Introduction
This spreadsheet is used to record and track the status of your organization as you implement the mandatory an
The main body of ISO/IEC 27001 formally specifies a number of mandatory requirements that must be fulfilled i
rather than the information risks and the security controls being managed. For example, the standard require
and procedures defined in the ISMS. The standard does not mandate specific information security controls: the
However, Annex A to '27001 outlines a suite of information security controls that the management system wou
much more detail in ISO/IEC 27002:2022, and in various other standards, laws, regulations etc.

Instructions

1. Design and implement an ISMS complying with all the mandatory elements specified in the main body of ISO
2. Identify and assess the information security risks facing those parts of the organization that are declared in s
constrained by Annex A! Adapt the sheet, modifying the wording and adding-in additional rows if you determin
point.
3. Systematically check and record the status of your security risks and controls, updating the status column of
4. Once your ISMS is operating normally, the metrics are looking good and you have amassed sufficient evidenc
requirements, and that your in-scope information security risks are being identified, treated and monitored acc
periodically reviewed/audited.

Document history and acknowledgements


Bala Ramanan donated the original ISO/IEC 27001:2005 version of the 27001 requirements worksheet. Joel Co
Ed Hodgson updated the workbook for ISO/IEC 27001:2013. Gary Hinson fiddled with the wording and formatti
Christian Breitenstrom updated the workbook to reflect ISO/IEC 27001:2022 and ISO/IEC 27002:2022. Gary tidi

Copyright
This work is copyright © 2022, ISO27k Forum, some rights reserved.  It is licensed under the Creative Commons
incorporated into a commercial product, (b) it is properly attributed to the ISO27k Forum at www.ISO27001secu
Note: you need licensed copies of both ISO/IEC 27001 and 27002 to make much sense of this, and other ISO27
may not entirely fulfill their meaning or intent. The definitive references are the ISO27k standards, not this wor
Please visit ISO27001security.com for further advice and guidance on the ISO27k standards, including the ISO27
Status of ISO/IEC 27001 implementation

| Section | ISO/IEC 27001 requirement | Status | Notes |
|---|---|---|---|
| 4 | Context of the organisation | | |
| 4.1 | Organisational context | | |
| 4.1 | Determine the organization's ISMS objectives and any issues that might affect its effectiveness | Initial | |
| 4.2 | Interested parties | | |
| 4.2 (a) | Identify interested parties including applicable laws, regulations, contracts etc. | Limited | |
| 4.2 (b) | Determine their information security-relevant requirements and obligations | Initial | |
| 4.3 | ISMS scope | | |
| 4.3 | Determine and document the ISMS scope | Limited | |
| 4.4 | ISMS | | |
| 4.4 | Establish, implement, maintain and continually improve an ISMS according to the standard! | Nonexistent | |
| 5 | Leadership | | |
| 5.1 | Leadership & commitment | | |
| 5.1 | Top management must demonstrate leadership & commitment to the ISMS | Defined | |
| 5.2 | Policy | | |
| 5.2 | Establish the information security policy | Nonexistent | |
| 5.3 | Organizational roles, responsibilities & authorities | | |
| 5.3 | Assign and communicate information security rôles & responsibilities | Not applicable | |
| 6 | Planning | | |
| 6.1 | Actions to address risks & opportunities | | |
| 6.1.1 | Design/plan the ISMS to satisfy the requirements, addressing risks & opportunities | Initial | |
| 6.1.2 | Define and apply an information security risk assessment process | Initial | |
| 6.1.3 | Document and apply an information security risk treatment process | Initial | |
| 6.2 | Information security objectives & plans | | |
| 6.2 | Establish and document the information security objectives and plans | Initial | |
| 6.3 | Planning of changes | | |
| 6.3 | Substantial changes to the ISMS shall be carried out in a planned manner | Initial | New for 2022 |
| 7 | Support | | |
| 7.1 | Resources | | |
| 7.1 | Determine and allocate necessary resources for the ISMS | Initial | |
| 7.2 | Competence | | |
| 7.2 | Determine, document and make available necessary competences | Initial | |
| 7.3 | Awareness | | |
| 7.3 | Establish a security awareness program | Initial | |
| 7.4 | Communication | | |
| 7.4 | Determine the need for internal and external communications relevant to the ISMS | Initial | |
| 7.5 | Documented information | | |
| 7.5.1 | Provide documentation required by the standard plus that required by the organization | Initial | |
| 7.5.2 | Provide document titles, authors etc., format them consistently, and review & approve them | Initial | |
| 7.5.3 | Control the documentation properly | Initial | |
| 8 | Operation | | |
| 8.1 | Operational planning and control | | |
| 8.1 | Plan, implement, control & document ISMS processes to manage risks (i.e. a risk treatment plan) | Initial | |
| 8.2 | Information security risk assessment | | |
| 8.2 | (Re)assess & document information security risks regularly & on changes | Initial | |
| 8.3 | Information security risk treatment | | |
| 8.3 | Implement the risk treatment plan (treat the risks!) and document the results | Initial | |
| 9 | Performance evaluation | | |
| 9.1 | Monitoring, measurement, analysis and evaluation | | |
| 9.1 | Monitor, measure, analyze and evaluate the ISMS and the controls | Initial | |
| 9.2 | Internal audit | | |
| 9.2 | Plan & conduct internal audits of the ISMS | Initial | |
| 9.3 | Management review | | |
| 9.3 | Undertake regular management reviews of the ISMS | Initial | |
| 10 | Improvement | | |
| 10.1 | Continual improvement | | |
| 10.1 | Continually improve the ISMS | Initial | |
| 10.2 | Nonconformity and corrective action | | |
| 10.2 | Identify, fix and take action to prevent recurrence of nonconformities, documenting the actions | Initial | |

Number of requirements: 28

01/09/2023 Page2 of 5
Statement of Applicability and status of information security controls

| Section | Information security control | Status | Notes |
|---|---|---|---|
| A5 | Organizational controls | | |
| A.5.1 | Policies for information security | ? Unknown | |
| A.5.2 | Information security roles and responsibilities | ? Unknown | |
| A.5.3 | Segregation of duties | ? Unknown | |
| A.5.4 | Management responsibilities | ? Unknown | |
| A.5.5 | Contact with authorities | ? Unknown | |
| A.5.6 | Contact with special interest groups | ? Unknown | |
| A.5.7 | Threat intelligence | ? Unknown | |
| A.5.8 | Information security in project management | ? Unknown | |
| A.5.9 | Inventory of information and other associated assets | ? Unknown | |
| A.5.10 | Acceptable use of information and other associated assets | ? Unknown | |
| A.5.11 | Return of assets | ? Unknown | |
| A.5.12 | Classification of information | ? Unknown | |
| A.5.13 | Labelling of information | ? Unknown | |
| A.5.14 | Information transfer | ? Unknown | |
| A.5.15 | Access control | ? Unknown | |
| A.5.16 | Identity management | ? Unknown | |
| A.5.17 | Authentication information | ? Unknown | |
| A.5.18 | Access rights | ? Unknown | |
| A.5.19 | Information security in supplier relationships | ? Unknown | |
| A.5.20 | Addressing information security within supplier agreements | ? Unknown | |
| A.5.21 | Managing information security in the information and communication technology (ICT) supply-chain | ? Unknown | |
| A.5.22 | Monitoring, review and change management of supplier services | ? Unknown | |
| A.5.23 | Information security for use of cloud services | ? Unknown | |
| A.5.24 | Information security incident management planning and preparation | ? Unknown | |
| A.5.25 | Assessment and decision on information security events | ? Unknown | |
| A.5.26 | Response to information security incidents | ? Unknown | |
| A.5.27 | Learning from information security incidents | ? Unknown | |
| A.5.28 | Collection of evidence | ? Unknown | |
| A.5.29 | Information security during disruption | ? Unknown | |
| A.5.30 | ICT readiness for business continuity | ? Unknown | |
| A.5.31 | Legal, statutory, regulatory and contractual requirements | ? Unknown | |
| A.5.32 | Intellectual property rights | ? Unknown | |
| A.5.33 | Protection of records | ? Unknown | |
| A.5.34 | Privacy and protection of personal identifiable information (PII) | ? Unknown | |
| A.5.35 | Independent review of information security | ? Unknown | |
| A.5.36 | Compliance with policies, rules and standards for information security | ? Unknown | |
| A.5.37 | Documented operating procedures | ? Unknown | |
| A6 | People controls | | |
| A.6.1 | Screening | ? Unknown | |
| A.6.2 | Terms and conditions of employment | Nonexistent | |
| A.6.3 | Information security awareness, education and training | Initial | |
| A.6.4 | Disciplinary process | Limited | |
| A.6.5 | Responsibilities after termination or change of employment | Defined | |
| A.6.6 | Confidentiality or non-disclosure agreements | Managed | |
| A.6.7 | Remote working | Optimized | |
| A.6.8 | Information security event reporting | Not applicable | |
| A7 | Physical controls | | |
| A.7.1 | Physical security perimeters | ? Unknown | |
| A.7.2 | Physical entry | ? Unknown | |
| A.7.3 | Securing offices, rooms and facilities | ? Unknown | |
| A.7.4 | Physical security monitoring | ? Unknown | |
| A.7.5 | Protecting against physical and environmental threats | ? Unknown | |
| A.7.6 | Working in secure areas | ? Unknown | |
| A.7.7 | Clear desk and clear screen | ? Unknown | |
| A.7.8 | Equipment siting and protection | ? Unknown | |
| A.7.9 | Security of assets off-premises | ? Unknown | |
| A.7.10 | Storage media | ? Unknown | |
| A.7.11 | Supporting utilities | ? Unknown | |
| A.7.12 | Cabling security | ? Unknown | |
| A.7.13 | Equipment maintenance | ? Unknown | |
| A.7.14 | Secure disposal or re-use of equipment | ? Unknown | |
| A8 | Technological controls | | |
| A.8.1 | User end point devices | ? Unknown | |
| A.8.2 | Privileged access rights | ? Unknown | |
| A.8.3 | Information access restriction | ? Unknown | |
| A.8.4 | Access to source code | ? Unknown | |
| A.8.5 | Secure authentication | ? Unknown | |
| A.8.6 | Capacity management | ? Unknown | |
| A.8.7 | Protection against malware | ? Unknown | |
| A.8.8 | Management of technical vulnerabilities | ? Unknown | |
| A.8.9 | Configuration management | ? Unknown | |
| A.8.10 | Information deletion | ? Unknown | |
| A.8.11 | Data masking | ? Unknown | |
| A.8.12 | Data leakage prevention | ? Unknown | |
| A.8.13 | Information backup | ? Unknown | |
| A.8.14 | Redundancy of information processing facilities | ? Unknown | |
| A.8.15 | Logging | ? Unknown | |
| A.8.16 | Monitoring activities | ? Unknown | |
| A.8.17 | Clock synchronization | ? Unknown | |
| A.8.18 | Use of privileged utility programs | ? Unknown | |
| A.8.19 | Installation of software on operational systems | ? Unknown | |
| A.8.20 | Networks security | ? Unknown | |
| A.8.21 | Security of network services | ? Unknown | |
| A.8.22 | Segregation of networks | ? Unknown | |
| A.8.23 | Web filtering | ? Unknown | |
| A.8.24 | Use of cryptography | ? Unknown | |
| A.8.25 | Secure development life cycle | ? Unknown | |
| A.8.26 | Application security requirements | ? Unknown | |
| A.8.27 | Secure system architecture and engineering principles | ? Unknown | |
| A.8.28 | Secure coding | ? Unknown | |
| A.8.29 | Security testing in development and acceptance | ? Unknown | |
| A.8.30 | Outsourced development | ? Unknown | |
| A.8.31 | Separation of development, test and production environments | ? Unknown | |
| A.8.32 | Change management | ? Unknown | |
| A.8.33 | Test information | ? Unknown | |
| A.8.34 | Protection of information systems during audit testing | ? Unknown | |

Number of controls: 93

| Status | Meaning | Proportion of ISMS requirements | Proportion of information security controls |
|---|---|---|---|
| ? Unknown | Has not even been checked yet | 0% | 92% |
| Nonexistent | Complete lack of recognizable policy, procedure, control etc. | 7% | 1% |
| Initial | Development has barely started and will require significant work to fulfill the requirements | 79% | 1% |
| Limited | Progressing nicely but not yet complete | 7% | 1% |
| Defined | Development is more or less complete although detail is lacking and/or it is not yet implemented, enforced and actively supported by top management | 4% | 1% |
| Managed | Development is complete, the process/control has been implemented and recently started operating | 0% | 1% |
| Optimized | The requirement is fully satisfied, is operating fully as expected, is being actively monitored and improved, and there is substantial evidence to prove all that to the auditors | 0% | 1% |
| Not applicable | ALL requirements in the main body of ISO/IEC 27001 are mandatory IF your ISMS is to be certified. Otherwise, management can ignore them. | 4% | 1% |
| Total | | 100% | 100% |

[Pie chart: ISMS implementation status, one slice per status (? Unknown, Nonexistent, Initial, Limited, Defined, Managed, Optimized, Not applicable)]

[Pie chart: Infosec controls status, one slice per status (? Unknown, Nonexistent, Initial, Limited, Defined, Managed, Optimized, Not applicable)]
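To show how the summary proportions are derived from the two status worksheets, here is an added example; it is not part of the ISO27k Forum workbook. It parses rows in the worksheet's flattened "section, text, status" form, rolls the statuses up into whole-number percentages, and lists the main-body requirements that would block certification (the legend says every main-body requirement is mandatory for certification, so "Not applicable" is treated as a blocker). The status vocabulary and the counts (28 requirements, 93 controls) come from the page; the function names, the sample rows and the one row altered to "Managed" are my own constructions.

```python
"""Roll up ISMS requirement and control statuses into the worksheet's summary.

Added example, not part of the ISO27k Forum workbook. The status vocabulary
and the row layout (section, text, status) follow the worksheet; the
function names and sample rows are constructed for this illustration.
"""
import math
from collections import Counter

# The status scale exactly as the worksheet's legend lists it, in order.
STATUSES = ["? Unknown", "Nonexistent", "Initial", "Limited", "Defined",
            "Managed", "Optimized", "Not applicable"]

# Statuses an auditor would accept as "in place" for a main-body requirement.
# The legend states that ALL main-body requirements are mandatory for
# certification, so "Not applicable" is deliberately not accepted here.
ACCEPTABLE_FOR_CERTIFICATION = {"Managed", "Optimized"}


def parse_row(line):
    """Split one flattened row 'SECTION TEXT STATUS' into (section, text, status).

    Statuses are matched longest-first at the end of the line so that the
    two-word values '? Unknown' and 'Not applicable' are recognised.
    """
    line = line.strip()
    for status in sorted(STATUSES, key=len, reverse=True):
        if line.endswith(" " + status):
            head = line[: -len(status)].rstrip()
            section, _, text = head.partition(" ")
            return section, text, status
    raise ValueError(f"no recognised status at end of row: {line!r}")


def roll_up(statuses):
    """Return {status: whole-number percentage}, rounded half-up like the sheet."""
    counts = Counter(statuses)
    total = len(statuses)
    return {s: math.floor(counts[s] * 100 / total + 0.5) for s in STATUSES}


def certification_blockers(rows):
    """Sections (from parsed rows) whose status is not acceptable for certification."""
    return [section for section, _, status in rows
            if status not in ACCEPTABLE_FOR_CERTIFICATION]


# Status columns as they stand on this page: 28 main-body requirements
# (clauses 4.1 to 10.2 in order) and 93 Annex A controls.
REQUIREMENT_STATUSES = (["Initial", "Limited", "Initial", "Limited", "Nonexistent",
                         "Defined", "Nonexistent", "Not applicable"]
                        + ["Initial"] * 20)
CONTROL_STATUSES = (["? Unknown"] * 86
                    + ["Nonexistent", "Initial", "Limited", "Defined",
                       "Managed", "Optimized", "Not applicable"])

# Constructed sample rows in the worksheet's flattened form. The first three
# are taken from the page; the 7.3 row is altered to "Managed" (it is
# "Initial" on the page) so that one row passes the certification check.
SAMPLE_REQUIREMENT_ROWS = [
    "5.1 Top management must demonstrate leadership & commitment to the ISMS Defined",
    "5.3 Assign and communicate information security roles & responsibilities Not applicable",
    "6.3 Substantial changes to the ISMS shall be carried out in a planned manner Initial",
    "7.3 Establish a security awareness program Managed",
]


def main():
    assert len(REQUIREMENT_STATUSES) == 28 and len(CONTROL_STATUSES) == 93
    req, ctl = roll_up(REQUIREMENT_STATUSES), roll_up(CONTROL_STATUSES)
    print(f"{'Status':<15}{'ISMS reqs':>10}{'Controls':>10}")
    for s in STATUSES:
        print(f"{s:<15}{req[s]:>9}%{ctl[s]:>9}%")
    # Rounded percentages need not sum to 100; the Total row comes from counts.
    print(f"{'sum of rounded':<15}{sum(req.values()):>9}%{sum(ctl.values()):>9}%")
    rows = [parse_row(r) for r in SAMPLE_REQUIREMENT_ROWS]
    print("certification blockers:", certification_blockers(rows))


if __name__ == "__main__":
    main()
```

Run as a script it reproduces the two proportion columns above (79% Initial, 92% Unknown, and so on). Note that the rounded percentages add up to 101% for the requirements and 99% for the controls; the worksheet's 100% Total row is computed from the counts, not by summing the rounded cells, which is the right way to do it in your own copy too.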
