Introduction
This spreadsheet is used to record and track the status of your organization as you implement the mandatory an
The main body of ISO/IEC 27001 formally specifies a number of mandatory requirements that must be fulfilled i
rather than the information risks and the security controls being managed. For example, the standard require
and procedures defined in the ISMS. The standard does not mandate specific information security controls: the
However, Annex A to '27001 outlines a suite of information security controls that the management system wou
much more detail in ISO/IEC 27002:2022, and in various other standards, laws, regulations etc.
Instructions
1. Design and implement an ISMS complying with all the mandatory elements specified in the main body of ISO
2. Identify and assess the information security risks facing those parts of the organization that are declared in s
constrained by Annex A! Adapt the sheet, modifying the wording and adding-in additional rows if you determin
point.
3. Systematically check and record the status of your security risks and controls, updating the status column of
4. Once your ISMS is operating normally, the metrics are looking good and you have amassed sufficient evidenc
requirements, and that your in-scope information security risks are being identified, treated and monitored acc
periodically reviewed/audited.
Copyright
This work is copyright © 2022, ISO27k Forum, some rights reserved. It is licensed under the Creative Commons
incorporated into a commercial product, (b) it is properly attributed to the ISO27k Forum at www.ISO27001secu
Note: you need licensed copies of both ISO/IEC 27001 and 27002 to make much sense of this, and other ISO27
may not entirely fulfill their meaning or intent. The definitive references are the ISO27k standards, not this wor
Please visit ISO27001security.com for further advice and guidance on the ISO27k standards, including the ISO27
Status of ISO/IEC 27001 implementation
| Section | ISO/IEC 27001 requirement | Status | Notes |
|---|---|---|---|
| 4.4 | ISMS | | |
| 4.4 | Establish, implement, maintain and continually improve an ISMS according to the standard! | Nonexistent | |
| 5 | Leadership | | |
| 5.1 | Leadership & commitment | | |
| 5.1 | Top management must demonstrate leadership & commitment to the ISMS | Defined | |
| 5.2 | Policy | | |
| 5.2 | Establish the information security policy | Nonexistent | |
| 6 | Planning | | |
| 6.1 | Actions to address risks & opportunities | | |
| 6.1.1 | Design/plan the ISMS to satisfy the requirements, addressing risks & opportunities | Initial | |
| 6.1.2 | Define and apply an information security risk assessment process | Initial | |
| 6.1.3 | Document and apply an information security risk treatment process | Initial | |
| 7 | Support | | |
| 7.1 | Resources | | |
| 7.1 | Determine and allocate necessary resources for the ISMS | Initial | |
| 7.2 | Competence | | |
| 7.2 | Determine, document and make available necessary competences | Initial | |
| 7.3 | Awareness | | |
| 7.3 | Establish a security awareness program | Initial | |
| 7.4 | Communication | | |
| 7.4 | Determine the need for internal and external communications relevant to the ISMS | Initial | |
| 8 | Operation | | |
| 8.1 | Operational planning and control | | |
| 8.1 | Plan, implement, control & document ISMS processes to manage risks (i.e. a risk treatment plan) | Initial | |
| 9 | Performance evaluation | | |
| 9.1 | Monitoring, measurement, analysis and evaluation | | |
| 9.1 | Monitor, measure, analyze and evaluate the ISMS and the controls | Initial | |
| 10 | Improvement | | |
| 10.1 | Continual improvement | | |
| 10.1 | Continually improve the ISMS | Initial | |
04/14/2024 Page 2 of 5
Statement of Applicability and status of information security controls
| Section | Information security control | Status | Notes |
|---|---|---|---|
| A5 | Organizational controls | | |
| A.5.1 | Policies for information security | ? Unknown | |
| A.5.2 | Information security roles and responsibilities | ? Unknown | |
| A.5.3 | Segregation of duties | ? Unknown | |
| A.5.4 | Management responsibilities | ? Unknown | |
| A.5.5 | Contact with authorities | ? Unknown | |
| A.5.6 | Contact with special interest groups | ? Unknown | |
| A.5.7 | Threat intelligence | ? Unknown | |
| A.5.8 | Information security in project management | ? Unknown | |
| A.5.9 | Inventory of information and other associated assets | ? Unknown | |
| A.5.10 | Acceptable use of information and other associated assets | ? Unknown | |
| A.5.11 | Return of assets | ? Unknown | |
| A.5.12 | Classification of information | ? Unknown | |
| A.5.13 | Labelling of information | ? Unknown | |
| A.5.14 | Information transfer | ? Unknown | |
| A.5.15 | Access control | ? Unknown | |
| A.5.16 | Identity management | ? Unknown | |
| A.5.17 | Authentication information | ? Unknown | |
| A.5.19 | Information security in supplier relationships | ? Unknown | |
| A.5.20 | Addressing information security within supplier agreements | ? Unknown | |
| A6 | People controls | | |
| A.6.1 | Screening | ? Unknown | |
| A7 | Physical controls | | |
| A.7.1 | Physical security perimeters | ? Unknown | |
| A.7.2 | Physical entry | ? Unknown | |
| A.7.3 | Securing offices, rooms and facilities | ? Unknown | |
| A.7.4 | Physical security monitoring | ? Unknown | |
| A.7.5 | Protecting against physical and environmental threats | ? Unknown | |
| A.7.6 | Working in secure areas | ? Unknown | |
| A.7.7 | Clear desk and clear screen | ? Unknown | |
| A.7.8 | Equipment siting and protection | ? Unknown | |
| A.7.9 | Security of assets off-premises | ? Unknown | |
| A8 | Technological controls | | |
| A.8.1 | User endpoint devices | ? Unknown | |
| A.8.2 | Privileged access rights | ? Unknown | |
| A.8.3 | Information access restriction | ? Unknown | |
| A.8.4 | Access to source code | ? Unknown | |
| A.8.5 | Secure authentication | ? Unknown | |
| Status | Meaning | Proportion of ISMS requirements | Proportion of information security controls |
|---|---|---|---|
| ? Unknown | Has not even been checked yet | 0% | 92% |
| Nonexistent | | | |
| Initial | | | |
| Limited | | | |
| Defined | | | |
| Managed | | | |
| Optimized | | | |
| Not applicable | | | |

ISMS implementation status (chart; legend: Unknown, Nonexistent, Initial, Limited, Defined, Managed, Optimized, Not applicable)