ADDRESS OF CLIENT:
SCOPE OF ACTIVITIES:
Standard(s):
Date of visit:
Type of visit (Stage 1, Stage 2, surveillance, re-assessment):
Total employees within organisation:
Total time on site (man-days):
SUMMARY OF SYSTEM CHANGES SINCE LAST VISIT (or status of system if initial assessment)
CONFIRMED EXCLUSIONS
SYSTEM EFFECTIVENESS
POSITIVE COMMENTS
ASSESSMENT MATRIX
Control ID | Control Name | Question | Applicability | Matrix
5 Security policy
5.1 Information security policy
5.1.1 | Information security policy document | A.5.1.1 Is a security policy document approved by management, published and communicated to all employees and relevant external parties? | |
5.1.2 | Review of the information security policy | A.5.1.2 Is the published policy reviewed at planned intervals or if significant changes have occurred to ensure its continuing suitability, adequacy, and effectiveness? | |
7 Asset Management
| | developed and implemented to protect information associated with the interconnection of business information systems? | |
10.9 E-commerce services
10.9.1 | Electronic commerce | A.10.9.1 Is information involved in electronic commerce passing over public networks protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification? | |
10.9.2 | On-line transactions | A.10.9.2 Is information involved in on-line transactions protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay? | |
10.9.3 | Publicly available information | A.10.9.3 Is the integrity of information being made available on a publicly available system protected to prevent unauthorized modification? | |
10.10 Monitoring
10.10.1 | Audit logging | A.10.10.1 Has the organisation produced audit logs that record user activities, exceptions, and information security events, and are they kept for an agreed period to assist in future investigations and access control monitoring? | |
10.10.2 | Monitoring system use | A.10.10.2 Have procedures been established for monitoring the use of information processing facilities, and are the results of the monitoring activities reviewed regularly? | |
10.10.3 | Protection of log information | A.10.10.3 Are logging facilities and log information protected against tampering and unauthorised access? | |
10.10.4 | Administrator and operator logs | A.10.10.4 Is there a process in place to ensure that system administrator and system operator activities are logged? | |
10.10.5 | Fault logging | A.10.10.5 Is there a process in place that ensures that faults are logged, analysed and appropriate action taken? | |
10.10.6 | Clock synchronisation | A.10.10.6 Are the clocks of all relevant information processing systems within an organization or security domain synchronized with an agreed accurate time source? | |
11 Access Control
11.1 Business requirements for access control
11.1.1 | Access control policy | A.11.1.1 Has an access control policy been established, documented, and reviewed based on business and security requirements for access? | |
11.2 User access management
11.2.1 | User registration | A.11.2.1 Is there a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services? | |
11.2.2 | Privilege management | A.11.2.2 Are the allocation and use of privileges restricted and controlled? | |
11.2.3 | User password management | A.11.2.3 Is the allocation of passwords controlled through a formal management process? | |
11.2.4 | Review of user access rights | A.11.2.4 Is there a formal process in place which allows Management to review users’ access rights at regular intervals? | |
11.3 User responsibilities
11.3.1 | Password use | A.11.3.1 Is there a process in place that ensures users follow good security practices in the selection and use of passwords? | |
11.3.2 | Unattended user equipment | A.11.3.2 Is there a process in place which ensures users are aware that unattended equipment has appropriate protection? | |
11.3.3 | Clear desk and clear screen policy | A.11.3.3 Has a clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities been adopted? | |
11.4 Network access control
11.4.1 | Policy on use of network services | A.11.4.1 Is there a process in place to ensure that users shall only be provided with access to the services that they have been specifically authorized to use? | |
11.4.2 | User authentication for external connections | A.11.4.2 Is there a process in place to ensure that appropriate authentication methods shall be used to control access by remote users? | |
11.4.3 | Equipment identification in networks | A.11.4.3 Is there a process in place to support automatic equipment identification being considered as a means to authenticate connections from specific locations and equipment? | |
11.4.4 | Remote diagnostic and configuration port protection | A.11.4.4 Is physical and logical access to diagnostic and configuration ports controlled? | |
11.4.5 | Segregation in networks | A.11.4.5 Are groups of information services, users, and information systems segregated on networks? | |
11.4.6 | Network connection control | A.11.4.6 Is the capability of users to connect to the network restricted for shared networks, especially those extending across the organization’s boundaries, in line with the access control policy and requirements of the business applications (see 11.1)? | |
11.4.7 | Network routing control | A.11.4.7 Are routing controls implemented for | |
12.5.5 | Outsourced software development | A.12.5.5 Is outsourced software development supervised and monitored by the organization? | |
15.3.2 | Protection of information system audit tools | A.15.3.2 Is access to information systems audit tools protected to prevent any possible misuse or compromise? | |
Site | NC | OFI