A Statement of Applicability (SoA) is maintained as part of the Information Security Management System (ISMS) to document the scope, implementation, and tailoring of security controls in alignment with ISO 27001 standards.
The SoA includes:
Selected Controls: A list of ISO 27001 controls implemented based on the organization’s risk assessment and business needs.
Exclusions: Justifications for any controls not applicable to the organization.
Contextual Factors: Consideration of internal and external influences, such as business processes, operations, technologies, and stakeholders.
This document serves as a reference for aligning the ISMS with the organization’s unique context, supporting compliance with ISO 27001, addressing identified risks, and ensuring consistency with regulatory and contractual requirements.
A structured audit and compliance program helps ensure legal, regulatory, and policy adherence while identifying and mitigating risks. This includes:
Regular Audits: Conducting internal and independent external audits to assess compliance and control effectiveness.
Compliance Assessments: Identifying non-compliance risks and opportunities for improvement.
Corrective Actions: Implementing remediation plans to address identified gaps.
Stakeholder Reporting: Providing clear, timely audit findings to leadership and key stakeholders.
By enforcing consistent monitoring, evaluation, and corrective action, the audit and compliance program promotes accountability, reduces legal and operational risks, and supports ethical, secure business operations.
Protecting against counterfeiting is essential to maintaining product integrity, consumer trust, and brand reputation while safeguarding intellectual property rights. This is achieved through measures that deter counterfeit activity, detect fraudulent products, and support enforcement actions.
Key anti-counterfeit measures include:
Authentication and Verification: Using tools like serial numbers, holograms, digital tracking, or tamper-evident packaging to confirm product authenticity.
Supply Chain Security: Strengthening sourcing, manufacturing, and distribution processes to prevent counterfeit goods from entering legitimate channels.
Collaboration and Enforcement: Engaging with regulators, law enforcement, and industry partners to combat counterfeiting and protect intellectual property.
By integrating robust anti-counterfeit measures into business operations, organizations can reduce financial and reputational risks, support compliance efforts, and reinforce confidence in their products and brand.
Ensuring compliance with legal and contractual obligations helps safeguard the organization from regulatory penalties, reputational damage, and operational risks. This requires identifying relevant requirements, integrating them into policies and operations, and maintaining ongoing alignment as laws, regulations, and business commitments evolve.
A strong compliance approach:
Reduces legal and financial risk by proactively addressing obligations.
Enhances accountability by embedding compliance into decision-making.
Supports business continuity by adapting to regulatory and contractual changes.
By aligning business practices with legal and contractual requirements, the organization strengthens its credibility, resilience, and long-term sustainability.
In most Small and Medium-sized Businesses (SMBs), the security team is responsible for designing, implementing, and managing the security program. This team typically consists of individuals overseeing IT, cloud infrastructure, software development, HR, and security leadership. In many cases, the security team also makes the majority of security-related decisions, ensuring alignment with business objectives and managing risks effectively.
The Board of Directors provides high-level oversight, ensuring that security and governance efforts are properly resourced and that risks are being addressed appropriately. The Board’s role is not to manage security operations but to receive updates on key risks, compliance, and security posture to fulfill its governance responsibilities.
For larger organizations or those with heightened security risks, a Steering Committee may be established to provide additional oversight, strategic alignment, and prioritization of security initiatives. However, in most SMBs, the security team handles both implementation and decision-making, while the Board ensures accountability and strategic alignment.
The organization establishes policies, procedures, and a dedicated security team to provide a structured framework for managing privacy, security, compliance, and overall governance. These initiatives define responsibilities, set expectations, and ensure consistent practices, fostering effective communication, coordination, and collaboration across all levels.
Key Focus Areas
The policies, procedures, and security team initiatives address:
Legal and Regulatory Compliance: Adhering to applicable laws, standards, and contractual obligations.
Roles and Responsibilities: Assigning accountability for privacy, security, compliance, and operational efforts.
Access Control and Segregation of Duties: Defining authority and preventing unauthorized access or conflicts of interest.
Incident Response: Establishing procedures to address and mitigate security or privacy incidents.
Training and Awareness: Promoting understanding of responsibilities through regular education initiatives.
Continuous Improvement: Reviewing and updating policies and security measures to adapt to evolving requirements and risks.
Boundaries and Expectations: Defining acceptable practices and responsibilities to guide decision-making and behavior.
Consistency: Ensuring uniform application of rules across governance, operations, finance, human resources, and other areas.
Security Coordination: Conducting regular security meetings to:
Discuss security concerns and emerging threats.
Review the effectiveness of current security measures.
Identify opportunities for improvement and proactive risk mitigation.
Change Log Requirements
Policies must include a change log to document updates transparently and ensure accountability. The change log should:
Summarize changes made, identifying whether they are minor (e.g., typos) or major (e.g., substantive updates to key policies).
Record details such as the reviewer’s name, title, date of review, and specifics of the changes.
Ensure that minor changes are logged without requiring re-approval, while major changes undergo employee awareness initiatives and potential re-approval.
Policy Review Guidelines
Policies and procedures should be reviewed annually or when significant changes occur.
Minor updates should be logged but do not necessitate a full review.
Major updates should trigger a review and re-approval process to maintain alignment with organizational goals and compliance obligations.
Approval and Change Tracking
Once a policy is approved, all subsequent updates must be transparently documented to ensure:
Transparency: Stakeholders have visibility into changes.
Compliance: Policies remain aligned with legal, regulatory, and contractual requirements.
Trust: Documentation demonstrates the organization’s commitment to accountability, consistency, and strong security practices.
The security team is responsible for assessing and reporting on the effectiveness of security controls to ensure the protection of organizational assets, timely incident detection, and effective response.
This process includes:
Metrics Collection: Gathering data on security control performance, incidents, and response effectiveness.
Analysis: Evaluating trends, identifying gaps, and assessing alignment with security objectives.
Reporting: Providing actionable insights to stakeholders, ensuring transparency and accountability.
These measurements support:
Continuous Improvement: Identifying weaknesses and refining security controls to strengthen the organization’s security posture.
Goal Tracking: Measuring progress toward security objectives and risk reduction targets.
Compliance: Demonstrating adherence to regulatory and contractual requirements through documented reporting.
Regular performance assessments help ensure that security efforts remain effective, scalable, and responsive to emerging threats. The frequency of these assessments should be tailored to the organization’s size, risk profile, and regulatory obligations to maintain a practical and impactful security measurement process.
A Security and Privacy Strategy serves as a roadmap for managing risks, protecting sensitive data, and maintaining resilience. It should be reviewed at least annually or when significant changes occur, such as:
Business shifts (e.g., expansion, new products).
Emerging threats or regulatory updates.
Security incidents or assessment findings.
Key activities include:
Threat Monitoring: Tracking risks, vulnerabilities, and evolving threats.
Data Analysis: Using intelligence to assess risks and prioritize responses.
Control Improvement: Refining security measures and incident response.
Stakeholder Communication: Keeping leadership and key teams informed.
A structured review process ensures security efforts remain adaptive, proactive, and aligned with business needs, supporting continuous improvement and compliance.