Last modified January 25, 2024
This document describes:
SQUAKE does not exclude any Controls from ISO 27001:2022 Annex A.
The CISO will be happy to answer any queries.
SQUAKE generally implements all measures from Annex A of ISO 27001:2022, as they reduce information security risks.
Control | Application | Reason for application or exclusion |
---|---|---|
A 5.01 | Yes | Role-specific guidelines enable effective interaction between all employees and external parties involved in ensuring information security. |
A 5.02 | Yes | Role assignments help us to determine who has which rights & responsibilities with regard to information security measures in which situations. |
A 5.03 | Yes | Conflicts of interest between different roles assigned to one person can affect information security goals and should thus be detected and minimized as far as possible. |
A 5.04 | Yes | Information security is only taken seriously if the management is behind it and demands compliance in the long term. That's why information security is a management duty. |
A 5.05 | Yes | Contacts with relevant authorities provide us with early information on vulnerabilities, threats and legislative developments that could be relevant to information security. |
A 5.06 | Yes | Contacts with relevant special interest groups provide us with early information on vulnerabilities, threats and sector specific developments that could be relevant to information security. |
A 5.07 | Yes | Future developments must also be included in decisions at an early stage to uphold the goals of information security over the long run; this is why the threat landscape must be reassessed from time to time. |
A 5.08 | Yes | By considering planned information security requirements in our projects, we can introduce and implement them in a targeted and timely manner. |
A 5.09 | Yes | Devices (and in general other assets such as tools) can only be operated safely if they are registered & documented. |
A 5.10 | Yes | Securing devices (and other assets) is only possible if it is clear for each device which use is permitted - i.e. "secure". We therefore ensure that assets are only used securely. |
A 5.11 | Yes | To ensure that devices are not left unattended when the employee responsible for them leaves the company, there is an obligation to return them in a regulated manner. |
A 5.12 | Yes | Different types of information are critical in different ways. We have therefore classified the types of information that we need to protect. |
A 5.13 | Yes | The information is labeled so that it is clear to everyone which information is classified and how. |
A 5.14 | Yes | To uphold the information security objectives, employees are trained to only use secure means of messaging and information transfer. Contracts with partners must take this aspect into account, too. |
A 5.15 | Yes | Only if we restrict, technologically enforce and track access controls can we effectively create an information-secure environment. |
A 5.16 | Yes | Implementing the full life cycle management of identities ensures comprehensive control, security, and accountability throughout every stage of user access. |
A 5.17 | Yes | Proper management of authentication information ensures that access to systems is secure and restricted to authorized personnel only. Including this in employee training makes employees aware of the processes in force and ensures their adoption. |
A 5.18 | Yes | Regular review and modification of access rights help maintain the CIA of information, all the while ensuring that individuals have the necessary permissions for their roles. |
A 5.19 | Yes | Managing information security risks in supplier relationships is crucial for ensuring the security of products or services acquired from external sources, addressing potential vulnerabilities early on. |
A 5.20 | Yes | Defining and agreeing upon information security requirements relevant for the nature of a supplier allows for tailoring security measures and ensures appropriate protection. |
A 5.21 | Yes | Managing information security risks in the ICT supply chain contributes to the resilience of the organization, reducing the likelihood of disruptions caused by security incidents at ICT suppliers, such as cloud providers. |
A 5.22 | Yes | Regular monitoring and review of supplier services ensure that information security practices remain effective over time, identifying and addressing potential weaknesses. Managing changes in supplier information security practices is crucial for adapting to evolving threats and maintaining a high level of security. |
A 5.23 | Yes | Establishing processes for cloud service acquisition, usage and exit ensures that the organization's information security requirements are applied consistently, safeguarding data stored or processed in cloud environments. |
A 5.24 | Yes | Planning and preparing for information security incidents ensures a swift and effective response, minimizing potential damage and disruption to operations. |
A 5.25 | Yes | Determining whether an event should be categorized as an incident helps prioritize response efforts, allocating resources to address the most critical security threats. |
A 5.26 | Yes | Timely and well-coordinated responses help minimize the impact of security incidents, reducing the potential damage to information assets and the organization's reputation. |
A 5.27 | Yes | Learning from incidents provides valuable insights for enhancing information security controls, enabling the organization to adapt and improve its security posture over time. |
A 5.28 | Yes | Proper collection and preservation of evidence support forensic analysis, aiding in the investigation and understanding of the scope and impact of information security events. Furthermore, it enhances the organization's ability to attribute responsibility for security incidents and take appropriate corrective actions. |
A 5.29 | Yes | Contingency planning helps identify potential security risks during disruptions, allowing the organization to implement proactive measures to mitigate these risks. |
A 5.30 | Yes | Regular testing and maintenance of ICT readiness measures help identify and address potential vulnerabilities, minimizing the risk of ICT-related disruptions. |
A 5.31 | Yes | Identifying and documenting legal, regulatory, and contractual requirements ensures that the organization aligns its information security practices with external obligations, fostering compliance. |
A 5.32 | Yes | Implementing procedures to protect intellectual property rights safeguards valuable assets, ensuring the organization's innovations and creations are secure from unauthorized use. |
A 5.33 | Yes | Safeguarding records from unauthorized release, falsification or destruction supports compliance with legal and regulatory requirements, and anchors compliance in the organization. |
A 5.34 | Yes | Adhering to applicable laws and contractual requirements mitigates legal risks associated with the mishandling of personal identifiable information, protecting the organization from potential legal consequences. It furthermore anchors the approach of treating personal data carefully within the organization. |
A 5.35 | Yes | Periodic independent reviews help assess the effectiveness of information security controls, contributing to a proactive identification and mitigation of potential risks. |
A 5.36 | Yes | Regular reviews of compliance with information security policies, rules, and standards ensure that the organization's practices align with established frameworks, promoting consistency and adherence to guidelines and vice versa. |
A 5.37 | Yes | Providing access to documented procedures facilitates knowledge transfer among personnel, ensuring that critical processes are understood and followed, even in the absence of specific individuals. |
A 6.01 | Yes | Screening candidates through background verification helps mitigate the risk of hiring individuals with a history of fraudulent or malicious activities, safeguarding the organization's integrity. |
A 6.02 | Yes | Clearly defined information security responsibilities contribute to risk reduction by establishing expectations and standards for personnel, reducing the likelihood of inadvertent security breaches. |
A 6.03 | Yes | Providing awareness, education, and training helps prevent security incidents by ensuring that personnel understand the importance of information security and are equipped with the knowledge to act securely. |
A 6.04 | Yes | A formalized disciplinary process serves as a deterrent, discouraging personnel from engaging in activities that violate information security policies and jeopardize the organization's security. |
A 6.05 | Yes | Defining and enforcing information security responsibilities after termination safeguards against potential data breaches or unauthorized access by former employees, protecting organizational assets. |
A 6.06 | Yes | Confidentiality agreements legally bind personnel and interested parties to protect sensitive information, providing a legal basis for action in case of unauthorized disclosure. |
A 6.07 | Yes | Implementing security measures for remote working ensures the protection of information accessed or processed outside the organization's premises, mitigating the risk of data breaches. |
A 6.08 | Yes | Reports from personnel contribute to effective incident investigations, helping the organization to respond to the security event in a timely manner, understand its nature, and implement necessary corrective actions. |
A 7.01 | Yes | Defining physical security perimeters helps protect critical areas containing information and assets, preventing unauthorized access and safeguarding against physical threats. |
A 7.02 | Yes | Physical entry controls ensure that only authorized personnel can access work areas, minimizing the risk of unauthorized entry and unwanted overhearing of conversations. |
A 7.03 | Yes | Physical security measures for offices, rooms, and facilities safeguard against unauthorized access, theft, and tampering, protecting valuable assets. |
A 7.04 | Yes | Knowing that premises are continuously monitored discourages individuals (internal and external) from attempting unauthorized physical access. |
A 7.05 | Yes | Protection against physical threats preserves critical assets and infrastructure, reducing the risk of damage or loss and ensuring business continuity. |
A 7.06 | Yes | Implementing security measures for working in secure areas ensures the protection of information and assets, minimizing the risk of unauthorized access or data exposure. |
A 7.07 | Yes | Enforcing clear desk and clear screen rules fosters a security-conscious culture, promoting responsible handling of information and reducing the risk of unauthorized disclosure. |
A 7.08 | Yes | Proper equipment siting and protection measures contribute to the preservation of organizational assets, reducing the risk of equipment failure or loss. |
A 7.09 | Yes | Protecting off-site assets safeguards organizational resources, reducing the risk of theft, damage, or unauthorized access to critical information and equipment. |
A 7.10 | Yes | Managing storage media throughout its life cycle ensures the secure handling of sensitive information, minimizing the risk of unauthorized access or data exposure, even after the asset is no longer in use and gets “forgotten”. |
A 7.11 | Yes | Protecting against utility failures ensures the availability and continuity of information processing facilities, minimizing disruptions caused by power outages or other utility failures. |
A 7.12 | Yes | Where needed, protecting cables from interception or interference ensures the integrity of data transmission, reducing the risk of unauthorized access or tampering. |
A 7.13 | Yes | Proper maintenance supports the availability, integrity and confidentiality of information by preventing malfunctions or vulnerabilities that could compromise the security of stored data. |
A 7.14 | Yes | Verifying the secure disposal or re-use of equipment with storage media ensures the complete removal of sensitive data, minimizing the risk of data breaches or unauthorized access. |
A 8.01 | Yes | Implementing security measures on user endpoint devices contributes significantly to reducing the overall vulnerability of devices to cyber threats, unauthorized access and breaches of information. |
A 8.02 | Yes | Proper management of privileged access rights minimizes the risk of insider threats and unauthorized activities that could compromise the security of organizational assets. |
A 8.03 | Yes | Adhering to topic-specific access control policies ensures alignment with organizational security objectives and regulatory requirements. |
A 8.04 | Yes | Restricting access to source code ensures the integrity of software development by preventing unauthorized changes that could introduce vulnerabilities or compromise functionality. Furthermore, it reduces the likelihood of IP theft. |
A 8.05 | Yes | Secure authentication ensures that users are who they claim to be, reducing the risk of unauthorized access and protecting sensitive information. |
A 8.06 | Yes | Monitoring and adjusting resource usage ensure optimal operational efficiency, preventing performance bottlenecks and downtime. |
A 8.07 | Yes | Implementing malware protection measures safeguards against malicious software that could compromise the confidentiality and integrity of organizational data. User awareness contributes to the effective adoption of malware protection. |
A 8.08 | Yes | Regular evaluation of the organization's exposure to vulnerabilities fosters a culture of continuous improvement in information security practices. Taking appropriate measures in response to technical vulnerabilities demonstrates proactive risk management. |
A 8.09 | Yes | Configuration management minimizes the risk of unauthorized changes or misconfigurations that could introduce vulnerabilities or compromise the integrity of information systems. |
A 8.10 | Yes | Deleting information in accordance with organizational and regulatory requirements demonstrates responsible data management practices and reduces the risk of unauthorized access to sensitive or outdated information. |
A 8.11 | Yes | Data masking protects sensitive information by replacing, encrypting, or obfuscating certain data elements, minimizing the risk of unauthorized (intentional and unintentional) disclosure. |
A 8.12 | Yes | Data leakage prevention measures prevent unauthorized disclosure or loss that could compromise confidentiality, and should therefore be built in from the introduction of a new asset. |
A 8.13 | Yes | Maintaining backup copies mitigates the risk of data loss due to accidental deletion, hardware failures, or other unforeseen events, enhancing overall risk management. Regular tests that backups can indeed be restored support business continuity by providing a means to recover critical data and systems should data loss or a system failure occur. |
A 8.14 | Yes | Implementing redundancy safeguards against downtime by providing alternative paths for data processing, minimizing the impact of potential failures. |
A 8.15 | Yes | Logging facilitates the monitoring of activities, allowing organizations to detect and respond to security incidents, anomalies, or unauthorized access. |
A 8.16 | Yes | Proactive monitoring allows the organization to respond swiftly to potential security incidents, mitigating the impact and preventing further compromise. |
A 8.17 | Yes | Clock synchronization ensures accurate time-stamping of events in logs, supporting accurate analysis and correlation of security events. |
A 8.18 | Yes | Tightly controlling privileged utility programs prevents unauthorized modifications of settings or access that could compromise information security. |
A 8.19 | Yes | Secure software installation procedures ensure that only authorized and vetted software is installed on operational systems, reducing the risk of security vulnerabilities. |
A 8.20 | Yes | Securing networks protects the confidentiality of information by preventing unauthorized access and interception of data during transmission. |
A 8.21 | Yes | Monitoring SLAs and other service requirements ensures the reliability and availability of network services, supporting uninterrupted business operations. |
A 8.22 | Yes | Network segregation protects against potentially interfering information flows and thus helps prevent data breaches. |
A 8.23 | Yes | Web filtering reduces the risk of users accessing malicious websites or content that could introduce malware, enhancing overall cybersecurity measures. |
A 8.24 | Yes | Effective use of cryptography protects the confidentiality of data by encrypting sensitive information, preventing unauthorized access or interception. |
A 8.25 | Yes | Secure development practices contribute to the protection of code and data by minimizing the potential for security flaws or weaknesses in software applications. |
A 8.26 | Yes | Identifying and specifying security requirements before application development or acquisition minimizes the risk of security vulnerabilities. |
A 8.27 | Yes | Applying secure system architecture and engineering principles enhances the resilience of the application architecture against potential threats and vulnerabilities. |
A 8.28 | Yes | Applying secure coding principles helps prevent vulnerabilities in software, reducing the risk of exploitation by malicious or simply naive actors. |
A 8.29 | Yes | Security testing in development and acceptance helps detect and address vulnerabilities early in the software development life cycle, minimizing the risk of security incidents once the code is live for operational systems. |
A 8.30 | Yes | Directing, monitoring, and reviewing outsourced development activities enables effective risk management by ensuring that security requirements are met and implemented by external parties. |
A 8.31 | Yes | Separating development, test, and production environments helps prevent unintended consequences or disruptions to operational systems during testing or development activities. Moreover, it opens the possibility for diligent testing of new code that could affect information security aspects. |
A 8.32 | Yes | Change management procedures help control and mitigate risks associated with modifications to information processing, ensuring changes are implemented in a secure and controlled manner. |
A 8.33 | Yes | Appropriate selection and protection of test information contribute to maintaining confidentiality over original and real data where needed. |
A 8.34 | Yes | Planning and agreement between the tester and management ensure that audit testing activities do not disrupt normal operational systems, supporting business continuity. |