xi. 11 | Supplier relationships | Supplier relationships policy in place. | Capturing, Processing, Storage, Transmission | Administrative control | √ | √ | √ | √ |
xii. 12 | Information security incident management | Information security incident management policy in place. | Capturing, Processing, Storage, Transmission | Administrative control | √ | √ | √ | √ |
xii (a) | Management of information security incidents and improvements | There should be responsibilities and procedures to manage (report, assess, respond to and learn from) information security events, incidents and weaknesses consistently and effectively, and to collect forensic evidence. | Capturing, Processing, Storage, Transmission | Administrative control | √ | √ | √ | √ |
xiii. 13 | Information security aspects of business continuity management | Business continuity plan document in place. | Capturing, Processing, Storage, Transmission | Administrative control | √ | √ | √ | √ |
xiii (a) | Redundancies | IT facilities should have sufficient redundancy to satisfy availability requirements. | Capturing, Processing, Storage, Transmission | Technical control | √ | √ | √ | √ |
xiv. 14 | Compliance | Compliance policy in place. | Capturing, Processing, Storage, Transmission | Administrative control | √ | √ | √ | √ |
xiv (a) | Compliance with legal and contractual requirements | The organisation must identify and document its obligations to external authorities and other third parties in relation to information security. | Capturing, Processing, Storage, Transmission | Compliance control | √ | √ | √ | √ |
xv. 15 | Risk Management | Risk register developed, operational and updated. | Capturing, Processing, Storage, Transmission | Compliance control | √ | √ | √ | √ |