ISO 27001 FBR CHECKLIST

ISO 27001 CONTROL | ISO 27001 IMPLEMENTATION PHASES / TASKS | IN COMPLIANCE? (NO / YES / UNKNOWN) | NOTES

5 Registration and Compliance

5.1 Taxpayer Registration

5.1.1 Policies for Tax Payer Registration | 4.1.2.5 - Verify taxpayer registration accuracy; 4.6.6 - Assess the completeness of supporting documentation; 4.6.5 - Confirm the authenticity of invoices and receipts; 4.5.4 - Ensure proper record-keeping practices. | |
6 Financial Records

6.1 Information security roles and responsibilities

6.1.1 Roles and responsibilities | Security roles and responsibilities defined? | |
6.1.2 Segregation of duties | Segregation of duties defined? | |
6.1.3 Contact with authorities | Verification body / authority contacted for compliance verification? | |
6.1.4 Contact with special interest groups | Establish contact with special interest groups regarding compliance? | |
6.1.5 Information security in project management | Evidence of information security in project management? | |

6.2

6.2.1 Mobile device policy | Defined policy for mobile devices? | |
6.2.2 Teleworking | Defined policy for working remotely? | |
7 Tax Payments:

7.1 Prior to employment

7.1.1 Screening | Defined policy for screening employees prior to employment? | |
7.1.2 Terms and conditions of employment | Defined policy for HR terms and conditions of employment? | |

7.2 During employment

7.2.1 Management responsibilities | Defined policy for management responsibilities? | |
7.2.2 Information security awareness, education, and training | Defined policy for information security awareness, education, and training? | |
7.2.3 Disciplinary process | Defined policy for disciplinary process regarding information security? | |

7.3 Termination and change of employment

7.3.1 Termination or change-of-employment responsibilities | Defined policy for HR termination or change-of-employment policy regarding information security? | |
8 Documentation

8.1 Responsibilities for assets

8.1.1 Inventory of assets | Complete inventory list of assets? | |
8.1.2 Ownership of assets | Complete ownership list of assets? | |
8.1.3 Acceptable use of assets | Defined acceptable use of assets policy? | |
8.1.4 Return of assets | Defined return of assets policy? | |

8.2 Information classification

8.2.1 Classification of information | Defined policy for classification of information? | |
8.2.2 Labeling of information | Defined policy for labeling of information? | |
8.2.3 Handling of assets | Defined policy for handling of assets? | |

8.3 Media handling

8.3.1 Management of removable media | Defined policy for management of removable media? | |
8.3.2 Disposal of media | Defined policy for disposal of media? | |
8.3.3 Physical media transfer | Defined policy for physical media transfer? | |

9 Internal control

9.1 Responsibilities for assets

9.1.1 Access control policy | Defined policy for access control? | |
9.1.2 Access to networks and network services | Defined policy for access to networks and network services? | |

9.2 Responsibilities for assets

9.2.1 User asset registration and de-registration | Defined policy for user asset registration and de-registration? | |
9.2.2 User access provisioning | Defined policy for user access provisioning? | |
9.2.3 Management of privileged access rights | Defined policy for management of privileged access rights? | |
9.2.4 Management of secret authentication information of users | Defined policy for management of secret authentication information of users? | |
9.2.5 Review of user access rights | Defined policy for review of user access rights? | |
9.2.6 Removal or adjustment of access rights | Defined policy for removal or adjustment of access rights? | |

9.3 User responsibilities

9.3.1 Use of secret authentication information | Defined policy for use of secret authentication information? | |

9.4 System and application access control

9.4.1 Information access restrictions | Defined policy for information access restrictions? | |
9.4.2 Secure log-in procedures | Defined policy for secure log-in procedures? | |
9.4.3 Password management systems | Defined policy for password management systems? | |
9.4.4 Use of privileged utility programs | Defined policy for use of privileged utility programs? | |
9.4.5 Access control to program source code | Defined policy for access control to program source code? | |

10 Risk Management

10.1 Cryptographic controls

10.1.1 Policy for the use of cryptographic controls | Defined policy for use of cryptographic controls? | |
10.1.2 Key management | Defined policy for key management? | |

11 Electronic Filing and Communication:

11.1 Secure areas

11.1.1 Physical security perimeter | Defined policy for physical security perimeter? | |
11.1.2 Physical entry controls | Defined policy for physical entry controls? | |
11.1.3 Securing offices, rooms, and facilities | Defined policy for securing offices, rooms, and facilities? | |
11.1.4 Protection against external and environmental threats | Defined policy for protection against external and environmental threats? | |
11.1.5 Working in secure areas | Defined policy for working in secure areas? | |
11.1.6 Delivery and loading areas | Defined policy for delivery and loading areas? | |

11.2 Equipment

11.2.1 Equipment siting and protection | Defined policy for equipment siting and protection? | |
11.2.2 Supporting utilities | Defined policy for supporting utilities? | |
11.2.3 Cabling security | Defined policy for cabling security? | |
11.2.4 Equipment maintenance | Defined policy for equipment maintenance? | |
11.2.5 Removal of assets | Defined policy for removal of assets? | |
11.2.6 Security of equipment and assets off-premises | Defined policy for security of equipment and assets off-premises? | |
11.2.7 Secure disposal or re-use of equipment | Secure disposal or re-use of equipment? | |
11.2.8 Unattended user equipment | Defined policy for unattended user equipment? | |
11.2.9 Clear desk and clear screen policy | Defined policy for clear desk and clear screen policy? | |

12 Employee Training

12.1 Operational procedures and responsibilities

12.1.1 Documented operating procedures | Defined policy for documented operating procedures? | |
12.1.2 Change management | Defined policy for change management? | |
12.1.3 Capacity management | Defined policy for capacity management? | |
12.1.4 Separation of development, testing, and operational environments | Defined policy for separation of development, testing, and operational environments? | |

12.2 Protection from malware

12.2.1 Controls against malware | Defined policy for controls against malware? | |

12.3 System backup

12.3.1 Backup | Defined policy for backing up systems? | |
12.3.2 Information Backup | Defined policy for information backup? | |

12.4 Logging and monitoring

12.4.1 Event logging | Defined policy for event logging? | |
12.4.2 Protection of log information | Defined policy for protection of log information? | |
12.4.3 Administrator and operator log | Defined policy for administrator and operator log? | |
12.4.4 Clock synchronization | Defined policy for clock synchronization? | |

12.5 Control of operational software

12.5.1 Installation of software on operational systems | Defined policy for installation of software on operational systems? | |

12.6 Technical vulnerability management

12.6.1 Management of technical vulnerabilities | Defined policy for management of technical vulnerabilities? | |
12.6.2 Restriction on software installation | Defined policy for restriction on software installation? | |

12.7 Information systems audit considerations

12.7.1 Information system audit control | Defined policy for information system audit control? | |

13 Communication security

13.1 Network security management

13.1.1 Network controls | Defined policy for network controls? | |
13.1.2 Security of network services | Defined policy for security of network services? | |
13.1.3 Segregation in networks | Defined policy for segregation in networks? | |

13.2 Information transfer

13.2.1 Information transfer policies and procedures | Defined policy for information transfer policies and procedures? | |
13.2.2 Agreements on information transfer | Defined policy for agreements on information transfer? | |
13.2.3 Electronic messaging | Defined policy for electronic messaging? | |
13.2.4 Confidentiality or non-disclosure agreements | Defined policy for confidentiality or non-disclosure agreements? | |
13.2.5 System acquisition, development, and maintenance | Defined policy for system acquisition, development, and maintenance? | |

14 System acquisition, development, and maintenance

14.1 Security requirements of information systems

14.1.1 Information security requirements analysis and specification | Defined policy for information security requirements analysis and specification? | |
14.1.2 Securing application services on public networks | Defined policy for securing application services on public networks? | |
14.1.3 Protecting application service transactions | Defined policy for protecting application service transactions? | |

14.2 Security in development and support processes

14.2.1 In-house development | Defined policy for in-house development? | |

15 Supplier relationships

15.1.1 Supplier relationships | Defined policy for supplier relationships? | |

16 Information security incident management

16.1.1 Information security management | Defined policy for information security management? | |

17 Information security aspects of business continuity management

17.1 Information security continuity

17.1.1 Information security continuity | Defined policy for information security continuity? | |

17.2 Redundancies

17.2.1 Redundancies | Defined policy for redundancies? | |

18 Compliance

18.1 Compliance with legal and contractual requirements

18.1.1 Identification of applicable legislation and contractual requirement | Defined policy for identification of applicable legislation and contractual requirement? | |
18.1.2 Intellectual property rights | Defined policy for intellectual property rights? | |
18.1.3 Protection of records | Defined policy for protection of records? | |
18.1.4 Privacy and protection of personally identifiable information | Defined policy for privacy and protection of personally identifiable information? | |
18.1.5 Regulation of cryptographic control | Defined policy for regulation of cryptographic control? | |

18.1 Independent review of information security

18.1.1 Compliance with security policies and standards | Defined policy for compliance with security policies and standards? | |
18.1.2 Technical compliance review | Defined policy for technical compliance review? | |

DISCLAIMER

Any articles, templates, or information provided by Smartsheet on the website are for reference only. While we strive
to keep the information up to date and correct, we make no representations or warranties of any kind, express or
implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the website or the
information, articles, templates, or related graphics contained on the website. Any reliance you place on such
information is therefore strictly at your own risk.
