ISMS-SOA Statement of Applicability Version 1.0

This document provides a statement of applicability for ISO 27001 controls at Bharat Power Plant. It lists controls, provides justification for each control, and indicates whether the control is applicable. Key controls include policies for information security, access controls, asset management, classification and handling of assets.
Statement of Applicability

Confidential
ISO 27001:2022 - Statement of Applicability - BHARAT POWER PLANT (2 X 250 MW)
(The control names and grouping below follow the ISO/IEC 27001:2013 Annex A control set.)

Control | Selection | Justification / Narration

Information Security Policies

Policies for Information Security | Yes | An information security policy is required to provide a controls framework for the information security management system. This control is managed by the Plant Head.
Review of policies for Information Security | Yes | The business of BPP is subject to technology changes. Therefore, a process for the review and evaluation of information security policies has to be formalized. This control is managed centrally by the Plant Head.

Organization of Information Security

Information Security Roles and Responsibilities | Yes | Formalized responsibilities need to be assigned to named individuals at BPP in order to ensure that the required implementation steps are adhered to.
Segregation of Duties | Yes | The management of BPP recognizes that segregation of duties conflicts can be exploited to perform unauthorized activities for personal gain.
Contact with Authorities | Yes | During a crisis, BPP may require the co-operation of third parties. Therefore, BPP needs to identify such authorities beforehand and develop relationships that would ensure adequate support when needed.
Contact with Special Interest Groups | Yes | To stay updated on relevant security requirements, BPP needs to participate in, or be kept updated by, security forums and special interest groups. This control is managed centrally from the corporate office for all locations.
Information Security in Project Management | Yes | BPP identifies the need to incorporate requirements aimed at securing information assets during the project management lifecycle.
Mobile device policy | Yes | BPP acknowledges the requirement for a mobile device policy in order to protect its information assets from unauthorized access.
Teleworking | No | BPP does not see any requirement for teleworking, since teleworking is not performed in any of its processes.
Human Resource Security

Screening | Yes | A personnel screening policy is required for employees of BPP and third parties, to identify personnel who are potentially unsuitable from a security and asset protection standpoint.
Terms and Conditions of Employment | Yes | Terms and conditions of employment are required to be stated and agreed upon by all users.
Management Responsibilities | Yes | BPP management should require employees, contractors and third-party users to apply security in accordance with the established policies and procedures of the organization.
Information security awareness, education and training | Yes | From time to time, new joiners and existing employees need to be educated on information security, in order to make them more vigilant about potential breaches of security and to perform their duties in a secure manner.
Disciplinary Process | Yes | The management recognizes the need for maintaining information security at all times. It is important to take action against those who violate the information security policy. Breach of security policies should lead to disciplinary action as per the defined process.
Termination or change of employment responsibilities | No | BPP states that its employees are in permanent employment, so employment responsibilities are not expected to end or change. (Note that the Return of Assets control below is selected on the basis that contracts and agreements do terminate, so this exclusion should be revisited.)

Asset Management

Inventory of Assets | Yes | BPP needs to keep track of all its assets, in order to provide adequate security controls.
Ownership of Assets | Yes | BPP needs to assign responsibility to asset owners for applying security controls to all assets.
Acceptable use of Assets | Yes | BPP needs to prepare guidelines defining acceptable use of assets, to ensure that security requirements are met.
Return of Assets | Yes | During the course of their engagement with BPP, employees, third parties and contractors may be issued various organizational assets, including but not limited to access cards and information on software media, which need to be returned to BPP on termination of their contract or agreement.
Classification of Information | Yes | Not all information assets of BPP require the same level of protection. Classification guidelines are required in order to determine the level of security to be applied to each asset.
Labeling of Information | Yes | In order to reflect the classification level of an information asset, these assets should carry an appropriate label.
Handling of Assets | Yes | Handling requirements should be derived from the classification guidelines adopted by BPP.
Management of removable media | Yes | Removable computer media of BPP face the risk of loss of confidentiality if they come into the possession of an unauthorized person or are put to unauthorized use.
Disposal of media | Yes | Unsecured disposal of BPP media can lead to a breach of confidentiality of the data contained on it.
Physical media transfer | Yes | Appropriate controls need to be implemented in order to ensure adequate protection of information assets while in transit.

Access Control

Access control policy | Yes | BPP intends to ensure that access to information processing facilities is provided in a controlled manner on a "need to know" and "need to perform" basis.
Access to networks and network services | Yes | BPP intends to ensure that access to networks and network services is restricted to authorized individuals only.
User registration and de-registration | Yes | In order to maintain strict control over the users accessing information processing facilities, a user registration and de-registration process is required at BPP.
User access provisioning | Yes | BPP intends to restrict access to its information systems to users based on business requirements.
Management of privileged access rights | Yes | In order to provide "need to know" and "need to perform" access rights, BPP needs documented procedures for privilege management.
Management of secret authentication information of users | Yes | In order to protect the authentication information used to access information systems, it is critical to create guidelines regarding the management of authentication information.
Review of user access rights | Yes | A periodic review of user access rights on BPP's critical systems will ensure that users holding additional rights are not overlooked.
Removal or adjustment of access rights | Yes | Timely removal of access rights ensures accountability for changes and modifications to information systems.
Use of secret authentication information | No | BPP employees understand the importance of maintaining the security of the authentication information for the user accounts provided to them; hence the control is treated as not applicable. (Note that this exclusion relies on user awareness alone, while the related Management of secret authentication information control above is selected.)
Information Access Restriction | Yes | It is critical for BPP to restrict access to information systems on a "need-to-know" basis only.
Secure Log-on procedures | Yes | A secure log-on procedure should be in place to ensure appropriate authentication before access to information resources is granted.
Password Management System | Yes | Adequate mechanisms should be incorporated in all systems to ensure that the passwords used on these systems are difficult to compromise.
Use of privileged utility programs | Yes | Adequate mechanisms and guidelines shall be developed to restrict the use of privileged utility programs on BPP's information systems.
Access control to program source code | Yes | Changes to program source code, such as the introduction of malicious sub-programs, can be used to compromise the production system once the code is compiled and deployed.

Cryptography

Policy on the use of cryptographic controls | No | Not applicable, as the company does not implement any cryptographic controls.
Key management | No | Not applicable, as the company does not implement any cryptographic controls. (Note that selected controls such as Password Management System, Electronic Messaging and Information Transfer Policies and Procedures normally depend on cryptography, for example password hashing and encrypted transport, so this exclusion should be re-examined against them.)

Physical and Environmental Security

Physical Security Perimeter | Yes | BPP has a physical security perimeter for securing its premises.
Physical Entry Controls | Yes | Physical entry controls are required for restricting the entry of personnel to secure areas.
Securing offices, rooms and facilities | Yes | There are areas, such as the office and the UPS room, that require additional protection and need to be protected by appropriate physical and environmental controls.
Protecting against external and environmental threats | Yes | Physical protection against damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster should be designed and applied.
Working in secure areas | Yes | Specific guidelines for working in secure areas are required, since these areas have a defined physical and environmental tolerance level.
Delivery and loading areas | Yes | BPP identifies the need to implement a material movement process to provide for the secure movement of its information assets.
Equipment siting and protection | Yes | Sensitive equipment can be compromised by unauthorized access; siting and protection controls are therefore required.
Supporting utilities | Yes | Unavailability of supporting utilities can lead to significant downtime.
Cabling Security | No | Compromise of BPP cabling could result in downtime as well as loss of confidentiality and integrity of data in transit. However, all cables are within the premises, and BPP has therefore judged that no additional cabling security is needed.
Equipment Maintenance | Yes | BPP is required to maintain its equipment in good working condition. Therefore, it is important to define preventive maintenance guidelines.
Removal of Assets | Yes | Strong controls relating to asset management are required for all BPP assets.
Security of equipment and assets off-premises | No | BPP employees do not take information assets from the data center outside the premises.
Secure disposal or reuse of equipment | Yes | Unsecured disposal of equipment can lead to a breach of confidentiality of the data contained on it.
Unattended user equipment | Yes | Unattended user equipment can be used by unauthorized persons to access information.
Clear desk and clear screen policy | Yes | Confidential data can be compromised if left unattended on a desk or terminal.

Operations Security

Documented operating procedures | Yes | In order to enforce consistent security controls, BPP needs to formalize operating procedures that include the appropriate security controls.
Change management | Yes | BPP needs to control changes to all systems, software, applications, configurations, etc.
Capacity management | Yes | The management of BPP recognizes that a capacity planning process provides a framework to monitor current performance levels and plan for future growth of information processing facilities.
Separation of development, testing and operational environments | Yes | BPP tests security patches prior to deployment on production systems.
Controls against malware | Yes | Information leakage could be caused by introducing trojans, worms or other malware into software. Hence, BPP recognizes the need to ensure that no malware is introduced in in-house or externally procured software.
Information backup | Yes | Backup of data is required in order to reproduce data lost in an operational environment due to system failure or data corruption.
Event Logging | Yes | Event logging provides an audit trail that is useful for fault analysis and for analyzing unauthorized activity on BPP systems.
Protection of Log information | Yes | BPP needs to protect log information to help identify security events for security monitoring.
Administrator and operator logs | Yes | In order to keep a record of actions performed by administrators and operators, logs are maintained.
Clock synchronization | Yes | Clock synchronization is required to maintain parity between event logs on disparate systems.
Installation of software on operational systems | Yes | Compromise of system files can lead to unauthorized use of systems and damage to BPP assets.
Management of technical vulnerabilities | Yes | BPP recognizes the need to obtain timely information about technical vulnerabilities in the information systems being used.
Restrictions on software installation | Yes | BPP recognizes the need to restrict the installation and updating of software on its information assets by users, in order to limit leakage of information due to trojans, malware and viruses.
Information systems audit controls | Yes | System audits may cause disruptions to the availability of information processing facilities, thus impacting dependent business processes.

Communications Security

Network Controls | Yes | BPP recognizes the need to adequately manage and control its network in order to protect the systems and applications using the network.
Security of network services | Yes | BPP needs to enumerate the security attributes of network services and implement adequate security controls.
Segregation in networks | Yes | BPP may require certain networks to be segregated from the rest of the organization's network.
Information Transfer Policies and Procedures | Yes | BPP recognizes the need to define guidelines for information transfer in order to protect information in transit, both over networks and physically.
Agreements on information transfer | Yes | Agreements on the exchange of information (whether electronic or manual) and software between organizations are required, as BPP exchanges these with various third parties and customers.
Electronic Messaging | Yes | Electronic messaging security is required, as messaging is used extensively at BPP and carries confidential information of the organization.
Confidentiality or Non-Disclosure Agreements | Yes | BPP intends to bind all relevant parties with agreements defining their responsibilities and the legal course of action in case of any incident.

System Acquisition, Development and Maintenance

Information security requirements analysis and specification | No | Not applicable, as the company is not involved in application services transactions (on-line transaction activities).
Securing application services on public networks | No | Not applicable, as the company is not involved in application services transactions (on-line transaction activities).
Protecting application services transactions | No | Not applicable, as the company is not involved in application services transactions (on-line transaction activities).
Secure development policy | No | Exclusion has been taken against this control, as no software development is carried out at BPP.
System change control procedures | No | Excluded, as no software development is carried out at BPP.
Technical review of applications after operating platform changes | No | Excluded, as no software development is carried out at BPP.
Restrictions on changes to software packages | No | Excluded, as no software development is carried out at BPP.
Secure system engineering principles | No | Excluded, as no software development is carried out at BPP.
Secure development environment | No | Excluded, as no software development is carried out at BPP.
Outsourced development | No | Excluded, as no software development is carried out at BPP.
System security testing | No | Excluded, as no software development is carried out at BPP.
System acceptance testing | No | Excluded, as no software development is carried out at BPP.
Protection of test data | Yes | BPP identifies the need to define guidelines and principles for performing security testing on information systems.
Supplier Relationships

Information security policy for supplier relationships | Yes | Since suppliers are an integral part of BPP's operating environment, the policy needs to specifically address the information security implications of such relationships.
Addressing security within supplier agreements | Yes | Specific requirements for information security need to be identified for supplier agreements.
Information and communication technology supply chain | Yes | BPP identifies the need to develop guidelines on communicating information security requirements through the technology supply chain.
Monitoring and review of supplier services | Yes | BPP intends to deploy monitoring and review mechanisms for the services provided by suppliers.
Managing changes to supplier services | Yes | BPP must develop guidelines on managing security requirements during any changes to supplier services.

Information Security Incident Management

Responsibilities and procedures | Yes | The management recognizes the need for maintaining information security at all times and thus needs to identify the personnel responsible for ensuring it. It is important to take action against those who violate the information security policy. BPP intends to assign specific responsibilities and develop detailed procedures to deal with security incidents.
Reporting information security events | Yes | Security events need to be reported in a timely manner in order to respond to the threat before significant damage can take place.
Reporting information security weaknesses | Yes | Security weaknesses need to be reported in a timely manner in order to mitigate the threat by deploying new controls.
Assessment of and decision on information security events | Yes | Information security events need to be assessed and reviewed in order to restrict further propagation and to restore normal services.
Response to information security incidents | Yes | Responsibilities for responding to information security incidents should be clearly documented and communicated to the individuals concerned.
Learning from information security incidents | Yes | The repository of incident-related data should be analyzed periodically to understand threat probabilities and to design additional controls.
Collection of evidence | Yes | Evidence collected during security incidents needs to be adequate to establish the accuracy of observations pertaining to the incident.

Information Security Aspects of Business Continuity Management

Planning information security continuity | Yes | Documented continuity plans that include information security are essential to formalize the requirements and responsibilities for continuity management and to educate users of the plan on them.
Implementing information security continuity | Yes | A business continuity management process that includes information security should be formalized in order to provide a structured and coordinated approach to BPP's continuity strategy.
Verify, review and evaluate information security continuity | Yes | The management of BPP recognizes that the effectiveness of business continuity plans can be judged only by performing tests. Further, changes in infrastructure, business processes and threat perceptions need to result in an update of the plans.
Availability of information processing facilities | Yes | BPP identifies the need to maintain redundancy of personnel and infrastructure for highly critical information systems.

Compliance

Identification of applicable legislation and contractual requirements | Yes | BPP is required to identify all applicable legislation governing its information processing facilities, so as to remain compliant with it.
Intellectual property rights | Yes | Violation of intellectual property rights (IPRs) can result in significant financial and reputational damage to BPP.
Protection of records | Yes | BPP records need to satisfy retention requirements as required by law, as well as maintain adequate confidentiality.
Privacy and protection of personally identifiable information | Yes | Personally identifiable information needs to be protected from misuse and corruption.
Regulation of cryptographic controls | No | Not applicable, as the company does not implement any cryptographic controls.
Independent review of information security | No | BPP has chosen not to undertake an independent review of information security.
Compliance with security policies and standards | Yes | It is important that all employees and information system owners of BPP comply with the guidelines specified in the Information Security Policies.
Technical compliance review | Yes | BPP is required to perform periodic technical compliance reviews to confirm whether the information processing facilities at BPP comply with the security requirements detailed in the ISMS.
