Statement of Applicability
Controls Status (gap analysis)
Introduction
This spreadsheet is used to record and track the status of your organization as you implement the mandatory and discretionary elem
The main body of ISO/IEC 27001 formally specifies a number of mandatory requirements that must be fulfilled in order for an Inform
mandatory requirements for certification concern the management system rather than the information security controls. For exam
assess them, decide how those risks are to be treated, treat them and monitor them, using the policies and procedures defined in the
However, Annex A to '27001 outlines a suite of information security controls that the management system would typically be used to
security risks). The security controls in Annex A are explained in much more detail in ISO/IEC 27002, and in various other standards, l
Instructions
1. Design and implement an ISMS complying with all the mandatory elements specified in the main body of ISO/IEC 27001, using the
record its status.
2. Identify and assess the information security risks facing those parts of the organization that are declared in scope for your ISMS, id
column of the annex A controls sheet. Note: do not feel constrained by Annex A! Adapt the sheet, modifying the wording and addi
security risks and obligations (e.g. ISO 22301, privacy laws, PCI-DSS etc.). Annex A is merely a guide, a starting point.
3. Systematically check and record the status of your security risks and controls, updating the status column of Annex A sheet accord
4. Once your ISMS is operating normally, the metrics are looking good and you have amassed sufficient evidence ("records"), it can b
that your ISMS fulfills the standard's mandatory requirements, and that your in-scope information security risks are being identified,
should both be maintained i.e. updated when the information security risks or controls change, and periodically reviewed/audited.
Copyright
This work is copyright © 2014, ISO27k Forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncomm
works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k Fo
are subject to the same copyright terms as this.
Note: you need licensed copies of both ISO/IEC 27001 and 27002 to make much sense of this, and other ISO27k standards are also h
shortened the wording of the standards in ways that may not entirely fulfill their meaning or intent. The definitive references are the
Please visit ISO27001security.com for further advice and guidance on the ISO27k standards, including the ISO27k Forum and many ot
www.ISO27001security.c
Status of ISO/IEC 27001 implementation
Section | ISO/IEC 27001 requirement | Status | Notes
---|---|---|---
4.4 | ISMS | |
4.4 | Establish, implement, maintain and continually improve an ISMS according to the standard! | Nonexistent |
5 | Leadership | |
5.1 | Leadership & commitment | |
5.1 | Top management must demonstrate leadership & commitment to the ISMS | Defined |
5.2 | Policy | |
5.2 | Document the information security policy | Nonexistent |
6 | Planning | |
6.1 | Actions to address risks & opportunities | |
6.1.1 | Design/plan the ISMS to satisfy the requirements, addressing risks & opportunities | ? Unknown |
6.1.2 | Define and apply an information security risk assessment process | ? Unknown |
6.1.3 | Document and apply an information security risk treatment process | ? Unknown |
7 | Support | |
7.1 | Resources | |
7.1 | Determine and allocate necessary resources for the ISMS | ? Unknown |
7.2 | Competence | |
7.2 | Determine, document and make available necessary competences | ? Unknown |
7.3 | Awareness | |
7.3 | Establish a security awareness program | ? Unknown |
7.4 | Communication | |
7.4 | Determine the need for internal and external communications relevant to the ISMS | ? Unknown |
7.5.2 | Provide document titles, authors etc., format them consistently, and review & approve them | ? Unknown |
8 | Operation | |
8.1 | Operational planning and control | |
8.1 | Plan, implement, control & document ISMS processes to manage risks (i.e. a risk treatment plan) | ? Unknown |
9 | Performance evaluation | |
9.1 | Monitoring, measurement, analysis and evaluation | |
9.1 | Monitor, measure, analyze and evaluate the ISMS and the controls | ? Unknown |
10 | Improvement | |
10.1 | Nonconformity and corrective action | |
10.1 | Identify, fix and take action to prevent recurrence of nonconformities, documenting the actions | ? Unknown |

Number of requirements: 27
03/30/2020 Page 2 of 7
Statement of Applicability and status of information security controls

Section | Information security control | Status | Notes
---|---|---|---
A8 | Asset management | |
A8.1 | Responsibility for assets | |
A8.1.1 | Inventory of assets | ? Unknown |
A8.1.2 | Ownership of assets | ? Unknown |
A8.1.3 | Acceptable use of assets | ? Unknown |
A8.1.4 | Return of assets | ? Unknown |
A9 | Access control | |
A9.1 | Business requirements of access control | |
A9.1.1 | Access control policy | ? Unknown |
A9.1.2 | Access to networks and network services | ? Unknown |
A10 | Cryptography | |
A10.1 | Cryptographic controls | |
A10.1.1 | Policy on the use of cryptographic controls | ? Unknown |
A10.1.2 | Key management | ? Unknown |
A11.2 | Equipment | |
A11.2.1 | Equipment siting and protection | ? Unknown |
A11.2.2 | Supporting utilities | ? Unknown |
A11.2.3 | Cabling security | ? Unknown |
A11.2.4 | Equipment maintenance | ? Unknown |
A11.2.5 | Removal of assets | ? Unknown |
A11.2.6 | Security of equipment and assets off-premises | ? Unknown |
A11.2.7 | Secure disposal or reuse of equipment | ? Unknown |
A11.2.8 | Unattended user equipment | ? Unknown |
A11.2.9 | Clear desk and clear screen policy | ? Unknown |
A12.3 | Backup | |
A12.3.1 | Information backup | ? Unknown |
A13.2.2 | Agreements on information transfer | ? Unknown |
A13.2.3 | Electronic messaging | ? Unknown |
A13.2.4 | Confidentiality or nondisclosure agreements | ? Unknown |
A17.2 | Redundancies | |
A17.2.1 | Availability of information processing facilities | ? Unknown |
A18 | Compliance | |
A18.1 | Compliance with legal and contractual requirements | |
A18.1.1 | Identification of applicable legislation and contractual requirements | ? Unknown |
A18.1.2 | Intellectual property rights | ? Unknown |
A18.1.3 | Protection of records | ? Unknown |
A18.1.4 | Privacy and protection of personally identifiable information | ? Unknown |
A18.1.5 | Regulation of cryptographic controls | ? Unknown |
Status | Meaning | Proportion of ISMS requirements | Proportion of information security controls
---|---|---|---
? Unknown | Has not even been checked yet | 74% | 93%
Nonexistent | | |
Initial | | |
Limited | | |
Defined | | |
Managed | | |
Optimized | | |
Not applicable | | |

(Chart: ISMS implementation status)