Introduction
This spreadsheet is used to record and track the status of your organization as you implement the mandatory an
The main body of ISO/IEC 27001 formally specifies a number of mandatory requirements that must be fulfilled i
rather than the information risks and the security controls being managed. For example, the standard require
and procedures defined in the ISMS. The standard does not mandate specific information security controls: the
However, Annex A to '27001 outlines a suite of information security controls that the management system wou
much more detail in ISO/IEC 27002:2022, and in various other standards, laws, regulations etc.
Instructions
1. Design and implement an ISMS complying with all the mandatory elements specified in the main body of ISO
2. Identify and assess the information security risks facing those parts of the organization that are declared in s
constrained by Annex A! Adapt the sheet, modifying the wording and adding in additional rows if you determin
point.
3. Systematically check and record the status of your security risks and controls, updating the status column of
4. Once your ISMS is operating normally, the metrics are looking good and you have amassed sufficient evidenc
requirements, and that your in-scope information security risks are being identified, treated and monitored acc
periodically reviewed/audited.
Copyright
This work is copyright © 2022, ISO27k Forum, some rights reserved. It is licensed under the Creative Commons
incorporated into a commercial product, (b) it is properly attributed to the ISO27k Forum at www.ISO27001secu
Note: you need licensed copies of both ISO/IEC 27001 and 27002 to make much sense of this, and other ISO27
may not entirely fulfill their meaning or intent. The definitive references are the ISO27k standards, not this wor
Please visit ISO27001security.com for further advice and guidance on the ISO27k standards, including the ISO27
Status of ISO/IEC 27001 implementation
| Section | ISO/IEC 27001 requirement | Status | Notes |
|---|---|---|---|
| 4.4 | ISMS | | |
| 4.4 | Establish, implement, maintain and continually improve an ISMS according to the standard! | Nonexistent | |
| 5 | Leadership | | |
| 5.1 | Leadership & commitment | | |
| 5.1 | Top management must demonstrate leadership & commitment to the ISMS | Defined | |
| 5.2 | Policy | | |
| 5.2 | Establish the information security policy | Nonexistent | |
| 6 | Planning | | |
| 6.1 | Actions to address risks & opportunities | | |
| 6.1.1 | Design/plan the ISMS to satisfy the requirements, addressing risks & opportunities | Initial | |
| 6.1.2 | Define and apply an information security risk assessment process | Initial | |
| 6.1.3 | Document and apply an information security risk treatment process | Initial | |
| 7 | Support | | |
| 7.1 | Resources | | |
| 7.1 | Determine and allocate necessary resources for the ISMS | Initial | |
| 7.2 | Competence | | |
| 7.2 | Determine, document and make available necessary competences | Initial | |
| 7.3 | Awareness | | |
| 7.3 | Establish a security awareness program | Initial | |
| 7.4 | Communication | | |
| 7.4 | Determine the need for internal and external communications relevant to the ISMS | Initial | |
| 8 | Operation | | |
| 8.1 | Operational planning and control | | |
| 8.1 | Plan, implement, control & document ISMS processes to manage risks (i.e. a risk treatment plan) | Initial | |
| 9 | Performance evaluation | | |
| 9.1 | Monitoring, measurement, analysis and evaluation | | |
| 9.1 | Monitor, measure, analyze and evaluate the ISMS and the controls | Initial | |
| 10 | Improvement | | |
| 10.1 | Continual improvement | | |
| 10.1 | Continually improve the ISMS | Initial | |
01/09/2023 Page 2 of 5
Statement of Applicability and status of information security controls

| Section | Information security control | Status | Notes |
|---|---|---|---|
| A5 | Organizational controls | | |
| A.5.1 | Policies for information security | ? Unknown | |
| A.5.2 | Information security roles and responsibilities | ? Unknown | |
| A.5.3 | Segregation of duties | ? Unknown | |
| A.5.4 | Management responsibilities | ? Unknown | |
| A.5.5 | Contact with authorities | ? Unknown | |
| A.5.6 | Contact with special interest groups | ? Unknown | |
| A.5.7 | Threat intelligence | ? Unknown | |
| A.5.8 | Information security in project management | ? Unknown | |
| A.5.9 | Inventory of information and other associated assets | ? Unknown | |
| A.5.10 | Acceptable use of information and other associated assets | ? Unknown | |
| A.5.11 | Return of assets | ? Unknown | |
| A.5.12 | Classification of information | ? Unknown | |
| A.5.13 | Labelling of information | ? Unknown | |
| A.5.14 | Information transfer | ? Unknown | |
| A.5.15 | Access control | ? Unknown | |
| A.5.16 | Identity management | ? Unknown | |
| A.5.17 | Authentication information | ? Unknown | |
| A.5.18 | Access rights | ? Unknown | |
| A.5.19 | Information security in supplier relationships | ? Unknown | |
| A.5.20 | Addressing information security within supplier agreements | ? Unknown | |
| A6 | People controls | | |
| A.6.1 | Screening | ? Unknown | |
| A.6.2 | Terms and conditions of employment | Nonexistent | |
| A.6.3 | Information security awareness, education and training | Initial | |
| A.6.4 | Disciplinary process | Limited | |
| A.6.5 | Responsibilities after termination or change of employment | Defined | |
| A.6.6 | Confidentiality or non-disclosure agreements | Managed | |
| A.6.7 | Remote working | Optimized | |
| A.6.8 | Information security event reporting | Not applicable | |
| A7 | Physical controls | | |
| A.7.1 | Physical security perimeters | ? Unknown | |
| A.7.2 | Physical entry | ? Unknown | |
| A.7.3 | Securing offices, rooms and facilities | ? Unknown | |
| A.7.4 | Physical security monitoring | ? Unknown | |
| A.7.5 | Protecting against physical and environmental threats | ? Unknown | |
| A.7.6 | Working in secure areas | ? Unknown | |
| A.7.7 | Clear desk and clear screen | ? Unknown | |
| A.7.8 | Equipment siting and protection | ? Unknown | |
| A.7.9 | Security of assets off-premises | ? Unknown | |
| A.7.10 | Storage media | ? Unknown | |
| A.7.11 | Supporting utilities | ? Unknown | |
| A.7.12 | Cabling security | ? Unknown | |
| A.7.13 | Equipment maintenance | ? Unknown | |
| A.7.14 | Secure disposal or re-use of equipment | ? Unknown | |
| A8 | Technological controls | | |
| A.8.1 | User end point devices | ? Unknown | |
| A.8.2 | Privileged access rights | ? Unknown | |
| A.8.3 | Information access restriction | ? Unknown | |
| A.8.4 | Access to source code | ? Unknown | |
| A.8.5 | Secure authentication | ? Unknown | |
| A.8.6 | Capacity management | ? Unknown | |
| A.8.7 | Protection against malware | ? Unknown | |
| A.8.8 | Management of technical vulnerabilities | ? Unknown | |
| A.8.9 | Configuration management | ? Unknown | |
| A.8.10 | Information deletion | ? Unknown | |
| A.8.11 | Data masking | ? Unknown | |
| A.8.12 | Data leakage prevention | ? Unknown | |
| A.8.13 | Information backup | ? Unknown | |
| A.8.14 | Redundancy of information processing facilities | ? Unknown | |
| A.8.15 | Logging | ? Unknown | |
| A.8.16 | Monitoring activities | ? Unknown | |
| A.8.17 | Clock synchronization | ? Unknown | |
| A.8.18 | Use of privileged utility programs | ? Unknown | |
| A.8.19 | Installation of software on operational systems | ? Unknown | |
| A.8.20 | Networks security | ? Unknown | |
| A.8.21 | Security of network services | ? Unknown | |
| A.8.22 | Segregation of networks | ? Unknown | |
| A.8.23 | Web filtering | ? Unknown | |
| A.8.24 | Use of cryptography | ? Unknown | |
| A.8.25 | Secure development life cycle | ? Unknown | |
| A.8.26 | Application security requirements | ? Unknown | |
| A.8.27 | Secure system architecture and engineering principles | ? Unknown | |
| A.8.28 | Secure coding | ? Unknown | |
| A.8.29 | Security testing in development and acceptance | ? Unknown | |
| A.8.30 | Outsourced development | ? Unknown | |
| A.8.31 | Separation of development, test and production environments | ? Unknown | |
| A.8.32 | Change management | ? Unknown | |
| A.8.33 | Test information | ? Unknown | |
| A.8.34 | Protection of information systems during audit testing | ? Unknown | |

Number of controls: 93
| Status | Meaning | Proportion of ISMS requirements | Proportion of information security controls |
|---|---|---|---|
| ? Unknown | Has not even been checked yet | 0% | 92% |

ISMS implementation status (chart legend; status categories in maturity order: ? Unknown, Nonexistent, Initial, Limited, Defined, Managed, Optimized, Not applicable)