Professional Documents
Culture Documents
No Warranties
THE SOFTWARE AND ANY RELATED DOCUMENTATION ARE PROVIDED TO YOU "AS IS."
Excel in Profession, MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AND EXPRESSLY DISCLAIMS ALL
REPRESENTATIONS, ORAL OR WRITTEN, TERMS, CONDITIONS, AND WARRANTIES, INCLUDING BUT NOT
LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND
NONINFRINGEMENT. WITHOUT LIMITING THE ABOVE YOU ACCEPT THAT THE SOFTWARE MAY NOT MEET
YOUR REQUIREMENTS, OPERATE ERROR FREE, OR IDENTIFY ANY OR ALL ERRORS OR PROBLEMS, OR DO
SO ACCURATELY. This Agreement does not affect any statutory rights you may have as a consumer.
Limitation of Liability
IN NO EVENT SHALL Excel in Profession, BE LIABLE TO YOU, FOR ANY DAMAGES, INCLUDING ANY LOST PROFITS,
LOST SAVINGS, OR ANY OTHER DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
ARISING FROM THE USE OR THE INABILITY TO USE THE SOFTWARE (EVEN IF WE OR AN AUTHORIZED DEALER
OR DISTRIBUTOR HAS BEEN ADVISED OF THE POSSIBILITY OF THESE DAMAGES), OR ANY MISTAKES AND
NEGLIGENCE IN DEVELOPING THIS SOFTWARE, OR FOR ANY CLAIM BY ANY OTHER PARTY. THE
ORGANIZATION, BUSINESS, OR PERSON USING THIS SOFTWARE BEARS ALL RISKS AND RESPONSIBILITY
FOR THE QUALITY AND PERFORMANCE OF THIS SOFTWARE.
Note : Please contact SEKAR.T@HOTMAIL.COM in case you need any support on this template
LOST PROFITS,
RIZED DEALER
Change history
Version No. Date Change Description
T Sekar - ExcelinProfession.com
Author
Note
of companies.
te of compliance and implementation state to take
1; 1% 16; 14%
1; 1%
65; 55% 35; 30%
Status :- Process Implementation comply with ISO 27001:2005 standard and documented
In Percent
100%
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%
t t t l t t t
ts S ts en en di ra pu pu en tio
n
io
n
en M en Au e In ut t
em e
IS
em itm em S en w O em ac ac
ir th ir m ag M -G ie w ov tiv
e
iv
e
u
ng qu om an IS ev ie pr nt
eq gi re tC
l 7.
1
ev m re
c
ve
R M na -R lI or
al an
a
tio
n en ce te
r 2 -R ua re
ne
r
ta m ur n 7. 3 in -C -P
e m n ge so -I 7. nt 2 .3
an
d e a e 6 o 8. 8
-G um an -R -C
4.
1 ng oc -M 2 8.
1
hi 5.
lis -D 5.
1
t ab 4.
3
- Es
2
4.
ISO 27001:2005 Annexure-A Controls Implementation Status by Classification in number and percentage
2; 2% 1; 1% 1; 1%
1; 1%
128; 96%
ISO 27001:2005 Annexure-A Controls Implementation Status by Classification in number and percentage
2; 2% 1; 1% 1; 1%
1; 1%
128; 96%
80
65
60
40 35
20 16
1 1
0
Process Comply Process is Process is not Process is not in Process is not
with Standard and implemented and comply with place / not applicable
documented must be standard and must implemented
documented be redesigned
Compliance percentage
Status :- Process Implementation comply with ISO 27001:2005 standard and documented
100%
90%
80%
70%
60%
Compliance
50% %
Goal
40%
30%
20%
10%
0%
n e t
tio
O
nc
R IT W en ng
IS H S/ ni
tr a C na em ai
in
is Fi ag T r
d m an
A M
p
To
120%
100%
80%
Compliance %
60%
Goal
40%
20%
40%
60%
80%
0%
100%
120%
Security Policy
Organization of in...
Asset Management
Communications ...
Access Control
Information syst...
Information secur...
Business continu...
Annexure - A Controls Implementation Status by Domain
Compliance
Goal
Compliance %
1
ess is not
cable
ed
Compliance
%
Goal
mpliance %
al
mpliance %
al
Legend
Implementation Status by ISO 27001:2005 - Clauses
ISO Clauses 16 1 35
Controls
Controls implemented not
Controls documented and
Reference implemented must comply with
implemented
be documented standards, needs
to redesign
Controls 128 1 2
Process is not in
Process is
place / not
not applicable
implemented
65 1 118
ure - A Controls
Control not
Controls not
implemented &
applicable
documented
1 1
Goal
100%
100%
100%
100%
100%
100%
100%
100%
100%
100%
100%
100%
Goal
100%
100%
100%
100%
100%
100%
100%
100%
100%
100%
100%
Gap analysis: status of ISO 27001 implementation
ISO 27001 Mandatory requirement for the ISMS Status
clause
Authorization process for A management authorization process for new information processing
A.6.1.4 CISO NA
information processing facilities facilities shall be defined and implemented.
Addressing security when All identified security requirements shall be addressed before giving
A.6.2.2 IT D
dealing with customers customers access to the organization's information or assets.
Agreements with third parties involving accessing, processing,
communicating or managing the organization's information or
Addressing security in third
A.6.2.3 information processing facilities, or adding products or services to Finance D
party contracts
information processing facilities shall cover all relevant security
requirements.
Termination or change of To ensure that employees, contractors and third party users exit
A.8.3
employment an organization or change employment in an orderly manner.
The services, reports and records provided by the third party shall be
Monitoring and review of third
A10.2.2 regularly monitored and reviewed, and audits shall be carried out CISO D
party services
regularly.
A10.10.4 Administrator and operator logs System administrator and system operator activities shall be logged. IT D
A10.10.5 Fault logging Faults shall be logged, analyzed, and appropriate action taken. IT D
The clocks of all relevant information processing systems within an
A10.10.6 Clock synchronization organization or security domain shall be synchronized with an agreed IT D
accurate time source.
A11 Access Control
Business requirement for
A11.1 To control access to information.
access control
An access control policy shall be established, documented, and
A11.1.1 Access control policy IT D
reviewed based on business and security requirements for access.
To ensure authorized user access and to prevent unauthorized
A11.2 User access management
access to information systems.
There shall be a formal user registration and de-registration procedure
A11.2.1 User registration in place for granting and revoking access to all information systems and IT D
services.
A11.2.2 Privilege management The allocation and use of privileges shall be restricted and controlled. IT D
The allocation of passwords shall be controlled through a formal
A11.2.3 User password management IT D
management process.
Management shall review users' access rights at regular intervals using
A11.2.4 Review of user access rights IT D
a formal process.
To prevent unauthorized user access, and compromise or theft of
A11.3 User responsibilities
information and information processing facilities.
Users shall be required to follow good security practices in the selection
A11.3.1 Password use IT D
and use of passwords.
Users shall ensure that unattended equipment has appropriate
A11.3.2 Unattended user equipment IT D
protection.
Clear desk and clear screen A clear desk policy for papers and removable storage media and a clear
A11.3.3 IT D
policy screen policy for information processing facilities shall be adopted.
A11.4 Network access control To prevent unauthorized access to networked services.
Policy on use of network Users shall only be provided with access to the services that they have
A11.4.1 IT D
services been specifically authorized to use.
User authentication for external Appropriate authentication methods shall be used to control access by
A11.4.2 IT D
connections remote users.
Equipment identification in Automatic equipment identification shall be considered as a means to
A11.4.3 IT D
networks authenticate connections from specific locations and equipment.
Remote diagnostic and Physical and logical access to diagnostic and configuration ports shall
A11.4.4 IT D
configuration port protection be controlled.
Groups of information services, users and information systems shall be
A11.4.5 Segregation in networks IT D
segregated on networks.
For shared networks, especially those extending across the
organization's boundaries, the capability of users to connect to the
A11.4.6 Network connection control IT D
network shall be restricted, in line with the access control policy and
requirements of the business applications (see 11.1).
Routing controls shall be implemented for networks to ensure that
A11.4.7 Network routing control computer connections and information flows do not breach the access IT D
control policy of the business applications.
Operating system access
A11.5 To prevent unauthorized access to operating systems.
control
Access to operating systems shall be controlled by a secure log-on
A11.5.1 Secure log-on procedures IT D
procedure.
A11.5.5 Session time-out Inactive sessions shall be shut down after a defined period of inactivity. IT D
Restrictions on connection times shall be used to provide additional
A11.5.6 Limitation of connection time IT D
security for high-risk applications.
Application and information To prevent unauthorized access to information held in application
A11.6
access control systems.
Management of information
To ensure a consistent and effective approach is applied to the
A13.2 security incidents and
management of information security incidents.
improvements
Learning from information There shall be mechanisms in place to enable the types, volumes, and
A13.2.2 CISO D
security incidents costs of information security incidents to be quantified and monitored.
Including information security A managed process shall be developed and maintained for business
A14.1.1 in the business continuity continuity throughout the organization that addresses the information CISO D
management process security requirements needed for the organization's business continuity.
Prevention of misuse of Users shall be deterred from using information processing facilities for
A15.1.5 Administration D
information processing facilities unauthorized purposes.
Regulation of cryptographic Cryptographic controls shall be used in compliance with all relevant
A15.1.6 IT D
controls agreements, laws, and regulations.
Compliance with security
To ensure compliance of systems with organizational security
A15.2 policies and standards, and
policies and standards
technical compliance
Managers shall ensure that all security procedures within their area of
Compliance with security
A15.2.1 responsibility are carried out correctly to achieve compliance with Top Management D
policies and standards
security policies and standards.
Legend
Count Status Code Meaning Contribution %
133