Professional Documents
Culture Documents
Ask yourselves the following questions to assess your progress towards achieving ISO
27001:2013
Do we have and maintain the following documentation and records?
These are the mandatory documents:
• Scope of the ISMS (clause 4.3)
• Information security policy and objectives (clauses 5.2 and 6.2)
• Risk assessment and risk treatment methodology (clause 6.1.2)
• Statement of Applicability (clause 6.1.3 d)
• Risk treatment plan (clauses 6.1.3 e and 6.2)
• Risk assessment report (clause 8.2)
• Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
• Inventory of assets (clause A.8.1.1)
• Acceptable use of assets (clause A.8.1.3)
• Access control policy (clause A.9.1.1)
• Operating procedures for IT management (clause A.12.1.1)
• Secure system engineering principles (clause A.14.2.5)
• Supplier security policy (clause A.15.1.1)
• Incident management procedure (clause A.16.1.5)
• Business continuity procedures (clause A.17.1.2)
• Statutory, regulatory, and contractual requirements (clause A.18.1.1)
And here are the mandatory records:
• Records of training, skills, experience and qualifications (clause 7.2)
• Monitoring and measurement results (clause 9.1)
• Internal audit program (clause 9.2)
• Results of internal audits (clause 9.2)
• Results of the management review (clause 9.3)
• Results of corrective actions (clause 10.1)
• Logs of user activities, exceptions, and security events (clauses A.12.4.1 and
A.12.4.3)
Do we comply? Y/N
7.1 Resources
19. Are adequate resources provided for all the elements of the ISMS?
7.2 Competence
20. Is appropriate competence assessed, and training provided where needed, for personnel doing
tasks that can affect the information security? Are records of competences maintained?
7.3 Awareness
21. Is the personnel aware of the Information Security Policy, of their role, and consequences of not
complying with the rules?
22. Is there a process for communication related to information security, including the
responsibilities and what to communicate, to whom and when?
7.5 Documented Information
23. Does the documentation of the ISMS include the Information Security Policy, objectives &
targets, the scope of the ISMS, the main elements and their interaction, documents and records of
ISO 27001 and those identified by the company?
24. Is it ensured that managing of documents and records exists, including who reviews and
approves documents, and where and how they are published, stored, and protected?
25. Is documented information of external origin controlled?
8.0 OPERATIONS
8.1 Operational Planning And Control
26. Does the organisation have the necessary documented information to be confident that its
processes are being carried out as planned?
27. Are planned changes controlled? Are consequences of unplanned changes reviewed to identify
mitigation actions if necessary?
28. Are outsourced processes identified and controlled?
8.2 Information Security Risk Assessment
29. Are the risks, their owners, likelihood, consequences, and the level of risk identified? Are these
results documented?
8.3 Information Risk Treatment
30. Does a risk treatment plan exist, approved by risk owners?
31. Is there a documented list with all controls deemed as necessary, with proper justification and
implementation status?
9.0 PERFORMANCE EVALUATION
9.1 Monitoring, Measurement, Analysis And Evaluation
32. Is it defined what needs to be measured, by which method, who is responsible, who will
analyse and evaluate the results?
33. Are the results of measurement documented, analysed, and evaluated by responsible persons?
ISO 27001:2013 Gap Analysis
Do we comply? Y/N
52. Are there agreements with employees and contractors that specify information security
responsibilities?
53. Is management actively requiring all employees and contractors to comply with information
security rules?
54. Do employees and contractors attend trainings to better perform their security duties, and do
the awareness programs exist?
55. Does the organisation have a formal disciplinary process?
56. Are there agreements covering information security responsibilities that remain valid after the
termination of employment?
A.8 ASSET MANAGEMENT
57. Does an inventory of assets exist?
58. Does every asset in the inventory of assets have a designated owner?
59. Are rules for handling of information and assets defined?
60. Are company assets returned by employees and contractors when their employment is
terminated?
62. Are there procedures which define how to label and handle classified information?
63. Are there procedures which define how to handle assets?
64. Are there procedures which define how to handle removable media in line with the classification
rules?
65. Are there formal procedures for disposing of the media?
66. Is the media that contains sensitive information protected during transportation?
A.9 ACCESS CONTROL
67. Is there an access control policy?
68. Do the users have access only to the resources they are allowed to?
69. Are access rights provided via a formal registration process?
70. Is there a formal access control system when logging into information systems?
71. Are privileged access rights managed with special care?
72. Are passwords and other secret authentication information provided in a secure way?
73. Do asset owners periodically check all the privileged access rights?
74. Are access rights updated when there is a change in the user situation (e.g.: organisational
change or termination)?
75. Are there rules for users on how to protect passwords and other authentication information?
76. Is the access to information in systems restricted according to the access control policy?
77. Is secure log-on required on systems according to the Access Control Policy?
ISO 27001:2013 Gap Analysis
Do we comply? Y/N
78. Do the password management systems used by the organisation help users to securely
manage their authentication information?
79. Is the use of utility tools controlled and limited to specific employees?
80. Is the access to source code restricted to authorised persons?
A.10 CRYPTOGRAPHY
81. Do a policy to regulate encryption and other cryptographic controls exist?
82. Are the cryptographic keys properly protected?
A.11 PHYSICAL AND ENVIRONMENTAL SECURITY
83. Do secure areas that protect sensitive information exist?
84. Is the entrance to secure areas protected?
85. Are secure areas located in a protected way?
86. Are the alarms, fire protection, and other systems installed?
87. Are working procedures for secure areas defined?
88. Are delivery and loading areas protected?
89. Is the equipment properly protected?
90. Does the equipment have protection against energy variations?
91. Are the power and telecommunication cables adequately protected?
92. Is the equipment maintained regularly?
93. Is information and equipment removal to outside of the organization premises controlled?
94. Are the organization assets properly protected when they are not at the organization premises?
95. Is information properly removed from media or equipment that will be disposed of?
96. Are there rules to protect equipment when not in physical possession of its users?
97. Is there orientation for users about what to do when they are not present at their workstations?
A.12 OPERATIONAL SECURITY
98. Are operating procedures for IT processes documented?
99. Are changes that could affect information security strictly controlled?
100. Are resources monitored and plans made to ensure their capacity to fulfill users' demands?
101. Are development, testing, and production environments separated?
102. Are anti-virus software, and other software for malware protection installed and properly used?
103. Is a backup policy defined and performed properly?
104. Are relevant events from IT systems logged, and verified periodically?
105. Are logs protected properly?
ISO 27001:2013 Gap Analysis
Do we comply? Y/N
134. Do the agreements with providers and suppliers include security requirements?
135. Are suppliers regularly monitored?
136. Are changes involving arrangements and contracts with suppliers and partners taking into
account risks and existing processes?
A.16 INFORMATION SECURITY INCIDENT MANAGEMENT
137. Are incidents managed properly?
138. Are information security events reported in properly?
139. Are employees and contractors reporting on security weaknesses?
140. Are security events assessed and classified properly?
141. Are procedures on how to respond to incidents documented?
142. Are security incidents analyzed properly?
143. Do procedures exist which define how to collect evidence?
A.17. INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
144. Are requirements for continuity of information security defined?
145. Do procedures exist that ensure the continuity of information security during a crisis or a
disaster?
146. Is exercising and testing of continuity performed?
147. Does IT infrastructure have redundancy (e.g.: secondary location) included in its planning and
operation?
A.18 COMPLIANCE
148. Are legislative, regulatory, contractual, and other security requirements known?
149. Do procedures exist to protect intellectual property rights?
150. Are records protected properly?
151. Is personally identifiable information protected properly?
152. Are cryptographic controls used properly?
153. Is information security regularly reviewed by an independent auditor?
154. Do the managers regularly review if the security policies and procedures are performed
properly in their areas of responsibility?
155. Are information systems regularly reviewed to check their compliance with the information
security policies and standards?