| Control | Title | Implementation statement |
|---|---|---|
| A.5 | Information security policies | |
| A.5.1 | Management direction for information security | |
| A.5.1.1 | Policies for information security | Information security policies are established, approved by management, and reviewed at least annually to ensure their continued suitability and effectiveness. |
| A.5.1.2 | Review of the policies for information security | Each policy has a designated owner who reviews the document at planned intervals to ensure its continued adequacy and effectiveness. |
| A.6 | Organization of information security | |
| A.6.1 | Internal organization | |
| A.6.1.1 | Information security roles and responsibilities | Roles are clearly defined: the CEO holds ultimate accountability for the ISMS, while the CTO manages the operational technical controls. |
| A.6.1.2 | Segregation of duties | Conflicting duties and areas of responsibility are segregated to reduce opportunities for unauthorized modification or misuse of assets. |
| A.6.1.3 | Contact with authorities | The CEO is responsible for notifying the police or the relevant regulatory bodies in the event of a significant security breach or legal issue. |
| A.6.1.4 | Contact with special interest groups | The CTO is responsible for monitoring security forums and groups for emerging threat information and security best practices. |
| A.6.1.5 | Information security in project management | Project managers must integrate information security requirements into all project planning and execution phases to mitigate risk. |
| A.6.2 | Mobile devices and teleworking | |
| A.6.2.1 | Mobile device policy | Mobile devices are permitted, but when they are used off-site, special care must be taken to ensure that confidential data is not accidentally exposed, read, or accessed by unauthorized persons. |
| A.6.2.2 | Teleworking | Remote work is permitted provided that the organization's security standards for endpoint encryption and secure access are strictly maintained. |
| A.7 | Human resource security | |
| A.7.1 | Prior to employment | |
| A.7.1.1 | Screening | HR conducts background checks, including CV verification and criminal record checks, for all candidates prior to hiring. |
| A.7.1.2 | Terms and conditions of employment | Employment agreements must include a Statement of Acceptance of the ISMS documents and a binding confidentiality clause. |
| A.7.2 | During employment | |
| A.7.2.1 | Management responsibilities | Management ensures that all personnel and suppliers implement and adhere to the established security policies and procedures. |
| A.7.2.2 | Information security awareness, education and training | Employees receive regular security awareness training so that they understand their responsibilities and the latest security threats. |
| A.7.2.3 | Disciplinary process | A formal disciplinary process is in place to address security violations and non-compliance by employees or contractors. |
| A.7.3 | Termination and change of employment | |
| A.7.3.1 | Termination or change of employment responsibilities | Confidentiality and security responsibilities remain in force after the termination or change of an individual's employment. |
| A.8 | Asset management | |
| A.8.1 | Responsibility for assets | |
| A.8.1.1 | Inventory of assets | An inventory of all information assets is maintained, identifying each asset's owner, location, and classification level. |
| A.8.1.2 | Ownership of assets | Every identified asset is assigned a specific owner who is responsible for its protection and lifecycle management. |
| A.8.1.3 | Acceptable use of assets | Assets are used only for business purposes and in accordance with the rules defined in the Acceptable Use Policy. |
| A.8.1.4 | Return of assets | All company-owned assets must be returned by employees and contractors immediately upon termination of their relationship with the organization. |
| A.8.2 | Information classification | |
| A.8.2.1 | Classification of information | Information is classified as Public, Internal, Confidential, or PII according to its value, legal requirements, and sensitivity. |
| A.8.2.2 | Labelling of information | Information is labelled according to its classification level to ensure it is handled with the appropriate level of protection. |
| A.8.2.3 | Handling of assets | Procedures are established for handling assets according to their classification to prevent unauthorized disclosure or loss. |
| A.8.3 | Media handling | |
| A.8.3.1 | Management of removable media | The use of removable media is restricted and managed to prevent unauthorized data transfer and the introduction of malware. |
| A.8.3.2 | Disposal of media | Media containing sensitive or confidential information must be disposed of securely so that the data cannot be recovered. |
| A.8.3.3 | Physical media transfer | Physical transfer of media must be protected against unauthorized access and tracked throughout transportation. |
| A.9 | Access control | |
| A.9.1 | Business requirements of access control | |
| A.9.1.1 | Access control policy | Access to information is restricted according to the principle of least privilege and a legitimate business need to know. |
| A.9.1.2 | Access to networks and network services | Network access is limited to authorized users and services; all external connections are strictly controlled and monitored. |
| A.9.2 | User access management | |
| A.9.2.1 | User registration and de-registration | Formal processes are in place for the registration and de-registration of users to control access to systems and data. |
| A.9.2.2 | User access provisioning | User access is provisioned with the minimum rights required for the user's specific job function. |
| A.9.2.3 | Management of privileged access rights | The use of privileged access rights (e.g., administrator accounts) is strictly restricted to authorized users and is monitored. |
| A.9.2.4 | Management of secret authentication information of users | Secret authentication information (passwords, MFA secrets) is managed according to strict standards for strength and rotation. |
| A.9.2.5 | Review of user access rights | User access rights are reviewed every six months to confirm they remain appropriate and necessary for the user's current role. |
| A.9.2.6 | Removal or adjustment of access rights | Access rights are adjusted or removed immediately upon a change in employment status, role, or termination. |
| A.9.3 | User responsibilities | |
| A.9.3.1 | Use of secret authentication information | Users must use unique credentials and strong multi-factor authentication (MFA) to access applications and databases. |
| A.9.4 | System and application access control | |
| A.9.4.1 | Information access restriction | Access to information and application functions is restricted to authorized users in accordance with the access control policy. |
| A.9.4.2 | Secure log-on procedures | A secure log-on process is mandatory on all networked computers to verify identity before access is granted. |
| A.9.4.3 | Password management system | Password management systems enforce strong, unique credentials and periodic rotation to prevent unauthorized access. |
| A.9.4.4 | Use of privileged utility programs | Privileged utility programs capable of overriding system controls are strictly restricted to authorized administrators, and their use is monitored. |
| A.9.4.5 | Access control to program source code | Access to program source code is restricted to authorized developers in accordance with the Secure Development Policy. |
| A.10 | Cryptography | |
| A.10.1 | Cryptographic controls | |
| A.10.1.1 | Policy on the use of cryptographic controls | Cryptographic controls protect sensitive data at rest and in transit; access to encryption keys is restricted to authorized users. |
| A.10.1.2 | Key management | Encryption keys are managed throughout their entire lifecycle, from generation to destruction, to prevent unauthorized access. |
| A.11 | Physical and environmental security | |
| A.11.2 | Equipment | |
| A.11.2.4 | Equipment maintenance | Hardware is regularly maintained to ensure the continued availability, reliability, and security of information. |
| A.11.2.5 | Removal of assets | |
| A.11.2.6 | Security of equipment and assets off-premises | Security must be maintained for assets used off-premises, including full-disk encryption and physical protection. |
| A.11.2.7 | Secure disposal or reuse of equipment | Equipment must be securely wiped of all data before disposal or reuse to prevent data leakage and unauthorized recovery. |
| A.11.2.8 | Unattended user equipment | Users must not leave equipment unattended in a state in which it could be accessed by unauthorized persons. |
| A.11.2.9 | Clear desk and clear screen policy | Screens must lock after 5 minutes of inactivity; sensitive data may not be printed or left visible on desks. |
| A.12 | Operations security | |
| A.12.1 | Operational procedures and responsibilities | |
| A.12.1.1 | Documented operating procedures | Operating procedures for information processing and system management are documented and kept current. |
| A.12.1.2 | Change management | Changes to systems and operations are managed through a formal change control process to minimize security risk. |
| A.12.1.3 | Capacity management | System capacity is monitored and planned to ensure that the required performance and availability levels are maintained. |
| A.12.1.4 | Separation of development, testing and operational environments | Development, testing, and production environments are strictly separated to prevent unauthorized changes to live systems. |
| A.12.2 | Protection from malware | |
| A.12.2.1 | Controls against malware | Endpoint protection, firewalls, and malware detection tools must be active and up to date on all company devices. |
| A.12.3 | Backup | |
| A.12.3.1 | Information backup | Backups of critical information are performed daily and restore-tested quarterly to confirm that data can be restored when needed. |
| A.12.4 | Logging and monitoring | |
| A.12.4.1 | Event logging | Security events and user activities are logged and retained to support monitoring and incident investigation. |
| A.12.4.2 | Protection of log information | Logging facilities and log data are protected against tampering and unauthorized access to preserve their integrity. |
| A.12.4.3 | Administrator and operator logs | System administrator and operator activity logs are maintained and reviewed regularly to detect unauthorized actions. |
| A.12.4.4 | Clock synchronization | The clocks of all relevant systems are synchronized to a single reference time source so that log timestamps are accurate and usable as evidence. |
| A.12.5 | Control of operational software | |
| A.12.5.1 | Installation of software on operational systems | Installation of software on operational systems is governed by a formal authorization process and technical controls so that only approved software is deployed. |
| A.12.6 | Technical vulnerability management | |
| A.12.6.1 | Management of technical vulnerabilities | Technical vulnerabilities are identified through regular vulnerability scanning and remediated through patching. |
| A.12.6.2 | Restrictions on software installation | Users are prevented from installing unauthorized software on company endpoint devices. |
| A.12.7 | Information systems audit considerations | |
| A.12.7.1 | Information systems audit controls | Audit tests on operational systems are planned and controlled to minimize disruption to business processes. |
| A.13 | Communications security | |
| A.13.1 | Network security management | |
| A.13.1.1 | Network controls | Network controls and security features are implemented to protect information in systems and applications. |
| A.13.1.2 | Security of network services | Security requirements and service levels for network services are defined and included in service agreements. |
| A.13.1.3 | Segregation in networks | Network segments (e.g., production and development) are separated to restrict access and contain the impact of a breach. |
| A.13.2 | Information transfer | |
| A.13.2.1 | Information transfer policies and procedures | Policies and procedures are in place for the secure transfer of information over all communication channels. |
| A.13.2.2 | Agreements on information transfer | Agreements are established with external parties for the secure transfer of sensitive data to maintain confidentiality. |
| A.13.2.3 | Electronic messaging | Electronic messaging (email, Slack) is protected against unauthorized access and disclosure using encryption. |
| A.13.2.4 | Confidentiality or nondisclosure agreements | Non-disclosure agreements (NDAs) are used to protect the organization's information assets from disclosure by third parties. |
| A.14 | System acquisition, development and maintenance | |
| A.14.1 | Security requirements of information systems | |
| A.14.1.1 | Information security requirements analysis and specification | Security requirements are analyzed and specified in Confluence during the acquisition or development of new systems. |
| A.14.1.2 | Securing application services on public networks | All application traffic traversing public networks is encrypted using strong protocols (TLS 1.2 or higher); transmitting data over unencrypted HTTP is strictly prohibited. |
| A.14.1.3 | Protecting application services transactions | Application transactions involving sensitive data (PII, payments) use anti-replay mechanisms and robust session management tokens to prevent replay, duplication, and unauthorized alteration of transactions; protection against interception on the wire relies on the TLS requirement in A.14.1.2. |
| A.14.2 | Security in development and support processes | |
| A.14.2.1 | Secure development policy | A Secure Development Policy is followed throughout the software development lifecycle to ensure code security. |
| A.14.2.2 | System change control procedures | Formal change control procedures ensure that changes to information systems are documented, tested, and approved before implementation to minimize security risk. |
| A.14.2.3 | Technical review of applications after operating platform changes | Critical business applications undergo formal review and testing after operating platform changes (e.g., OS or library updates) to confirm that security and functionality are unaffected. |
| A.14.2.4 | Restrictions on changes to software packages | All modifications to production code, configuration, or infrastructure must be initiated via a Pull Request (PR) and require approval from at least one peer or senior developer. |
| A.14.2.5 | Secure system engineering principles | Developers adhere to formal Secure Coding Guidelines, including coding against the OWASP Top 10 vulnerabilities and using automated dependency checks such as GitHub Dependabot. |
| A.14.2.6 | Secure development environment | Development (DEV) and Production (PROD) environments are logically segregated using Elastic Beanstalk; local development environments are managed under the IT Security Policy. |
| A.14.2.7 | Outsourced development | Third-party developers must sign NDAs, and their contracts mandate adherence to SLVRCLD's Secure Development Policy; the CTO reviews all outsourced code before it is merged. |
| A.14.2.8 | System security testing | Automated security and quality tools (ESLint for the front end, SonarQube for the back end) and unit tests are integrated into the CI/CD pipeline and run before every deployment. |
| A.14.2.9 | System acceptance testing | Source code must be reviewed by a different developer via Pull Request before it is merged to PROD, and the CTO verifies the quality of all outsourced code. |
| A.14.3 | Test data | |
| A.14.3.1 | Protection of test data | Confidential or personal data is never used for testing unless it has been removed or obfuscated thoroughly enough to prevent the identification of individuals. |
| A.15 | Supplier relationships | |
| A.15.1 | Information security in supplier relationships | |
| A.15.1.1 | Information security policy for supplier relationships | Security requirements for suppliers are documented and agreed before access to information is granted. |
| A.15.1.2 | Addressing security within supplier agreements | Formal contracts include confidentiality (NDA) and Code of Conduct clauses; any supplier processing personal data must sign a Data Processing Agreement (DPA). |
| A.15.1.3 | Information and communication technology supply chain | ICT supplier agreements define security requirements for products and require suppliers to manage their own sub-contractor risks and to notify SLVRCLD of vulnerabilities. |
| A.15.2 | Supplier service delivery management | |
| A.15.2.1 | Monitoring and review of supplier services | Supplier service levels and security performance are regularly monitored and reviewed against the agreed requirements. |
| A.15.2.2 | Managing changes to supplier services | Suppliers are contractually required to notify SLVRCLD of significant service changes, which the CTO assesses for new risks before they are implemented. |
| A.16 | Information security incident management | |
| A.16.1 | Management of information security incidents and improvements | |
| A.16.1.1 | Responsibilities and procedures | A comprehensive Information Security Incident Management Policy defines roles and procedures for responding to all security events and incidents. |
| A.16.1.2 | Reporting information security events | All employees must report security events immediately through the designated channels for assessment. |
| A.16.1.3 | Reporting information security weaknesses | All employees and contractors must report suspected data breaches or security weaknesses to the DPO/CISO within one hour of discovery via the emergency channels. |
| A.16.1.4 | Assessment of and decision on information security events | The DPO/CISO assesses reported incidents within four hours to determine whether they constitute a "Personal Data Breach" and to classify their severity. |
| A.16.1.5 | Response to information security incidents | The Security Incident Response Team (SIRT) takes immediate technical steps, such as isolating AWS instances or revoking credentials, to contain and mitigate incidents. |
| A.16.1.6 | Learning from information security incidents | After significant incidents, the DPO/CISO conducts a lessons-learned review and updates policies and technical controls to prevent recurrence. |
| A.16.1.7 | Collection of evidence | All actions taken during incident response are logged, and logs and digital evidence are preserved for forensic purposes. |
| A.17 | Information security aspects of business continuity management | |
| A.17.1 | Information security continuity | |
| A.17.1.1 | Planning information security continuity | Information security continuity requirements are identified so that security operations are maintained during a disruption. |
| A.17.1.2 | Implementing information security continuity | Business Continuity and Disaster Recovery (BCDR) plans are implemented and tested annually to ensure data and service availability after a disaster. |
| A.17.1.3 | Verify, review and evaluate information security continuity | The BCDR plans are reviewed and tested annually through tabletop exercises or technical simulations to confirm that failover mechanisms work as intended; results are documented to drive continuous improvement of the recovery procedures. |
| A.17.2 | Redundancies | |
| A.17.2.1 | Availability of information processing facilities | High availability for critical infrastructure is provided by AWS Multi-AZ deployments, which give redundant facilities that meet a 4-hour Recovery Time Objective (RTO). |
| A.18 | Compliance | |
| A.18.1 | Compliance with legal and contractual requirements | |
| A.18.1.1 | Identification of applicable legislation and contractual requirements | A register of legal, regulatory, and contractual requirements (including GDPR) is maintained and reviewed annually. |
| A.18.1.2 | Intellectual property rights | Unauthorized copying of company-owned software or third-party materials is prohibited; users are responsible for complying with the relevant intellectual property laws. |
| A.18.1.3 | Protection of records | Business-relevant records and ISMS documents are protected against unauthorized editing and retained for a minimum of 3 years. |
| A.18.1.4 | Privacy and protection of personally identifiable information | A dedicated Privacy Policy ensures that all personal data processing complies with GDPR principles, including lawfulness, transparency, and data subject rights. |
| A.18.1.5 | Regulation of cryptographic controls | Full-disk encryption is mandatory for all assets at rest, and Internal or Confidential data may only be communicated over encrypted channels. |
| A.18.2 | Information security reviews | |
| A.18.2.1 | Independent review of information security | The ISMS is subject to regular independent internal and external audits to ensure compliance with policies and standards. |
| A.18.2.2 | Compliance with security policies and standards | |
| A.18.2.3 | Technical compliance review | |
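The following is an added example, not SLVRCLD's own code, illustrating one way to meet the anti-replay and session token requirement in A.14.1.3. Each request carries a random nonce and a timestamp, both bound into an HMAC-SHA256 over the method, path and body; the server rejects requests outside a time window, requests whose MAC does not verify, and any nonce it has already accepted. The 300-second window, the request field layout and the signing scheme are assumptions, not something the statement specifies; session tokens are simply drawn from the OS CSPRNG.

```python
import hashlib
import hmac
import secrets
import time

# Requests whose timestamp is further than this from server time are rejected
# (assumed value; the policy does not specify a window).
REPLAY_WINDOW_SECONDS = 300


def new_session_token() -> str:
    """Opaque, unguessable session token: 256 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


def sign_request(key: bytes, method: str, path: str, body: bytes,
                 nonce: str, ts: int) -> str:
    """HMAC-SHA256 over method, path, timestamp, nonce and the body digest.

    Because nonce and timestamp are inside the MAC, a captured request cannot
    be re-sent with a fresh nonce or time without knowing the key.
    """
    msg = b"\n".join([
        method.encode(), path.encode(), str(ts).encode(),
        nonce.encode(), hashlib.sha256(body).hexdigest().encode(),
    ])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_signed_request(key: bytes, method: str, path: str, body: bytes,
                         now=None) -> dict:
    """Client side: attach a fresh random nonce, a timestamp and the MAC."""
    ts = int(time.time()) if now is None else int(now)
    nonce = secrets.token_hex(16)
    return {"method": method, "path": path, "body": body, "nonce": nonce,
            "ts": ts, "sig": sign_request(key, method, path, body, nonce, ts)}


class ReplayGuard:
    """Server side: check the time window, the MAC, then nonce uniqueness."""

    def __init__(self, key: bytes, window: int = REPLAY_WINDOW_SECONDS,
                 clock=time.time):
        self.key = key
        self.window = window
        self.clock = clock              # injectable so tests can control time
        self.seen: dict[str, int] = {}  # nonce -> time after which it may be forgotten

    def _evict(self, now: float) -> None:
        # A nonce only needs remembering while its timestamp is still inside
        # the acceptance window; after that the timestamp check rejects it anyway.
        for nonce, expiry in list(self.seen.items()):
            if expiry < now:
                del self.seen[nonce]

    def verify(self, method: str, path: str, body: bytes,
               nonce: str, ts: int, sig: str) -> tuple:
        now = self.clock()
        self._evict(now)
        if abs(now - ts) > self.window:
            return False, "stale timestamp"
        expected = sign_request(self.key, method, path, body, nonce, ts)
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"   # tampered body/path, or wrong key
        if nonce in self.seen:
            return False, "replayed nonce"
        # Record the nonce only after the MAC verified, so an attacker cannot
        # fill the nonce store with unsigned junk.
        self.seen[nonce] = ts + self.window
        return True, "ok"


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    guard = ReplayGuard(key)
    req = build_signed_request(key, "POST", "/v1/payments", b'{"amount": 100}')
    print(guard.verify(**req))   # accepted once
    print(guard.verify(**req))   # same nonce again: rejected as a replay
```

The nonce store is a plain dictionary here; in a multi-instance deployment it would have to be shared (for example in a cache with a TTL equal to the window) or replays across instances would go undetected.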
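The following is an added example, not SLVRCLD's own tooling, showing one way to produce the obfuscated test data that A.14.3.1 requires: identifiers are replaced by keyed pseudonyms (HMAC-SHA256 under a test-only secret, so the same customer maps to the same token and joins between tables still work, but the mapping cannot be recomputed without the secret), dates of birth are generalized to five-year bands, postcodes are truncated, and emails and phone numbers are stripped from free-text notes. The record layout, the sample rows, the banding width and the `example.test` placeholder domain are assumptions for illustration.

```python
import hashlib
import hmac
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d \-]{6,}\d")

# Constructed sample records, not real customer data.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "Jane.Doe@example.com", "dob": "1987-04-12",
     "postcode": "SW1A 1AA", "plan": "pro",
     "notes": "Called +44 7700 900123 about invoice, cc jane.doe@example.com"},
    {"customer_id": "C-1002", "email": "john@example.org", "dob": "1990-01-01",
     "postcode": "M1 1AE", "plan": "free", "notes": "No contact yet"},
    {"customer_id": "C-1001", "email": "jane.doe@example.com", "dob": "1987-04-12",
     "postcode": "SW1A 1AA", "plan": "pro", "notes": "Address change requested"},
]


def _token(secret: bytes, field: str, value: str) -> str:
    """Keyed, deterministic pseudonym. The field name is mixed in so the same
    string appearing in two fields does not yield the same token."""
    mac = hmac.new(secret, f"{field}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def generalize_dob(dob: str) -> str:
    """'1987-04-12' -> '1985-1989': keeps an age band, drops the exact date."""
    year = int(dob[:4])
    base = year - year % 5
    return f"{base}-{base + 4}"


def generalize_postcode(postcode: str) -> str:
    """Keep only the outward code ('SW1A 1AA' -> 'SW1A')."""
    return postcode.split()[0]


def redact_free_text(text: str) -> str:
    """Free text is the usual leak path; strip emails first, then phone numbers."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    return PHONE_RE.sub("[PHONE]", text)


def pseudonymize_record(rec: dict, secret: bytes) -> dict:
    email = rec["email"].strip().lower()   # normalize so case variants map together
    return {
        "customer_id": _token(secret, "customer_id", rec["customer_id"]),
        "email": f"user-{_token(secret, 'email', email)}@example.test",
        "dob": generalize_dob(rec["dob"]),
        "postcode": generalize_postcode(rec["postcode"]),
        "plan": rec["plan"],               # non-identifying business field, kept
        "notes": redact_free_text(rec["notes"]),
    }


def pseudonymize_dataset(records: list, secret: bytes) -> list:
    return [pseudonymize_record(r, secret) for r in records]


if __name__ == "__main__":
    # The secret must live only in the test-data pipeline, never beside the output.
    for row in pseudonymize_dataset(SAMPLE_RECORDS, b"test-only-secret"):
        print(row)
```

Truncating the HMAC to 64 bits is adequate for test fixtures; the point is that the production identifiers never appear in the test environment, and that whoever holds the test dataset cannot rebuild the mapping without the secret.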