
Aimes Grid Services (CIC)

Issue Date: 06-Dec-2007

SOA ISO 27001:2005 Statement of Applicability

A.5 Security Policy

A.5.1 Information Security Policy

A.5.1.1 Information security policy document. Adopted: Yes. Justification: Security Policy has been approved by the Data Centre manager.
A.5.1.2 Review of the information security policy. Adopted: Yes. Justification: The Security Policy is reviewed for continuing applicability at intervals not exceeding 12 months.

A.6 Organisation of Information Security

A.6.1 Internal Organization

A.6.1.1 Management Commitment to Information Security. Adopted: Yes. Justification: Management have demonstrated their commitment to information security by the allocation of resources and investment in their people.
A.6.1.2 Information Security Co-ordination. Adopted: Yes. Justification: Within the data centre, all information security activities are co-ordinated.

Document Name: ISO270011SC01StatementOfApplicability102.doc  Security Classification: Public


A.6.1.3 Allocation of Information Security Responsibilities. Adopted: Yes. Justification: All Staff need to fully understand their responsibilities and procedures related to information security.
A.6.1.4 Authorisation Process for Information Processing Facilities. Adopted: Yes. Justification: A change request is required for any new processing facilities.
A.6.1.5 Confidentiality Agreements. Adopted: Yes. Justification: Confidentiality Agreements for the protection of information are identified and regularly reviewed.
A.6.1.6 Contact with Authorities. Adopted: No. Justification: Unnecessary owing to scope of registration.
A.6.1.7 Contact with special interest groups. Adopted: No. Justification: Unnecessary owing to scope of registration (rely on automatic update for security and anti-virus protection).
A.6.1.8 Independent review of information security. Adopted: Yes. Justification: This is conducted at least once a year by an internal/external independent body.

A.6.2 External Parties

A.6.2.1 Identification of Risks related to external Parties. Adopted: Yes. Justification: External parties have access to the data centre.
A.6.2.2 Addressing security when dealing with customers. Adopted: Yes. Justification: Customers have access to the data centre.
A.6.2.3 Addressing security in third party agreements. Adopted: Yes. Justification: Third party controls employed.


A.7 Asset Management

A.7.1 Responsibility for Assets

A.7.1.1 Inventory of assets. Adopted: Yes. Justification: A record of all information assets is kept on-site.
A.7.1.2 Ownership of assets. Adopted: Yes. Justification: All assets in the scope of this registration are owned by the Data Centre Manager.
A.7.1.3 Acceptable use of assets. Adopted: Yes. Justification: Acceptable use of assets is laid down in the policies & procedures of the system.

A.7.2 Information Classification

A.7.2.1 Classification guidelines. Adopted: Yes. Justification: All data is held electronically and is application specific.
A.7.2.2 Information labelling and handling. Adopted: Yes. Justification: Impractical and unnecessary.


A.8 Human Resources Security

A.8.1 Prior to employment

A.8.1.1 Roles and responsibilities. Adopted: Yes. Justification: All employees have job descriptions defining their roles and responsibilities.
A.8.1.2 Screening. Justification: Data centre standards require independent references be sought prior to commencement of employment. Verification of the accuracy of CVs is also undertaken, and identity checks.
A.8.1.3 Terms and conditions of employment. Justification: All employees have job security responsibilities included in their terms and conditions of employment.

A.8.2 During employment

A.8.2.1 Management responsibilities. Adopted: Yes. Justification: All applicable personnel made aware of their responsibilities with regard to security.
A.8.2.2 Information security awareness, education and training. Adopted: Yes. Justification: All staff receive on-site security training with regards to ISO27001 where needed.
A.8.2.3 Disciplinary process. Adopted: Yes. Justification: All staff have been made fully aware of their responsibilities regarding information security.


A.8.3 Termination or change of employment

A.8.3.1 Termination responsibilities. Adopted: Yes. Justification: To prevent unauthorized access following termination of employment contract.
A.8.3.2 Return of assets. Adopted: Yes. Justification: To ensure return of all company assets.
A.8.3.3 Removal of access rights. Adopted: Yes. Justification: To ensure no unauthorized access following termination of employment contract.

A.9 Physical and environmental security

A.9.1 Secure areas

A.9.1.1 Physical Security Perimeter. Adopted: Yes. Justification: The building is situated in a business park and perimeter controls are in place.
A.9.1.2 Physical Entry Controls. Adopted: Yes. Justification: Controlled access to all areas is necessary.
A.9.1.3 Securing Offices, Rooms and facilities. Adopted: Yes. Justification: To prevent unauthorised access to sensitive equipment.
A.9.1.4 Protecting against external and environmental threats. Adopted: Yes. Justification: To ensure continuity of service.
A.9.1.5 Working in Secure Areas. Adopted: Yes. Justification: Protection of both staff and equipment.
A.9.1.6 Public access, delivery and loading areas. Adopted: Yes. Justification: Deliveries are made to the data centre.

A.9.2 Equipment Security

A.9.2.1 Equipment siting and protection. Adopted: Yes. Justification: To protect against environmental and physical threats.
A.9.2.2 Supporting utilities. Adopted: Yes. Justification: Equipment running twenty four hours, seven days a week.
A.9.2.3 Cabling security. Adopted: Yes. Justification: False floors to carry IT cabling.
A.9.2.4 Equipment maintenance. Adopted: Yes. Justification: Data centre requirement. Equipment needs to be maintained to ensure continued availability.
A.9.2.5 Security of equipment off premises. Adopted: Yes. Justification: Home working by some staff.
A.9.2.6 Secure disposal or re-use of equipment. Adopted: Yes. Justification: All client data held electronically needs to be disposed of securely.
A.9.2.7 Removal of property. Adopted: Yes. Justification: Authorised staff have removable IT equipment.

A.10 Communications and operations management

A.10.1 Operational procedures and responsibilities

A.10.1.1 Documented operating procedures. Adopted: Yes. Justification: AGS employees will follow appropriate operating instructions.
A.10.1.2 Change management. Adopted: Yes. Justification: Adopted as best practice.
A.10.1.3 Segregation of duties. Adopted: Yes. Justification: To prevent unauthorised modification of IT systems or abuse of position.
A.10.1.4 Separation of development, test and operational facilities. Adopted: No. Justification: No development done at/by the Data Centre.

A.10.2 Third party service delivery management

A.10.2.1 Service delivery. Adopted: Yes. Justification: 3rd party services are used.
A.10.2.2 Monitoring and review of third party services. Adopted: Yes. Justification: Monitoring & review take place to ensure continuity of service.
A.10.2.3 Managing changes to third party services. Adopted: Yes. Justification: Managing changes to ensure continuity of service.

A.10.3 System planning and acceptance

A.10.3.1 Capacity management. Adopted: Yes. Justification: Growth is core to the business.
A.10.3.2 System acceptance. Adopted: Yes. Justification: To ensure all systems are acceptable prior to installation.

A.10.4 Protection against malicious and mobile code

A.10.4.1 Controls against malicious code. Adopted: Yes. Justification: Protection against malicious code.
A.10.4.2 Controls against mobile code. Adopted: Yes. Justification: System administrators have access to DMZ zones.

A.10.5 Back-up

A.10.5.1 Information back-up. Adopted: Yes. Justification: To prevent the permanent loss of important information assets.

A.10.6 Network security management

A.10.6.1 Network controls. Adopted: Yes. Justification: Safeguarding of information in networks.
A.10.6.2 Security of network services. Adopted: No. Justification: Do not provide any network services.

A.10.7 Media Handling

A.10.7.1 Management of Removable Media. Adopted: Yes. Justification: There are times when information is stored temporarily on removable media such as laptops.
A.10.7.2 Disposal of Media. Adopted: Yes. Justification: Need to make sure that no confidential information is leaked.
A.10.7.3 Information Handling Procedures. Adopted: Yes. Justification: To ensure business continuity and prevent disruption.
A.10.7.4 Security of System Documentation. Adopted: Yes. Justification: Documentation held in both hard and electronic format.

A.10.8 Exchange of information

A.10.8.1 Information exchange policies and procedures. Adopted: Yes. Justification: Contracts requirement.
A.10.8.2 Exchange agreements. Adopted: Yes. Justification: Contracts requirement.
A.10.8.3 Physical media in transit. Adopted: Yes. Justification: Tape backup transported to AGS Fire Safe.
A.10.8.4 Electronic messaging. Adopted: Yes. Justification: All staff have access to a company e-mail account.
A.10.8.5 Business information systems. Adopted: No. Justification: No interconnected business systems.


A.10.9 Electronic commerce services

A.10.9.1 Electronic Commerce. Adopted: No. Justification: No E-commerce facilities used in ISMS.
A.10.9.2 On-line transactions. Adopted: No. Justification: No E-commerce facilities used in ISMS.
A.10.9.3 Publicly available information. Adopted: Yes. Justification: All information has a security classification.

A.10.10 Monitoring

A.10.10.1 Audit logging. Adopted: Yes. Justification: User activities, exceptions, and information security events are recorded and kept for an agreed period to assist in future investigations and access control monitoring.
A.10.10.2 Monitoring system use. Adopted: Yes. Justification: Procedures have been developed for monitoring system use.
A.10.10.3 Protection of log information. Adopted: Yes. Justification: Generated log information is well protected against tampering and unauthorized access.
A.10.10.4 Administrator and operator logs. Adopted: Yes. Justification: System/Database Administrator activities are monitored and logged.
A.10.10.5 Fault logging. Adopted: Yes. Justification: A log of all faults is kept in the IT department.
A.10.10.6 Clock synchronization. Adopted: Yes. Justification: All clocks are synchronised to GMT.


A.11 Access control

A.11.1 Business requirement for access control

A.11.1.1 Access control policy. Adopted: Yes. Justification: For the protection of sensitive data and systems.

A.11.2 User access management

A.11.2.1 User registration. Adopted: Yes. Justification: To prevent unauthorised access to information systems.
A.11.2.2 Privilege management. Adopted: Yes. Justification: Certain positions carry privileges.
A.11.2.3 User password management. Adopted: Yes. Justification: All applications need password protection.
A.11.2.4 Review of user access rights. Adopted: Yes. Justification: Required to be reviewed periodically.

A.11.3 User responsibilities

A.11.3.1 Password use. Adopted: Yes. Justification: To ensure availability of systems.
A.11.3.2 Unattended user equipment. Adopted: Yes. Justification: By User Equipment we mean the administrators' workstations.
A.11.3.3 Clear desk and clear screen policy. Adopted: Yes. Justification: Although assets are sited in a secure area, information displayed on screen (or on paper) may be confidential.

A.11.4 Network access control

A.11.4.1 Policy on use of network services. Adopted: Yes. Justification: Networked services available to authorised personnel.
A.11.4.2 User authentication for external connections. Adopted: Yes. Justification: Home workers use Dial in services for remote access.
A.11.4.3 Equipment identification in networks. Adopted: Yes. Justification: Automatic identification is used for servers and networks.
A.11.4.4 Remote diagnostic and configuration port protection. Adopted: Yes. Justification: Remote diagnostic and configuration access, via Dell open managed.
A.11.4.5 Segregation in networks. Adopted: Yes. Justification: Networks segregated for the control of unauthorised access.
A.11.4.6 Network connection control. Adopted: Yes. Justification: To control access in accordance with the access control policy.
A.11.4.7 Network routing control. Adopted: Yes. Justification: To prevent unauthorised access in shared networks.

A.11.5 Operating system access control

A.11.5.1 Secure log on procedures. Adopted: Yes. Justification: To control and manage user access.
A.11.5.2 User identification and authentication. Adopted: Yes. Justification: To maintain records and monitor unauthorised activities.
A.11.5.3 Password management system. Adopted: No. Justification: To control and manage user passwords.
A.11.5.4 Use of system utilities. Adopted: No. Justification: No utility programs are allowed to run on application servers.
A.11.5.5 Session time out. Adopted: No. Justification: Only administrators can access the operating systems of the servers via their desktops. The desktops are sited in a secure environment with controlled access. Hence having a session time-out policy is not deemed necessary at this time.
A.11.5.6 Limitation of connection time. Justification: Only administrators can access the operating systems of the servers via their desktops. The desktops are sited in a secure environment with controlled access. Hence having a connection time limit is not deemed necessary at this time.

A.11.6 Application and information access control

A.11.6.1 Information access restriction. Adopted: Yes. Justification: A need to know policy is employed.
A.11.6.2 Sensitive system isolation. Adopted: Yes. Justification: All systems are treated as sensitive.

A.11.7 Mobile Computing and teleworking

A.11.7.1 Mobile Computing and communications. Adopted: Yes. Justification: Used by system administrators to identify system failures and restart essential services after failure.
A.11.7.2 Teleworking. Justification: AGS staff do not do teleworking.


A.12 Information systems acquisition, development and maintenance

A.12.1 Security requirements of information systems

A.12.1.1 Security Requirements Analysis and Specification. Adopted: Yes. Justification: Data centre does not do any development, maintenance or support of application system software. However any enhancements to hardware (i.e. extra disks, etc.) require a change request. Reference: Change Request.

A.12.2 Correct processing in applications

A.12.2.1 Input Data Validation. Adopted: No. Justification: Data centre does not do any development, maintenance or support of application system software. Reference: n/a.
A.12.2.2 Control of Internal Processing. Adopted: No. Justification: Data centre does not do any development, maintenance or support of application system software. Reference: n/a.
A.12.2.3 Message integrity. Adopted: No. Justification: Data centre does not do any development, maintenance or support of application system software. Reference: n/a.
A.12.2.4 Output Data Validation. Justification: Data centre does not do any development, maintenance or support of application system software. Reference: n/a.

A.12.3 Cryptographic controls

A.12.3.1 Policy on the Use of Cryptographic Controls. Adopted: No. Justification: Cryptographic Controls are application specific and not supported by AGS. Reference: n/a.
A.12.3.2 Key Management. Adopted: No. Justification: Cryptographic Controls are application specific and not supported by AGS. Reference: n/a.


A.12.4 Security of system files

A.12.4.1 Control of Operational Software. Adopted: Yes. Justification: To prevent unauthorised change control. Reference: Change control policy.
A.12.4.2 Protection of System Test Data. Adopted: No. Justification: Data centre does not do any development, maintenance or support of application system software. Reference: n/a.
A.12.4.3 Access Control to Program Source code. Adopted: Yes. Justification: Source code held as backup only. Reference: Backup Procedure.

A.12.5 Security in development and support processes

A.12.5.1 Change Control Procedures. Adopted: Yes. Justification: Any data centre asset change requires a change request. Reference: Change control policy; Maintenance schedules and Logs.

A.12.5.2 Technical Review of applications after Operating System Changes. Justification: Not in remit of data centre, but do inform owners of applications of when operating systems changes have been made. Reference: n/a.
A.12.5.3 Restrictions on Changes to Software Packages. Justification: Software packages are not used by AGS. (Application software controlled by change control procedure.)
A.12.5.4 Information leakage. Adopted: Yes. Justification: Opportunities for information leakage need to be prevented. Reference: Access control policy.
A.12.5.5 Outsourced Software Development. Adopted: No. Justification: Software development is not done by AGS. Reference: N/a.

A.12.6 Technical vulnerability management

A.12.6.1 Control of technical vulnerabilities. Justification: Technical vulnerabilities need to be managed. Reference: Risk Assessment.

A.13 Information security incident management

A.13.1 Reporting information security events and weaknesses

A.13.1.1 Reporting information security events. Adopted: Yes. Justification: All security problems are notified to the Data Centre Manager. Reference: Reporting Security Incidents Procedure.
A.13.1.2 Reporting security weaknesses. Adopted: Yes. Justification: All security problems are notified to the Data Centre Manager. Reference: Reporting Security Incidents Procedure.

A.13.2 Management of information security incidents and improvements

A.13.2.1 Responsibilities and procedures. Adopted: Yes. Justification: Responsibilities and procedures need to be clearly defined. Reference: Roles and Responsibilities; Reporting Security Incidents Procedure.
A.13.2.2 Learning from information security incidents. Adopted: Yes. Justification: Lessons learned need evaluating to prevent further incidents. Reference: Learning from Security Incidents.
A.13.2.3 Collection of evidence. Adopted: Yes. Justification: Collection of evidence is required. Reference: Learning from Security Incidents.


A.14 Business Continuity Management

A.14.1 Information security aspects of business continuity management

A.14.1.1 Including information security in the business continuity management process. Adopted: Yes. Justification: To counteract major failures or catastrophes. Reference: Business Continuity Plans.
A.14.1.2 Business continuity and risk assessment. Adopted: Yes. Justification: To know that the strategy adopted is feasible, planned and effective. Reference: Risk Assessment Procedure.
A.14.1.3 Developing and implementing continuity plans including information security. Adopted: Yes. Justification: To ensure a structured and managed approach to restoring business functionality. Reference: Business Continuity Plans.
A.14.1.4 Business continuity planning framework. Adopted: No. Justification: Single BCP in place at Aimes Grid Services (CIC). Reference: n/a.
A.14.1.5 Testing, maintaining and re-assessing business continuity plans. Adopted: Yes. Justification: For on-going verification and validation of an effective approach to BCP. Reference: Business Continuity Plan Test Policy.

A.15 Compliance

A.15.1 Compliance with legal requirements

A.15.1.1 Identification of applicable legislation. Adopted: Yes. Justification: Legal/Mandatory requirement. Reference: Compliance with Legal Requirements.
A.15.1.2 Intellectual property rights (IPR). Adopted: Yes. Justification: ISMS only uses legal / licensed software. Reference: Compliance with Legal Requirements.
A.15.1.3 Protection of organizational records. Adopted: Yes. Justification: ISMS complies with industry, legal and contract requirements. Reference: Compliance with Legal Requirements.
A.15.1.4 Data protection and privacy of personal information. Adopted: Yes. Justification: ISMS is legally required to register all personnel records under the Data Protection Act 1998. Reference: Compliance with Legal Requirements.
A.15.1.5 Prevention of misuse of information processing facilities. Adopted: Yes. Justification: To ensure that all employees are aware of the policy on the use of company information processing facilities. Reference: Compliance with Legal Requirements.
A.15.1.6 Regulation of cryptographic controls. Adopted: No. Justification: Cryptography not used. Reference: N/a.

A.15.2 Compliance with security policies and standards, and technical compliance

A.15.2.1 Compliance with security policies and standards. Adopted: Yes. Justification: Management ensure all security procedures are carried out correctly to achieve compliance with security policies and standards. Reference: Audit procedure.
A.15.2.2 Technical compliance checking. Justification: Conducted by audit specialists to ensure compliance with security policies and standards. Reference: Audit Compliance.

A.15.3 Information systems audit considerations

A.15.3.1 Information systems audit controls. Adopted: Yes. Justification: Internal audit team conduct regular audits of all policies and procedures adopted by the company to ensure effective implementation. Reference: n/a.
A.15.3.2 Protection of information system audit tools. Justification: Controlled by IT manager to prevent misuse or compromise. Reference: n/a.
