
ISO 27001 CONTROLS CHECKLIST TEMPLATE

Columns: SECTION/CATEGORY | REQUIREMENT/TASK | ASSIGNED TO | DATE LAST UPDATED | IN COMPLIANCE?
(In the template, the ASSIGNED TO, DATE LAST UPDATED, and IN COMPLIANCE? columns are left blank for each item.)

5. Information Security Policies

5.1 Security policies exist.

5.2 All policies approved by management.

5.3 Evidence of compliance.

6. Organization of information security

6.1 Roles and responsibilities defined.

6.2 Segregation of duties defined.

6.3 Verification body / authority contacted for compliance verification.

6.4 Establish contact with special interest groups regarding compliance.

6.5 Evidence of information security in project management.

6.6 Defined policy for mobile devices.

6.7 Defined policy for working remotely.

7. Human resources security

7.1 Defined policy for screening employees prior to employment.

7.2 Defined policy for HR terms and conditions of employment.

7.3 Defined policy for management responsibilities.

7.4 Defined policy for information security awareness, education, and training.

7.5 Defined policy for disciplinary process regarding information security.

7.6 Defined policy for HR termination or change-of-employment policy regarding information security.

8. Asset management

8.1 Complete inventory list of assets.

8.2 Complete ownership list of assets.

8.3 Defined "acceptable use" of assets policy.

8.4 Defined return of assets policy.

8.5 Defined policy for classification of information.

8.6 Defined policy for labeling information.

8.7 Defined policy for handling of assets.

8.8 Defined policy for management of removable media.

8.9 Defined policy for disposal of media.

8.10 Defined policy for physical media transfer.

9. Access control

9.1 Defined policy for user asset registration and de-registration.

9.2 Defined policy for user access provisioning.

9.3 Defined policy for management of privileged access rights.

9.4 Defined policy for management of secret authentication information of users.

9.5 Defined policy for review of user access rights.

9.6 Defined policy for removal or adjustment of access rights.

9.7 Defined policy for use of secret authentication information.

9.8 Defined policy for information access restrictions.

9.9 Defined policy for secure log-in procedures.

9.10 Defined policy for password management systems.

9.11 Defined policy for use of privileged utility programs.

9.12 Defined policy for access control to program source code.

10. Cryptography

10.1 Defined policy for use of cryptographic controls.

10.2 Defined policy for key management.

11. Physical and environmental security

11.1 Defined policy for physical security perimeter.

11.2 Defined policy for physical entry controls.

11.3 Defined policy for securing offices, rooms, and facilities.

11.4 Defined policy for protection against external and environmental threats.

11.5 Defined policy for working in secure areas.

11.6 Defined policy for delivery and loading areas.

11.7 Defined policy for equipment siting and protection.

11.8 Defined policy for supporting utilities.

11.9 Defined policy for cabling security.

11.10 Defined policy for equipment maintenance.

11.11 Defined policy for removal of assets.

11.12 Defined policy for security of equipment and assets off premises.

11.13 Secure disposal or re-use of equipment.

11.14 Defined policy for unattended user equipment.

11.15 Defined policy for clear desk and clear screen policy.

12. Operations security

12.1 Defined policy for documented operating procedures.

12.2 Defined policy for change management.

12.3 Defined policy for capacity management.

12.4 Defined policy for separation of development, testing, and operational environments.

12.5 Defined policy for controls against malware.

12.6 Defined policy for backing up systems.

12.7 Defined policy for information backup.

12.8 Defined policy for event logging.

12.9 Defined policy for protection of log information.

12.10 Defined policy for administrator and operator log.

12.11 Defined policy for clock synchronization.

12.12 Defined policy for installation of software on operational systems.

12.13 Defined policy for management of technical vulnerabilities.

12.14 Defined policy for restriction on software installation.

12.15 Defined policy for information system audit control.

13. Communication security

13.1 Defined policy for network controls.

13.2 Defined policy for security of network services.

13.3 Defined policy for segregation in networks.

13.4 Defined policy for information transfer policies and procedures.

13.5 Defined policy for agreements on information transfer.

13.6 Defined policy for electronic messaging.

13.7 Defined policy for confidentiality or non-disclosure agreements.

13.8 Defined policy for system acquisition, development, and maintenance.

14. System acquisition, development, and maintenance

14.1 Defined policy for information security requirements analysis and specification.

14.2 Defined policy for securing application services on public networks.

14.3 Defined policy for protecting application service transactions.

15. Supplier relationships

15.1 Defined policy for supplier relationships.

16. Information security incident management

16.1 Defined policy for information security management.

17. Information security aspects of business continuity management

17.1 Defined policy for redundancies.

18. Compliance

18.1 Defined policy for identification of applicable legislation and contractual requirement.

18.2 Defined policy for intellectual property rights.

18.3 Defined policy for protection of records.

18.4 Defined policy for privacy and protection of personally identifiable information.

18.5 Defined policy for regulation of cryptographic control.

18.6 Defined policy for compliance with security policies and standards.

18.7 Defined policy for technical compliance review.

Any articles, templates, or information provided by Smartsheet on the website are for reference
only. While we strive to keep the information up to date and correct, we make no
representations or warranties of any kind, express or implied, about the completeness,
accuracy, reliability, suitability, or availability with respect to the website or the information,
articles, templates, or related graphics contained on the website. Any reliance you place on
such information is therefore strictly at your own risk.

This template is provided as a sample only. This template is in no way meant as legal or
compliance advice. Users of the template must determine what information is necessary and
needed to accomplish their objectives.
