ISO 27001 CHECKLIST TEMPLATE

IN
ISO 27001 CONTROL IMPLEMENTATION PHASES TASKS NOTES
COMPLIANCE?
5 Information Security Policies

5.1 Management direction for information security

Security Policies exist?

All policies approved by

5.1.1 Policies for information security
management?

Evidence of compliance?

6 Organization of information security

6.1 information security roles and responsibilities

6.1.1 Security roles and responsibilities Roles and responsibilities defined?

6.1.2 Segregation of duties Segregation of duties defined?

Verification body / authority

6.1.3 Contact with authorities contacted for compliance
verification?

Establish contact with special

Contact with special interest
6.1.4 interest groups regarding
groups
compliance?

Information security in project Evidence of information security in

6.1.5
management project management?

6.2 Mobile devices and teleworking

6.2.1 Mobile device policy Defined policy for mobile devices?

Defined policy for working

6.2.2 Teleworking
remotely?

7 Human resource security

7.1 Prior to employment

Defined policy for screening

7.1.1 Screening
employees prior to employment?

Terms and conditions of Defined policy for HR terms and

7.1.2
employment conditions of employment?

7.2 During employment

Defined policy for management

7.2.1 Management responsibilities
responsibilities?

Defined policy for information

Information security awareness,
7.2.2 security awareness, education,
education, and training
and training?

Defined policy for

7.2.3 Disciplinary process disciplinary process regarding
information security?
7.3 Termination and change of employment

Defined policy for HR termination

Termination or change of
7.3.1 or change-of-employment policy
employment responsibilities
regarding information security?

8 Asset management

8.1 Responsibilities for assets

8.1.1 Inventory of assets Complete inventory list of assets?

8.1.2 Ownership of assets Complete ownership list of assets

Defined "acceptable use" of assets

8.1.3 Acceptable use of assets
policy

8.1.4 Return of assets Defined return of assets policy?

8.2 Information classification

Defined policy for classification

8.2.1 Classification of information
of information?

Defined policy for labeling

8.2.2 Labeling of information
information?

Defined policy for handling

8.2.3 Handling of assets
of assets?

8.3 Media handling

Management of removable Defined policy for management

8.3.1
media of removable media?

Defined policy for disposal

8.3.2 Disposal of media
of media?

Defined policy for physical

8.3.3. Physical media transfer
media transfer?

9 Access control

9.1 Responsibilities for assets

Defined policy for access

9.1.1 Access policy control
control policy?

Access to networks and Defined policy for access to

9.1.2
network services networks and network services?

9.2 Responsibilities for assets

User registration and de- Defined policy for user asset

9.2.1
registration registration and de-registration?

Defined policy for user access

9.2.2 User access provisioning
provisioning?

Management of privileged Defined policy for management

9.2.3
access rights of privileged access rights?
 Defined policy for management
Management of secret
9.2.4 of secret authentication
authentication information of users
information of users?

Defined policy for review of user

9.2.5 Review of user access rights
access rights?

Removal or adjustment Defined policy for removal or

9.2.6
of access rights adjustment of access rights?

9.3 User responsibilities

Use of secret authentication Defined policy for use of secret

9.3.1
information authentication information?

9.4 System and application access control

Defined policy for information

9.4.1 Information access restrictions
access restrictions?

Defined policy for secure log-in

9.4.2 Secure log-on procedures
procedures?

Defined policy for password

9.4.3 Password management system
management systems?

Defined policy for use of

9.4.4 Use of privileged utility programs
privileged utility programs?

Access control to program source Defined policy for access control

9.4.5
code to program source code?

10 Cryptography

10.1 Cryptographic controls

Policy on the use of Defined policy for use of

10.1.1
cryptographic controls cryptographic controls?

Defined policy for key

10.1.2 Key management
management?

11 Physical and environmental security

11.1 Secure areas

Defined policy for physical security

11.1.1 Physical security perimeter
perimeter?

Defined policy for physical entry

11.1.2 Physical entry controls
controls?

Securing offices, rooms and Defined policy for securing offices,

11.1.3
facilities rooms and facilities?

Defined policy for protection

Protection against external and
11.1.4 against external and
environmental threats
environmental threats?

Defined policy for working in

11.1.5 Working in secure areas
secure areas?

Defined policy for delivery and

11.1.6 Delivery and loading areas
loading areas?
11.2 Equipment

Defined policy for equipment siting

11.2.1 Equipment siting and protection
and protection?

Defined policy for supporting

11.2.2 Supporting utilities
utilities?

Defined policy for cabling

11.2.3 Cabling security
security?

Defined policy for equipment

11.2.4 Equipment maintenance
maintenance?

Defined policy for removal of

11.2.5 Removal of assets
assets?

Defined policy for security of

Security of equipment and assets
11.2.6 equipment and assets off-
off-premises
premises?

Secure disposal or re-use of Secure disposal or re-use of

11.2.7
equipment equipment?

Defined policy for unattended user

11.2.8 Unattended user equipment
equipment?

Defined policy for clear desk and

11.2.9 Clear desk and clear screen policy
clear screen policy?

12 Operations security

12.1 Operational procedures and responsibilities

Documented operating Defined policy for documented

12.1.1
procedures operating procedures?

Defined policy for change

12.1.2 Change management
management?

Defined policy for capacity

12.1.3 Capacity management
management?

Separation of development, Defined policy for separation of

12.1.4 testing and operational development, testing and
environments operational environments?

12.2 Protection from malware

Defined policy for controls against

12.2.1 Controls against malware
malware?

12.3 System Backup

Defined policy for backing up

12.3.1 Backup
systems?

Defined policy for information

12.3.2 Information Backup
backup?

12.4 Logging and Monitoring

12.4.1 Event logging Defined policy for event logging?

 Defined policy for protection of
12.4.2 Protection of log information
log information?

Defined policy for administrator

12.4.3 Administrator and operator log
and operator log?

Defined policy for clock

12.4.4 Clock synchronization
synchronization?

12.5 Control of operational software

Installation of software on Defined policy for installation of

12.5.1
operational systems software on operational systems?

12.6 Technical vulnerability management

Management of technical Defined policy for management of

12.6.1
vulnerabilities technical vulnerabilities?

Defined policy for restriction on

12.6.2 Restriction on software installation
software installation?

12.7 Information systems audit considerations

Defined policy for information

12.7.1 Information system audit control
system audit control?

13 Communications security

13.1 Network security management

Defined policy for network

13.1.1 Network controls
controls?

Defined policy for security of

13.1.2 Security of network services
network services?

Defined policy for segregation in

13.1.3 Segregation in networks
networks?

13.2 Information transfer

Information transfer policies and Defined policy for information

13.2.1
procedures transfer policies and procedures?

Agreements on information Defined policy for agreements on

13.2.2
transfer information transfer?

Defined policy for electronic

13.2.3 Electronic messaging
messaging?

Confidentiality or non-disclosure Defined policy for confidentiality

13.2.4
agreements or non-disclosure agreements?

Defined policy for system

System acquisition, development
13.2.5 acquisition, development and
and maintenance
maintenance?

14 System acquisition, development and maintenance

14.1 Security requirements of information systems

Defined policy for information

Information security requirements
14.1.1 security requirements analysis and
analysis and specification
specification?
 Defined policy for securing
Securing application services on
14.1.2 application services on public
public networks
networks?

Protecting application service Defined policy for protecting

14.1.3
transactions application service transactions?

14.2 Security in development and support processes

Defined policy for in-house

14.2.1 In-house development
development?

15 Suppliers relationships

Defined policy for supplier

15.1.1 Suppliers relationships
relationships?

16 Information security incident management

Defined policy for information

16.1.1 Information security management
security management?

17 Information security aspects of business continuity management

17.1 Information security continuity

Defined policy for information

17.1.1 Information security continuity
security continuity?

17.2 Redundancies

17.2.1 Redundancies Defined policy for redundancies?

18 Compliance

18.1 Compliance with legal and contractual requirements

Identification of applicable Defined policy for identification of

18.1.1 legislation and contractual applicable legislation and
requirement contractual requirement?

Defined policy for intellectual

18.1.2 Intellectual property rights
property rights?

Defined policy for protection of

18.1.3 Protection of records
records?

Defined policy for privacy and

Privacy and protection of
18.1.4 protection of personally
personally identifiable information
identifiable information?

Regulation of cryptographic Defined policy for regulation of

18.1.5
control cryptographic control?

18.1 Independent review of information security

Defined policy for compliance

Compliance with security policies
18.1.1 with security policies and
and standards
standards?

Defined policy for technical

18.1.2 Technical compliance review
compliance review?
 DISCLAIMER

Any articles, templates, or information provided by Smartsheet on the website are for
reference only. While we strive to keep the information up to date and correct, we make no
representations or warranties of any kind, express or implied, about the completeness,
accuracy, reliability, suitability, or availability with respect to the website or the information,
articles, templates, or related graphics contained on the website. Any reliance you place on
such information is therefore strictly at your own risk.

This template is provided as a sample only. This template is in no way meant as legal or
compliance advice. Users of the template must determine what information is necessary
and needed to accomplish their objectives.