Microlise Group Plc ISO 27001 Statement of Applicability

ISO 27001:2022 Controls

| Section | Control | Control Objective/Control | App | Reason |
|---|---|---|---|---|
| A5 Organisational Controls | A.5.1 | Policies for information security | Y | BR/BP |
| A5 Organisational Controls | A.5.2 | Information security roles and responsibilities | Y | BR/BP |
| A5 Organisational Controls | A.5.3 | Segregation of duties | Y | BR/BP |
| A5 Organisational Controls | A.5.4 | Management responsibilities | Y | BR/BP |
| A5 Organisational Controls | A.5.5 | Contact with authorities | Y | BR/BP |
| A5 Organisational Controls | A.5.6 | Contact with special interest groups | Y | BR/BP |
| A5 Organisational Controls | A.5.7 | Threat intelligence | Y | BR/BP/RRA |
| A5 Organisational Controls | A.5.8 | Information security in project management | Y | BR/BP |
| A5 Organisational Controls | A.5.9 | Inventory of information and other associated assets | Y | BR/BP/RRA |
| A5 Organisational Controls | A.5.10 | Acceptable use of information and other associated assets | Y | BR/BP |
| A5 Organisational Controls | A.5.11 | Return of assets | Y | BR/BP |
| A5 Organisational Controls | A.5.12 | Classification of information | Y | BR/BP |
| A5 Organisational Controls | A.5.13 | Labelling of information | Y | BR/BP |
| A5 Organisational Controls | A.5.14 | Information transfer | Y | BR/BP |
| A5 Organisational Controls | A.5.15 | Access control | Y | BR/BP |
| A5 Organisational Controls | A.5.16 | Identity management | Y | BR/BP |
| A5 Organisational Controls | A.5.17 | Authentication information | Y | BR/BP |
| A5 Organisational Controls | A.5.18 | Access rights | Y | BR/BP |
| A5 Organisational Controls | A.5.19 | Information security in supplier relationships | Y | BR/BP |
| A5 Organisational Controls | A.5.20 | Addressing information security within supplier agreements | Y | BR/BP |
| A5 Organisational Controls | A.5.21 | Managing information security in the information and communication technology (ICT) supply chain | Y | BR/BP |
| A5 Organisational Controls | A.5.22 | Monitoring, review and change management of supplier services | Y | BR/BP |
| A5 Organisational Controls | A.5.23 | Information security for use of cloud services | Y | BR/BP |
| A5 Organisational Controls | A.5.24 | Information security incident management planning and preparation | Y | BR/BP |
| A5 Organisational Controls | A.5.25 | Assessment and decision on information security events | Y | BR/BP |
| A5 Organisational Controls | A.5.26 | Response to information security incidents | Y | BR/BP/CO |
| A5 Organisational Controls | A.5.27 | Learning from information security incidents | Y | BR/BP |
| A5 Organisational Controls | A.5.28 | Collection of evidence | Y | BR/BP |
| A5 Organisational Controls | A.5.29 | Information security during disruption | Y | BR/BP |
| A5 Organisational Controls | A.5.30 | ICT readiness for business continuity | Y | BR/BP |
| A5 Organisational Controls | A.5.31 | Legal, statutory, regulatory and contractual requirements | Y | BR/BP |
| A5 Organisational Controls | A.5.32 | Intellectual property rights | Y | BR/BP |
| A5 Organisational Controls | A.5.33 | Protection of records | Y | BR/BP |
| A5 Organisational Controls | A.5.34 | Privacy and protection of personally identifiable information (PII) | Y | BR/BP |
| A5 Organisational Controls | A.5.35 | Independent review of information security | Y | BR/BP |
| A5 Organisational Controls | A.5.36 | Compliance with policies, rules and standards for information security | Y | BR/BP |
| A5 Organisational Controls | A.5.37 | Documented operating procedures | Y | BR/BP |
| A6 People Controls | A.6.1 | Screening | Y | BR/BP/CO |
| A6 People Controls | A.6.2 | Terms and conditions of employment | Y | BR/BP/CO |
| A6 People Controls | A.6.3 | Information security awareness, education and training | Y | BR/BP/RRA |
| A6 People Controls | A.6.4 | Disciplinary process | Y | BR/BP/CO |
| A6 People Controls | A.6.5 | Responsibilities after termination or change of employment | Y | BR/BP/CO |
| A6 People Controls | A.6.6 | Confidentiality or non-disclosure agreements | Y | BR/BP/CO |
| A6 People Controls | A.6.7 | Remote working | Y | BR/BP/CO |
| A6 People Controls | A.6.8 | Information security event reporting | Y | BR/BP/CO |
| A7 Physical Controls | A.7.1 | Physical security perimeters | Y | BR/BP |
| A7 Physical Controls | A.7.2 | Physical entry | Y | BR/BP |
| A7 Physical Controls | A.7.3 | Securing offices, rooms and facilities | Y | RRA |
| A7 Physical Controls | A.7.4 | Physical security monitoring | Y | RRA |
| A7 Physical Controls | A.7.5 | Protecting against physical and environmental threats | Y | RRA |
| A7 Physical Controls | A.7.6 | Working in secure areas | Y | RRA |
| A7 Physical Controls | A.7.7 | Clear desk and clear screen | Y | BR/BP |
| A7 Physical Controls | A.7.8 | Equipment siting and protection | Y | RRA |
| A7 Physical Controls | A.7.9 | Security of assets off-premises | Y | RRA |
| A7 Physical Controls | A.7.10 | Storage media | Y | BR/BP |
| A7 Physical Controls | A.7.11 | Supporting utilities | Y | RRA |
| A7 Physical Controls | A.7.12 | Cabling security | Y | RRA |
| A7 Physical Controls | A.7.13 | Equipment maintenance | Y | RRA |
| A7 Physical Controls | A.7.14 | Secure disposal or re-use of equipment | Y | RRA |
| A8 Technological Controls | A.8.1 | User endpoint devices | Y | BR/BP |
| A8 Technological Controls | A.8.2 | Privileged access rights | Y | BR/BP/RRA |
| A8 Technological Controls | A.8.3 | Information access restriction | Y | BR/BP |
| A8 Technological Controls | A.8.4 | Access to source code | Y | BR/BP |
| A8 Technological Controls | A.8.5 | Secure authentication | Y | BR/BP |
| A8 Technological Controls | A.8.6 | Capacity management | Y | BR/BP |
| A8 Technological Controls | A.8.7 | Protection against malware | Y | BR/BP |
| A8 Technological Controls | A.8.8 | Management of technical vulnerabilities | Y | BR/BP/RRA |
| A8 Technological Controls | A.8.9 | Configuration management | Y | BR/BP |
| A8 Technological Controls | A.8.10 | Information deletion | Y | BR/BP |
| A8 Technological Controls | A.8.11 | Data masking | Y | BR/BP |
| A8 Technological Controls | A.8.12 | Data leakage prevention | Y | BR/BP |
| A8 Technological Controls | A.8.13 | Information backup | Y | BR/BP |
| A8 Technological Controls | A.8.14 | Redundancy of information processing facilities | Y | BR/BP/RRA |
| A8 Technological Controls | A.8.15 | Logging | Y | BR/BP/RRA |
| A8 Technological Controls | A.8.16 | Monitoring activities | Y | BR/BP |
| A8 Technological Controls | A.8.17 | Clock synchronization | Y | BR/BP |
| A8 Technological Controls | A.8.18 | Use of privileged utility programs | Y | BR/BP |
| A8 Technological Controls | A.8.19 | Installation of software on operational systems | Y | BR/BP |
| A8 Technological Controls | A.8.20 | Networks security | Y | BR/BP/RRA |
| A8 Technological Controls | A.8.21 | Security of network services | Y | BR/BP |
| A8 Technological Controls | A.8.22 | Segregation of networks | Y | BR/BP |
| A8 Technological Controls | A.8.23 | Web filtering | Y | BR/BP |
| A8 Technological Controls | A.8.24 | Use of cryptography | Y | BR/BP |
| A8 Technological Controls | A.8.25 | Secure development life cycle | Y | BR/BP |
| A8 Technological Controls | A.8.26 | Application security requirements | Y | BR/BP |
| A8 Technological Controls | A.8.27 | Secure system architecture and engineering principles | Y | BR/BP |
| A8 Technological Controls | A.8.28 | Secure coding | Y | BR/BP |
| A8 Technological Controls | A.8.29 | Security testing in development and acceptance | Y | BR/BP |
| A8 Technological Controls | A.8.30 | Outsourced development | Y | BR/BP |
| A8 Technological Controls | A.8.31 | Separation of development, test and production environments | Y | BR/BP |
| A8 Technological Controls | A.8.32 | Change management | Y | BR/BP |
| A8 Technological Controls | A.8.33 | Test information | Y | BR/BP |
| A8 Technological Controls | A.8.34 | Protection of information systems during audit testing | Y | BR/BP |