ISO 27001 Compliance Checklist

Columns in the source checklist: Checklist item, Standard clause, Audit area / objective / question, Results, Findings. Each item below is given as "checklist number (standard clause) control title", followed by its audit questions; the Results and Findings columns are left for the auditor to complete.

Security Policy

1.1 (5.1) Information Security Policy

1.1.1 (5.1.1) Information security policy document
Whether there exists an information security policy which is approved by management, published and communicated as appropriate to all employees.
Whether the policy states management commitment and sets out the organizational approach to managing information security.

1.1.2 (5.1.2) Review of the information security policy
Whether the information security policy is reviewed at planned intervals, or when significant changes occur, to ensure its continuing suitability, adequacy and effectiveness.
Whether the information security policy has an owner who has approved management responsibility for the development, review and evaluation of the policy.
Whether defined information security policy review procedures exist, and whether they include requirements for the management review.
Whether the results of the management review are taken into account.
Whether management approval is obtained for the revised policy.

Organization of Information Security

2.1 (6.1) Internal Organization

2.1.1 (6.1.1) Management commitment to information security
Whether management demonstrates active support for security measures within the organization. This can be done via clear direction, demonstrated commitment, and explicit assignment and acknowledgement of information security responsibilities.

2.1.2 (6.1.2) Information security coordination
Whether information security activities are coordinated by representatives from diverse parts of the organization, with pertinent roles and responsibilities.

Vinod Kumar, vinodjis@hotmail.com, 01/12/2011

2.1.3 (6.1.3) Allocation of information security responsibilities
Whether responsibilities for the protection of individual assets, and for carrying out specific security processes, are clearly identified and defined.

2.1.4 (6.1.4) Authorization process for information processing facilities
Whether a management authorization process is defined and implemented for any new information processing facility within the organization.

2.1.5 (6.1.5) Confidentiality agreements
Whether the organization's need for confidentiality or non-disclosure agreements (NDAs) for the protection of information is clearly defined and regularly reviewed.
Whether the agreements address the requirement to protect confidential information using legally enforceable terms.

2.1.6 (6.1.6) Contact with authorities
Whether there exists a procedure that describes when, and by whom, relevant authorities such as law enforcement, the fire department etc. should be contacted, and how the incident should be reported.

2.1.7 (6.1.7) Contact with special interest groups
Whether appropriate contacts with special interest groups, other specialist security forums, and professional associations are maintained.

2.1.8 (6.1.8) Independent review of information security
Whether the organization's approach to managing information security, and its implementation, is reviewed independently at planned intervals, or when major changes to the security implementation occur.

2.2 (6.2) External Parties

2.2.1 (6.2.1) Identification of risks related to external parties
Whether risks to the organization's information and information processing facilities from a process involving external party access are identified, and appropriate control measures implemented, before granting access.

2.2.2 (6.2.2) Addressing security while dealing with customers
Whether all identified security requirements are fulfilled before granting customer access to the organization's information or assets.

2.2.3 (6.2.3) Addressing security in third party agreements
Whether agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities, or introducing products or services to an information processing facility, comply with all appropriate security requirements.

Asset Management

3.1 (7.1) Responsibility for assets

3.1.1 (7.1.1) Inventory of assets
Whether all assets are identified and an inventory or register is maintained of all the important assets.

3.1.2 (7.1.2) Ownership of assets
Whether each identified asset has an owner, a defined and agreed-upon security classification, and access restrictions that are periodically reviewed.

3.1.3 (7.1.3) Acceptable use of assets
Whether rules for the acceptable use of information and of assets associated with an information processing facility were identified, documented and implemented.

3.2 (7.2) Information Classification

3.2.1 (7.2.1) Classification guidelines
Whether information is classified in terms of its value, legal requirements, sensitivity and criticality to the organization.

3.2.2 (7.2.2) Information labelling and handling
Whether an appropriate set of procedures is defined for information labelling and handling, in accordance with the classification scheme adopted by the organization.

Human resources security

4.1 (8.1) Prior to employment

4.1.1 (8.1.1) Roles and responsibilities
Whether the security roles and responsibilities of employees, contractors and third party users were defined and documented in accordance with the organization's information security policy.
Whether the roles and responsibilities were defined and clearly communicated to job candidates during the pre-employment process.

4.1.2 (8.1.2) Screening
Whether background verification checks for all candidates for employment, contractors and third party users were carried out in accordance with the relevant regulations.
Whether the check includes character references, confirmation of claimed academic and professional qualifications, and independent identity checks.

4.1.3 (8.1.3) Terms and conditions of employment
Whether employees, contractors and third party users are asked to sign a confidentiality or non-disclosure agreement as part of their initial terms and conditions of the employment contract.

4.1.3 (8.1.3) Terms and conditions of employment (continued)
Whether this agreement covers the information security responsibilities of the organization and of the employee, third party users and contractors.

4.2 (8.2) During Employment

4.2.1 (8.2.1) Management responsibilities
Whether management requires employees, contractors and third party users to apply security in accordance with the established policies and procedures of the organization.

4.2.2 (8.2.2) Information security awareness, education and training
Whether all employees in the organization, and where relevant contractors and third party users, receive appropriate security awareness training and regular updates on organizational policies and procedures as they pertain to their job function.

4.2.3 (8.2.3) Disciplinary process
Whether there is a formal disciplinary process for employees who have committed a security breach.

4.3 (8.3) Termination or change of employment

4.3.1 (8.3.1) Termination responsibilities
Whether responsibilities for performing employment termination, or change of employment, are clearly defined and assigned.

4.3.2 (8.3.2) Return of assets
Whether there is a process in place that ensures all employees, contractors and third party users surrender all of the organization's assets in their possession upon termination of their employment, contract or agreement.

4.3.3 (8.3.3) Removal of access rights
Whether the access rights of all employees, contractors and third party users to information and information processing facilities are removed upon termination of their employment, contract or agreement, or adjusted upon change.

Physical and Environmental Security

5.1 (9.1) Secure Areas

5.1.1 (9.1.1) Physical security perimeter
Whether a physical security perimeter has been implemented to protect the information processing service. Some examples of such security facilities are card-controlled entry gates, walls, manned reception, etc.

5.1.2 (9.1.2) Physical entry controls
Whether entry controls are in place to allow only authorized personnel into the various areas within the organization.

5.1.3 (9.1.3) Securing offices, rooms and facilities
Whether the rooms which house the information processing service are locked, or have lockable cabinets or safes.

5.1.4 (9.1.4) Protecting against external and environmental threats
Whether physical protection against damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster is designed and applied.
Whether there is any potential threat from neighbouring premises.

5.1.5 (9.1.5) Working in secure areas
Whether physical protection and guidelines for working in secure areas are designed and implemented.

5.1.6 (9.1.6) Public access, delivery and loading areas
Whether the delivery, loading and other areas where unauthorized persons may enter the premises are controlled, and information processing facilities are isolated from them, to avoid unauthorized access.

5.2 (9.2) Equipment Security

5.2.1 (9.2.1) Equipment siting and protection
Whether equipment is protected to reduce the risks from environmental threats and hazards, and the opportunities for unauthorized access.

5.2.2 (9.2.2) Supporting utilities
Whether equipment is protected from power failures and other disruptions caused by failures in supporting utilities.
Whether provisions for continuity of power supply, such as multiple feeds, an uninterruptible power supply (UPS), a backup generator, etc., are being utilized.

5.2.3 (9.2.3) Cabling security
Whether power and telecommunications cabling carrying data or supporting information services is protected from interception or damage.
Whether there are any additional security controls in place for sensitive or critical information.

5.2.4 (9.2.4) Equipment maintenance
Whether equipment is correctly maintained to ensure its continued availability and integrity.
Whether equipment is maintained as per the supplier's recommended service intervals and specifications.

5.2.4 (9.2.4) Equipment maintenance (continued)
Whether maintenance is carried out only by authorized personnel.
Whether logs are maintained of all suspected or actual faults and all preventive and corrective measures.
Whether appropriate controls are implemented when sending equipment off premises.
Whether the equipment is covered by insurance and the insurance requirements are satisfied.

5.2.5 (9.2.5) Security of equipment off-premises
Whether risks were assessed with regard to any equipment usage outside the organization's premises, and mitigating controls implemented.
Whether the use of an information processing facility outside the organization has been authorized by management.

5.2.6 (9.2.6) Secure disposal or re-use of equipment
Whether all equipment containing storage media is checked to ensure that any sensitive information or licensed software is physically destroyed, or securely overwritten, prior to disposal or re-use.

5.2.7 (9.2.7) Removal of property
Whether controls are in place so that equipment, information and software are not taken off-site without prior authorization.

Communications and Operations Management

6.1 (10.1) Operational procedures and responsibilities

6.1.1 (10.1.1) Documented operating procedures
Whether the operating procedures are documented, maintained and available to all users who need them.
Whether such procedures are treated as formal documents, so that any changes made need management authorization.

6.1.2 (10.1.2) Change management
Whether all changes to information processing facilities and systems are controlled.

6.1.3 (10.1.3) Segregation of duties
Whether duties and areas of responsibility are separated, in order to reduce opportunities for unauthorized modification or misuse of information or services.

6.1.4 (10.1.4) Separation of development, test and operational facilities
Whether the development and testing facilities are isolated from operational facilities. For example, development and production software should be run on different computers. Where necessary, development and production networks should be kept separate from each other.

6.2 (10.2) Third party service delivery management

6.2.1 (10.2.1) Service delivery
Whether measures are taken to ensure that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated and maintained by the third party.

6.2.2 (10.2.2) Monitoring and review of third party services
Whether the services, reports and records provided by the third party are regularly monitored and reviewed.
Whether audits of the above third party services, reports and records are conducted at regular intervals.

6.2.3 (10.2.3) Managing changes to third party services
Whether changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, are managed.
Whether this takes into account the criticality of the business systems and processes involved, and re-assessment of risks.

6.3 (10.3) System planning and acceptance

6.3.1 (10.3.1) Capacity management
Whether capacity demands are monitored and projections of future capacity requirements are made, to ensure that adequate processing power and storage are available. Example: monitoring hard disk space, RAM and CPU on critical servers.

6.3.2 (10.3.2) System acceptance
Whether system acceptance criteria are established for new information systems, upgrades and new versions.
Whether suitable tests were carried out prior to acceptance.

6.4 (10.4) Protection against malicious and mobile code

6.4.1 (10.4.1) Controls against malicious code
Whether detection, prevention and recovery controls to protect against malicious code, and appropriate user awareness procedures, were developed and implemented.

6.4.2 (10.4.2) Controls against mobile code
Whether only authorized mobile code is used.
Whether the configuration ensures that authorized mobile code operates according to security policy.
Whether execution of unauthorized mobile code is prevented.
(Mobile code is software code that transfers from one computer to another and then executes automatically. It performs a specific function with little or no user intervention. Mobile code is associated with a number of middleware services.)

6.5 (10.5) Backup

6.5.1 (10.5.1) Information backup
Whether backups of information and software are taken and tested regularly in accordance with the agreed backup policy.
Whether all essential information and software can be recovered following a disaster or media failure.

6.6 (10.6) Network Security Management

6.6.1 (10.6.1) Network controls
Whether the network is adequately managed and controlled, to protect it from threats and to maintain security for the systems and applications using the network, including information in transit.
Whether controls were implemented to ensure the security of information in networks, and the protection of connected services from threats such as unauthorized access.

6.6.2 (10.6.2) Security of network services
Whether the security features, service levels and management requirements of all network services are identified and included in any network services agreement.
Whether the ability of the network service provider to manage the agreed services in a secure way is determined and regularly monitored, and the right to audit is agreed upon.

6.7 (10.7) Media handling

6.7.1 (10.7.1) Management of removable media
Whether procedures exist for the management of removable media, such as tapes, disks, cassettes, memory cards and reports.
Whether all procedures and authorization levels are clearly defined and documented.

6.7.2 (10.7.2) Disposal of media
Whether media that are no longer required are disposed of securely and safely, as per formal procedures.

6.7.3 (10.7.3) Information handling procedures
Whether a procedure exists for the handling and storage of information.
Whether this procedure addresses issues such as protection of information from unauthorized disclosure or misuse.

6.7.4 (10.7.4) Security of system documentation
Whether system documentation is protected against unauthorized access.

6.8 (10.8) Exchange of information

6.8.1 (10.8.1) Information exchange policies and procedures
Whether there is a formal exchange policy, procedure and control in place to ensure the protection of information.
Whether the procedure and controls cover the use of electronic communication facilities for information exchange.

6.8.2 (10.8.2) Exchange agreements
Whether agreements are established concerning the exchange of information and software between the organization and external parties.
Whether the security content of the agreement reflects the sensitivity of the business information involved.

6.8.3 (10.8.3) Physical media in transit
Whether media containing information are protected against unauthorized access, misuse or corruption during transportation beyond the organization's physical boundary.

6.8.4 (10.8.4) Electronic messaging
Whether the information involved in electronic messaging is well protected.
(Electronic messaging includes, but is not restricted to, email, Electronic Data Interchange and instant messaging.)

6.8.5 (10.8.5) Business information systems
Whether policies and procedures are developed and enforced to protect information associated with the interconnection of business information systems.

6.9 (10.9) Electronic commerce services

6.9.1 (10.9.1) Electronic commerce
Whether information involved in electronic commerce passing over public networks is protected from fraudulent activity, contract dispute, and any unauthorized access or modification.
Whether security controls such as the application of cryptographic controls are taken into consideration.
Whether electronic commerce arrangements between trading partners include a documented agreement which commits both parties to the agreed terms of trading, including details of security issues.

6.9.2 (10.9.2) On-line transactions
Whether information involved in on-line transactions is protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication or replay.

6.9.3 (10.9.3) Publicly available information
Whether the integrity of publicly available information is protected against any unauthorized modification.

6.10 (10.10) Monitoring

6.10.1 (10.10.1) Audit logging
Whether audit logs recording user activities, exceptions and information security events are produced and kept for an agreed period, to assist in future investigations and access control monitoring.
Whether appropriate privacy protection measures are considered in audit log maintenance.

6.10.2 (10.10.2) Monitoring system use
Whether procedures are developed and enforced for monitoring the use of information processing facilities.
Whether the results of the monitoring activity are reviewed regularly.
Whether the level of monitoring required for each information processing facility is determined by a risk assessment.

6.10.3 (10.10.3) Protection of log information
Whether the logging facility and log information are well protected against tampering and unauthorized access.

6.10.4 (10.10.4) Administrator and operator logs
Whether system administrator and system operator activities are logged.

6.10.4 (10.10.4) Administrator and operator logs (continued)
Whether the logged activities are reviewed on a regular basis.

6.10.5 (10.10.5) Fault logging
Whether faults are logged, analysed and appropriate action taken.
Whether the level of logging required for each system is determined by a risk assessment, taking performance degradation into account.

6.10.6 (10.10.6) Clock synchronisation
Whether the system clocks of all information processing systems within the organization or security domain are synchronised with an agreed accurate time source.
(The correct setting of computer clocks is important to ensure the accuracy of audit logs.)

Access Control

7.1 (11.1) Business requirement for access control

7.1.1 (11.1.1) Access control policy
Whether an access control policy is developed and reviewed based on the business and security requirements.
Whether both logical and physical access control are taken into consideration in the policy.
Whether users and service providers were given a clear statement of the business requirements to be met by access controls.

7.2 (11.2) User Access Management

7.2.1 (11.2.1) User registration
Whether there is a formal user registration and de-registration procedure for granting access to all information systems and services.

7.2.2 (11.2.2) Privilege management
Whether the allocation and use of any privileges in the information system environment is restricted and controlled, i.e. privileges are allocated on a need-to-use basis, and only after a formal authorization process.

7.2.3 (11.2.3) User password management
Whether the allocation and reallocation of passwords is controlled through a formal management process.
Whether users are asked to sign a statement to keep their password confidential.

7.2.4 (11.2.4) Review of user access rights
Whether there exists a process to review user access rights at regular intervals. Example: special privilege review every 3 months, normal privileges every 6 months.

7.3 (11.3) User Responsibilities

7.3.1 (11.3.1) Password use
Whether there are security practices in place to guide users in selecting and maintaining secure passwords.

7.3.2 (11.3.2) Unattended user equipment
Whether users and contractors are made aware of the security requirements and procedures for protecting unattended equipment. Example: log off when the session is finished or set up automatic log-off, terminate sessions when finished, etc.

7.3.3 (11.3.3) Clear desk and clear screen policy
Whether the organisation has adopted a clear desk policy with regard to papers and removable storage media.
Whether the organisation has adopted a clear screen policy with regard to information processing facilities.

7.4 (11.4) Network Access Control

7.4.1 (11.4.1) Policy on use of network services
Whether users are provided with access only to the services that they have been specifically authorized to use.
Whether there exists a policy that addresses concerns relating to networks and network services.

7.4.2 (11.4.2) User authentication for external connections
Whether an appropriate authentication mechanism is used to control access by remote users.

7.4.3 (11.4.3) Equipment identification in networks
Whether automatic equipment identification is considered as a means to authenticate connections from specific locations and equipment.

7.4.4 (11.4.4) Remote diagnostic and configuration port protection
Whether physical and logical access to diagnostic ports is securely controlled, i.e. protected by a security mechanism.

7.4.5 (11.4.5) Segregation in networks
Whether groups of information services, users and information systems are segregated on networks.
Whether the network (where business partners and/or third parties need access to information systems) is segregated using perimeter security mechanisms such as firewalls.

7.4.5 (11.4.5) Segregation in networks (continued)
Whether consideration is given to segregating wireless networks from internal and private networks.

7.4.6 (11.4.6) Network connection control
Whether there exists an access control policy which states network connection controls for shared networks, especially for those that extend across the organization's boundaries.

7.4.7 (11.4.7) Network routing control
Whether the access control policy states that routing controls are to be implemented for networks.
Whether the routing controls are based on positive source and destination identification mechanisms.

7.5 (11.5) Operating system access control

7.5.1 (11.5.1) Secure log-on procedures
Whether access to operating systems is controlled by a secure log-on procedure.

7.5.2 (11.5.2) User identification and authentication
Whether a unique identifier (user ID) is provided to every user, such as operators, system administrators and all other staff, including technical staff.
Whether generic user accounts are supplied only under exceptional circumstances where there is a clear business benefit. Additional controls may be necessary to maintain accountability.
Whether a suitable authentication technique is chosen to substantiate the claimed identity of the user.

7.5.3 (11.5.3) Password management system
Whether there exists a password management system that enforces various password controls, such as: individual passwords for accountability, enforced password changes, passwords stored in encrypted form, passwords not displayed on screen, etc.

7.5.4 (11.5.4) Use of system utilities
Whether utility programs that might be capable of overriding system and application controls are restricted and tightly controlled.

7.5.5 (11.5.5) Session time-out
Whether inactive sessions are shut down after a defined period of inactivity.
(A limited form of time-out can be provided for some systems, which clears the screen and prevents unauthorized access but does not close down the application or network sessions.)

7.5.6 (11.5.6) Limitation of connection time
Whether there exist restrictions on connection time for high-risk applications. This type of set-up should be considered for sensitive applications whose terminals are installed in high-risk locations.

7.6 (11.6) Application and Information access control

7.6.1 (11.6.1) Information access restriction
Whether access to information and application system functions by users and support personnel is restricted in accordance with the defined access control policy.

7.6.2 (11.6.2) Sensitive system isolation
Whether sensitive systems are provided with a dedicated (isolated) computing environment, such as running on a dedicated computer or sharing resources only with trusted application systems, etc.

7.7 (11.7) Mobile computing and teleworking

7.7.1 (11.7.1) Mobile computing and communications
Whether a formal policy is in place, and appropriate security measures are adopted, to protect against the risks of using mobile computing and communication facilities. Some examples of mobile computing and communications facilities include notebooks, palmtops, laptops, smart cards and mobile phones.
Whether risks such as working in unprotected environments are taken into account by the mobile computing policy.

7.7.2 (11.7.2) Teleworking
Whether a policy, operational plan and procedures are developed and implemented for teleworking activities.
Whether teleworking activity is authorized and controlled by management, and whether suitable arrangements are in place for this way of working.

Information systems acquisition, development and maintenance

8.1 (12.1) Security requirements of information systems

8.1.1 (12.1.1) Security requirements analysis and specification
Whether the security requirements for new information systems and enhancements to existing information systems specify the requirements for security controls.

8.1.1 (12.1.1) Security requirements analysis and specification (continued)
Whether the security requirements and controls identified reflect the business value of the information assets involved and the consequences of a failure of security.
Whether system requirements for information security, and processes for implementing security, are integrated in the early stages of information system projects.

8.2 (12.2) Correct processing in applications

8.2.1 (12.2.1) Input data validation
Whether data input to application systems is validated to ensure that it is correct and appropriate.
Whether controls such as checking different types of input for error messages, procedures for responding to validation errors, and defining the responsibilities of all personnel involved in the data input process, etc., are considered.

8.2.2 (12.2.2) Control of internal processing
Whether validation checks are incorporated into applications to detect any corruption of information through processing errors or deliberate acts.
Whether the design and implementation of applications ensure that the risks of processing failures leading to a loss of integrity are minimised.

8.2.3 (12.2.3) Message integrity
Whether requirements for ensuring and protecting message integrity in applications are identified, and appropriate controls identified and implemented.
Whether a security risk assessment was carried out to determine if message integrity is required, and to identify the most appropriate method of implementation.

8.2.4 (12.2.4) Output data validation
Whether the data output of application systems is validated to ensure that the processing of stored information is correct and appropriate to the circumstances.

8.3 (12.3) Cryptographic controls

8.3.1 (12.3.1) Policy on use of cryptographic controls
Whether the organization has a policy on the use of cryptographic controls for the protection of information.
Whether the policy is successfully implemented.

8.3.1 (12.3.1) Policy on use of cryptographic controls (continued)
Whether the cryptographic policy considers the management approach towards the use of cryptographic controls, risk assessment results to identify the required level of protection, key management methods, and the various standards for effective implementation.

8.3.2 (12.3.2) Key management
Whether key management is in place to support the organization's use of cryptographic techniques.
Whether cryptographic keys are protected against modification, loss and destruction.
Whether secret keys and private keys are protected against unauthorized disclosure.
Whether the equipment used to generate and store keys is physically protected.
Whether the key management system is based on an agreed set of standards, procedures and secure methods.

8.4 (12.4) Security of system files

8.4.1 (12.4.1) Control of operational software
Whether there are procedures in place to control the installation of software on operational systems. (This is to minimise the risk of corruption of operational systems.)

8.4.2 (12.4.2) Protection of system test data
Whether system test data is protected and controlled.
Whether the use of personal information or any sensitive information for testing operational databases is avoided.

8.4.3 (12.4.3) Access control to program source code
Whether strict controls are in place to restrict access to program source libraries. (This is to minimise the risk of corruption of information systems.)

8.5 (12.5) Security in development and support processes

8.5.1 (12.5.1) Change control procedures
Whether there is a strict control procedure in place over the implementation of changes to information systems. (This is to avoid the potential for unauthorized or unintentional changes.)
Whether this procedure addresses the need for risk assessment and analysis of the impacts of changes.

8.5.2 (12.5.2) Technical review of applications after operating system changes
Whether there is a process or procedure in place to review and test business-critical applications for adverse impact on organizational operations or security after changes to operating systems. Periodically it is necessary to upgrade the operating system, i.e. to install service packs, patches, hot fixes etc.

8.5.3 (12.5.3) Restrictions on changes to software packages
Whether modifications to software packages are discouraged and/or limited to necessary changes.
Whether all changes are strictly controlled.

8.5.4 (12.5.4) Information leakage
Whether controls are in place to prevent information leakage.
Whether controls such as scanning of outbound media, regular monitoring of personnel and system activities where permitted under local legislation, and monitoring of resource usage are considered.

8.5.5 (12.5.5) Outsourced software development
Whether outsourced software development is supervised and monitored by the organization.
Whether points such as licensing arrangements, escrow arrangements, contractual requirements for quality assurance, and testing before installation to detect Trojan code, etc., are considered.

8.6 (12.6) Technical vulnerability management

8.6.1 (12.6.1) Control of technical vulnerabilities
Whether timely information about technical vulnerabilities of the information systems in use is obtained.
Whether the organization's exposure to such vulnerabilities is evaluated and appropriate measures taken to mitigate the associated risk.

Information Security Incident Management

9.1 (13.1) Reporting information security events and weaknesses

9.1.1 (13.1.1) Reporting information security events
Whether information security events are reported through appropriate management channels as quickly as possible.
Whether a formal information security event reporting procedure, and an incident response and escalation procedure, are developed and implemented.

10.2 9. effective and orderly response to information security incidents.1 14.2 Whether there is a mechanism in place to identify and quantify the type. Whether internal procedures are developed and followed when collecting and presenting evidence for the purpose of disciplinary action within the organization 9.1 14.1.3 13. alerts and vulnerabilities are used to detect information security incidents.2 13.2 13.1.1.2.1 13. Whether follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal).2. Whether the objective of information security incident management is agreed with the management.2.com Including informaiton security in the business continuity management process Page 18 01/12/2011 .2.2 13.2 9. volume and costs of Learning from information security information security incidents. from the Whether the information gained incidents evaluation of the past information security incidents are used to identify recurring or high impact incidents.1 Responsibilities and procedures Whether monitoring of systems. retained and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).ISO 27001 Compliance Checklist Whether there exists a procedure that ensures all employees of information systems and services are required to note and report any observed or Reporting security weaknesses suspected security weakness in the system or services. Whether evidence relating to the incident are collected.2.1 Vinod Kumar vinodjis@hotmail. 9.1 Information security aspects of business continuity management Whether there is a managed process in place that addresses the information security requirements for developing and maintaining business continuity throughout the organization. 9. 
Management of information security incidents and improvements Whether management responsibilities and procedures were established to ensure quick.1.3 Collection of evidence Business Continuity Management 10.2.

1 Vinod Kumar vinodjis@hotmail.2 14.1. implementation of recovery and restoration procedure. Business continuity and risk assessement Whether events that cause interruption to business process is identified along with the probability and impact of such interruptions and their consequence for information security. Whether business continuity plan tests ensure Testing maintaining and re-assessing that all members of the recovery team and other business continuity plans relevant staff are aware of the plans and their responsibility for business continuity and information security and know their role when plan is evoked.2 10. Whether business continuity plan addresses the identified information security requirement. Compliance with legal requirements 10.1.com Page 19 01/12/2011 . 10. Whether Business continuity plans are tested regularly to ensure that they are up to date and effective.1.1 15.1. Whether plans were developed to maintain and restore business operations.1.5 14. documentation of procedure and regular testing.4 Business continuity planning framework Whether this framework is maintained to ensure that all plans are consistent and identify priorities for testing and maintenance.5 Compliance 11.1. identification of acceptable loss.1.1.1 Including informaiton security in the business continuity management Whether this process understands the risks the process organization is facing.3 14.4 14. identify incident impacts.3 Developing and implementing continuity plans including information security 10.ISO 27001 Compliance Checklist 10. ensure availability of information within the required level in the required time frame following an interruption or failure to business processes. consider the implementation of additional preventative controls and documenting the business continuity plans addressing the security requirements. Whether the plan considers identification and agreement of responsibilities.1 14. identify business critical assets.1.1. 
Whether there is a single framework of Business continuity plan.

policy awareness. complying with software terms and conditions are considered.ISO 27001 Compliance Checklist Whether all relevant statutory. Whether there are procedures to ensure compliance with legislative.1.1. Whether controls such as: publishing intellectual property rights compliance policy. procedures for acquiring software. regulatory. 11.5 15. regulatory.5 Prevention of misuse of information processing facilities Vinod Kumar vinodjis@hotmail.4 Data protection and privacy of personal information Whether data protection and privacy is ensured as per relevant legislation. Whether the procedures are well implemented. contractual and business given to possibility of Whether consideration is requirement. contractual requirements and organizational approach to meet the requirements were explicitly defined and documented for each Identification of applicable legislation information system and organization. Whether important records of the organization is protected from loss destruction and falsification. 11. depending on requirements to be fulfilled.2 15.1.1. regulatory and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products.2 Intellectual property rights (IPR) Whether data storage systems were chosen so that required data can be retrieved in an acceptable timeframe and format.1.4 15.1 11.3 15.1. in accordance with statutory.1. 11. without management approval is treated as improper use of the facility. 11.com Page 20 01/12/2011 . maintaining proof of ownership.1 15. regulations and if applicable as per the contractual clauses.1. Whether use of information processing facilities for any non-business or unauthorized purpose.1.1.3 Protection of organizational records deterioration of media used for storage of records. Whether specific controls and individual responsibilities to meet these requirements were defined and documented.

2. Whether the user has to acknowledge the processing facilities warning and react appropriately to the message on the screen to continue with the log-on process.2.3. 11. 11.2. unless given an appropriate level of additional protection.1.2 15.1 Compliance with security policies and standards 11. Whether the audit requirements.1 15.2 15. Whether information system audit tools are separated from development and operational systems. or under the supervision of.3 15.3.5 15.6 15.3.com Page 21 01/12/2011 .ISO 27001 Compliance Checklist 11.2 Protection of informaiton system audit tools Vinod Kumar vinodjis@hotmail.1 15.1.2. scope are agreed with appropriate management.2 11.3 Whether the technical compliance check is carried out by.6 11. and regulations. Technical compliance checking 11.1.2 15.3. Whether legal advice is taken before implementing any monitoring procedures.1 Information systems audit control 11.2 Whether the cryptographic controls are used in Regulation of cryptographic controls compliance with all relevant agreements. authorized personnel Information systems audit considerations Whether audit requirements and activities involving checks on operational systems should be carefully planned and agreed to minimise the risk of disruptions to business process. competent.5 Whether a log-on a warning message is Prevention of misuse of information presented on the computer screen prior to log-on. Do managers regularly review the compliance of information processing facility within their area of responsibility for compliance with appropriate security policy and procedure Whether information systems are regularly checked for compliance with security implementation standards. laws.1. Compliance with techincal policies and standards and technical compliance Whether managers ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards. 
Whether access to information system audit tools such as software or data files are protected to prevent any possible misuse or compromise.


Compliance Per Control Objective
Domain / Objective / Status (%)

Security Policy
  Information Security Policy: 0%

Organization of Information Security
  Internal Organization: 0%
  External Parties: 0%

Asset Management
  Responsibilities for assets: 0%
  Information Classification: 0%

Human resources security
  Prior to Employment: 0%
  During Employment: 0%
  Termination or change of employment: 0%

Physical and Environmental security
  Secure Areas: 0%
  Equipment Security: 0%

Communication and Operations Management
  Operational procedures and responsibilities: 0%
  Third party service delivery management: 0%
  System planning and acceptance: 0%
  Protection against malicious and mobile code: 0%
  Backup: 0%
  Network Security Management: 0%
  Media handling: 0%
  Exchange of information: 0%
  Electronic commerce services: 0%
  Monitoring: 0%

Access Control
  Business Control for access control: 0%
  User Access Management: 0%
  User Responsibilities: 0%
  Network Access control: 0%
  Operating system access control: 0%
  Application and information access control: 0%
  Mobile computing and teleworking: 0%

Information system acquisition, development and maintenance
  Security requirements of information systems: 0%
  Correct processing in applications: 0%
  Cryptographic controls: 0%
  Security of system files: 0%
  Security in development and support services: 0%
  Technical vulnerability management: 0%

Information security incident management
  Reporting information security events and weaknesses: 0%
  Management of information security incidents and improvements: 0%

Business Continuity Management
  Information security aspects of Business continuity management: 0%

Compliance
  Compliance with legal requirements: 0%
  Compliance with technical policies and standards and technical compliance: 0%
  Information system audit considerations: 0%

Compliance Per Domain
Domain / Status (%)
  Security Policy: 0%
  Organization of Information Security: 0%
  Asset Management: 0%
  Human resources security: 0%
  Physical and Environmental security: 0%
  Communication and Operations Management: 0%
  Access Control: 0%
  Information system acquisition, development and maintenance: 0%
  Information security incident management: 0%
  Business Continuity Management: 0%
  Compliance: 0%

[Chart: Compliance per Domain; y-axis Status 0% to 100%, one bar per domain above, all at 0% in the blank template]

Compliance Checklist
A conditional formatting has been provided on the "Compliance checklist" sheet under the "Status (%)" field and is as mentioned below:
1 to 25
26 to 75
76 to 100
In the field "Findings" fill in the evidence that you saw and your thoughts on the implementation.
In the field "Status (%)" fill in the compliance level on the scale as mentioned above.
If any of the controls is not applicable, please put in "NA" or anything that denotes that particular control is not applicable to the organization.

Compliance Per Control
Kindly note: this sheet has been automated and will show you the status pertaining to each control objective, as per your status in the "Compliance Checklist" sheet.

Compliance Per Domain
Kindly note: this sheet has been automated and will show you the status pertaining to each domain, as per your status in the "Compliance Checklist" sheet.

Graphical Representation
This will give you a graphical representation of the status per domain, which can be incorporated into your presentation to the management.
