored. | Compliant
A.13.2.3 | Collection of evidence | Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s). | Compliant
Gap Assessment (remaining columns of the A.13 sheet)

Current Practice | Gaps | Recommendations/ Best Practice | Current Status | Post Recheck: Compliant/ Non Compliant/ Partially Compliant | Further Actions Recommended

The only values present in these columns are a status of "Compliant" on every row; no current practice, gap, recommendation or further-action text is recorded for the A.13 controls.
Statement of Applicability of ISO/IEC 27001 Annex A controls (continued)

Reference | Control Title | Control Description | Compliant/ Non Compliant/ Partially Compliant

A.14 | Business continuity management | |
A.14.1 | Information security aspects of business continuity management | To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. |
A.14.1.1 | Including information security in the business continuity management process | A managed process shall be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization's business continuity. | Compliant
A.14.1.2 | Business continuity and risk analysis | Events that can cause interruptions to business processes shall be identified, along with the probability and impact of such interruptions and their consequences for information security. | Compliant
A.14.1.3 | Developing and implementing continuity plans including information security | Plans shall be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes. | Compliant
A.14.1.4 | Business continuity planning framework | A single framework of business continuity plans shall be maintained to ensure all plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance. | Compliant
A.14.1.5 | Testing, maintaining and re-assessing business continuity plans | Business continuity plans shall be tested and updated regularly to ensure that they are up to date and effective. | Compliant
Gap Assessment (remaining columns of the A.14 sheet)

Current Practice | Gaps | Recommendations/ Best Practice | Current Status | Post Recheck: Compliant/ Non Compliant/ Partially Compliant | Further Actions Recommended

The only values present in these columns are a status of "Compliant" on every row; no current practice, gap, recommendation or further-action text is recorded for the A.14 controls.
Statement of Applicability of ISO/IEC 27001 Annex A controls (continued)

Reference | Control Title | Control Description | Compliant/ Non Compliant/ Partially Compliant

A.15 | Compliance | |
A.15.1 | Compliance with legal requirements | To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements. |
A.15.1.1 | Identification of applicable legislation | All relevant statutory, regulatory and contractual requirements and the organization's approach to meet these requirements shall be explicitly defined, documented, and kept up to date for each information system and the organization. | Compliant
A.15.1.2 | Intellectual property rights (IPR) | Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products. | Compliant
A.15.1.3 | Protection of organizational records | Important records shall be protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual, and business requirements. | Compliant
A.15.1.4 | Data protection and privacy of personal information | Data protection and privacy shall be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses. | Compliant
A.15.1.5 | Prevention of misuse of information processing facilities | Users shall be deterred from using information processing facilities for unauthorized purposes. | Compliant
A.15.1.6 | Regulation of cryptographic controls | Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations. | Compliant
A.15.2 | Compliance with security policies and standards, and technical compliance | To ensure compliance of systems with organizational security policies and standards. |
A.15.2.1 | Compliance with security policies and standards | Managers shall ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards. | Compliant
A.15.2.2 | Technical compliance checking | Information systems shall be regularly checked for compliance with security implementation standards. | (no status recorded on the sheet)
A.15.3 | Information system audit considerations | To maximize the effectiveness of and to minimize interference to/from the information systems audit process. |
A.15.3.1 | Information systems audit controls | Audit requirements and activities involving checks on operational systems shall be planned carefully and agreed to minimize the risk of disruptions to business processes. | Compliant
A.15.3.2 | Protection of information systems audit tools | Access to information systems audit tools shall be protected to prevent any possible misuse or compromise. | Compliant
Gap Assessment (remaining columns of the A.15 sheet)

Current Practice | Gaps | Recommendations/ Best Practice | Current Status | Post Recheck: Compliant/ Non Compliant/ Partially Compliant | Further Actions Recommended

The only values present in these columns are a status of "Compliant" on every row; no current practice, gap, recommendation or further-action text is recorded for the A.15 controls.