| iv (b) | Media handling | -Secure deletion -Destroying or degaussing physical media -Secure disposal or re-use of media | Capturing, Processing, Storage, Transmission | Technical control | √ | √ | √ | √ |
| v. 5 | Access control | Access control policy in place. | Capturing, Processing, Storage, Transmission | Administrative control | √ | √ | √ | √ |
| v (a) | Business requirements of access | -Clearly documented -Restrict network access and connections | Capturing, Processing, Storage, Transmission | Technical control | √ | √ | √ | √ |
| vi. 6 | Cryptography | Cryptographic policy in place. | Capturing, Processing, Storage, Transmission | Administrative control | √ | √ | √ | √ |
| vi (a) | Encryption | Encryption ofdata/information | Capturing, Processing, Storage, Transmission | Technical control | √ | √ | √ | √ |
| vi (b) | Cryptographic authentication and integrity | -Digital signature; -Message authentication code; -Checksum (cryptographic hash function); -Non-repudiation; -Cryptographic key management. | Capturing, Processing, Storage, Transmission | Technical control | √ | √ | √ | √ |
| vii. 7 | Physical and environmental security | Physical security policy in place. | Capturing, Processing, Storage, Transmission | Administrative control | √ | √ | √ | √ |
| vii (a) | Physical security perimeter | -Securing offices, rooms and facilities. -Public access, delivery and loading areas; doors, lock, electric fence, CCTV, smartcard, biometric (e.g. fingerprint). | Capturing, Processing, Storage, Transmission | Physical control | √ | √ | √ | √ |
| vii (b) | Protecting against external and environmental threats | -Protecting against fires, floods, earthquakes, bombs, etc. -Climate protecting system, fire suppression system | Capturing, Processing, Storage, Transmission | Physical control | √ | √ | √ | √ |
| vii (c) | Equipment maintenance | Equipment shall be correctly maintained to ensure its continued availability and integrity. | Capturing, Processing, Storage, Transmission | Physical control | √ | √ | √ | √ |
| viii. 8 | Operations Security | Operations security policy in place | Capturing, Processing, Storage, Transmission | Administrative control | √ | √ | √ | √ |
| viii (a) | Multi-factor authentication | Something you know (PIN/Password)/ something you have (ATM/Smartcard)/ something you are (Biometric, e.g. fingerprint). | Capturing, Processing, Storage, Transmission | Technical control | √ | √ | √ | √ |
| ix. 9 | Communications and operations management | Communications and operations policy in place. | Capturing, Processing, Storage, Transmission | Administrative control | √ | √ | √ | √ |
| ix (a) | Network security management | -Networks and network services should be secured; -Network segmentation/segregation. | Capturing, Processing, Storage, Transmission | Technical control | √ | √ | √ | √ |
| ix (b) | Information transfer
| Policies, procedures and agreements in place (e.g. non-disclosure agreements) for information transfer to/from third parties, including electronic messaging. | Capturing, Processing, Storage, Transmission | Administrative control | √ | √ | √ | √ |
| x. 10 | System acquisition, development and maintenance | System acquisition, development and maintenance policy in place. | Capturing, Processing, Storage, Transmission | Administrative control | √ | √ | √ | √ |
| x (a) | Security requirements of information systems | Security control requirements should be analysed and specified. | Capturing, Processing, Storage, Transmission | Administrative control | √ | √ | √ | √ |