SlideShare una empresa de Scribd logo

ISO 27001 (v2013) Checklist

Ivan Piskunov
Ivan Piskunov

The checklist identifies in red documentation and records that we believe are explicitly required in the main body of ISO/IEC 27001

Tecnología
1 de 22
Descargar para leer sin conexión
Compliance Assessment Results Stan dard Section Findings A.5 Information Security Policies A.5.1 Management direction for information A.5.1.1 Policies for information security Do Security policies exist? Are all policies approved by management? Are policies properly communicated to A.5.1.2 Review of the policies for information Are security policies subject to review? Are the reviews conducted at regular Are reviews conducted when A.6 Organisation of Information Security A.6.1 Internal organization A.6.1.1 Information security roles and Are responsibilities for the protection of individual assets, and for carrying out specific security processes, clearly identified and defined and communicated A.6.1.2 Segregation of duties Are duties and areas of responsibility separated, in order to reduce opportunities for unauthorized modification or misuse of A.6.1.3 Contact with authorities
Is there a procedure documenting when, and by whom, contact with relevant authorities (law enforcement etc.) will be Is there a process which details how and when contact is required? Is there a process for routine contact and intelligence sharing? A.6.1.4 Contact with special interest groups Do relevant individuals within the organisation maintain active membership in relevant special interest groups? A.6.1.5 Information security in project Do all projects go through some form of information security assessment? A.6.2 Mobile devices and teleworking A.6.2.1 Mobile device policy Does a mobile device policy exist? Does the policy have management Does the policy document and address additional risks from using mobile devices (e.g. Theft of asset, use of open wireless A.6.2 Teleworking Is there a policy for teleworking? Does this have management approval? Is there a set process for remote workers to get access? Are teleworkers given the advice and equipment to protect their assets?
A.7 Human Resources Security A.7.1 Prior to employment A.7.1.1 Screening Are background verification checks carried out on all new candidates for employment? Are these checks approved by appropriate management authority? Are the checks compliant with relevant laws, regulations and ethics? Are the level of checks required supported by business risk assessments? A.7.1.2 Terms and conditions of employment Are all employees, contractors and third party users asked to sign confidentiality and non-disclosure agreements? Do employment / service contracts A.7.2 During employment A.7.2.1 Management responsibilities Are managers (of all levels) engaged in driving security within the business? Does management behaviour and policy drive, and encourage, all employees, contractors and 3rd party users to apply security in accordance with established A.7.2.2 Information security awareness, education and training
Do all employees, contractors and 3rd party users undergo regular security awareness training appropriate to their role and function within the organisation? A.7.2.3 Disciplinary process Is there a formal disciplinary process which allows the organisation to take action against employees who have committed an Is this communicated to all employees? A.7.3 Termination and change of employment Is there a documented process for terminating or changing employment Are any information security duties which survive employment communicated to the employee or contractor? Is the organisation able to enforce compliance with any duties that survive A.8 Asset Management A.8.1 Responsibility for assets A.8.1.1 Inventory of assets Is there an inventory of all assets associated with information and Is the inventory accurate and kept up to A.8.1.2 Ownership of assets All information assets must have a clearly defined owner who is aware of their
A.8.1.3 Acceptable use of assets Is there an acceptable use policy for each class / type of information asset? Are users made aware of this policy prior A.8.1.4 Return of assets Is there a process in place to ensure all employees and external users return the organisation's assets on termination of their employment, contract or agreement? A.8.2 Information classification A.8.2.1 Classification of information Is there a policy governing information Is there a process by which all information can be appropriately classified? A.8.2.2 Labelling of information Is there a process or procedure for ensuring information classification is appropriately marked on each asset? A.8.2.3 Handling of assets Is there a procedure for handling each information classification? Are users of information assets made aware of this procedure? A.8.3 Media handling A.8.3.1 Management of removable media Is there a policy governing removable Is there a process covering how removable media is managed?
Are the policy and process(es) communicated to all employees using A.8.3.2 Disposal of media Is there a formal procedure governing how removable media is disposed? A.8.3.3 Physical media transfer Is there a documented policy and process detailing how physical media should be Is media in transport protected against unauthorised access, misuse or corruption? A.9 Access Control A.9.1 Business requirements for access control A.9.1.1 Access control policy Is there a documented access control Is the policy based on business Is the policy communicated appropriately? A.9.1.2 Access to networks and network services Are controls in place to ensure users only have access to the network resources they have been specially authorised to use and A.9.2 User access management A.9.2.1 User registration and de-registration Is there a formal user access registration process in place? A.9.2.2 User access provisioning
Is there a formal user access provisioning process in place to assign access rights for all user types and services? A.9.2.3 Management of privileged access rights Are privileged access accounts separately managed and controlled? A.9.2.4 Management of secret authentication information of users Is there a formal management process in place to control allocation of secret authentication information? A.9.2.5 Review of user access rights Is there a process for asset owners to review access rights to their assets on a Is this review process verified? A.9.2.6 Removal or adjustment of access rights Is there a process to ensure user access rights are removed on termination of employment or contract, or adjusted upon A.9.3 User responsibilities A.9.3.1 Use of secret authentication information Is there a policy document covering the organisations practices in how secret authentication information must be Is this communicated to all users? A.9.4 System and application access control A.9.4.1 Information access restriction
Is access to information and application system functions restricted in line with the access control policy? A.9.4.2 Secure log-on procedures Where the access control policy requires it, is access controlled by a secure log-on A.9.4.3 Password management system Are password systems interactive? Are complex passwords required? A.9.4.4 Use of privileged utility programs Are privilege utility programs restricted and monitored? A.9.4.5 Access control to program source code Is access to the source code of the Access Control System protected? A.10 Cryptography A.10.1 Cryptographic controls A.10.1. Policy on the use of cryptographic Is there a policy on the use of A.10.1. Key management Is there a policy governing the whole lifecycle of cryptographic keys? A.11 Physical and Environmental Security A.11.1 Secure areas A.11.1. Physical security perimeter
Is there a designated security perimeter? Are sensitive or critical information areas segregated and appropriately controlled? A.11.1. Physical entry controls Do secure areas have suitable entry control systems to ensure only authorised A.11.1. Securing offices, rooms and facilities Have offices, rooms and facilities been designed and configured with security in Do processes for maintaining the security (e.g. Locking up, clear desks etc.) exist? A.11.1. 4 Protecting against external and environmental threats Have physical protection measures to prevent natural disasters, malicious attack or accidents been designed in? A11.1. Working in secure areas Do secure areas exist? Where they do exist, do secure areas have suitable policies and processes? Are the policies and processes enforced and monitored? A.11.1. Delivery and loading areas Are there separate delivery / loading Is access to these areas controls? Is access from loading areas isolated from information processing facilities?
A11.2 Equipment A11.2. Equipment siting and protection Are environmental hazards identified and considered when equipment locations are Are the risks from unauthorised access /passers-by considered when siting A11.2. Supporting utilities Is there a UPS system or back up Have these been tested within an appropriate timescale? A11.2. Cabling security Have risk assessments been conducted over the location of power and Are they located to protect from interference, interception or damage? A11.2. Equipment maintenance Is there a rigorous equipment maintenance A11.2. Removal of assets Is there a process controlling how assets are removed from site? Is this process enforced? Are spot checks carried out? A11.2. Security of equipment and assets off- Is there a policy covering security of assets Is this policy widely communicated? A11.2. Secure disposal or reuse of equipment
Is there a policy covering how information assets may be reused? Where data is wiped, is this properly verified before reuse/disposal? A11.2. Unattended user equipment Does the organisation have a policy around how unattended equipment should be Are technical controls in place to secure equipment that has been inadvertently left A11.2. Clear desk and clear screen policy Is there a clear desk / clear screen policy? Is this well enforced? A.12 Operations Security A.12.1 Operational procedures and A.12.1. Documented operating procedures Are operating procedures well Are the procedures made available to all users who need them? A12.1. Change management Is there a controlled change management process in place? A.12.1. Capacity management Is there a capacity management process in A.12.1. 4 Separation of development, testing and operational environments
Does the organisation enforce segregation of development, test and operational A.12.2 Protection from malware A.12.2. Controls against malware Are processes to detect malware in place? Are processes to prevent malware Does the organisation have a process and capacity to recover from a malware A.12.3 Backup A.12.3. Information backup Is there an agreed backup policy? Does the organisation's backup policy comply with relevant legal frameworks? Are backups made in accordance with the Are backups tested? A.12.4 Logging and monitoring A.12.4. Event Logging Are appropriate event logs maintained and regularly reviewed? A.12.4. Protection of log information Are logging facilities protected against tampering and unauthorised access? A.12.4. Administrator and operator logs Are sysadmin / sysop logs maintained, protected and regularly reviewed? A.12.4. Clock synchronisation Are all clocks within the organisation
A.12.5 Control of operational software A.12.5. Installation of software on operational Is there a release management process in place to control the installation of software onto operational systems? A.12.6 Technical vulnerability management A.12.6. Management of technical vulnerabilities Does the organisation have access to updated and timely information on Is there a process to risk assess and react to any new vulnerabilities as they are A.12.6. Restrictions on software installations Are there processes in place to restrict how users install software? A.12.7 IInformation systems audit A.12.7. Information systems audit controls Are IS Systems subject to audit? Does the audit process ensure business disruption is minimised? A.13 Communications Security A.13.1 Network security management A.13.1. Network controls Is there a network management process in A.13.1. Security of network services
Does the organisation implement a risk management approach which identifies all network services and service agreements?Is security mandated in agreements and contracts with service providers (in house and outsourced)? Are security related SLAs mandated? A.13.1. Segregation in networks Does the network topology enforce segregation of networks for different A.13.2 Information transfer A.13.2. Information transfer policies and Do organisational policies govern how information is transferred? Are procedures for how data should be transferred made available to all Are relevant technical controls in place to prevent non-authorised forms of data A.13.2. Agreements on information transfer Do contracts with external parties and agreements within the organisation detail the requirements for securing business A.13.2. Electronic messaging Do security policies cover the use of information transfer while using electronic A.13.2. Confidentiality or nondisclosure Do employees, contractors and agents sign confidentiality or non disclosure
Are these agreements subject to regular Are records of the agreements maintained? A.14 System Acquisition, Development and Maintenance A.14.1 Security requirements of information A.14.1. 1 Information security requirements analysis and specification Are information security requirements specified when new systems are When systems are being enhanced or upgraded, are security requirements A.14.1. Securing application services on public Do applications which send information over public networks appropriately protect the information against fraudulent activity, contract dispute, unauthorised discloser and unauthorised modification? A.14.1. Protecting application services Are controls in place to prevent incomplete transmission, misrouting, unauthorised message alteration, unauthorised disclosure, unauthorised message A.14.2 Security in development and support A.14.2. Secure development policy Does the organisation develop software or If so, are there policies mandating the implementation and assessment of security
A.14.2. System change control procedures Is there a formal change control process? A.14.2. 3 Technical review of applications after operating platform changes Is there a process to ensure a technical review is carried out when operating A.14.2. Restrictions on changes to software Is there a policy in place which mandates when and how software packages can be A.14.2. Secure system engineering principles Does the organisation have documented principles on how systems must be A.14.2. Secure development environment Has a secure development environment been established? Do all projects utilise the secure development environment appropriately during the system development lifecycle? A.12.2. Outsourced development Where development has been outsourced, is this supervised? Is externally developed code subject to a security review before deployment? A.12.2. System security testing Where systems or applications are developed, are they security tested as part of the development process?
A.12.2. System acceptance testing Is there an established process to accept new systems / applications, or upgrades, A.14.3 Test data A.14.3. Protection of test data Is there a process for selecting test data? Is test data suitably protected? A.15 Supplier Relationships A.15.1 Information security in supplier A.15.1. 1 Information security policy for supplier relationships Is information security included in contracts established with suppliers and Is there an organisation-wide risk management approach to supplier A.15.1. Addressing security within supplier Are suppliers provided with documented security requirements? Is supplier access to information assets & infrastructure controlled and monitored? A.15.1. 3 Information and communication technology supply chain Do supplier agreements include requirements to address information security within the service & product A.15.2 Supplier service delivery management
A.15.2. Monitoring and review of supplier Are suppliers subject to regular review and A.15.2. Managing changes to supplier services Are changes to the provision of services subject to a management process which includes security & risk assessment? A.16 Information Security Incident Management A.16.1 Management of information security incidents and improvements A.16.1. Responsibilities and procedures Are management responsibilities clearly identified and documented in the incident management processes? A.16.1. Reporting information security events Is there a process for timely reporting of information security events? Is there a process for reviewing and acting on reported information security events? A.16.1. Reporting information security Is there a process for reporting of identified information security weaknesses? Is this process widely communicated? Is there a process for reviewing and addressing reports in a timely manner? A.16.1. 4 Assessment of and decision on information security events
Is there a process to ensure information security events are properly assessed and A.16.1. Response to information security Is there an incident response process which reflects the classification and severity of information security incidents? A.16.1. Learning from information security Is there a process or framework which allows the organisation to learn from information security incidents and reduce the impact / probability of future events? A.16.1. Collection of evidence Is there a forensic readiness policy? In the event of an information security incident is relevant data collected in a manner which allows it to be used as A.17 Information Security Aspects of Business Continuity Management A.17.1 Information security continuity A.17.1. Planning information security continuity Is information security included in the organisation's continuity plans? A.17.1. Implementing information security Does the organisation's information security function have documented, implemented and maintained processes to maintain continuity of service during an
A.17.1. 3 Verify, review and evaluate information security continuity Are continuity plans validated and verified at regular intervals? A.17.2 Redundancies A.17.2. Availability of information processing Do information processing facilities have sufficient redundancy to meet the organisations availability requirements? A.18 Compliance A.18.1 Compliance with legal and contractual requirements A.18.1. 1 Identification of applicable legislation and contractual requirements Has the organisation identified and documented all relevant legislative, regulatory or contractual requirements Is compliance documented? A.18.1. Intellectual property rights Does the organisation keep a record of all intellectual property rights and use of proprietary software products? Does the organisation monitor for the use of unlicensed software? A.18.1. Protection of records
Are records protected from loss, destruction, falsification and unauthorised access or release in accordance with legislative, regulatory, contractual and A.18.1. 4 Privacy and protection of personally identifiable information Is personal data identified and appropriately classified? Is personal data protected in accordance with relevant legislation? A.18.1. Regulation of cryptographic controls Are cryptographic controls protected in accordance with all relevant agreements, legislation and regulations? A.18.2 Information security reviews A.18.2. Independent review of information Is the organisations approach to managing information security subject to regular independent review? Is the implementation of security controls subject to regular independent review? A.18.2. Compliance with security policies and Does the organisation instruct managers to regularly review compliance with policy and procedures within their area of Are records of these reviews maintained? A.18.2. Technical compliance review
Does the organisation regularly conduct technical compliance reviews of its

Recomendados

Iso 27001 Checklist
Iso 27001 ChecklistIso 27001 Checklist
Iso 27001 Checklist
Craig Willetts ISO Expert
 
ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2
Tanmay Shinde
 
ISO 27001
ISO 27001ISO 27001
ISO 27001
n|u - The Open Security Community
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
Shankar Subramaniyan
 
ISO 27001 - Information Security Management System
ISO 27001 - Information Security Management SystemISO 27001 - Information Security Management System
ISO 27001 - Information Security Management System
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
27001.pptx
27001.pptx27001.pptx
27001.pptx
AvniJain836319
 
ISO 27001 2013 isms final overview
ISO 27001 2013 isms final overviewISO 27001 2013 isms final overview
ISO 27001 2013 isms final overview
Naresh Rao
 
IC-ISO-27001-Checklist-10838_PDF.pdf
IC-ISO-27001-Checklist-10838_PDF.pdfIC-ISO-27001-Checklist-10838_PDF.pdf
IC-ISO-27001-Checklist-10838_PDF.pdf
Napoleon NV
 

Recomendados

Iso 27001 Checklist
Iso 27001 ChecklistIso 27001 Checklist
Iso 27001 Checklist
Craig Willetts ISO Expert
 
ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2
Tanmay Shinde
 
ISO 27001
ISO 27001ISO 27001
ISO 27001
n|u - The Open Security Community
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
Shankar Subramaniyan
 
ISO 27001 - Information Security Management System
ISO 27001 - Information Security Management SystemISO 27001 - Information Security Management System
ISO 27001 - Information Security Management System
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
27001.pptx
27001.pptx27001.pptx
27001.pptx
AvniJain836319
 
ISO 27001 2013 isms final overview
ISO 27001 2013 isms final overviewISO 27001 2013 isms final overview
ISO 27001 2013 isms final overview
Naresh Rao
 
IC-ISO-27001-Checklist-10838_PDF.pdf
IC-ISO-27001-Checklist-10838_PDF.pdfIC-ISO-27001-Checklist-10838_PDF.pdf
IC-ISO-27001-Checklist-10838_PDF.pdf
Napoleon NV
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
Dam Frank
 
ISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTING
Arul Nambi
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My Organisation
Vigilant Software
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001
Imran Ahmed
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interprom
Mart Rovers
 
isms-presentation.ppt
isms-presentation.pptisms-presentation.ppt
isms-presentation.ppt
HasnolAhmad2
 
Isms awareness presentation
Isms awareness presentationIsms awareness presentation
Isms awareness presentation
Pranay Kumar
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...
IT Governance Ltd
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR and Security.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf
ControlCase
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy
Dam Frank
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
scttmcvy
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementation
Ralf Braga
 
ISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptx
foram74
 
ISO 27001 Training | ISO 27001 Internal Auditor Training | ISMS Internal Audi...
ISO 27001 Training | ISO 27001 Internal Auditor Training | ISMS Internal Audi...ISO 27001 Training | ISO 27001 Internal Auditor Training | ISMS Internal Audi...
ISO 27001 Training | ISO 27001 Internal Auditor Training | ISMS Internal Audi...
himalya sharma
 
ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1
Tanmay Shinde
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
Midhun Nirmal
 
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3
Tanmay Shinde
 
What is iso 27001 isms
What is iso 27001 ismsWhat is iso 27001 isms
What is iso 27001 isms
Craig Willetts ISO Expert
 
Комплект документов по ISO 27001-2013
Комплект документов по ISO 27001-2013Комплект документов по ISO 27001-2013
Комплект документов по ISO 27001-2013
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Вопросы для интервью ISO 27001
Вопросы для интервью ISO 27001Вопросы для интервью ISO 27001
Вопросы для интервью ISO 27001
Ivan Piskunov
 

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
 
ISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTING
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My Organisation
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interprom
 
isms-presentation.ppt
isms-presentation.pptisms-presentation.ppt
isms-presentation.ppt
 
Isms awareness presentation
Isms awareness presentationIsms awareness presentation
Isms awareness presentation
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
 
GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR and Security.pdf
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementation
 
ISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptx
 
ISO 27001 Training | ISO 27001 Internal Auditor Training | ISMS Internal Audi...
ISO 27001 Training | ISO 27001 Internal Auditor Training | ISMS Internal Audi...ISO 27001 Training | ISO 27001 Internal Auditor Training | ISMS Internal Audi...
ISO 27001 Training | ISO 27001 Internal Auditor Training | ISMS Internal Audi...
 
ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
 
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3
 
What is iso 27001 isms
What is iso 27001 ismsWhat is iso 27001 isms
What is iso 27001 isms
 

Destacado

Политика обнаружения и реагирования на инциденты информационной безопасности
Политика обнаружения и реагирования на инциденты информационной безопасностиПолитика обнаружения и реагирования на инциденты информационной безопасности
Политика обнаружения и реагирования на инциденты информационной безопасности
Evgeniy Shauro
 
Астерит. Марат Хазиев. "Аудит информационной безопасности - всё начинается с ...
Астерит. Марат Хазиев. "Аудит информационной безопасности - всё начинается с ...Астерит. Марат Хазиев. "Аудит информационной безопасности - всё начинается с ...
Астерит. Марат Хазиев. "Аудит информационной безопасности - всё начинается с ...
Expolink
 
Управление инцидентами информационной безопасности от А до Я
Управление инцидентами информационной безопасности от А до ЯУправление инцидентами информационной безопасности от А до Я
Управление инцидентами информационной безопасности от А до Я
DialogueScience
 
ISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedure
Uppala Anand
 

Destacado (20)

Комплект документов по ISO 27001-2013
Комплект документов по ISO 27001-2013Комплект документов по ISO 27001-2013
Комплект документов по ISO 27001-2013
 
Вопросы для интервью ISO 27001
Вопросы для интервью ISO 27001Вопросы для интервью ISO 27001
Вопросы для интервью ISO 27001
 
Scope of work IT DD
Scope of work IT DDScope of work IT DD
Scope of work IT DD
 
ISO/IEC 27001:2005 naar ISO 27001:2013 Checklist
ISO/IEC 27001:2005 naar ISO 27001:2013 ChecklistISO/IEC 27001:2005 naar ISO 27001:2013 Checklist
ISO/IEC 27001:2005 naar ISO 27001:2013 Checklist
 
Общий план комплексного аудита информационной безопасности
Общий план комплексного аудита информационной безопасностиОбщий план комплексного аудита информационной безопасности
Общий план комплексного аудита информационной безопасности
 
Политика обнаружения и реагирования на инциденты информационной безопасности
Политика обнаружения и реагирования на инциденты информационной безопасностиПолитика обнаружения и реагирования на инциденты информационной безопасности
Политика обнаружения и реагирования на инциденты информационной безопасности
 
Астерит. Марат Хазиев. "Аудит информационной безопасности - всё начинается с ...
Астерит. Марат Хазиев. "Аудит информационной безопасности - всё начинается с ...Астерит. Марат Хазиев. "Аудит информационной безопасности - всё начинается с ...
Астерит. Марат Хазиев. "Аудит информационной безопасности - всё начинается с ...
 
Управление инцидентами информационной безопасности от А до Я
Управление инцидентами информационной безопасности от А до ЯУправление инцидентами информационной безопасности от А до Я
Управление инцидентами информационной безопасности от А до Я
 
пр Разработка комплекта документов по управлению ИБ (прозоров)
пр Разработка комплекта документов по управлению ИБ (прозоров)пр Разработка комплекта документов по управлению ИБ (прозоров)
пр Разработка комплекта документов по управлению ИБ (прозоров)
 
Iso 27001 2013 Standard Requirements
Iso 27001 2013 Standard RequirementsIso 27001 2013 Standard Requirements
Iso 27001 2013 Standard Requirements
 
Аудит СУИБ
Аудит СУИБАудит СУИБ
Аудит СУИБ
 
ISO 27001 Implementation_Documentation_Mandatory_List
ISO 27001 Implementation_Documentation_Mandatory_ListISO 27001 Implementation_Documentation_Mandatory_List
ISO 27001 Implementation_Documentation_Mandatory_List
 
ISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedure
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview
 
Модель зрелости процесса (мониторинг и оценка ИБ)
Модель зрелости процесса (мониторинг и оценка ИБ) Модель зрелости процесса (мониторинг и оценка ИБ)
Модель зрелости процесса (мониторинг и оценка ИБ)
 
пр про SOC для ФСТЭК
пр про SOC для ФСТЭКпр про SOC для ФСТЭК
пр про SOC для ФСТЭК
 
Доступ к технической библиотеке обучающих материалов Symantec
Доступ к технической библиотеке обучающих материалов SymantecДоступ к технической библиотеке обучающих материалов Symantec
Доступ к технической библиотеке обучающих материалов Symantec
 
Risk Management Practices for PCI DSS 2.0
Risk Management Practices for PCI DSS 2.0Risk Management Practices for PCI DSS 2.0
Risk Management Practices for PCI DSS 2.0
 
Coso erm frmwrk
Coso erm frmwrkCoso erm frmwrk
Coso erm frmwrk
 
On line вещание лукацкого с базы
On line вещание лукацкого с базыOn line вещание лукацкого с базы
On line вещание лукацкого с базы
 

Similar a ISO 27001 (v2013) Checklist

Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessment
jenito21
 
gkkSecurity essentials domain 1
gkkSecurity essentials domain 1gkkSecurity essentials domain 1
gkkSecurity essentials domain 1
Anne Starr
 
Security Education and Training1111.pdf
Security Education and Training1111.pdfSecurity Education and Training1111.pdf
Security Education and Training1111.pdf
akkashkumar055
 
Cybertopic_1security
Cybertopic_1securityCybertopic_1security
Cybertopic_1security
Anne Starr
 

Similar a ISO 27001 (v2013) Checklist (20)

AnnexIX1302.pdf
AnnexIX1302.pdfAnnexIX1302.pdf
AnnexIX1302.pdf
 
D1 security and risk management v1.62
D1 security and risk management v1.62D1 security and risk management v1.62
D1 security and risk management v1.62
 
Shivani shukla_B38_KnowledgeManagement
Shivani shukla_B38_KnowledgeManagementShivani shukla_B38_KnowledgeManagement
Shivani shukla_B38_KnowledgeManagement
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
 
Ch08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.comCh08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.com
 
Chapter003
Chapter003Chapter003
Chapter003
 
04 - Annexe 20sdsdsdsadsadsdsdsad22.pptx
04 - Annexe 20sdsdsdsadsadsdsdsad22.pptx04 - Annexe 20sdsdsdsadsadsdsdsad22.pptx
04 - Annexe 20sdsdsdsadsadsdsdsad22.pptx
 
Roadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesRoadmap to IT Security Best Practices
Roadmap to IT Security Best Practices
 
27001 2013 iso geek
27001 2013 iso geek27001 2013 iso geek
27001 2013 iso geek
 
R.a 1
R.a 1R.a 1
R.a 1
 
Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessment
 
Developing an Information Security Program
Developing an Information Security ProgramDeveloping an Information Security Program
Developing an Information Security Program
 
gkkSecurity essentials domain 1
gkkSecurity essentials domain 1gkkSecurity essentials domain 1
gkkSecurity essentials domain 1
 
Security Education and Training1111.pdf
Security Education and Training1111.pdfSecurity Education and Training1111.pdf
Security Education and Training1111.pdf
 
Hipaa checklist - information security
Hipaa checklist - information securityHipaa checklist - information security
Hipaa checklist - information security
 
)k
)k)k
)k
 
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
 
Iso 27001
Iso 27001Iso 27001
Iso 27001
 
Cybertopic_1security
Cybertopic_1securityCybertopic_1security
Cybertopic_1security
 
Supplier security assessment questionnaire
Supplier security assessment questionnaireSupplier security assessment questionnaire
Supplier security assessment questionnaire
 

Más de Ivan Piskunov

Электронная подпись и счет-фактуры в бухгалтерском учете
Электронная подпись и счет-фактуры в бухгалтерском учете Электронная подпись и счет-фактуры в бухгалтерском учете
Электронная подпись и счет-фактуры в бухгалтерском учете
Ivan Piskunov
 
Особенности проведения аудита безопасности корпоративной IT-инфраструктуры_PH...
Особенности проведения аудита безопасности корпоративной IT-инфраструктуры_PH...Особенности проведения аудита безопасности корпоративной IT-инфраструктуры_PH...
Особенности проведения аудита безопасности корпоративной IT-инфраструктуры_PH...
Ivan Piskunov
 
Как сэкономить, вложив в информационную безопасность?
Как сэкономить, вложив в информационную безопасность? Как сэкономить, вложив в информационную безопасность?
Как сэкономить, вложив в информационную безопасность?
Ivan Piskunov
 

Más de Ivan Piskunov (8)

Электронная подпись и счет-фактуры в бухгалтерском учете
Электронная подпись и счет-фактуры в бухгалтерском учете Электронная подпись и счет-фактуры в бухгалтерском учете
Электронная подпись и счет-фактуры в бухгалтерском учете
 
Особенности проведения аудита безопасности корпоративной IT-инфраструктуры_PH...
Особенности проведения аудита безопасности корпоративной IT-инфраструктуры_PH...Особенности проведения аудита безопасности корпоративной IT-инфраструктуры_PH...
Особенности проведения аудита безопасности корпоративной IT-инфраструктуры_PH...
 
Человеческий фактор [без]опасного интернета
Человеческий фактор [без]опасного интернетаЧеловеческий фактор [без]опасного интернета
Человеческий фактор [без]опасного интернета
 
Как сэкономить, вложив в информационную безопасность?
Как сэкономить, вложив в информационную безопасность? Как сэкономить, вложив в информационную безопасность?
Как сэкономить, вложив в информационную безопасность?
 
Аудит ИБ как инструмент повышения эффективности вашего бизнеса
Аудит ИБ как инструмент повышения эффективности вашего бизнесаАудит ИБ как инструмент повышения эффективности вашего бизнеса
Аудит ИБ как инструмент повышения эффективности вашего бизнеса
 
Анти-фрод системы: правовые и технические аспекты, перспективы применения и ...
Анти-фрод системы: правовые и технические аспекты, перспективы применения и ...Анти-фрод системы: правовые и технические аспекты, перспективы применения и ...
Анти-фрод системы: правовые и технические аспекты, перспективы применения и ...
 
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
 
Scope of work IT DD
Scope of work IT DDScope of work IT DD
Scope of work IT DD
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 

Último (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 

ISO 27001 (v2013) Checklist

  • 1. Compliance Assessment Results Stan dard Section Findings A.5 Information Security Policies A.5.1 Management direction for information A.5.1.1 Policies for information security Do Security policies exist? Are all policies approved by management? Are policies properly communicated to A.5.1.2 Review of the policies for information Are security policies subject to review? Are the reviews conducted at regular Are reviews conducted when A.6 Organisation of Information Security A.6.1 Internal organization A.6.1.1 Information security roles and Are responsibilities for the protection of individual assets, and for carrying out specific security processes, clearly identified and defined and communicated A.6.1.2 Segregation of duties Are duties and areas of responsibility separated, in order to reduce opportunities for unauthorized modification or misuse of A.6.1.3 Contact with authorities
  • 2. Is there a procedure documenting when, and by whom, contact with relevant authorities (law enforcement etc.) will be Is there a process which details how and when contact is required? Is there a process for routine contact and intelligence sharing? A.6.1.4 Contact with special interest groups Do relevant individuals within the organisation maintain active membership in relevant special interest groups? A.6.1.5 Information security in project Do all projects go through some form of information security assessment? A.6.2 Mobile devices and teleworking A.6.2.1 Mobile device policy Does a mobile device policy exist? Does the policy have management Does the policy document and address additional risks from using mobile devices (e.g. Theft of asset, use of open wireless A.6.2 Teleworking Is there a policy for teleworking? Does this have management approval? Is there a set process for remote workers to get access? Are teleworkers given the advice and equipment to protect their assets?
  • 3. A.7 Human Resources Security A.7.1 Prior to employment A.7.1.1 Screening Are background verification checks carried out on all new candidates for employment? Are these checks approved by appropriate management authority? Are the checks compliant with relevant laws, regulations and ethics? Are the level of checks required supported by business risk assessments? A.7.1.2 Terms and conditions of employment Are all employees, contractors and third party users asked to sign confidentiality and non-disclosure agreements? Do employment / service contracts A.7.2 During employment A.7.2.1 Management responsibilities Are managers (of all levels) engaged in driving security within the business? Does management behaviour and policy drive, and encourage, all employees, contractors and 3rd party users to apply security in accordance with established A.7.2.2 Information security awareness, education and training
  • 4. Do all employees, contractors and 3rd party users undergo regular security awareness training appropriate to their role and function within the organisation? A.7.2.3 Disciplinary process Is there a formal disciplinary process which allows the organisation to take action against employees who have committed an Is this communicated to all employees? A.7.3 Termination and change of employment Is there a documented process for terminating or changing employment Are any information security duties which survive employment communicated to the employee or contractor? Is the organisation able to enforce compliance with any duties that survive A.8 Asset Management A.8.1 Responsibility for assets A.8.1.1 Inventory of assets Is there an inventory of all assets associated with information and Is the inventory accurate and kept up to A.8.1.2 Ownership of assets All information assets must have a clearly defined owner who is aware of their
  • 5. A.8.1.3 Acceptable use of assets Is there an acceptable use policy for each class / type of information asset? Are users made aware of this policy prior A.8.1.4 Return of assets Is there a process in place to ensure all employees and external users return the organisation's assets on termination of their employment, contract or agreement? A.8.2 Information classification A.8.2.1 Classification of information Is there a policy governing information Is there a process by which all information can be appropriately classified? A.8.2.2 Labelling of information Is there a process or procedure for ensuring information classification is appropriately marked on each asset? A.8.2.3 Handling of assets Is there a procedure for handling each information classification? Are users of information assets made aware of this procedure? A.8.3 Media handling A.8.3.1 Management of removable media Is there a policy governing removable Is there a process covering how removable media is managed?
  • 6. Are the policy and process(es) communicated to all employees using A.8.3.2 Disposal of media Is there a formal procedure governing how removable media is disposed? A.8.3.3 Physical media transfer Is there a documented policy and process detailing how physical media should be Is media in transport protected against unauthorised access, misuse or corruption? A.9 Access Control A.9.1 Business requirements for access control A.9.1.1 Access control policy Is there a documented access control Is the policy based on business Is the policy communicated appropriately? A.9.1.2 Access to networks and network services Are controls in place to ensure users only have access to the network resources they have been specially authorised to use and A.9.2 User access management A.9.2.1 User registration and de-registration Is there a formal user access registration process in place? A.9.2.2 User access provisioning
  • 7. Is there a formal user access provisioning process in place to assign access rights for all user types and services? A.9.2.3 Management of privileged access rights Are privileged access accounts separately managed and controlled? A.9.2.4 Management of secret authentication information of users Is there a formal management process in place to control allocation of secret authentication information? A.9.2.5 Review of user access rights Is there a process for asset owners to review access rights to their assets on a Is this review process verified? A.9.2.6 Removal or adjustment of access rights Is there a process to ensure user access rights are removed on termination of employment or contract, or adjusted upon A.9.3 User responsibilities A.9.3.1 Use of secret authentication information Is there a policy document covering the organisations practices in how secret authentication information must be Is this communicated to all users? A.9.4 System and application access control A.9.4.1 Information access restriction
  • 8. Is access to information and application system functions restricted in line with the access control policy? A.9.4.2 Secure log-on procedures Where the access control policy requires it, is access controlled by a secure log-on A.9.4.3 Password management system Are password systems interactive? Are complex passwords required? A.9.4.4 Use of privileged utility programs Are privilege utility programs restricted and monitored? A.9.4.5 Access control to program source code Is access to the source code of the Access Control System protected? A.10 Cryptography A.10.1 Cryptographic controls A.10.1. Policy on the use of cryptographic Is there a policy on the use of A.10.1. Key management Is there a policy governing the whole lifecycle of cryptographic keys? A.11 Physical and Environmental Security A.11.1 Secure areas A.11.1. Physical security perimeter
  • 9. Is there a designated security perimeter? Are sensitive or critical information areas segregated and appropriately controlled? A.11.1. Physical entry controls Do secure areas have suitable entry control systems to ensure only authorised A.11.1. Securing offices, rooms and facilities Have offices, rooms and facilities been designed and configured with security in Do processes for maintaining the security (e.g. Locking up, clear desks etc.) exist? A.11.1. 4 Protecting against external and environmental threats Have physical protection measures to prevent natural disasters, malicious attack or accidents been designed in? A11.1. Working in secure areas Do secure areas exist? Where they do exist, do secure areas have suitable policies and processes? Are the policies and processes enforced and monitored? A.11.1. Delivery and loading areas Are there separate delivery / loading Is access to these areas controls? Is access from loading areas isolated from information processing facilities?
  • 10. A11.2 Equipment A11.2. Equipment siting and protection Are environmental hazards identified and considered when equipment locations are Are the risks from unauthorised access /passers-by considered when siting A11.2. Supporting utilities Is there a UPS system or back up Have these been tested within an appropriate timescale? A11.2. Cabling security Have risk assessments been conducted over the location of power and Are they located to protect from interference, interception or damage? A11.2. Equipment maintenance Is there a rigorous equipment maintenance A11.2. Removal of assets Is there a process controlling how assets are removed from site? Is this process enforced? Are spot checks carried out? A11.2. Security of equipment and assets off- Is there a policy covering security of assets Is this policy widely communicated? A11.2. Secure disposal or reuse of equipment
  • 11. Is there a policy covering how information assets may be reused? Where data is wiped, is this properly verified before reuse/disposal? A11.2. Unattended user equipment Does the organisation have a policy around how unattended equipment should be Are technical controls in place to secure equipment that has been inadvertently left A11.2. Clear desk and clear screen policy Is there a clear desk / clear screen policy? Is this well enforced? A.12 Operations Security A.12.1 Operational procedures and A.12.1. Documented operating procedures Are operating procedures well Are the procedures made available to all users who need them? A12.1. Change management Is there a controlled change management process in place? A.12.1. Capacity management Is there a capacity management process in A.12.1. 4 Separation of development, testing and operational environments
  • 12. Does the organisation enforce segregation of development, test and operational A.12.2 Protection from malware A.12.2. Controls against malware Are processes to detect malware in place? Are processes to prevent malware Does the organisation have a process and capacity to recover from a malware A.12.3 Backup A.12.3. Information backup Is there an agreed backup policy? Does the organisation's backup policy comply with relevant legal frameworks? Are backups made in accordance with the Are backups tested? A.12.4 Logging and monitoring A.12.4. Event Logging Are appropriate event logs maintained and regularly reviewed? A.12.4. Protection of log information Are logging facilities protected against tampering and unauthorised access? A.12.4. Administrator and operator logs Are sysadmin / sysop logs maintained, protected and regularly reviewed? A.12.4. Clock synchronisation Are all clocks within the organisation
  • 13. A.12.5 Control of operational software A.12.5. Installation of software on operational Is there a release management process in place to control the installation of software onto operational systems? A.12.6 Technical vulnerability management A.12.6. Management of technical vulnerabilities Does the organisation have access to updated and timely information on Is there a process to risk assess and react to any new vulnerabilities as they are A.12.6. Restrictions on software installations Are there processes in place to restrict how users install software? A.12.7 IInformation systems audit A.12.7. Information systems audit controls Are IS Systems subject to audit? Does the audit process ensure business disruption is minimised? A.13 Communications Security A.13.1 Network security management A.13.1. Network controls Is there a network management process in A.13.1. Security of network services
  • 14. Does the organisation implement a risk management approach which identifies all network services and service agreements?Is security mandated in agreements and contracts with service providers (in house and outsourced)? Are security related SLAs mandated? A.13.1. Segregation in networks Does the network topology enforce segregation of networks for different A.13.2 Information transfer A.13.2. Information transfer policies and Do organisational policies govern how information is transferred? Are procedures for how data should be transferred made available to all Are relevant technical controls in place to prevent non-authorised forms of data A.13.2. Agreements on information transfer Do contracts with external parties and agreements within the organisation detail the requirements for securing business A.13.2. Electronic messaging Do security policies cover the use of information transfer while using electronic A.13.2. Confidentiality or nondisclosure Do employees, contractors and agents sign confidentiality or non disclosure
  • 15. Are these agreements subject to regular Are records of the agreements maintained? A.14 System Acquisition, Development and Maintenance A.14.1 Security requirements of information A.14.1. 1 Information security requirements analysis and specification Are information security requirements specified when new systems are When systems are being enhanced or upgraded, are security requirements A.14.1. Securing application services on public Do applications which send information over public networks appropriately protect the information against fraudulent activity, contract dispute, unauthorised discloser and unauthorised modification? A.14.1. Protecting application services Are controls in place to prevent incomplete transmission, misrouting, unauthorised message alteration, unauthorised disclosure, unauthorised message A.14.2 Security in development and support A.14.2. Secure development policy Does the organisation develop software or If so, are there policies mandating the implementation and assessment of security
  • 16. A.14.2. System change control procedures Is there a formal change control process? A.14.2. 3 Technical review of applications after operating platform changes Is there a process to ensure a technical review is carried out when operating A.14.2. Restrictions on changes to software Is there a policy in place which mandates when and how software packages can be A.14.2. Secure system engineering principles Does the organisation have documented principles on how systems must be A.14.2. Secure development environment Has a secure development environment been established? Do all projects utilise the secure development environment appropriately during the system development lifecycle? A.12.2. Outsourced development Where development has been outsourced, is this supervised? Is externally developed code subject to a security review before deployment? A.12.2. System security testing Where systems or applications are developed, are they security tested as part of the development process?
  • 17. A.12.2. System acceptance testing Is there an established process to accept new systems / applications, or upgrades, A.14.3 Test data A.14.3. Protection of test data Is there a process for selecting test data? Is test data suitably protected? A.15 Supplier Relationships A.15.1 Information security in supplier A.15.1. 1 Information security policy for supplier relationships Is information security included in contracts established with suppliers and Is there an organisation-wide risk management approach to supplier A.15.1. Addressing security within supplier Are suppliers provided with documented security requirements? Is supplier access to information assets & infrastructure controlled and monitored? A.15.1. 3 Information and communication technology supply chain Do supplier agreements include requirements to address information security within the service & product A.15.2 Supplier service delivery management
  • 18. A.15.2. Monitoring and review of supplier Are suppliers subject to regular review and A.15.2. Managing changes to supplier services Are changes to the provision of services subject to a management process which includes security & risk assessment? A.16 Information Security Incident Management A.16.1 Management of information security incidents and improvements A.16.1. Responsibilities and procedures Are management responsibilities clearly identified and documented in the incident management processes? A.16.1. Reporting information security events Is there a process for timely reporting of information security events? Is there a process for reviewing and acting on reported information security events? A.16.1. Reporting information security Is there a process for reporting of identified information security weaknesses? Is this process widely communicated? Is there a process for reviewing and addressing reports in a timely manner? A.16.1. 4 Assessment of and decision on information security events
  • 19. Is there a process to ensure information security events are properly assessed and A.16.1. Response to information security Is there an incident response process which reflects the classification and severity of information security incidents? A.16.1. Learning from information security Is there a process or framework which allows the organisation to learn from information security incidents and reduce the impact / probability of future events? A.16.1. Collection of evidence Is there a forensic readiness policy? In the event of an information security incident is relevant data collected in a manner which allows it to be used as A.17 Information Security Aspects of Business Continuity Management A.17.1 Information security continuity A.17.1. Planning information security continuity Is information security included in the organisation's continuity plans? A.17.1. Implementing information security Does the organisation's information security function have documented, implemented and maintained processes to maintain continuity of service during an
  • 20. A.17.1. 3 Verify, review and evaluate information security continuity Are continuity plans validated and verified at regular intervals? A.17.2 Redundancies A.17.2. Availability of information processing Do information processing facilities have sufficient redundancy to meet the organisations availability requirements? A.18 Compliance A.18.1 Compliance with legal and contractual requirements A.18.1. 1 Identification of applicable legislation and contractual requirements Has the organisation identified and documented all relevant legislative, regulatory or contractual requirements Is compliance documented? A.18.1. Intellectual property rights Does the organisation keep a record of all intellectual property rights and use of proprietary software products? Does the organisation monitor for the use of unlicensed software? A.18.1. Protection of records
  • 21. Are records protected from loss, destruction, falsification and unauthorised access or release in accordance with legislative, regulatory, contractual and A.18.1. 4 Privacy and protection of personally identifiable information Is personal data identified and appropriately classified? Is personal data protected in accordance with relevant legislation? A.18.1. Regulation of cryptographic controls Are cryptographic controls protected in accordance with all relevant agreements, legislation and regulations? A.18.2 Information security reviews A.18.2. Independent review of information Is the organisations approach to managing information security subject to regular independent review? Is the implementation of security controls subject to regular independent review? A.18.2. Compliance with security policies and Does the organisation instruct managers to regularly review compliance with policy and procedures within their area of Are records of these reviews maintained? A.18.2. Technical compliance review
  • 22. Does the organisation regularly conduct technical compliance reviews of its