Statement of Applicability

Last modified January 25, 2024

Summary and purpose of the document

This document describes:

  • which technical and organizational measures from ISO 27001 Annex A are implemented by SQUAKE (and why);
  • which technical and organizational measures from ISO 27001 Annex A SQUAKE does not implement (and why not).

SQUAKE does not exclude any Controls from ISO 27001:2022 Annex A.

The CISO will be happy to answer any queries.

Technical and organizational controls applied and not applied

SQUAKE generally implements all measures from Annex A of ISO 27001:2022, as they reduce information security risks.

Control | Application | Reason for application or exclusion
------- | ----------- | ------------------------------------
A 5.01 | Yes | Role-specific guidelines enable effective interaction between all employees and external parties involved in ensuring information security.
A 5.02 | Yes | Role assignments help us to determine who has which rights and responsibilities with regard to information security measures in which situations.
A 5.03 | Yes | Conflicts of interest between different roles assigned to one person can affect information security goals and should thus be detected and minimized as far as possible.
A 5.04 | Yes | Information security is only taken seriously if the management is behind it and demands compliance in the long term. That is why this is a duty of our management.
A 5.05 | Yes | Contacts with relevant authorities provide us with early information on vulnerabilities, threats and legislative developments that could be relevant to information security.
A 5.06 | Yes | Contacts with relevant special interest groups provide us with early information on vulnerabilities, threats and sector-specific developments that could be relevant to information security.
A 5.07 | Yes | Future developments must also be included in decisions at an early stage to uphold the goals of information security over the long run; this is why the threat landscape must be reassessed from time to time.
A 5.08 | Yes | By considering planned information security requirements in our projects, we can introduce and implement them in a targeted and timely manner.
A 5.09 | Yes | Devices (and in general other assets such as tools) can only be operated safely if they are registered and documented.
A 5.10 | Yes | Securing devices (and other assets) is only possible if it is clear for each device which use is permitted, i.e. "secure". We therefore ensure that assets are only used securely.
A 5.11 | Yes | To ensure that devices are not left unattended when the employee responsible for them leaves the company, there is an obligation to return them in a regulated manner.
A 5.12 | Yes | Different types of information are critical in different ways. We have therefore classified the types of information that we need to protect.
A 5.13 | Yes | The information is labeled so that it is clear to everyone which information is classified and how.
A 5.14 | Yes | To uphold the information security objectives, employees are trained to only use secure means of messaging and information transfer. Contracts with partners must take this aspect into account, too.
A 5.15 | Yes | Only if we restrict, technologically enforce and track access controls can we effectively create an information-secure environment.
A 5.16 | Yes | Implementing the full life cycle management of identities ensures comprehensive control, security, and accountability throughout every stage of user access.
A 5.17 | Yes | Proper management of authentication information ensures that access to systems is secure and restricted to authorized personnel only. Including this in the employee trainings makes employees aware of the processes in force and ensures their adoption.
A 5.18 | Yes | Regular review and modification of access rights help maintain the confidentiality, integrity and availability (CIA) of information, all the while ensuring that individuals have the necessary permissions for their roles.
A 5.19 | Yes | Managing information security risks in supplier relationships is crucial for ensuring the security of products or services acquired from external sources, addressing potential vulnerabilities early on.
A 5.20 | Yes | Defining and agreeing upon information security requirements relevant for the nature of a supplier allows for tailoring security measures and ensures appropriate protection.
A 5.21 | Yes | Managing information security risks in the ICT supply chain contributes to the resilience of the organization, reducing the likelihood of disruptions caused by security incidents at ICT suppliers, such as cloud providers.
A 5.22 | Yes | Regular monitoring and review of supplier services ensure that information security practices remain effective over time, identifying and addressing potential weaknesses. Managing changes in supplier information security practices is crucial for adapting to evolving threats and maintaining a high level of security.
A 5.23 | Yes | Establishing processes for cloud service acquisition, usage and exit ensures that the organization's information security requirements are applied consistently, safeguarding data stored or processed in cloud environments.
A 5.24 | Yes | Planning and preparing for information security incidents ensures a swift and effective response, minimizing potential damage and disruption to operations.
A 5.25 | Yes | Determining whether an event should be categorized as an incident helps prioritize response efforts, allocating resources to address the most critical security threats.
A 5.26 | Yes | Timely and well-coordinated responses help minimize the impact of security incidents, reducing the potential damage to information assets and the organization's reputation.
A 5.27 | Yes | Learning from incidents provides valuable insights for enhancing information security controls, enabling the organization to adapt and improve its security posture over time.
A 5.28 | Yes | Proper collection and preservation of evidence support forensic analysis, aiding in the investigation and understanding of the scope and impact of information security events. Furthermore, it enhances the organization's ability to attribute responsibility for security incidents and take appropriate corrective actions.
A 5.29 | Yes | Contingency planning helps identify potential security risks during disruptions, allowing the organization to implement proactive measures to mitigate these risks.
A 5.30 | Yes | Regular testing and maintenance of ICT readiness measures help identify and address potential vulnerabilities, minimizing the risk of ICT-related disruptions.
A 5.31 | Yes | Identifying and documenting legal, regulatory, and contractual requirements ensures that the organization aligns its information security practices with external obligations, fostering compliance.
A 5.32 | Yes | Implementing procedures to protect intellectual property rights safeguards valuable assets, ensuring the organization's innovations and creations are secure from unauthorized use.
A 5.33 | Yes | Safeguarding records from unauthorized release, falsification or destruction supports compliance with legal and regulatory requirements, and anchors compliance in the organization.
A 5.34 | Yes | Adhering to applicable laws and contractual requirements mitigates legal risks associated with the mishandling of personally identifiable information, protecting the organization from potential legal consequences. It furthermore anchors the approach of treating personal data carefully within the organization.
A 5.35 | Yes | Periodic independent reviews help assess the effectiveness of information security controls, contributing to a proactive identification and mitigation of potential risks.
A 5.36 | Yes | Regular reviews of compliance with information security policies, rules, and standards ensure that the organization's practices align with established frameworks, promoting consistency and adherence to guidelines and vice versa.
A 5.37 | Yes | Providing access to documented procedures facilitates knowledge transfer among personnel, ensuring that critical processes are understood and followed, even in the absence of specific individuals.
A 6.01 | Yes | Screening candidates through background verification helps mitigate the risk of hiring individuals with a history of fraudulent or malicious activities, safeguarding the organization's integrity.
A 6.02 | Yes | Clearly defined information security responsibilities contribute to risk reduction by establishing expectations and standards for personnel, reducing the likelihood of inadvertent security breaches.
A 6.03 | Yes | Providing awareness, education, and training helps prevent security incidents by ensuring that personnel understand the importance of information security and are equipped with the knowledge to act securely.
A 6.04 | Yes | A formalized disciplinary process serves as a deterrent, discouraging personnel from engaging in activities that violate information security policies and jeopardize the organization's security.
A 6.05 | Yes | Defining and enforcing information security responsibilities after termination safeguards against potential data breaches or unauthorized access by former employees, protecting organizational assets.
A 6.06 | Yes | Confidentiality agreements legally bind personnel and interested parties to protect sensitive information, providing a legal basis for action in case of unauthorized disclosure.
A 6.07 | Yes | Implementing security measures for remote working ensures the protection of information accessed or processed outside the organization's premises, mitigating the risk of data breaches.
A 6.08 | Yes | Reports from personnel contribute to effective incident investigations, helping the organization to respond to the security event in a timely manner, understand its nature, and implement necessary corrective actions.
A 7.01 | Yes | Defining physical security perimeters helps protect critical areas containing information and assets, preventing unauthorized access and safeguarding against physical threats.
A 7.02 | Yes | Physical entry controls ensure that only authorized personnel can access work areas, minimizing the risk of unauthorized entry and unwanted overhearing of conversations.
A 7.03 | Yes | Physical security measures for offices, rooms, and facilities safeguard against unauthorized access, theft, and tampering, protecting valuable assets.
A 7.04 | Yes | Knowing that premises are continuously monitored discourages individuals (from within and external) from attempting unauthorized physical access.
A 7.05 | Yes | Protection against physical threats preserves critical assets and infrastructure, reducing the risk of damage or loss and ensuring business continuity.
A 7.06 | Yes | Implementing security measures for working in secure areas ensures the protection of information and assets, minimizing the risk of unauthorized access or data exposure.
A 7.07 | Yes | Enforcing clear desk and clear screen rules fosters a security-conscious culture, promoting responsible handling of information and reducing the risk of unauthorized disclosure.
A 7.08 | Yes | Proper equipment siting and protection measures contribute to the preservation of organizational assets, reducing the risk of equipment failure or loss.
A 7.09 | Yes | Protecting off-site assets safeguards organizational resources, reducing the risk of theft, damage, or unauthorized access to critical information and equipment.
A 7.10 | Yes | Managing storage media throughout its life cycle ensures the secure handling of sensitive information, minimizing the risk of unauthorized access or data exposure, even after the asset is no longer in use and gets “forgotten”.
A 7.11 | Yes | Protecting against utility failures ensures the availability and continuity of information processing facilities, minimizing disruptions caused by power outages or other utility failures.
A 7.12 | Yes | Where needed, protecting cables from interception or interference ensures the integrity of data transmission, reducing the risk of unauthorized access or tampering.
A 7.13 | Yes | Proper maintenance supports the availability, integrity and confidentiality of information by preventing malfunctions or vulnerabilities that could compromise the security of stored data.
A 7.14 | Yes | Verifying the secure disposal or re-use of equipment with storage media ensures the complete removal of sensitive data, minimizing the risk of data breaches or unauthorized access.
A 8.01 | Yes | Implementation of security measures on user endpoint devices is a crucial contribution to reducing the overall vulnerability of devices to cyber threats, unauthorized access and breach of information.
A 8.02 | Yes | Proper management of privileged access rights minimizes the risk of insider threats and unauthorized activities that could compromise the security of organizational assets.
A 8.03 | Yes | Adhering to topic-specific access control policies ensures alignment with organizational security objectives and regulatory requirements.
A 8.04 | Yes | Restricting access to source code ensures the integrity of software development by preventing unauthorized changes that could introduce vulnerabilities or compromise functionality. Furthermore, it reduces the likelihood of theft of IP.
A 8.05 | Yes | Secure authentication ensures that users are who they claim to be, reducing the risk of unauthorized access and protecting sensitive information.
A 8.06 | Yes | Monitoring and adjusting resource usage ensure optimal operational efficiency, preventing performance bottlenecks and downtime.
A 8.07 | Yes | Implementing malware protection measures safeguards against malicious software that could compromise the confidentiality and integrity of organizational data. User awareness contributes to the effective adoption of malware protection.
A 8.08 | Yes | Regular evaluation of the organization's exposure to vulnerabilities fosters a culture of continuous improvement in information security practices. Taking appropriate measures in response to technical vulnerabilities demonstrates proactive risk management.
A 8.09 | Yes | Configuration management minimizes the risk of unauthorized changes or misconfigurations that could introduce vulnerabilities or compromise the integrity of information systems.
A 8.10 | Yes | Deleting information in accordance with organizational and regulatory requirements demonstrates responsible data management practices and reduces the risk of unauthorized access to sensitive or outdated information.
A 8.11 | Yes | Data masking protects sensitive information by replacing, encrypting, or obfuscating certain data elements, minimizing the risk of unauthorized (intentional and unintentional) disclosure.
A 8.12 | Yes | Data leakage prevention measures safeguard against unauthorized disclosure or loss that could compromise confidentiality, and should therefore be built in from the introduction of a new asset onwards.
A 8.13 | Yes | Maintaining backup copies mitigates the risk of data loss due to accidental deletion, hardware failures, or other unforeseen events, enhancing overall risk management. Regular tests that backups can indeed be restored support business continuity by providing a means to recover critical data and systems in case a data loss or system failure materializes.
A 8.14 | Yes | Implementing redundancy safeguards against downtime by providing alternative paths for data processing, minimizing the impact of potential failures.
A 8.15 | Yes | Logging facilitates the monitoring of activities, allowing organizations to detect and respond to security incidents, anomalies, or unauthorized access.
A 8.16 | Yes | Proactive monitoring allows us to respond swiftly to potential security incidents, mitigating the impact and preventing further compromise.
A 8.17 | Yes | Clock synchronization ensures accurate time-stamping of events in logs, supporting accurate analysis and correlation of security events.
A 8.18 | Yes | Tightly controlling privileged utility programs prevents unauthorized modifications of settings or access that could compromise information security.
A 8.19 | Yes | Secure software installation procedures ensure that only authorized and vetted software is installed on operational systems, reducing the risk of security vulnerabilities.
A 8.20 | Yes | Securing networks protects the confidentiality of information by preventing unauthorized access and interception of data during transmission.
A 8.21 | Yes | Monitoring SLAs and other service requirements ensures the reliability and availability of network services, supporting uninterrupted business operations.
A 8.22 | Yes | Network segregation separates information flows that could otherwise interfere with each other, and thus helps prevent data breaches.
A 8.23 | Yes | Web filtering reduces the risk of users accessing malicious websites or content that could introduce malware, enhancing overall cybersecurity measures.
A 8.24 | Yes | Effective use of cryptography protects the confidentiality of data by encrypting sensitive information, preventing unauthorized access or interception.
A 8.25 | Yes | Secure development practices contribute to the protection of code and data by minimizing the potential for security flaws or weaknesses in software applications.
A 8.26 | Yes | Identifying and specifying security requirements before application development or acquisition minimizes the risk of security vulnerabilities.
A 8.27 | Yes | Applying secure system architecture and engineering principles enhances the resilience of the application architecture against potential threats and vulnerabilities.
A 8.28 | Yes | Applying secure coding principles helps prevent vulnerabilities in software, reducing the risk of exploitation by malicious or simply naive actors.
A 8.29 | Yes | Security testing in development and acceptance helps detect and address vulnerabilities early in the software development life cycle, minimizing the risk of security incidents once the code is live on operational systems.
A 8.30 | Yes | Directing, monitoring, and reviewing outsourced development activities enables effective risk management by ensuring that security requirements are met and implemented by external parties.
A 8.31 | Yes | Separating development, test, and production environments helps prevent unintended consequences or disruptions to operational systems during testing or development activities. Moreover, it opens the possibility for diligent testing of new code that could potentially affect information security aspects.
A 8.32 | Yes | Change management procedures help control and mitigate risks associated with modifications to information processing, ensuring changes are implemented in a secure and controlled manner.
A 8.33 | Yes | Appropriate selection and protection of test information contribute to maintaining confidentiality over original and real data where needed.
A 8.34 | Yes | Planning and agreement between the tester and management ensure that audit testing activities do not disrupt normal operational systems, supporting business continuity.