This report is a statement of the measures your company takes to ensure the ongoing confidentiality, integrity and availability of IT systems and information as you described in the associated assessment.
This report can be used to provide comfort that reasonable IT and information security controls are in place, thereby satisfying both client requirements for reasonable assurance in their supply chain and related compliance requirements.
What is included in the report?
Capability statements for every practice area along with the associated control IDS for the in-scope standard.
Capability statements are statements about all controls in your assessment which have been rated as mature.
Where you have selected that a control is not applicable this is also described.
Where you have assessed controls as being weak the corresponding statements are not included however a summary statement in the report tells readers that "For further information about any control not covered by this report please contact your company".
