
Introduction
This spreadsheet is used to record and track the status of your organization as you implement the mandatory an
The main body of ISO/IEC 27001 formally specifies a number of mandatory requirements that must be fulfilled i
rather than the information risks and the security controls being managed. For example, the standard require
and procedures defined in the ISMS. The standard does not mandate specific information security controls: the
However, Annex A to '27001 outlines a suite of information security controls that the management system wou
much more detail in ISO/IEC 27002:2022, and in various other standards, laws, regulations etc.

Instructions

1. Design and implement an ISMS complying with all the mandatory elements specified in the main body of ISO
2. Identify and assess the information security risks facing those parts of the organization that are declared in s
constrained by Annex A! Adapt the sheet, modifying the wording and adding-in additional rows if you determin
point.
3. Systematically check and record the status of your security risks and controls, updating the status column of
4. Once your ISMS is operating normally, the metrics are looking good and you have amassed sufficient evidenc
requirements, and that your in-scope information security risks are being identified, treated and monitored acc
periodically reviewed/audited.

Document history and acknowledgements


Bala Ramanan donated the original ISO/IEC 27001:2005 version of the 27001 requirements worksheet. Joel Co
Ed Hodgson updated the workbook for ISO/IEC 27001:2013. Gary Hinson fiddled with the wording and formatti
Christian Breitenstrom updated the workbook to reflect ISO/IEC 27001:2022 and ISO/IEC 27002:2022. Gary tidi

Copyright
This work is copyright © 2022, ISO27k Forum, some rights reserved. It is licensed under the Creative Commons
incorporated into a commercial product, (b) it is properly attributed to the ISO27k Forum at www.ISO27001secu
Note: you need licensed copies of both ISO/IEC 27001 and 27002 to make much sense of this, and other ISO27
may not entirely fulfill their meaning or intent. The definitive references are the ISO27k standards, not this wor
Please visit ISO27001security.com for further advice and guidance on the ISO27k standards, including the ISO27
Status of ISO/IEC 27001 implementation
Section ISO/IEC 27001 requirement Status Notes

4 Context of the organisation
4.1 Organisational context
4.1 Determine the organization's ISMS objectives and any issues that might affect its effectiveness Defined
4.2 Interested parties
4.2 (a) Identify interested parties including applicable laws, regulations, contracts etc. Defined
4.2 (b) Determine their information security-relevant requirements and obligations Defined
4.3 ISMS scope
4.3 Determine and document the ISMS scope Defined
4.4 ISMS
4.4 Establish, implement, maintain and continually improve an ISMS according to the standard! Nonexistent

5 Leadership
5.1 Leadership & commitment
5.1 Top management must demonstrate leadership & commitment to the ISMS Defined
5.2 Policy
5.2 Establish the information security policy Nonexistent
5.3 Organizational roles, responsibilities & authorities
5.3 Assign and communicate information security rôles & responsibilities Not applicable

6 Planning
6.1 Actions to address risks & opportunities
6.1.1 Design/plan the ISMS to satisfy the requirements, addressing risks & opportunities Initial
6.1.2 Define and apply an information security risk assessment process Initial
6.1.3 Document and apply an information security risk treatment process Initial
6.2 Information security objectives & plans
6.2 Establish and document the information security objectives and plans Initial
6.3 Planning of changes
6.3 Substantial changes to the ISMS shall be carried out in a planned manner Initial New for 2022

7 Support
7.1 Resources
7.1 Determine and allocate necessary resources for the ISMS Initial
7.2 Competence
7.2 Determine, document and make available necessary competences Initial
7.3 Awareness
7.3 Establish a security awareness program Initial
7.4 Communication
7.4 Determine the need for internal and external communications relevant to the ISMS Initial
7.5 Documented information
7.5.1 Provide documentation required by the standard plus that required by the organization Initial
7.5.2 Provide document titles, authors etc., format them consistently, and review & approve them Initial
7.5.3 Control the documentation properly Initial

8 Operation
8.1 Operational planning and control
8.1 Plan, implement, control & document ISMS processes to manage risks (i.e. a risk treatment plan) Initial
8.2 Information security risk assessment
8.2 (Re)assess & document information security risks regularly & on changes Initial
8.3 Information security risk treatment
8.3 Implement the risk treatment plan (treat the risks!) and document the results Initial

9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1 Monitor, measure, analyze and evaluate the ISMS and the controls Initial
9.2 Internal audit
9.2 Plan & conduct internal audits of the ISMS Initial
9.3 Management review
9.3 Undertake regular management reviews of the ISMS Initial

10 Improvement
10.1 Continual improvement
10.1 Continually improve the ISMS Initial
10.2 Nonconformity and corrective action
10.2 Identify, fix and take action to prevent recurrence of nonconformities, documenting the actions Initial
Number of requirements: 28

04/14/2024 Page 2 of 5
Statement of Applicability and status of information security controls
Section Information security control Status Notes
A5 Organizational controls
A.5.1 Policies for information security ? Unknown
A.5.2 Information security roles and responsibilities ? Unknown
A.5.3 Segregation of duties ? Unknown
A.5.4 Management responsibilities ? Unknown
A.5.5 Contact with authorities ? Unknown
A.5.6 Contact with special interest groups ? Unknown
A.5.7 Threat intelligence ? Unknown
A.5.8 Information security in project management ? Unknown
A.5.9 Inventory of information and other associated assets ? Unknown
A.5.10 Acceptable use of information and other associated assets ? Unknown
A.5.11 Return of assets ? Unknown
A.5.12 Classification of information ? Unknown
A.5.13 Labelling of information ? Unknown
A.5.14 Information transfer ? Unknown
A.5.15 Access control ? Unknown
A.5.16 Identity management ? Unknown
A.5.17 Authentication information ? Unknown
A.5.18 Access rights ? Unknown
A.5.19 Information security in supplier relationships ? Unknown
A.5.20 Addressing information security within supplier agreements ? Unknown
A.5.21 Managing information security in the ICT supply chain ? Unknown
A.5.22 Monitoring, review and change management of supplier services ? Unknown
A.5.23 Information security for use of cloud services ? Unknown
A.5.24 Information security incident management planning and preparation ? Unknown
A.5.25 Assessment and decision on information security events ? Unknown
A.5.26 Response to information security incidents ? Unknown
A.5.27 Learning from information security incidents ? Unknown
A.5.28 Collection of evidence ? Unknown
A.5.29 Information security during disruption ? Unknown
A.5.30 ICT readiness for business continuity ? Unknown
A.5.31 Legal, statutory, regulatory and contractual requirements ? Unknown
A.5.32 Intellectual property rights ? Unknown
A.5.33 Protection of records ? Unknown
A.5.34 Privacy and protection of PII ? Unknown
A.5.35 Independent review of information security ? Unknown
A.5.36 Compliance with policies, rules and standards for information security ? Unknown
A.5.37 Documented operating procedures ? Unknown

A6 People controls
A.6.1 Screening ? Unknown
A.6.2 Terms and conditions of employment Nonexistent
A.6.3 Information security awareness, education and training Initial
A.6.4 Disciplinary process Limited
A.6.5 Responsibilities after termination or change of employment Defined
A.6.6 Confidentiality or non-disclosure agreements Managed
A.6.7 Remote working Optimized
A.6.8 Information security event reporting Not applicable

A7 Physical controls
A.7.1 Physical security perimeters ? Unknown
A.7.2 Physical entry ? Unknown
A.7.3 Securing offices, rooms and facilities ? Unknown
A.7.4 Physical security monitoring ? Unknown
A.7.5 Protecting against physical and environmental threats ? Unknown
A.7.6 Working in secure areas ? Unknown
A.7.7 Clear desk and clear screen ? Unknown
A.7.8 Equipment siting and protection ? Unknown
A.7.9 Security of assets off-premises ? Unknown
A.7.10 Storage media ? Unknown
A.7.11 Supporting utilities ? Unknown
A.7.12 Cabling security ? Unknown
A.7.13 Equipment maintenance ? Unknown
A.7.14 Secure disposal or re-use of equipment ? Unknown

A8 Technological controls
A.8.1 User endpoint devices ? Unknown
A.8.2 Privileged access rights ? Unknown
A.8.3 Information access restriction ? Unknown
A.8.4 Access to source code ? Unknown
A.8.5 Secure authentication ? Unknown
A.8.6 Capacity management ? Unknown
A.8.7 Protection against malware ? Unknown
A.8.8 Management of technical vulnerabilities ? Unknown
A.8.9 Configuration management ? Unknown
A.8.10 Information deletion ? Unknown
A.8.11 Data masking ? Unknown
A.8.12 Data leakage prevention ? Unknown
A.8.13 Information backup ? Unknown
A.8.14 Redundancy of information processing facilities ? Unknown
A.8.15 Logging ? Unknown
A.8.16 Monitoring activities ? Unknown
A.8.17 Clock synchronization ? Unknown
A.8.18 Use of privileged utility programs ? Unknown
A.8.19 Installation of software on operational systems ? Unknown
A.8.20 Networks security ? Unknown
A.8.21 Security of network services ? Unknown
A.8.22 Segregation of networks ? Unknown
A.8.23 Web filtering ? Unknown
A.8.24 Use of cryptography ? Unknown
A.8.25 Secure development life cycle ? Unknown
A.8.26 Application security requirements ? Unknown
A.8.27 Secure system architecture and engineering principles ? Unknown
A.8.28 Secure coding ? Unknown
A.8.29 Security testing in development and acceptance ? Unknown
A.8.30 Outsourced development ? Unknown
A.8.31 Separation of development, test and production environments ? Unknown
A.8.32 Change management ? Unknown
A.8.33 Test information ? Unknown
A.8.34 Protection of information systems during audit testing ? Unknown
Number of controls: 93

Status | Meaning | Proportion of ISMS requirements | Proportion of information security controls
? Unknown | Has not even been checked yet | 0% | 92%
Nonexistent | Complete lack of recognizable policy, procedure, control etc. | 7% | 1%
Initial | Development has barely started and will require significant work to fulfill the requirements | 71% | 1%
Limited | Progressing nicely but not yet complete | 0% | 1%
Defined | Development is more or less complete although detail is lacking and/or it is not yet implemented, enforced and actively supported by top management | 18% | 1%
Managed | Development is complete, the process/control has been implemented and recently started operating | 0% | 1%
Optimized | The requirement is fully satisfied, is operating fully as expected, is being actively monitored and improved, and there is substantial evidence to prove all that to the auditors | 0% | 1%
Not applicable | ALL requirements in the main body of ISO/IEC 27001 are mandatory IF your ISMS is to be certified. Otherwise, management can ignore them. | 4% | 1%
Total | | 100% | 100%

Chart: ISMS implementation status (pie chart of the ISMS requirement proportions above, by status: ? Unknown, Nonexistent, Initial, Limited, Defined, Managed, Optimized, Not applicable)
Chart: Infosec controls status (pie chart of the information security control proportions above, by the same statuses)
