
MANAGEMENT SYSTEM AUDIT

SUMMARY REPORT No:

CLIENT NAME IN FULL

ADDRESS OF CLIENT

SCOPE OF ACTIVITIES

Standard(s):

Date of visit:
Type of visit (Stage 1, Stage 2, surveillance, re-assessment):
Total employees within organisation:
Total time on site (man-days):
SUMMARY OF SYSTEM CHANGES SINCE LAST VISIT
(Or status of system if initial assessment)

Assessment Representative(s) Client Representatives

Lead Auditor on behalf of LMS On behalf of Organisation


Please note: This report remains the property of LMS Certifications Pvt. Ltd. (LMS)
and must not be distributed without the permission of the client or LMS. All
findings are strictly confidential and will not be released to any other third party.

08_ Assessment Summary Report _Rev 04 Dated 11/12/2011



ASSESSMENT SUMMARY (including reference to any sites visited)

CONFIRMED EXCLUSIONS

RECOMMENDATIONS AND FOLLOW UP ACTION

SYSTEM EFFECTIVENESS

POSITIVE COMMENTS


ASSESSMENT MATRIX

Columns: Control ID | Control Name | Question | Question Applicability Matrix (blank in the template)

5 Security policy

5.1 Information security policy

5.1.1  Information security policy document
       A.5.1.1 Is a security policy document, approved by management, published and communicated to all employees and relevant external parties?

5.1.2  Review of the information security policy
       A.5.1.2 Is the published policy reviewed at planned intervals or if significant changes have occurred to ensure its continuing suitability, adequacy, and effectiveness?

6 Organization of information security

6.1 Internal Organization

6.1.1  Management commitment to information security
       A.6.1.1 Is a management forum in place to ensure that Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities?

6.1.2  Information security coordination
       A.6.1.2 Are information security activities coordinated by representatives from different parts of the organization with relevant roles and job functions?

6.1.3  Allocation of information security responsibilities
       A.6.1.3 Are all information security responsibilities clearly defined?

6.1.4  Authorization process for information processing facilities
       A.6.1.4 Is there a defined management authorization process for new information processing facilities?

6.1.5  Confidentiality agreements
       A.6.1.5 Are the requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information identified and regularly reviewed?

6.1.6  Contact with authorities
       A.6.1.6 Does your organization maintain appropriate contacts with relevant authorities?

6.1.7  Contact with special interest groups
       A.6.1.7 Are appropriate contacts with special interest groups or other specialist security forums and professional associations maintained?

6.1.8  Independent review of information security
       A.6.1.8 Is the organisation’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) reviewed independently at planned intervals, or when significant changes to the security implementation occur?

6.2 External Parties

6.2.1  Identification of risks related to external parties
       A.6.2.1 Have the risks to the organization’s information and information processing facilities from business processes involving external parties been identified and appropriate controls implemented before granting access?

6.2.2  Addressing security when dealing with customers
       A.6.2.2 Have all identified security requirements been addressed before giving customers access to the organization’s information or assets?

6.2.3  Addressing security in third party agreements
       A.6.2.3 Do agreements with third parties involving accessing, processing, communicating or managing the organization’s information or information processing facilities, or adding products or services to information processing facilities, cover all relevant security requirements?

7 Asset Management

7.1 Responsibility for Assets

7.1.1  Inventory of Assets
       A.7.1.1 Are all assets clearly identified and an inventory of all important assets drawn up and maintained?

7.1.2  Ownership of assets
       A.7.1.2 Are all information and assets associated with information processing facilities owned by a designated part of the organisation?

7.1.3  Acceptable use of assets
       A.7.1.3 Have rules for the acceptable use of information and assets associated with information processing facilities been identified, documented and implemented?

7.2 Information classification

7.2.1  Classification guidelines
       A.7.2.1 Has information been classified in terms of its value, legal requirements, sensitivity and criticality to the organization?

7.2.2  Information labeling and handling
       A.7.2.2 Has an appropriate set of procedures for information labeling and handling been developed and implemented in accordance with the classification scheme adopted by the organization?

8 Human Resources Security

8.1 Prior to employment

8.1.1  Roles and responsibilities
       A.8.1.1 Have security roles and responsibilities of employees, contractors and third party users been defined and documented in accordance with the organisation’s information security policy?

8.1.2  Screening
       A.8.1.2 Have background verification checks on all candidates for employment, contractors, and third party users been carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks?

8.1.3  Terms and conditions of employment
       A.8.1.3 As part of their contractual obligation, have all employees, contractors and third party users agreed and signed the terms and conditions of their employment contract, which state their and the organization’s responsibilities for information security?

8.2 During employment

8.2.1  Management responsibilities
       A.8.2.1 Is there a process in place that shows Management ensures employees, contractors and third party users apply security in accordance with established policies and procedures of the organization?

8.2.2  Information security awareness, education and training
       A.8.2.2 Do all employees of the organization and, where relevant, contractors and third party users receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function?

8.2.3  Disciplinary process
       A.8.2.3 Is there a formal disciplinary process for employees who have committed a security breach?

8.3 Termination or change of employment

8.3.1  Termination responsibilities
       A.8.3.1 Are responsibilities for performing employment termination or change of employment clearly defined and assigned?

8.3.2  Return of assets
       A.8.3.2 Is there a process in place to ensure that all employees, contractors and third party users return all of the organization’s assets in their possession upon termination of their employment, contract or agreement?

8.3.3  Removal of access rights
       A.8.3.3 Is there a process in place that ensures the access rights of all employees, contractors and third party users to information and information processing facilities have been removed upon termination of their employment, contract or agreement, or adjusted upon change?

9 Physical and Environmental Security

9.1 Secure Areas

9.1.1  Physical security perimeter
       A.9.1.1 Are security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) used to protect areas that contain information and information processing facilities?

9.1.2  Physical entry controls
       A.9.1.2 Are secure areas protected by appropriate entry controls to ensure that only authorized personnel are allowed access?

9.1.3  Securing offices, rooms and facilities
       A.9.1.3 Has physical security for offices, rooms, and facilities been designed and applied?

9.1.4  Protecting against external and environmental attacks
       A.9.1.4 Has physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster been designed and applied?

9.1.5  Working in secure areas
       A.9.1.5 Have physical protection and guidelines for working in secure areas been designed and applied?

9.1.6  Public access, delivery and loading areas
       A.9.1.6 Are access points such as delivery and loading areas and other points where unauthorized persons may enter the premises controlled and, if possible, isolated from information processing facilities to avoid unauthorized access?

9.2 Equipment security

9.2.1  Equipment siting and protection
       A.9.2.1 Is equipment sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access?

9.2.2  Supporting utilities
       A.9.2.2 Is equipment protected from power failures and other disruptions caused by failures in supporting utilities?

9.2.3  Cabling Security
       A.9.2.3 Is power and telecommunications cabling carrying data or supporting information services protected from interception or damage?

9.2.4  Equipment maintenance
       A.9.2.4 Is equipment correctly maintained to ensure its continued availability and integrity?

9.2.5  Security of equipment off-premises
       A.9.2.5 Has security been applied to off-site equipment, and have the different risks of working outside the organization’s premises been taken into account?

9.2.6  Secure disposal or re-use of equipment
       A.9.2.6 Have all items of equipment containing storage media been checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal?

9.2.7  Removal of property
       A.9.2.7 Is there a process in place to ensure that equipment, information or software shall not be taken off-site without prior authorization?

10 Communications and Operations Management

10.1 Operational procedures and responsibilities

10.1.1  Documented operating procedures
        A.10.1.1 Are operating procedures documented, maintained, and made available to all users who need them?

10.1.2  Change management
        A.10.1.2 Are changes to information processing facilities and systems controlled?

10.1.3  Segregation of duties
        A.10.1.3 Are duties and areas of responsibility segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets?

10.1.4  Separation of development, test and operational facilities
        A.10.1.4 Are development, test and operational facilities separated to reduce the risks of unauthorised access or changes to the operational system?

10.2 Third party service delivery management

10.2.1  Service delivery
        A.10.2.1 Is there a process in place that ensures that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party?

10.2.2  Monitoring and review of third party services
        A.10.2.2 Are the services, reports and records provided by the third party regularly monitored and reviewed, and audits carried out regularly?

10.2.3  Managing changes to third party services
        A.10.2.3 Are changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, managed, taking account of the criticality of business systems and processes involved and re-assessment of risks?

10.3 System planning and acceptance

10.3.1  Capacity management
        A.10.3.1 Is there a process in place that ensures that the use of resources is monitored, tuned, and projections made of future capacity requirements to ensure the required system performance?

10.3.2  System acceptance
        A.10.3.2 Have acceptance criteria for new information systems, upgrades, and new versions been established and suitable tests of the system(s) carried out during development and prior to acceptance?

10.4 Protection against malicious and mobile code

10.4.1  Controls against malicious code
        A.10.4.1 Have detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures been implemented?

10.4.2  Controls against mobile code
        A.10.4.2 Where the use of mobile code is authorized, does the configuration ensure that the authorized mobile code operates according to a clearly defined security policy, and that unauthorized mobile code is prevented from executing?

10.5 Back-up

10.5.1  Information back-up
        A.10.5.1 Is there a process in place to ensure that back-up copies of information and software are taken and tested regularly in accordance with the agreed backup policy?

10.6 Network security management

10.6.1  Network controls
        A.10.6.1 Are networks adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit?

10.6.2  Security of network services
        A.10.6.2 Have security features, service levels, and management requirements of all network services been identified and included in any network services agreement, whether these services are provided in-house or outsourced?

10.7 Media handling

10.7.1  Management of removable media
        A.10.7.1 Are there procedures in place for the management of removable media?

10.7.2  Disposal of media
        A.10.7.2 Is media disposed of securely and safely when no longer required, using formal procedures?

10.7.3  Information handling procedures
        A.10.7.3 Are there procedures established for the handling and storage of information to protect this information from unauthorized disclosure or misuse?

10.7.4  Security of system documentation
        A.10.7.4 Is system documentation protected against unauthorized access?

10.8 Exchange of information

10.8.1  Information exchange policies and procedures
        A.10.8.1 Are there formal exchange policies, procedures, and controls in place to protect the exchange of information through the use of all types of communication facilities?

10.8.2  Exchange agreements
        A.10.8.2 Have agreements been established for the exchange of information and software between the organization and external parties?

10.8.3  Physical media in transit
        A.10.8.3 Is media containing information protected against unauthorized access, misuse or corruption during transportation beyond an organization’s physical boundaries?

10.8.4  Electronic messaging
        A.10.8.4 Is information involved in electronic messaging appropriately protected?

10.8.5  Business information systems
        A.10.8.5 Have policies and procedures been developed and implemented to protect information associated with the interconnection of business information systems?

10.9 E-commerce services

10.9.1  Electronic commerce
        A.10.9.1 Is information involved in electronic commerce passing over public networks protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification?

10.9.2  On-line transactions
        A.10.9.2 Is information involved in on-line transactions protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication or replay?

10.9.3  Publicly available information
        A.10.9.3 Is the integrity of information being made available on a publicly available system protected to prevent unauthorized modification?

10.10 Monitoring

10.10.1  Audit logging
         A.10.10.1 Has the organisation produced audit logs that record user activities, exceptions, and information security events, and are they kept for an agreed period to assist in future investigations and access control monitoring?

10.10.2  Monitoring system use
         A.10.10.2 Have procedures been established for monitoring the use of information processing facilities, and are the results of the monitoring activities reviewed regularly?

10.10.3  Protection of log information
         A.10.10.3 Are logging facilities and log information protected against tampering and unauthorised access?

10.10.4  Administrator and operator logs
         A.10.10.4 Is there a process in place to ensure that system administrator and system operator activities are logged?

10.10.5  Fault logging
         A.10.10.5 Is there a process in place that ensures that faults are logged, analysed and appropriate action taken?

10.10.6  Clock synchronisation
         A.10.10.6 Are the clocks of all relevant information processing systems within an organization or security domain synchronized with an agreed accurate time source?

11 Access Control

11.1 Business requirements for access control

11.1.1  Access control policy
        A.11.1.1 Has an access control policy been established, documented, and reviewed based on business and security requirements for access?

11.2 User access management

11.2.1  User registration
        A.11.2.1 Is there a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services?

11.2.2  Privilege management
        A.11.2.2 Are the allocation and use of privileges restricted and controlled?

11.2.3  User password management
        A.11.2.3 Is the allocation of passwords controlled through a formal management process?

11.2.4  Review of user access rights
        A.11.2.4 Is there a formal process in place which allows Management to review users’ access rights at regular intervals?

11.3 User responsibilities

11.3.1  Password use
        A.11.3.1 Is there a process in place that ensures users follow good security practices in the selection and use of passwords?

11.3.2  Unattended user equipment
        A.11.3.2 Is there a process in place which ensures users are aware that unattended equipment has appropriate protection?

11.3.3  Clear desk and clear screen policy
        A.11.3.3 Has a clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities been adopted?

11.4 Network access control

11.4.1  Policy on use of network services
        A.11.4.1 Is there a process in place to ensure that users shall only be provided with access to the services that they have been specifically authorized to use?

11.4.2  User authentication for external connections
        A.11.4.2 Is there a process in place to ensure that appropriate authentication methods shall be used to control access by remote users?

11.4.3  Equipment identification in networks
        A.11.4.3 Is there a process in place to support automatic equipment identification being considered as a means to authenticate connections from specific locations and equipment?

11.4.4  Remote diagnostic and configuration port protection
        A.11.4.4 Is physical and logical access to diagnostic and configuration ports controlled?

11.4.5  Segregation in networks
        A.11.4.5 Are groups of information services, users, and information systems segregated on networks?

11.4.6  Network connection control
        A.11.4.6 Is the capability of users to connect to the network restricted for shared networks, especially those extending across the organization’s boundaries, in line with the access control policy and requirements of the business applications (see 11.1)?

11.4.7  Network routing control
        A.11.4.7 Are routing controls implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications?

11.5 Operating system access control

11.5.1  Secure log-on procedures
        A.11.5.1 Is access to operating systems controlled by a secure log-on procedure?

11.5.2  User identification and authentication
        A.11.5.2 Do all users have a unique identifier (user ID) for their personal use only, and has a suitable authentication technique been chosen to substantiate the claimed identity of a user?

11.5.3  Password management system
        A.11.5.3 Are systems for managing passwords interactive, and do they ensure quality passwords?

11.5.4  Use of system utilities
        A.11.5.4 Are the utility programs that might be capable of overriding system and application controls restricted and tightly controlled?

11.5.5  Session time-out
        A.11.5.5 Are inactive sessions shut down after a defined period of inactivity?

11.5.6  Limitation of connection time
        A.11.5.6 Are there restrictions on connection times used to provide additional security for high-risk applications?

11.6 Application and information access control

11.6.1  Information access restriction
        A.11.6.1 Is access to information and application system functions by users and support personnel restricted in accordance with the defined access control policy?

11.6.2  Sensitive system isolation
        A.11.6.2 Do sensitive systems have a dedicated (isolated) computing environment?

11.7 Mobile computing and teleworking

11.7.1  Mobile computing and communications
        A.11.7.1 Is there a formal policy in place, and appropriate security measures adopted, to protect against the risks of using mobile computing and communication facilities?

11.7.2  Teleworking
        A.11.7.2 Have a policy, operational plans and procedures been developed and implemented for teleworking activities?

12 Information systems acquisition, development and maintenance

12.1 Security requirements of information systems

12.1.1  Security requirements analysis and specification

12.2 Correct processing in applications

12.2.1  Input data validation
        A.12.2.1 Are data input to applications validated to ensure that this data is correct and appropriate?

12.2.2  Control of internal processing
        A.12.2.2 Are validation checks incorporated into applications to detect any corruption of information through processing errors or deliberate acts?

12.2.3  Message integrity
        A.12.2.3 Have requirements for ensuring authenticity and protecting message integrity in applications been identified, and appropriate controls identified and implemented?

12.2.4  Output data validation
        A.12.2.4 Is data output from an application validated to ensure that the processing of stored information is correct and appropriate to the circumstances?

12.3 Cryptographic controls

12.3.1  Policy on the use of cryptographic controls
        A.12.3.1 Has a policy on the use of cryptographic controls for protection of information been developed and implemented?

12.3.2  Key management
        A.12.3.2 Is there a key management process in place to support the organization’s use of cryptographic techniques?

12.4

12.4.1  Control of operational software
        A.12.4.1 Are there procedures in place to control the installation of software on operational systems?

12.4.2  Protection of system test data
        A.12.4.2 Is test data selected carefully, and protected and controlled?

12.4.3  Access control to program source code
        A.12.4.3 Is access to program source code restricted?

12.5 Security in development and support processes

12.5.1  Change control procedures
        A.12.5.1 Is the implementation of changes controlled by the use of formal change control procedures?

12.5.2  Technical review of applications after operating system changes
        A.12.5.2 When operating systems are changed, are business critical applications reviewed and tested to ensure there is no adverse impact on organizational operations or security?

12.5.3  Restrictions on changes to software packages
        A.12.5.3 Are modifications to software packages discouraged, limited to necessary changes, and all changes strictly controlled?

12.5.4  Information leakage
        A.12.5.4 Are opportunities for information leakage prevented?

12.5.5  Outsourced software development
        A.12.5.5 Is outsourced software development supervised and monitored by the organization?

12.6 Technical Vulnerability Management

12.6.1  Control of technical vulnerabilities
        A.12.6.1 Is timely information about technical vulnerabilities of the information systems being used obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk?

13 Information security incident management

13.1 Reporting information security events and weaknesses

13.1.1  Reporting information security events
        A.13.1.1 Are information security events reported through appropriate management channels as quickly as possible?

13.1.2  Reporting weaknesses
        A.13.1.2 Is there a process in place that ensures all employees, contractors and third party users of information systems and services note and report any observed or suspected security weaknesses in systems or services?

13.2 Management of information security incidents and improvements

13.2.1  Responsibilities and procedures
        A.13.2.1 Have Management responsibilities and procedures been established to ensure a quick, effective, and orderly response to information security incidents?

13.2.2  Learning from information security incidents
        A.13.2.2 Are there mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored?

13.2.3  Collection of evidence
        A.13.2.3 Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), is there a process in place that ensures evidence is collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s)?

14 Business Continuity management

14.1 Information security aspects of business continuity management

14.1.1  Including information security in the business continuity management process
        A.14.1.1 Has a managed process been developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization’s business continuity?

14.1.2  Business continuity and risk assessment
        A.14.1.2 Is there a process in place that ensures that events that can cause interruptions to business processes can be identified, along with the probability and impact of such interruptions and their consequences for information security?

14.1.3  Developing and implementing continuity plans including information security
        A.14.1.3 Have plans been developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes?

14.1.4  Business continuity planning framework
        A.14.1.4 Is a single framework of business continuity plans being maintained to ensure all plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance?

14.1.5  Testing, maintaining and re-assessing business continuity plans
        A.14.1.5 Are business continuity plans tested and updated regularly to ensure that they are up to date and effective?

15 Compliance

15.1 Compliance with legal requirements

15.1.1  Identification of applicable legislation
        A.15.1.1 Have all relevant statutory, regulatory and contractual requirements and the organization’s approach to meet these requirements been explicitly defined, documented, and kept up to date for each information system and the organization?

15.1.2  Intellectual Property Rights (IPR)
        A.15.1.2 Have appropriate procedures been implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products?

15.1.3  Protection of organisational records
        A.15.1.3 Are important records protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual, and business requirements?

15.1.4  Data protection and privacy of personal information
        A.15.1.4 Is data protection and privacy ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses?

15.1.5  Prevention of misuse of information processing facilities
        A.15.1.5 Are users deterred from using information processing facilities for unauthorized purposes?

15.1.6  Regulation of cryptographic controls
        A.15.1.6 Are cryptographic controls used in compliance with all relevant agreements, laws, and regulations?

15.2 Compliance with security policies & standards, & technical compliance

15.2.1  Compliance with security policies and standards
        A.15.2.1 Do Managers ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards?

15.2.2  Technical compliance checking
        A.15.2.2 Are information systems regularly checked for compliance with security implementation standards?

15.3 Information systems audit considerations

15.3.1  Information systems audit controls
        A.15.3.1 Are audit requirements and activities involving checks on operational systems carefully planned and agreed to minimize the risk of disruptions to business processes?

15.3.2  Protection of information system audit tools
        A.15.3.2 Is access to information systems audit tools protected to prevent any possible misuse or compromise?

Site NC OFI

