
ISO27001:2013 Assessment

[Chart: Compliance Status - By Section (A.5 to A.18; scale 0 to 1)]

[Chart: Compliance Status - By Control (scale 0 to 1)]

Introduction

This tool is designed to assist a skilled and experienced professional ensure that the relevant control areas of ISO/IEC 27001:2013 have been addressed. This tool does not constitute a valid assessment and the use of this tool does not confer ISO/IEC 27001:2013 certification. The findings here must be confirmed as part of a formal audit / assessment visit.

Instructions for use

Pre-assessment
1. Determine assessment scope. Work with the relevant business stakeholders to determine what the appropriate scope of the assessment is.
2. Collect evidence. Identify and centralise as much evidence as possible. This can include policy documents, process documents, interview transcripts etc.
3. Prepare toolkit. Using the assessment scope you can identify what areas of the toolkit are not appropriate and set these to 100% to close reporting. Additionally, where suggested audit questions are not relevant, these can be replaced with more suitable ones.

Assessment
4. Review control areas. Work through the toolkit, reviewing the evidence for each control and determining how compliant it is with the requirements. The toolkit allows for this to be done in 5% increments.
5. Determine level of compliance. On completion of the review, the toolkit will give you an overall level of compliance by control area and by individual controls.

Post Assessment
6. Record areas of weakness. Make a note of any areas where compliance is unsuitable (normally less than 90%).
7. Determine improvement plan. For each area of weakness, work with the relevant business stakeholders to determine how the control can be improved.
8. Schedule re-assessment. Arrange a date to review weak areas to set a target for improvement plans.

Lifecycle Review
9. ISMS Review Schedules. Ensure that the ISMS is re-assessed on a regular basis, ideally once every 12 months.

Compliance per Section

Standard   Section                                                          Status
A.5        Information Security Policies                                    0%
A.6        Organisation of information security                             0%
A.7        Human resources security                                         0%
A.8        Asset management                                                 0%
A.9        Access control                                                   0%
A.10       Cryptography                                                     0%
A.11       Physical and environmental security                              0%
A.12       Operations security                                              0%
A.13       Communications security                                          0%
A.14       System acquisition, development and maintenance                  0%
A.15       Supplier relationships                                           0%
A.16       Information security incident management                         0%
A.17       Information security aspects of business continuity management   0%
A.18       Compliance                                                       0%

Overall Compliance                                                          0%

Compliance per Control

Standard   Section                                               Status
A.5.1      Management direction for information security         0%
A.6.1      Internal organisation                                 0%
A.6.2      Mobile devices and teleworking                        0%
A.7.1      Prior to employment                                   0%
A.7.2      During employment                                     0%
A.7.3      Termination and change of employment                  0%
A.8.1      Responsibility for assets                             0%
A.8.2      Information classification                            0%
A.8.3      Media handling                                        0%
A.9.1      Business requirements for access control              0%
A.9.2      User access management                                0%
A.9.3      User responsibilities                                 0%
A.9.4      System and application access control                 0%
A.10.1     Cryptographic controls                                0%
A.11.1     Secure areas                                          0%
A.11.2     Equipment                                             0%
A.12.1     Operational procedures and responsibilities           0%
A.12.2     Protection from malware                               0%
A.12.3     Backup                                                0%
A.12.4     Logging and monitoring                                0%
A.12.5     Control of operational software                       0%
A.12.6     Technical vulnerability management                    0%
A.12.7     Information systems audit considerations              0%
A.13.1     Network security management                           0%
A.13.2     Information transfer                                  0%
A.14.1     Security requirements of information systems          0%
A.14.2     Security in development and support processes         0%
A.14.3     Test data                                             0%
A.15.1     Information security in supplier relationships        0%
A.15.2     Supplier service delivery management                  0%
A.16.1     Management of infosec incidents & improvements        0%
A.17.1     Information security continuity                       0%
A.17.2     Redundancies                                          0%
A.18.1     Compliance with legal and contractual requirements    0%
A.18.2     Information security reviews                          0%

Reference Checklist

Columns: Standard | Section | Assessment | Results / Findings | Status. The Findings column is blank and every Status entry is 0%.

A.5 Information Security Policies
A.5.1 Management direction for information security
A.5.1.1 Policies for information security
  - Do security policies exist?
  - Are all policies approved by management?
  - Are policies properly communicated to employees?
A.5.1.2 Review of the policies for information security
  - Are security policies subject to review?
  - Are the reviews conducted at regular intervals?
  - Are reviews conducted when circumstances change?

A.6 Organisation of Information Security
A.6.1 Internal organisation
A.6.1.1 Information security roles and responsibilities
  - Are responsibilities for the protection of individual assets, and for carrying out specific security processes, clearly identified, defined and communicated to the relevant parties?
A.6.1.2 Segregation of duties
  - Are duties and areas of responsibility separated, in order to reduce opportunities for unauthorised modification or misuse of information or services?
A.6.1.3 Contact with authorities
  - Is there a procedure documenting when, and by whom, contact with relevant authorities (law enforcement etc.) will be made?
  - Is there a process which details how and when contact is required?
  - Is there a process for routine contact and intelligence sharing?
A.6.1.4 Contact with special interest groups
  - Do relevant individuals within the organisation maintain active membership in relevant special interest groups?
A.6.1.5 Information security in project management
  - Do all projects go through some form of information security assessment?
A.6.2 Mobile devices and teleworking
A.6.2.1 Mobile device policy
  - Does a mobile device policy exist?
  - Does the policy have management approval?
  - Does the policy document and address additional risks from using mobile devices (e.g. theft of asset, use of open wireless hotspots etc.)?
A.6.2.2 Teleworking
  - Is there a policy for teleworking?
  - Does this have management approval?
  - Is there a set process for remote workers to get access?
  - Are teleworkers given the advice and equipment to protect their assets?

A.7 Human Resources Security
A.7.1 Prior to employment
A.7.1.1 Screening
  - Are background verification checks carried out on all new candidates for employment?
  - Are these checks approved by appropriate management authority?
  - Are the checks compliant with relevant laws, regulations and ethics?
  - Is the level of checks required supported by business risk assessments?
A.7.1.2 Terms and conditions of employment
  - Are all employees, contractors and third party users asked to sign confidentiality and non-disclosure agreements?
  - Do employment / service contracts
A.7.2 During employment
A.7.2.1 Management responsibilities
  - Are managers (of all levels) engaged in driving security within the business?
  - Do management behaviour and policy drive, and encourage, all employees, contractors and 3rd party users to apply security in accordance with established policies and procedures?
A.7.2.2 Information security awareness, education and training
  - Do all employees, contractors and 3rd party users undergo regular security awareness training appropriate to their role and function within the organisation?
A.7.2.3 Disciplinary process
  - Is there a formal disciplinary process which allows the organisation to take action against employees who have committed an information security breach?
  - Is this communicated to all employees?
A.7.3 Termination and change of employment
  - Is there a documented process for terminating or changing employment duties?
  - Are any information security duties which survive employment communicated to the employee or contractor?
  - Is the organisation able to enforce compliance with any duties that survive employment?

A.8 Asset Management
A.8.1 Responsibility for assets
A.8.1.1 Inventory of assets
  - Is there an inventory of all assets associated with information and information processing facilities?
  - Is the inventory accurate and kept up to date?
A.8.1.2 Ownership of assets
  - All information assets must have a clearly defined owner who is aware of their responsibilities.
A.8.1.3 Acceptable use of assets
  - Is there an acceptable use policy for each class / type of information asset?
  - Are users made aware of this policy prior to use?
A.8.1.4 Return of assets
  - Is there a process in place to ensure all employees and external users return the organisation's assets on termination of their employment, contract or agreement?
A.8.2 Information classification
A.8.2.1 Classification of information
  - Is there a policy governing information classification?
  - Is there a process by which all information can be appropriately classified?
A.8.2.2 Labelling of information
  - Is there a process or procedure for ensuring information classification is appropriately marked on each asset?
A.8.2.3 Handling of assets
  - Is there a procedure for handling each information classification?
  - Are users of information assets made aware of this procedure?
A.8.3 Media handling
A.8.3.1 Management of removable media
  - Is there a policy governing removable media?
  - Is there a process covering how removable media is managed?
  - Are the policy and process(es) communicated to all employees using removable media?
A.8.3.2 Disposal of media
  - Is there a formal procedure governing how removable media is disposed of?
A.8.3.3 Physical media transfer
  - Is there a documented policy and process detailing how physical media should be transported?
  - Is media in transport protected against unauthorised access, misuse or corruption?

A.9 Access Control
A.9.1 Business requirements for access control
A.9.1.1 Access control policy
  - Is there a documented access control policy?
  - Is the policy based on business requirements?
  - Is the policy communicated appropriately?
A.9.1.2 Access to networks and network services
  - Are controls in place to ensure users only have access to the network resources they have been specifically authorised to use and that are required for their duties?
A.9.2 User access management
A.9.2.1 User registration and de-registration
  - Is there a formal user access registration process in place?
A.9.2.2 User access provisioning
  - Is there a formal user access provisioning process in place to assign access rights for all user types and services?
A.9.2.3 Management of privileged access rights
  - Are privileged access accounts separately managed and controlled?
A.9.2.4 Management of secret authentication information of users
  - Is there a formal management process in place to control allocation of secret authentication information?
A.9.2.5 Review of user access rights
  - Is there a process for asset owners to review access rights to their assets on a regular basis?
  - Is this review process verified?
A.9.2.6 Removal or adjustment of access rights
  - Is there a process to ensure user access rights are removed on termination of employment or contract, or adjusted upon change of role?
A.9.3 User responsibilities
A.9.3.1 Use of secret authentication information
  - Is there a policy document covering the organisation's practices in how secret authentication information must be handled?
  - Is this communicated to all users?
A.9.4 System and application access control
A.9.4.1 Information access restriction
  - Is access to information and application system functions restricted in line with the access control policy?
A.9.4.2 Secure log-on procedures
  - Where the access control policy requires it, is access controlled by a secure log-on procedure?
A.9.4.3 Password management system
  - Are password systems interactive?
  - Are complex passwords required?
A.9.4.4 Use of privileged utility programs
  - Are privileged utility programs restricted and monitored?
A.9.4.5 Access control to program source code
  - Is access to the source code of the Access Control System protected?

A.10 Cryptography
A.10.1 Cryptographic controls
A.10.1.1 Policy on the use of cryptographic controls
  - Is there a policy on the use of cryptographic controls?
A.10.1.2 Key management
  - Is there a policy governing the whole lifecycle of cryptographic keys?

A.11 Physical and Environmental Security
A.11.1 Secure areas
A.11.1.1 Physical security perimeter
  - Is there a designated security perimeter?
  - Are sensitive or critical information areas segregated and appropriately controlled?
A.11.1.2 Physical entry controls
  - Do secure areas have suitable entry control systems to ensure only authorised personnel have access?
A.11.1.3 Securing offices, rooms and facilities
  - Have offices, rooms and facilities been designed and configured with security in mind?
  - Do processes for maintaining the security (e.g. locking up, clear desks etc.) exist?
A.11.1.4 Protecting against external and environmental threats
  - Have physical protection measures to prevent natural disasters, malicious attack or accidents been designed in?
A.11.1.5 Working in secure areas
  - Do secure areas exist?
  - Where they do exist, do secure areas have suitable policies and processes?
  - Are the policies and processes enforced and monitored?
A.11.1.6 Delivery and loading areas
  - Are there separate delivery / loading areas?
  - Is access to these areas controlled?
  - Is access from loading areas isolated from information processing facilities?
A.11.2 Equipment
A.11.2.1 Equipment siting and protection
  - Are environmental hazards identified and considered when equipment locations are selected?
  - Are the risks from unauthorised access / passers-by considered when siting equipment?
A.11.2.2 Supporting utilities
  - Is there a UPS system or back-up generator?
  - Have these been tested within an appropriate timescale?
A.11.2.3 Cabling security
  - Have risk assessments been conducted over the location of power and telecommunications cables?
  - Are they located to protect from interference, interception or damage?
A.11.2.4 Equipment maintenance
  - Is there a rigorous equipment maintenance schedule?
A.11.2.5 Removal of assets
  - Is there a process controlling how assets are removed from site?
  - Is this process enforced?
  - Are spot checks carried out?
A.11.2.6 Security of equipment and assets off-premises
  - Is there a policy covering security of assets off-site?
  - Is this policy widely communicated?
A.11.2.7 Secure disposal or reuse of equipment
  - Is there a policy covering how information assets may be reused?
  - Where data is wiped, is this properly verified before reuse / disposal?
A.11.2.8 Unattended user equipment
  - Does the organisation have a policy around how unattended equipment should be protected?
  - Are technical controls in place to secure equipment that has been inadvertently left unattended?
A.11.2.9 Clear desk and clear screen policy
  - Is there a clear desk / clear screen policy?
  - Is this well enforced?

A.12 Operations Security
A.12.1 Operational procedures and responsibilities
A.12.1.1 Documented operating procedures
  - Are operating procedures well documented?
  - Are the procedures made available to all users who need them?
A.12.1.2 Change management
  - Is there a controlled change management process in place?
A.12.1.3 Capacity management
  - Is there a capacity management process in place?
A.12.1.4 Separation of development, testing and operational environments
  - Does the organisation enforce segregation of development, test and operational environments?
A.12.2 Protection from malware
A.12.2.1 Controls against malware
  - Are processes to detect malware in place?
  - Are processes to prevent malware spreading in place?
  - Does the organisation have a process and capacity to recover from a malware infection?
A.12.3 Backup
A.12.3.1 Information backup
  - Is there an agreed backup policy?
  - Does the organisation's backup policy comply with relevant legal frameworks?
  - Are backups made in accordance with the policy?
  - Are backups tested?
A.12.4 Logging and monitoring
A.12.4.1 Event logging
  - Are appropriate event logs maintained and regularly reviewed?
A.12.4.2 Protection of log information
  - Are logging facilities protected against tampering and unauthorised access?
A.12.4.3 Administrator and operator logs
  - Are sysadmin / sysop logs maintained, protected and regularly reviewed?
A.12.4.4 Clock synchronisation
  - Are all clocks within the organisation synchronised?
A.12.5 Control of operational software
A.12.5.1 Installation of software on operational systems
  - Is there a release management process in place to control the installation of software onto operational systems?
A.12.6 Technical vulnerability management
A.12.6.1 Management of technical vulnerabilities
  - Does the organisation have access to updated and timely information on technical vulnerabilities?
  - Is there a process to risk assess and react to any new vulnerabilities as they are discovered?
A.12.6.2 Restrictions on software installations
  - Are there processes in place to restrict how users install software?
A.12.7 Information systems audit considerations
A.12.7.1 Information systems audit controls
  - Are IS systems subject to audit?
  - Does the audit process ensure business disruption is minimised?

A.13 Communications Security
A.13.1 Network security management
A.13.1.1 Network controls
  - Is there a network management process in place?
A.13.1.2 Security of network services
  - Does the organisation implement a risk management approach which identifies all network services and service agreements?
  - Is security mandated in agreements and contracts with service providers (in-house and outsourced)?
  - Are security-related SLAs mandated?
A.13.1.3 Segregation in networks
  - Does the network topology enforce segregation of networks for different tasks?
A.13.2 Information transfer
A.13.2.1 Information transfer policies and procedures
  - Do organisational policies govern how information is transferred?
  - Are procedures for how data should be transferred made available to all employees?
  - Are relevant technical controls in place to prevent unauthorised forms of data transfer?
A.13.2.2 Agreements on information transfer
  - Do contracts with external parties and agreements within the organisation detail the requirements for securing business information in transfer?
A.13.2.3 Electronic messaging
  - Do security policies cover the use of information transfer while using electronic messaging systems?
A.13.2.4 Confidentiality or non-disclosure agreements
  - Do employees, contractors and agents sign confidentiality or non-disclosure agreements?
  - Are these agreements subject to regular review?
  - Are records of the agreements maintained?

A.14 System Acquisition, Development and Maintenance
A.14.1 Security requirements of information systems
A.14.1.1 Information security requirements analysis and specification
  - Are information security requirements specified when new systems are introduced?
  - When systems are being enhanced or upgraded, are security requirements specified and addressed?
A.14.1.2 Securing application services on public networks
  - Do applications which send information over public networks appropriately protect the information against fraudulent activity, contract dispute, unauthorised disclosure and unauthorised modification?
A.14.1.3 Protecting application services transactions
  - Are controls in place to prevent incomplete transmission, misrouting, unauthorised message alteration, unauthorised disclosure, unauthorised message duplication or replay attacks?
A.14.2 Security in development and support processes
A.14.2.1 Secure development policy
  - Does the organisation develop software or systems?
  - If so, are there policies mandating the implementation and assessment of security controls?
A.14.2.2 System change control procedures
  - Is there a formal change control process?
A.14.2.3 Technical review of applications after operating platform changes
  - Is there a process to ensure a technical review is carried out when operating platforms are changed?
A.14.2.4 Restrictions on changes to software packages
  - Is there a policy in place which mandates when and how software packages can be changed or modified?
A.14.2.5 Secure system engineering principles
  - Does the organisation have documented principles on how systems must be engineered to ensure security?
A.14.2.6 Secure development environment
  - Has a secure development environment been established?
  - Do all projects utilise the secure development environment appropriately during the system development lifecycle?
A.14.2.7 Outsourced development
  - Where development has been outsourced, is this supervised?
  - Is externally developed code subject to a security review before deployment?
A.14.2.8 System security testing
  - Where systems or applications are developed, are they security tested as part of the development process?
A.14.2.9 System acceptance testing
  - Is there an established process to accept new systems / applications, or upgrades, into production use?
A.14.3 Test data
A.14.3.1 Protection of test data
  - Is there a process for selecting test data?
  - Is test data suitably protected?

A.15 Supplier Relationships
A.15.1 Information security in supplier relationships
A.15.1.1 Information security policy for supplier relationships
  - Is information security included in contracts established with suppliers and service providers?
  - Is there an organisation-wide risk management approach to supplier relationships?
A.15.1.2 Addressing security within supplier agreements
  - Are suppliers provided with documented security requirements?
  - Is supplier access to information assets & infrastructure controlled and monitored?
A.15.1.3 Information and communication technology supply chain
  - Do supplier agreements include requirements to address information security within the service & product supply chain?
A.15.2 Supplier service delivery management
A.15.2.1 Monitoring and review of supplier services
  - Are suppliers subject to regular review and audit?
A.15.2.2 Managing changes to supplier services
  - Are changes to the provision of services subject to a management process which includes security & risk assessment?

A.16 Information Security Incident Management
A.16.1 Management of information security incidents and improvements
A.16.1.1 Responsibilities and procedures
  - Are management responsibilities clearly identified and documented in the incident management processes?
A.16.1.2 Reporting information security events
  - Is there a process for timely reporting of information security events?
  - Is there a process for reviewing and acting on reported information security events?
A.16.1.3 Reporting information security weaknesses
  - Is there a process for reporting of identified information security weaknesses?
  - Is this process widely communicated?
  - Is there a process for reviewing and addressing reports in a timely manner?
A.16.1.4 Assessment of and decision on information security events
  - Is there a process to ensure information security events are properly assessed and classified?
A.16.1.5 Response to information security incidents
  - Is there an incident response process which reflects the classification and severity of information security incidents?
A.16.1.6 Learning from information security incidents
  - Is there a process or framework which allows the organisation to learn from information security incidents and reduce the impact / probability of future events?
A.16.1.7 Collection of evidence
  - Is there a forensic readiness policy?
  - In the event of an information security incident, is relevant data collected in a manner which allows it to be used as evidence?

A.17 Information Security Aspects of Business Continuity Management
A.17.1 Information security continuity
A.17.1.1 Planning information security continuity
  - Is information security included in the organisation's continuity plans?
A.17.1.2 Implementing information security continuity
  - Does the organisation's information security function have documented, implemented and maintained processes to maintain continuity of service during an adverse situation?
A.17.1.3 Verify, review and evaluate information security continuity
  - Are continuity plans validated and verified at regular intervals?
A.17.2 Redundancies
A.17.2.1 Availability of information processing facilities
  - Do information processing facilities have sufficient redundancy to meet the organisation's availability requirements?

A.18 Compliance
A.18.1 Compliance with legal and contractual requirements
A.18.1.1 Identification of applicable legislation and contractual requirements
  - Has the organisation identified and documented all relevant legislative, regulatory or contractual requirements related to security?
  - Is compliance documented?
A.18.1.2 Intellectual property rights
  - Does the organisation keep a record of all intellectual property rights and use of proprietary software products?
  - Does the organisation monitor for the use of unlicensed software?
A.18.1.3 Protection of records
  - Are records protected from loss, destruction, falsification and unauthorised access or release in accordance with legislative, regulatory, contractual and business requirements?
A.18.1.4 Privacy and protection of personally identifiable information
  - Is personal data identified and appropriately classified?
  - Is personal data protected in accordance with relevant legislation?
A.18.1.5 Regulation of cryptographic controls
  - Are cryptographic controls protected in accordance with all relevant agreements, legislation and regulations?
A.18.2 Information security reviews
A.18.2.1 Independent review of information security
  - Is the organisation's approach to managing information security subject to regular independent review?
  - Is the implementation of security controls subject to regular independent review?
A.18.2.2 Compliance with security policies and standards
  - Does the organisation instruct managers to regularly review compliance with policy and procedures within their area of responsibility?
  - Are records of these reviews maintained?
A.18.2.3 Technical compliance review
  - Does the organisation regularly conduct technical compliance reviews of its information systems?