📊 Statement of Applicability (SoA)

| Control ID | Applicable | Category | Control Name | Status | Justification |
|---|---|---|---|---|---|
| A.8.1 | Yes | A.8 Technological | User endpoint devices | Implemented | BYOD endpoint management — key control |
| A.8.13 | Yes | A.8 Technological | Information backup | Implemented | Information backup |
| A.8.20 | Yes | A.8 Technological | Networks security | Implemented | Network security |
| A.5.11 | Partial | A.5 Organisational | Return of assets | Implemented | BYOD environment — no physical asset return required. Selective Wipe removes corporate data only |
| A.8.19 | Partial | A.8 Technological | Installation of software on operational systems | In Progress | BYOD environment — cannot fully block software installation. Work apps managed via MAM |
| A.8.24 | Yes | A.8 Technological | Use of cryptography | Implemented | Use of cryptography |
| A.5.24 | Yes | A.5 Organisational | Information security incident management planning and preparation | Implemented | Security incident response planning |
| A.7.14 | Partial | A.7 Physical | Secure disposal or re-use of equipment | Implemented | Corporate data wipe required on BYOD device disposal |
| A.5.14 | Yes | A.5 Organisational | Information transfer | Implemented | SEC-POL-COM-001 §5 (public disclosure controls) + §7 (email-based information transfer controls). SEC-PROC-M365-001 §4 (Confidential External Sharing 5-step procedure). SEC-POL-M365-001 §3.3 (SPO external sharing restriction). |
| A.5.30 | Yes | A.5 Organisational | ICT readiness for business continuity | In Progress | ICT business continuity readiness |
| A.5.6 | Yes | A.5 Organisational | Contact with special interest groups | In Progress | Participation in security communities and threat intelligence groups |
| A.5.29 | Yes | A.5 Organisational | Information security during disruption | In Progress | Maintaining security during disruption |
| A.5.18 | Yes | A.5 Organisational | Access rights | Implemented | Access rights provisioning, review, and revocation |
| A.5.35 | Yes | A.5 Organisational | Independent review of information security | Not Started | Independent security review (internal/external audit) |
| A.7.4 | No | A.7 Physical | Physical security monitoring | Implemented | No physical facilities to monitor |
| A.5.19 | Yes | A.5 Organisational | Information security in supplier relationships | Implemented | Supplier and third-party security management |
| A.5.17 | Yes | A.5 Organisational | Authentication information | Implemented | Authentication information (password, MFA) management |
| A.5.26 | Yes | A.5 Organisational | Response to information security incidents | Implemented | Security incident response procedures |
| A.6.3 | Yes | A.6 People | Information security awareness, education and training | Implemented | Security awareness training |
| A.8.25 | Yes | A.8 Technological | Secure development life cycle | In Progress | Secure development lifecycle (TT/HVT development) |
| A.5.10 | Yes | A.5 Organisational | Acceptable use of information and other associated assets | Implemented | Acceptable use policy for information assets |
| A.7.11 | No | A.7 Physical | Supporting utilities | Implemented | No on-premises servers, UPS, or power facilities |
| A.5.31 | Yes | A.5 Organisational | Legal, statutory, regulatory and contractual requirements | In Progress | Identification of legal, regulatory, and contractual requirements |
| A.5.37 | Yes | A.5 Organisational | Documented operating procedures | In Progress | Documented operating procedures |
| A.7.6 | No | A.7 Physical | Working in secure areas | Implemented | No secure areas. 100% WFA environment |
| A.5.7 | Yes | A.5 Organisational | Threat intelligence | In Progress | Threat intelligence collection and analysis required |
| A.8.33 | Yes | A.8 Technological | Test information | In Progress | Test data protection |
| A.7.13 | Partial | A.7 Physical | Equipment maintenance | Implemented | BYOD device maintenance is user responsibility. Weekly update evidence as compensating control |
| A.8.27 | Yes | A.8 Technological | Secure system architecture and engineering principles | Implemented | Secure architecture principles |
| A.7.10 | Partial | A.7 Physical | Storage media | Implemented | Cloud-first, physical media minimised. Only CA100 Redkey USB applicable |
| A.8.9 | Yes | A.8 Technological | Configuration management | Implemented | Configuration management |
| A.5.22 | Yes | A.5 Organisational | Monitoring, review and change management of supplier services | In Progress | Monitoring of supplier service changes |
| A.6.1 | Yes | A.6 People | Screening | Implemented | Pre-employment background screening |
| A.5.5 | Yes | A.5 Organisational | Contact with authorities | In Progress | Contact framework with regulators and law enforcement required |
| A.6.8 | Yes | A.6 People | Information security event reporting | Implemented | Security event reporting framework |
| A.7.8 | No | A.7 Physical | Equipment siting and protection | Implemented | No company-owned equipment or server rooms. BYOD personal devices used |
| A.7.2 | No | A.7 Physical | Physical entry | Implemented | No office space. Physical entry controls not required |
| A.6.4 | Yes | A.6 People | Disciplinary process | Implemented | Disciplinary process for security violations |
| A.8.26 | Yes | A.8 Technological | Application security requirements | In Progress | Application security requirements |
| A.5.2 | Yes | A.5 Organisational | Information security roles and responsibilities | Implemented | Roles defined in L1 §4 Governance Structure: CEO, CISO, Security Director |
| A.8.7 | Yes | A.8 Technological | Protection against malware | Implemented | Malware protection |
| A.7.7 | Partial | A.7 Physical | Clear desk and clear screen | Implemented | Physical Clear Desk N/A. Clear Screen applies in remote work environment |
| A.8.31 | Yes | A.8 Technological | Separation of development, test and production environments | In Progress | Separation of development, test, and production environments |
| A.7.3 | No | A.7 Physical | Securing offices, rooms and facilities | Implemented | No offices or facilities |
| A.5.34 | Yes | A.5 Organisational | Privacy and protection of PII | In Progress | Privacy and PII protection (NZ/AU Privacy Act) |
| A.5.16 | Yes | A.5 Organisational | Identity management | Implemented | User identity lifecycle management |
| A.5.25 | Yes | A.5 Organisational | Assessment and decision on information security events | Implemented | Security event assessment and incident determination |
| A.5.20 | Yes | A.5 Organisational | Addressing information security within supplier agreements | In Progress | Security clauses required in supplier agreements |
| A.8.12 | Yes | A.8 Technological | Data leakage prevention | Implemented | Data leakage prevention |
| A.5.13 | Partial | A.5 Organisational | Labelling of information | Implemented | Purview labelling not used at SMB scale. Substituted with Teams channel structure |
| A.8.29 | Yes | A.8 Technological | Security testing in development and acceptance | In Progress | Security testing in development and acceptance |
| A.5.4 | Yes | A.5 Organisational | Management responsibilities | Implemented | Management responsibility for security policy compliance and resource allocation |
| A.6.6 | Yes | A.6 People | Confidentiality or non-disclosure agreements | Implemented | Confidentiality / non-disclosure agreements |
| A.7.9 | Yes | A.7 Physical | Security of assets off-premises | Implemented | All assets effectively off-premises (BYOD + WFA). Key control |
| A.7.1 | No | A.7 Physical | Physical security perimeters | Implemented | No office space or data centre. 100% WFA, Cloud-only environment |
| A.8.6 | Yes | A.8 Technological | Capacity management | Implemented | Capacity management (Cloud resources) |
| A.5.3 | Partial | A.5 Organisational | Segregation of duties | In Progress | Full segregation of duties difficult at 3–5 person SMB scale. Proportionate controls applied |
| A.8.3 | Yes | A.8 Technological | Information access restriction | Implemented | SEC-POL-M365-001 §5 (Teams team type model — 4 team types with channel guardrails). §6 CA 3-policy architecture (CA-Require-AllApps-CompliantOrAPP, CA-Restrict-SPO-Unmanaged, CA-Permit-Guest-MFA). Teams membership = SPO site permission scope. |
| A.8.34 | Yes | A.8 Technological | Protection of information systems during audit testing | In Progress | Protection of information systems during audit testing |
| A.5.28 | Yes | A.5 Organisational | Collection of evidence | Implemented | Security incident evidence collection procedures |
| A.8.8 | Yes | A.8 Technological | Management of technical vulnerabilities | Implemented | Technical vulnerability management |
| A.7.12 | No | A.7 Physical | Cabling security | Implemented | No network cabling facilities. Cloud/SaaS only |
| A.5.1 | Yes | A.5 Organisational | Policies for information security | Implemented | L1 Master Policy + L2 P1–P9 policy framework in operation. P8/P9 pages created, content drafting pending |
| A.5.32 | Yes | A.5 Organisational | Intellectual property rights | In Progress | Intellectual property protection |
| A.8.5 | Yes | A.8 Technological | Secure authentication | Implemented | Secure authentication mechanisms |
| A.5.12 | Yes | A.5 Organisational | Classification of information | Implemented | SEC-POL-M365-001 §3 (data classification: General / Confidential). §5.2-5.3 (Teams channel structure maps classification to access scope). SEC-POL-ADG-001 §3 (Data Context Isolation — Corporate vs Personal). SEC-POL-ASM-001 (Information Asset Classification). |
| A.6.5 | Yes | A.6 People | Responsibilities after termination or change of employment | Implemented | Security obligations after termination or role change |
| A.5.33 | Yes | A.5 Organisational | Protection of records | In Progress | Protection of records (legal/regulatory requirements) |
| A.6.7 | Yes | A.6 People | Remote working | Implemented | 100% WFA environment — key control. All work is remote |
| A.8.30 | Yes | A.8 Technological | Outsourced development | In Progress | Outsourced development security (TT and other external development) |
| A.7.5 | No | A.7 Physical | Protecting against physical and environmental threats | Implemented | No physical servers or facilities. Covered by Cloud SLA |
| A.5.23 | Yes | A.5 Organisational | Information security for use of cloud services | Implemented | 100% Cloud/SaaS infrastructure — key control |
| A.8.18 | Partial | A.8 Technological | Use of privileged utility programs | Implemented | Limited direct control in BYOD environment |
| A.6.2 | Yes | A.6 People | Terms and conditions of employment | Implemented | Security obligations included in terms of employment |
| A.5.15 | Yes | A.5 Organisational | Access control | Implemented | Access control policy required |
| A.8.4 | Yes | A.8 Technological | Access to source code | In Progress | Source code access control (TT/HVT development activities) |
| A.8.2 | Yes | A.8 Technological | Privileged access rights | Implemented | Privileged access rights management required |
| A.5.8 | Yes | A.5 Organisational | Information security in project management | In Progress | Integration of security requirements into project management |
| A.8.22 | Partial | A.8 Technological | Segregation of networks | Implemented | Physical network segregation N/A. Logical segregation via Zero Trust |
| A.5.27 | Yes | A.5 Organisational | Learning from information security incidents | Implemented | Post-incident lessons learned and improvement |
| A.8.28 | Yes | A.8 Technological | Secure coding | In Progress | Secure coding (TT/HVT development) |
| A.8.23 | Partial | A.8 Technological | Web filtering | In Progress | Limited direct web filtering in BYOD environment. Defender web protection used |
| A.8.32 | Yes | A.8 Technological | Change management | In Progress | Change management |
| A.8.14 | Partial | A.8 Technological | Redundancy of information processing facilities | Implemented | No on-premises facilities. Reliant on Cloud SLA |
| A.8.17 | Yes | A.8 Technological | Clock synchronization | Implemented | Clock synchronisation |
| A.5.21 | Yes | A.5 Organisational | Managing information security in the ICT supply chain | In Progress | ICT supply chain security management (high SaaS/Cloud dependency) |
| A.8.15 | Yes | A.8 Technological | Logging | Implemented | Logging and audit trails |
| A.5.36 | Yes | A.5 Organisational | Compliance with policies, rules and standards for information security | In Progress | Security policy compliance verification |
| A.5.9 | Yes | A.5 Organisational | Inventory of information and other associated assets | Implemented | Information asset identification and inventory management required |
| A.8.11 | Partial | A.8 Technological | Data masking | In Progress | Limited data masking scope at SMB scale |
| A.8.21 | Yes | A.8 Technological | Security of network services | Implemented | Network services security |
| A.8.16 | Yes | A.8 Technological | Monitoring activities | Implemented | Monitoring activities |
| A.8.10 | Yes | A.8 Technological | Information deletion | Implemented | Information deletion (retention expiry, termination, etc.) |