ISO 27001 Compliance Checklist Reference Checklist
Audit area, objective and question
Standard
Resul
Audit Question
Section
Findings
Security Policy 11
!1
1 .1 . 1
"nfor#ation Security Policy
5 .1 . 1
Information security policy document
Whether there exists an Information security policy which is approved !y the mana"ement pu!lished and communicated as appropriate to all employees. Whether the policy states mana"ement commitment and sets out the or"ani#ational approach to mana"in" information security. Whether the Information Security Policy is rev iewed at planned intervals or if si"nificant chan"es oc cur to ensure its continuin" suita!ility ade$uacy and effectiveness.
1 .1 . 2
5 .1 . 2
Whether the Information Security policy has an owner who has approved mana"ement responsi!ility for development review and evaluation of the security Review of Informational Security Policy policy. Whether any defined Information Security Policy review procedures exist and do they include re$uirements for the mana"ement review. Whether the results of the mana"ement review are ta%en into account. Whether mana"ement approval is o!tained for the revised policy.
$rgani%ation of "nfor#ation Security &1
'1
"nternal $rgani%ation
2.11
6.11
2 .1 . 2
6 .1 . 2
Whether mana"ement demonstrates active support for &ana"ement 'ommitment to Informaiton security measures within the or"ani#ation. (his can !e Security done via clear direction demonstrated c ommitment explicit assi"nment and ac%nowled"ement of information security responsi!ilities. Information Security coordination
Vinod Kumar
[email protected]
Whether information security activities are coordinated !y representatives from diverse parts of the or"ani#ation with pertinent roles and responsi!ilities
Page 1
ISO 27001 Comp ance C ec
04/24/2018
st
2.1.)
6.1.)
+llocation of Information Security responsi!ilities
Whether responsi!ilities for the protection of individual assets and for carryin" out specific security processes were clearly identified and defined.
2.1.*
6.1.*
+uthori#ation process for Information processin" facilities
Whether mana"ement authori#ation process is defined and implemented for any new information processin" facility within the or"ani#ation.
2.1.5
6.1.5
'onfidentiality +"reements
Whether the or"ani#ations need for 'onfidentiality or /on0isclosure +"reement /+3 for protection of information is clearly defined and re"ularly reviewed. oes this address the re$uirement to protect the confidential information usin" le"al enforcea!le terms Whether there exists a procedure that descri!es when and !y whom4 relevant authorities such as aw enforcement fire department etc. should !e contacted and how the incident should !e reported
2.1.6
6.1.6
'ontact with +uthorities
2.1.,
6.1.,
'ontact with special interest "roups
Whether appropriate contacts with special interest "roups or other specialist security forums and professional associations are maintained.
2.1.-
6.1.-
Independent review of Information Security
Whether the or"ani#ations approach to mana"in" information security and its implementation is reviewed independently at planned intervals or when maor chan"es to security implementation occur.
&&
'&
()ternal Parties
2.2.1
6.2.1
Whether ris%s to the or"ani#ations information and Identification of ris%s related to external information processin" facility from a process involvin" external party access is identified and parties appropriate control measures implemented !efore "rantin" access.
2.2.2
6.2.2
+ddressin" security while dealin" with customers
2.2.)
6.2.)
+ddressin" security in third party a"reements
Whether all identified security re$uirements are fulfilled !efore "rantin" customer access to the or"ani#ations information or assets. Whether the a"reement with third parties involvin" accessin" processin" communicatin" or mana"in" the or"ani#ations information or information processin" facility or introducin" products or services to
ISO 27001 Comp ance C ec
st
2.1.)
6.1.)
+llocation of Information Security responsi!ilities
Whether responsi!ilities for the protection of individual assets and for carryin" out specific security processes were clearly identified and defined.
2.1.*
6.1.*
+uthori#ation process for Information processin" facilities
Whether mana"ement authori#ation process is defined and implemented for any new information processin" facility within the or"ani#ation.
2.1.5
6.1.5
'onfidentiality +"reements
Whether the or"ani#ations need for 'onfidentiality or /on0isclosure +"reement /+3 for protection of information is clearly defined and re"ularly reviewed. oes this address the re$uirement to protect the confidential information usin" le"al enforcea!le terms Whether there exists a procedure that descri!es when and !y whom4 relevant authorities such as aw enforcement fire department etc. should !e contacted and how the incident should !e reported
2.1.6
6.1.6
'ontact with +uthorities
2.1.,
6.1.,
'ontact with special interest "roups
Whether appropriate contacts with special interest "roups or other specialist security forums and professional associations are maintained.
2.1.-
6.1.-
Independent review of Information Security
Whether the or"ani#ations approach to mana"in" information security and its implementation is reviewed independently at planned intervals or when maor chan"es to security implementation occur.
&&
'&
()ternal Parties
2.2.1
6.2.1
Whether ris%s to the or"ani#ations information and Identification of ris%s related to external information processin" facility from a process involvin" external party access is identified and parties appropriate control measures implemented !efore "rantin" access.
2.2.2
6.2.2
+ddressin" security while dealin" with customers
2.2.)
6.2.)
+ddressin" security in third party a"reements
Whether all identified security re$uirements are fulfilled !efore "rantin" customer access to the or"ani#ations information or assets. Whether the a"reement with third parties involvin" accessin" processin" communicatin" or mana"in" the or"ani#ations information or information processin" facility or introducin" products or services to information processin" facility complies with all appropriate security re$uirements.
Asset *anage#ent
Vinod Kumar
[email protected]
Page 2
ISO 27001 Compliance Checklist +1
1
Res-onsibility for assets
).1.1
,.1.1
Inventory of +ssets
).1.2
,.1.2
7wnership of +ssets
).1.)
,.1.)
+ccepta!le use of assets
+&
&
Whether all assets are identified and an inventory or re"ister is maintained with all the important assets. Whether each asset identified has an owner a defined and a"reed0upon security classification and access restrictions that are periodically reviewed. Whether re"ulations for accepta!le use of information and assets associated with an information pro cessin" facility were identified documented and implemented.
"nfor#ation Classification
).2.1
,.2.1
'lassification "uidelines
Whether the information is classified in terms of its value le"al re$uirements sensitivity and criticality to the or"ani#ation.
).2.2
,.2.2
Information la!ellin" and handlin"
Whether an appropriate set of procedures are defined for information la!ellin" and handlin" in accordance with the classification scheme adopted !y the or"ani#ation.
.u#an resources security /1
01
*.1.1
Prior to e#-loy#ent
-.1.1
Roles and responsi!ilities
Whether employee security roles and responsi!ilities contractors and third party users were defined and documented in accordance with the or"ani#ations information security policy. Were the roles and responsi!ilities defined and clearly communicated to o! candidates durin" the pre0 employment process
*.1.2
-.1.2
Screenin"
Whether !ac%"round verification chec%s for all candidates for employment contractors and third party users were carried out in accordance to the relevant re"ulations. oes the chec% include character reference confirmation of claimed academic and pro fessional $ualifications and independent identity chec%s Whether employee contractors and third party users
04/24/2018
ISO 27001 Compliance Checklist +1
1
Res-onsibility for assets
).1.1
,.1.1
Inventory of +ssets
).1.2
,.1.2
7wnership of +ssets
).1.)
,.1.)
+ccepta!le use of assets
+&
&
Whether all assets are identified and an inventory or re"ister is maintained with all the important assets. Whether each asset identified has an owner a defined and a"reed0upon security classification and access restrictions that are periodically reviewed. Whether re"ulations for accepta!le use of information and assets associated with an information pro cessin" facility were identified documented and implemented.
"nfor#ation Classification
).2.1
,.2.1
'lassification "uidelines
Whether the information is classified in terms of its value le"al re$uirements sensitivity and criticality to the or"ani#ation.
).2.2
,.2.2
Information la!ellin" and handlin"
Whether an appropriate set of procedures are defined for information la!ellin" and handlin" in accordance with the classification scheme adopted !y the or"ani#ation.
.u#an resources security /1
01
*.1.1
Prior to e#-loy#ent
-.1.1
Whether employee security roles and responsi!ilities contractors and third party users were defined and documented in accordance with the or"ani#ations information security policy.
Roles and responsi!ilities
Were the roles and responsi!ilities defined and clearly communicated to o! candidates durin" the pre0 employment process
*.1.2
-.1.2
Whether !ac%"round verification chec%s for all candidates for employment contractors and third party users were carried out in accordance to the relevant re"ulations.
Screenin"
oes the chec% include character reference confirmation of claimed academic and pro fessional $ualifications and independent identity chec%s
*.1.)
-.1.)
(erms and conditions of employment
Vinod Kumar
[email protected]
Whether employee contractors and third party users are as%ed to si"n confidentiality or non0disclosure a"reement as a part of their initial terms and conditions of the employment contract.
Page 3
ISO 27001 Compliance Checklist Whether this a"reement covers the information security responsi!ility of the or"ani#ation and the employee third party users and contractors. /&
0&
*.2.1
uring (#-loy#ent
-.2.1
&ana"ement Re Responsi!ilities
*.2.2
-.2.2
Infromation security awareness education and trainin"
*.2.)
-.2.)
isciplinary process
/+
0+
Whether all employees in the or"ani#ation and where relevant contractors and third party users receive appropriate security awareness trainin" and re"ular updates in or"ani#ational policies and procedures as it pertains to their o! function. Whether there is a formal disciplinary process for the employees who have committed a security !reach.
2er#ination or change of e#-loy#ent
*.).1
-.).1
(ermination re responsi!ilities
*.).2
-.).2
Return of assets
*.).)
Whether the mana"ement re$uires employees contractors and third party users to apply security in accordance with the esta!lished policies and procedures of the or"ani#ation.
-.).)
Removal of access ri"hts
Whether responsi!ilities for performin" employment termination or chan"e of employment are clearly defined and assi"ned. Whether there is a process in place that ensures all employees contractors and third party users surrender all of the or"ani#ations assets in their possession upon termination of their employment contract or a"reement. Whether access ri"hts of all employees contractors and third party users to information and information processin" facilities will !e removed upon termination of their employment contract or a"reement or will !e adusted upon chan"e.
Physical and (nviron#ental security !1
31
5.1.1
Secure Areas
8.1.1
Physical security perimeter
Whether a physical !order security facility has !een implemented to protect the information processin" service. Some examples of such security facilities are
04/24/2018
ISO 27001 Compliance Checklist Whether this a"reement covers the information security responsi!ility of the or"ani#ation and the employee third party users and contractors. /&
0&
*.2.1
uring (#-loy#ent
-.2.1
&ana"ement Re Responsi!ilities
*.2.2
-.2.2
Infromation security awareness education and trainin"
*.2.)
-.2.)
isciplinary process
/+
0+
Whether all employees in the or"ani#ation and where relevant contractors and third party users receive appropriate security awareness trainin" and re"ular updates in or"ani#ational policies and procedures as it pertains to their o! function. Whether there is a formal disciplinary process for the employees who have committed a security !reach.
2er#ination or change of e#-loy#ent
*.).1
-.).1
(ermination re responsi!ilities
*.).2
-.).2
Return of assets
*.).)
Whether the mana"ement re$uires employees contractors and third party users to apply security in accordance with the esta!lished policies and procedures of the or"ani#ation.
-.).)
Whether responsi!ilities for performin" employment termination or chan"e of employment are clearly defined and assi"ned. Whether there is a process in place that ensures all employees contractors and third party users surrender all of the or"ani#ations assets in their possession upon termination of their employment contract or a"reement. Whether access ri"hts of all employees contractors and third party users to information and information processin" facilities will !e removed upon termination of their employment contract or a"reement or will !e adusted upon chan"e.
Removal of access ri"hts
Physical and (nviron#ental security !1
31
Secure Areas
5.1.1
8.1.1
Physical security perimeter
5.1.2
8.1.2
Physical entry controls
Whether a physical !order security facility has !een implemented to protect the information processin" service. Some examples of such security facilities are card control entry "ates walls manned reception etc Whether entry controls are in place to allow only authori#ed personnel into various areas within the or"ani#ation.
Vinod Kumar
[email protected]
Page 4
ISO 27001 Compliance Checklist 5.1.)
8.1.)
Securin" offices rooms and facilities
5.1.*
8.1.*
Protectin" a"ainst external and enviornmental threats
5.1.5
8.1.5
Wor%in" in secure areas
5.1.6
8.1.6
Pu!lic access delivery and loadin" areas
!&
3&
5.2.1
5.2.2
5.2.)
Whether the rooms which have the information processin" service are loc%ed or have loc%a!le ca!inets or safes. Whether the physical protection a"ainst dama"e from fire flood earth$ua%e explosion civil unrest and other forms of natural or man0made disaster should !e desi"ned and applied. Whether there is any potential threat from nei"h!ourin" premises. Whether physical protection and "uidelines for wor%in" in secure areas is desi"ned and implemented Whether the delivery loadin" and other areas where unauthori#ed persons may enter the premises are controlled and information processin" facilities are isolated to avoid unauthori#ed access.
(qui-#ent Security
8.2.1
8.2.2
8.2.)
9$uipment sitin" and protection
Supportin" utilities
'a!lin" security
Whether the e$uipment is protected to reduce the ris%s from environmental threats and ha#ards and opportunities for unauthori#ed access. Whether the e$uipment is protected from power failures and other disruptions caused !y failures in supportin" utilities. Whether permanence of power supplies such as a multiple feed an :ninterrupti!le Power Supply ups3 a !ac%up "enerator etc. are !ein" utili#ed Whether the power and telecommunications ca!le carryin" data or supportin" information services is protected from interception or dama"e Whether there are any additional security controls in place for sensitive or critical information Whether the e$uipment is correctly maintained to ensure its continued availa!ility and inte"rity. Whether the e$uipment is maintained as per the suppliers recommended service intervals and specifications.
04/24/2018
ISO 27001 Compliance Checklist 5.1.)
8.1.)
Securin" offices rooms and facilities
5.1.*
8.1.*
Protectin" a"ainst external and enviornmental threats
5.1.5
8.1.5
Wor%in" in secure areas
5.1.6 !&
8.1.6 3&
5.2.1
8.2.1
5.2.2
8.2.2
5.2.)
8.2.)
Whether the rooms which have the information processin" service are loc%ed or have loc%a!le ca!inets or safes. Whether the physical protection a"ainst dama"e from fire flood earth$ua%e explosion civil unrest and other forms of natural or man0made disaster should !e desi"ned and applied. Whether there is any potential threat from nei"h!ourin" premises. Whether physical protection and "uidelines for wor%in" in secure areas is desi"ned and implemented
Whether the delivery loadin" and other areas where unauthori#ed persons may enter the premises are Pu!lic access delivery and loadin" areas controlled and information processin" facilities are isolated to avoid unauthori#ed access. (qui-#ent Security 9$uipment sitin" and protection
Whether the e$uipment is protected to reduce the ris%s from environmental threats and ha#ards and opportunities for unauthori#ed access. Whether the e$uipment is protected from power failures and other disruptions caused !y failures in supportin" utilities.
Supportin" utilities
Whether permanence of power supplies such as a multiple feed an :ninterrupti!le Power Supply ups3 a !ac%up "enerator etc. are !ein" utili#ed Whether the power and telecommunications ca!le carryin" data or supportin" information services is protected from interception or dama"e Whether there are any additional security controls in place for sensitive or critical information Whether the e$uipment is correctly maintained to ensure its continued availa!ility and inte"rity.
'a!lin" security
Whether the e$uipment is maintained as per the suppliers recommended service intervals and specifications. Whether the maintenance is carried out only !y authori#ed personnel.
Vinod Kumar
[email protected]
Page 5
ISO 27001 Compliance Checklist . .
. . Whether lo"s are maintained with all suspected or actual faults and all preventive and corrective measures. Whether appropriate controls are implemented while sendin" e$uipment off premises. +re the e$uipment covered !y insurance and the insurance re$uirements satisfied
5.2.5
8.2.5
Securiin" of e$uipment off0premises
Whether ris%s were assessed with re"ards t o any e$uipment usa"e outside an or"ani#ations premises and miti"ation controls implemented. Whether the usa"e of an information processin" facility outside the or"ani#ation has !een authori#ed !y the mana"ement.
5.2.6
8.2.6
Secure disposal or re0use of e$uipment
Whether all e$uipment containin" stora"e media is chec%ed to ensure that any sensitive i nformation or licensed software is physically destroyed or securely over0written prior to disposal or reuse.
5.2.,
8.2.,
Removal of property
Whether any controls are in place so that e$uipment information and software is not ta%en off0site without prior authori#ation.
Co##unication and $-erations *anage#ent '1
141
$-erational -rocedures and res-onsibilites
Whether the operatin" procedure is documented maintained and availa!le to all users who need it. 6.1.1
1;.1.1
ocumented 7peratin" procedures
6.1.2
1;.1.2
'han"e &ana"ement
6.1.)
1;.1.)
Se"re"ation of duties
Whether such procedures are treated as formal documents and therefore any chan"es made need mana"ement authori#ation. Whether all chan"es to information processin" facilities and systems are controlled. Whether duties and areas of responsi!ility are separated in order to reduce opportunities for unauthori#ed modification or misuse of information or services.
04/24/2018
ISO 27001 Compliance Checklist . .
. . Whether lo"s are maintained with all suspected or actual faults and all preventive and corrective measures. Whether appropriate controls are implemented while sendin" e$uipment off premises. +re the e$uipment covered !y insurance and the insurance re$uirements satisfied Whether ris%s were assessed with re"ards t o any e$uipment usa"e outside an or"ani#ations premises and miti"ation controls implemented.
5.2.5
8.2.5
Securiin" of e$uipment off0premises
5.2.6
8.2.6
Secure disposal or re0use of e$uipment
Whether all e$uipment containin" stora"e media is chec%ed to ensure that any sensitive i nformation or licensed software is physically destroyed or securely over0written prior to disposal or reuse.
5.2.,
8.2.,
Removal of property
Whether any controls are in place so that e$uipment information and software is not ta%en off0site without prior authori#ation.
Whether the usa"e of an information processin" facility outside the or"ani#ation has !een authori#ed !y the mana"ement.
Co##unication and $-erations *anage#ent '1
141
$-erational -rocedures and res-onsibilites
Whether the operatin" procedure is documented maintained and availa!le to all users who need it. 6.1.1
1;.1.1
ocumented 7peratin" procedures
6.1.2
1;.1.2
'han"e &ana"ement
6.1.)
1;.1.)
Whether such procedures are treated as formal documents and therefore any chan"es made need mana"ement authori#ation. Whether all chan"es to information processin" facilities and systems are controlled. Whether duties and areas of responsi!ility are separated in order to reduce opportunities for unauthori#ed modification or misuse of information or services.
Se"re"ation of duties
Vinod Kumar
[email protected]
Page
ISO 27001 Compliance Checklist
6.1.*
'&
1;.1.*
14&
Seperation of development test and operational facilities
2hird -arty service delivery #anage#ent
6.2.1
1;.2.1
Service delivery
6.2.2
1;.2.2
&onitorin" and review of third party services
6.2.)
Whether the development and testin" facilities are isolated from operational facilities.
1;.2.)
Whether measures are ta%en to ensure that the security controls service definitions and delivery levels included in the third party service delivery a"reement are implemented operated and maintained !y a third party. Whether the services reports and records provided !y third party are re"ularly monitored and reviewed. Whether audita are conducted on the a!ove third party services reports and records on re"ular interval.
Whether chan"es to provision of services includin" maintainin" and improvin" existin" information &ana"in" chan"es to third party services security policies procedures and controls are mana"ed. oes this ta%e into account criticality of !usiness systems processes involved and re0assessment of ris%s
'+
'/
14+
Syste# -lanning and acce-tance
6.).1
1;.).1
6.).2
1;.).2 14 /
'apacity &ana"ement
Whether the capacity demands are monitored and proections of future capacity re$uirements are made to ensure that ade$uate processin" power and stora"e are availa!le. 9xample4 &onitorin" hard dis% space R+& and 'P: on critical servers.
Whether system acceptance criteria are esta!lished for new information systems up"rades and new versions. Whether suita!le tests were carried out prior to acceptance. Protection against #alicious and #obile code System acceptance
04/24/2018
ISO 27001 Compliance Checklist
6.1.*
'&
1;.1.*
14&
Seperation of development test and operational facilities
2hird -arty service delivery #anage#ent
6.2.1
1;.2.1
Service delivery
6.2.2
1;.2.2
&onitorin" and review of third party services
6.2.)
Whether the development and testin" facilities are isolated from operational facilities.
1;.2.)
Whether measures are ta%en to ensure that the security controls service definitions and delivery levels included in the third party service delivery a"reement are implemented operated and maintained !y a third party. Whether the services reports and records provided !y third party are re"ularly monitored and reviewed. Whether audita are conducted on the a!ove third party services reports and records on re"ular interval.
Whether chan"es to provision of services includin" maintainin" and improvin" existin" information &ana"in" chan"es to third party services security policies procedures and controls are mana"ed. oes this ta%e into account criticality of !usiness systems processes involved and re0assessment of ris%s
'+
14+
Syste# -lanning and acce-tance
6.).1
1;.).1
6.).2
1;.).2
'/
14/
Whether the capacity demands are monitored and proections of future capacity re$uirements are made to ensure that ade$uate processin" power and stora"e are availa!le. 9xample4 &onitorin" hard dis% space R+& and 'P: on critical servers.
'apacity &ana"ement
Whether system acceptance criteria are esta!lished for new information systems up"rades and new versions. Whether suita!le tests were carried out prior to acceptance. Protection against #alicious and #obile code System acceptance
Vinod Kumar
[email protected]
Page !
ISO 27001 Compliance Checklist
6.*.1
1;.*.1
6.*.2
'!
1;.*.2
14!
6.5.1
''
6.6.2
'ontrols a"ainst mo!ile code
Whether only authori#ed mo!ile code is used. Whether the confi"uration ensures that authori#ed mo!ile code operates accordin" to security policy. Whether execution of unauthori#ed mo!ile code is prevented. &o!ile code is software code that transfers from one computer to another computer and then executes automatically. It performs a specific function function with little or no user intervention. &o!ile code is associated with a num!er of middleware services.3
5acku-
1;.5.1
14'
6.6.1
'ontrols a"ainst malicious code
Whether detection prevention and recovery controls to protect a"ainst malicious code and appropriate user awareness procedures were developed and implemented
Information !ac%up
Whether !ac%0ups of information and software is ta%en and tested re"ularly in accordance with the a"reed !ac%up policy. Whether all essential information and software can !e recovered followin" a disaster or media failure.
6et7ork Security *anage#ent
1;.6.1
1;.6.2
/etwor% 'ontrols
Security of networ% services
Whether the networ% is ade$uately mana"ed and controlled to protect from threats and to maintain security for the systems and applications usin" the networ% includin" the information in transit. Whether controls were implemented to ensure the security of the information in networ%s and the protection of the connected services from threats such as unauthori#ed access. Whether security features service levels and mana"ement re$uirements of all networ% services are identified and included in any networ% services a"reement. Whether the a!ility of the networ% service provider to mana"e a"reed services in a secure way is determined
04/24/2018
ISO 27001 Compliance Checklist
6.*.1
1;.*.1
6.*.2
'!
1;.*.2
14!
6.5.1
''
14'
'
Whether only authori#ed mo!ile code is used. Whether the confi"uration ensures that authori#ed mo!ile code operates accordin" to security policy. Whether execution of unauthori#ed mo!ile code is prevented. &o!ile code is software code that transfers from one computer to another computer and then executes automatically. It performs a specific function function with little or no user intervention. &o!ile code is associated with a num!er of middleware services.3 Whether !ac%0ups of information and software is ta%en and tested re"ularly in accordance with the a"reed !ac%up policy. Whether all essential information and software can !e recovered followin" a disaster or media failure.
Information !ac%up
6et7ork Security *anage#ent
1;.6.1
6.6.2
'ontrols a"ainst mo!ile code
Whether detection prevention and recovery controls to protect a"ainst malicious code and appropriate user awareness procedures were developed and implemented
5acku-
1;.5.1
6.6.1
'ontrols a"ainst malicious code
1;.6.2
14
Whether the networ% is ade$uately mana"ed and controlled to protect from threats and to maintain security for the systems and applications usin" the networ% includin" the information in transit.
/etwor% 'ontrols
Whether controls were implemented to ensure the security of the information in networ%s and the protection of the connected services from threats such as unauthori#ed access.
Security of networ% services
Whether security features service levels and mana"ement re$uirements of all networ% services are identified and included in any networ% services a"reement. Whether the a!ility of the networ% service provider to mana"e a"reed services in a secure way is determined and re"ularly monitored and the ri"ht to audit is a"reed upon.
*edia handling
Vinod Kumar
[email protected]
Page 8
ISO 27001 Compliance Checklist
6.,.1
1;.,.1
&ana"ement of remova!le media
6.,.2
1;.,.2
isposal of &edia
6.,.)
1;.,.)
Information handlin" procedures
6.,.* '0
1;.,.* 140
6.-.1
6.-.2
Security of system documentation
Whether procedures exist for mana"ement of remova!le media such as tapes dis%s cassettes memory cards and reports. Whether all procedures and authori#ation levels are clearly defined and documented. Whether the media that are no lon"er re$uired are disposed of securely and safely as per formal procedures. Whether a procedure exists for handlin" information stora"e. oes this procedure address issues such as information protection from unauthori#ed disclosure or misuse Whether the system documentation is protected a"ainst unauthori#ed access.
()change of infor#ation
1;.-.1
1;.-.2
Information exchan"e policies and procedures
9xchan"e +"reements
Whether there is a formal exchan"e policy procedure and control in place to ensure the protection of information. oes the procedure and control cover usin" electronic communication facilities for information exchan"e. Whether a"reements are esta!lished concernin" exchan"e of information and software !etween the or"ani#ation and external parties. Whether the security content of the a"reement reflects the sensitivity of the !usiness information involved.
6.-.)
1;.-.)
Physical media in transit
6.-.*
1;.-.*
9lectronic messa"in"
Whether media containin" information is protected a"ainst unauthori#ed access misuse or corruption durin" transportation !eyond the or"ani#ations physical !oundary. Whether the information involved in electronic messa"in" is well protected. 9lectronic messa"in" includes !ut is not restricted to 9mail 9lectronic ata Interchan"e Instant &essa"in"3
04/24/2018
ISO 27001 Compliance Checklist
6.,.1
1;.,.1
&ana"ement of remova!le media
6.,.2
1;.,.2
isposal of &edia
6.,.)
1;.,.)
Information handlin" procedures
6.,.* '0
1;.,.* 140
6.-.1
Whether the media that are no lon"er re$uired are disposed of securely and safely as per formal procedures. Whether a procedure exists for handlin" information stora"e.
Security of system documentation
oes this procedure address issues such as information protection from unauthori#ed disclosure or misuse Whether the system documentation is protected a"ainst unauthori#ed access.
()change of infor#ation
1;.-.1
6.-.2
Whether procedures exist for mana"ement of remova!le media such as tapes dis%s cassettes memory cards and reports. Whether all procedures and authori#ation levels are clearly defined and documented.
1;.-.2
Information exchan"e policies and procedures
Whether there is a formal exchan"e policy procedure and control in place to ensure the protection of information. oes the procedure and control cover usin" electronic communication facilities for information exchan"e. Whether a"reements are esta!lished concernin" exchan"e of information and software !etween the or"ani#ation and external parties.
9xchan"e +"reements
Whether the security content of the a"reement reflects the sensitivity of the !usiness information involved. Whether media containin" information is protected a"ainst unauthori#ed access misuse or corruption durin" transportation !eyond the or"ani#ations physical !oundary.
6.-.)
1;.-.)
Physical media in transit
6.-.*
1;.-.*
9lectronic messa"in"
6.-.5
1;.-.5
=usiness Information systems
Whether the information involved in electronic messa"in" is well protected. 9lectronic messa"in" includes !ut is not restricted to 9mail 9lectronic ata Interchan"e Instant &essa"in"3
Vinod Kumar
[email protected]
Whether policies and procedures are developed and enforced to protect information associated with the interconnection of !usiness information systems.
Page "
6.9 / 10.9  Electronic commerce services

6.9.1 / 10.9.1  Electronic commerce
Whether the information involved in electronic commerce passing over public networks is protected from fraudulent activity, contract dispute and any unauthorized access or modification. Whether security controls such as the application of cryptographic controls are taken into consideration. Whether electronic commerce arrangements between trading partners include a documented agreement which commits both parties to the agreed terms of trading, including details of security issues.

6.9.2 / 10.9.2  On-line transactions
Whether information involved in on-line transactions is protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication or replay.

6.9.3 / 10.9.3  Publicly available information
Whether the integrity of publicly available information is protected against any unauthorized modification.

6.10 / 10.10  Monitoring

6.10.1 / 10.10.1  Audit logging
Whether audit logs recording user activities, exceptions and information security events are produced and kept for an agreed period to assist in future investigations and access control monitoring. Whether appropriate privacy protection measures are considered in audit log maintenance.

6.10.2 / 10.10.2  Monitoring system use
Whether procedures are developed and enforced for monitoring the use of information processing facilities. Whether the results of the monitoring activity are reviewed regularly. Whether the level of monitoring required for an individual information processing facility is determined by a risk assessment.

6.10.3 / 10.10.3  Protection of log information
Whether logging facilities and log information are well protected against tampering and unauthorized access.

6.10.4 / 10.10.4  Administrator and operator logs
Whether system administrator and system operator activities are logged.
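Controls 10.10.1 and 10.10.3 ask that audit logs be kept for later investigation and protected against tampering. The following is an added example, not part of the original checklist, of the mechanism an auditor would expect behind that "protected against tampering" tick: a hash-chained log in which each entry carries an HMAC over the previous entry's tag, its sequence number and its own record. Editing, deleting or re-ordering an entry breaks the chain, and dropping the tail is caught by comparing the head tag with a copy anchored off the host (for instance the last tag forwarded to the log collector). The key, the event records and the field names are constructed for this example.

```python
import copy
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed demo key. In a real deployment the key (or the signing
# capability) lives with the log collector or an HSM, not on the host that
# writes the log, so an intruder with root on that host cannot re-sign.
LOG_KEY = b"demo-audit-log-key-not-for-production"
GENESIS = "0" * 64


def _entry_tag(key: bytes, prev_tag: str, seq: int, record: dict) -> str:
    """HMAC-SHA256 over (previous tag, sequence number, canonical JSON record)."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    msg = prev_tag.encode() + b"|" + str(seq).encode() + b"|" + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(log: List[dict], record: dict, key: bytes = LOG_KEY) -> dict:
    """Append a record; each entry commits to the tag of its predecessor."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "prev": prev_tag, "record": record,
             "tag": _entry_tag(key, prev_tag, seq, record)}
    log.append(entry)
    return entry


def verify_chain(log: List[dict], key: bytes = LOG_KEY,
                 anchored_head: Optional[str] = None) -> Tuple[bool, str]:
    """Walk the chain and report the first modified, removed or reordered entry.

    anchored_head is the latest tag as recorded off-host; supplying it also
    detects truncation of the tail, which the chain alone cannot see.
    """
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev_tag:
            return False, f"chain break before entry {i}"
        expected = _entry_tag(key, prev_tag, i, entry["record"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, f"entry {i} modified"
        prev_tag = entry["tag"]
    if anchored_head is not None and not hmac.compare_digest(prev_tag, anchored_head):
        return False, "log truncated: head tag differs from anchored value"
    return True, "ok"


def demo() -> dict:
    """Build a small log from constructed events and show what verification catches."""
    events = [  # constructed sample events
        {"ts": "2018-04-24T09:00:01Z", "user": "alice", "action": "login", "result": "ok"},
        {"ts": "2018-04-24T09:02:10Z", "user": "root", "action": "sudo", "cmd": "useradd mallory"},
        {"ts": "2018-04-24T09:05:42Z", "user": "bob", "action": "login", "result": "fail"},
    ]
    log: List[dict] = []
    for ev in events:
        append_entry(log, ev)
    head = log[-1]["tag"]  # the value the collector would have recorded

    # 1. An administrator edits the record of their own sudo command.
    edited = copy.deepcopy(log)
    edited[1]["record"]["cmd"] = "ls"

    # 2. The incriminating entry is deleted and the sequence re-packed.
    deleted = copy.deepcopy(log)
    del deleted[1]
    deleted[1]["seq"] = 1

    # 3. The last entry is dropped; only the off-host anchor reveals this.
    truncated = copy.deepcopy(log[:-1])

    return {
        "intact": verify_chain(log, anchored_head=head),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated_with_anchor": verify_chain(truncated, anchored_head=head),
    }
```

The point to check during an audit is where the key lives: if the host that writes the log can also compute tags, an attacker with administrator rights there can rewrite history and re-sign it, so the chain only helps when the key or a periodic copy of the head tag is held elsewhere.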
(Continued from the previous page.)
Whether the logged activities are reviewed on a regular basis.

6.10.5 / 10.10.5  Fault logging
Whether faults are logged, analysed and appropriate action taken. Whether the level of logging required for an individual system is determined by a risk assessment, taking performance degradation into account.

6.10.6 / 10.10.6  Clock synchronisation
Whether the system clocks of all information processing systems within the organization or security domain are synchronised with an agreed accurate time source. (The correct setting of computer clocks is important to ensure the accuracy of audit logs.)

7 / 11  Access control

7.1 / 11.1  Business requirement for access control

7.1.1 / 11.1.1  Access control policy
Whether an access control policy is developed and reviewed based on the business and security requirements. Whether both logical and physical access control are taken into consideration in the policy. Whether users and service providers were given a clear statement of the business requirements to be met by access controls.

7.2 / 11.2  User access management

7.2.1 / 11.2.1  User registration
Whether there is a formal user registration and de-registration procedure for granting access to all information systems and services.

7.2.2 / 11.2.2  Privilege management
Whether the allocation and use of any privileges in the information system environment is restricted and controlled, i.e. privileges are allocated on a need-to-use basis and only after a formal authorization process.

7.2.3 / 11.2.3  User password management
Whether the allocation and reallocation of passwords is controlled through a formal management process. Whether users are asked to sign a statement to keep their password confidential.
7.2.4 / 11.2.4  Review of user access rights
Whether there exists a process to review user access rights at regular intervals. Example: special privileges reviewed every 3 months, normal privileges every 6 months.

7.3 / 11.3  User responsibilities

7.3.1 / 11.3.1  Password use
Whether there are security practices in place to guide users in selecting and maintaining secure passwords.

7.3.2 / 11.3.2  Unattended user equipment
Whether users and contractors are made aware of the security requirements and procedures for protecting unattended equipment. Example: log off when the session is finished or set up automatic log-off, terminate sessions when finished, etc.

7.3.3 / 11.3.3  Clear desk and clear screen policy
Whether the organisation has adopted a clear desk policy with regard to papers and removable storage media. Whether the organisation has adopted a clear screen policy with regard to information processing facilities.

7.4 / 11.4  Network access control

7.4.1 / 11.4.1  Policy on use of network services
Whether users are provided with access only to the services that they have been specifically authorized to use. Whether there exists a policy that addresses concerns relating to networks and network services.

7.4.2 / 11.4.2  User authentication for external connections
Whether an appropriate authentication mechanism is used to control access by remote users.

7.4.3 / 11.4.3  Equipment identification in networks
Whether automatic equipment identification is considered as a means to authenticate connections from specific locations and equipment.

7.4.4 / 11.4.4  Remote diagnostic and configuration port protection
Whether physical and logical access to diagnostic and configuration ports is securely controlled, i.e. protected by a security protection mechanism.

7.4.5 / 11.4.5  Segregation in networks
Whether groups of information services, users and information systems are segregated on networks. Whether the network where business partners and/or third parties need access to information systems is segregated using perimeter security mechanisms such as firewalls.
(7.4.5 / 11.4.5 Segregation in networks, continued.)
Whether consideration is given to segregating wireless networks from internal and private networks.

7.4.6 / 11.4.6  Network connection control
Whether there exists an access control policy which states network connection controls for shared networks, especially for those extending across organizational boundaries.

7.4.7 / 11.4.7  Network routing control
Whether the access control policy states that routing controls are to be implemented for networks. Whether the routing controls are based on positive source and destination address identification.

7.5 / 11.5  Operating system access control

7.5.1 / 11.5.1  Secure log-on procedures
Whether access to the operating system is controlled by a secure log-on procedure.

7.5.2 / 11.5.2  User identification and authentication
Whether a unique identifier (user ID) is provided to every user, such as operators, system administrators and all other staff including technical staff. Whether a suitable authentication technique is chosen to substantiate the claimed identity of the user. Whether generic user accounts are supplied only under exceptional circumstances where there is a clear business benefit. (Additional controls may be necessary to maintain accountability.)

7.5.3 / 11.5.3  Password management system
Whether there exists a password management system that enforces password controls such as: individual passwords for accountability, enforced password changes, passwords stored in protected (encrypted or hashed) form, passwords not displayed on screen, etc.

7.5.4 / 11.5.4  Use of system utilities
Whether utility programs that might be capable of overriding system and application controls are restricted and tightly controlled.

7.5.5 / 11.5.5  Session time-out
(A limited form of time-out can be provided for some systems which clears the screen and prevents unauthorized access, but does not close down the application or network sessions.)
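Control 11.5.3 lists the properties a password management system should enforce: individual passwords for accountability, forced changes, passwords stored in protected form and never displayed. As an added example, not from the original checklist, the following Python sketch implements those properties the way an auditor would expect to find them: per-user salted PBKDF2 verifiers (a one-way hash, which is what "protected form" means in practice, rather than reversible encryption), a constant-time comparison, a maximum password age, and a history check that blocks reuse. The iteration count, age limit, history depth, user names and passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List

# Policy parameters are assumptions for this example; tune the iteration
# count to the hardware so one verification costs tens of milliseconds.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
MAX_PASSWORD_AGE = 90 * 24 * 3600   # seconds
HISTORY_DEPTH = 5                   # previous verifiers a user may not reuse


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """One-way, salted, deliberately slow derivation of the stored verifier."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class PasswordStore:
    """Per-user verifiers: salted PBKDF2 hashes, never the passwords themselves."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._users: Dict[str, dict] = {}

    def _in_history(self, rec: dict, password: str) -> bool:
        for old in [rec["current"]] + rec["history"]:
            cand = _derive(password, old["salt"], old["iterations"])
            if hmac.compare_digest(cand, old["hash"]):
                return True
        return False

    def set_password(self, user: str, password: str) -> None:
        """Set or change a password; refuses recently used ones."""
        rec = self._users.get(user)
        if rec is not None and self._in_history(rec, password):
            raise ValueError("password was used recently")
        salt = os.urandom(SALT_BYTES)          # fresh salt per password
        digest = _derive(password, salt, PBKDF2_ITERATIONS)
        history: List[dict] = []
        if rec is not None:
            history = ([rec["current"]] + rec["history"])[:HISTORY_DEPTH]
        self._users[user] = {
            "current": {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": digest},
            "history": history,
            "changed_at": self._now(),
        }

    def verify(self, user: str, password: str) -> str:
        """Return 'ok', 'expired' (correct but must be changed) or 'denied'."""
        rec = self._users.get(user)
        if rec is None:
            # Spend the same effort for unknown users so timing does not
            # reveal which user IDs exist.
            _derive(password, b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
            return "denied"
        cur = rec["current"]
        cand = _derive(password, cur["salt"], cur["iterations"])
        if not hmac.compare_digest(cand, cur["hash"]):
            return "denied"
        if self._now() - rec["changed_at"] > MAX_PASSWORD_AGE:
            return "expired"
        return "ok"


def demo() -> dict:
    """Exercise the controls with a constructed fixed clock and sample credentials."""
    clock = {"t": 1_524_560_000.0}                      # constructed: 2018-04-24
    store = PasswordStore(now=lambda: clock["t"])
    store.set_password("alice", "correct horse battery staple")
    results = {
        "right": store.verify("alice", "correct horse battery staple"),
        "wrong": store.verify("alice", "Correct horse battery staple"),
        "unknown": store.verify("mallory", "anything"),
    }
    try:
        store.set_password("alice", "correct horse battery staple")
        results["reuse"] = "allowed"
    except ValueError:
        results["reuse"] = "blocked"
    clock["t"] += MAX_PASSWORD_AGE + 1                  # 90 days pass
    results["after_max_age"] = store.verify("alice", "correct horse battery staple")
    # What someone who copies the store sees: no plaintext anywhere.
    stored = store._users["alice"]["current"]["hash"]
    results["stored_is_plaintext"] = b"correct horse" in stored
    return results
```

When reviewing a real system against this control, ask for the stored form of one account (salt, algorithm, work factor) rather than accepting "encrypted" on a policy document; a reversible scheme or an unsalted fast hash does not meet the intent.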
7.5.6 / 11.5.6  Limitation of connection time
Whether there exists a restriction on connection time for high-risk applications. (This type of set-up should be considered for sensitive applications for which the terminals are installed in high-risk locations.)

7.6 / 11.6  Application and information access control

7.6.1 / 11.6.1  Information access restriction
Whether access to information and application system functions by users and support personnel is restricted in accordance with the defined access control policy.

7.6.2 / 11.6.2  Sensitive system isolation
Whether sensitive systems are provided with a dedicated (isolated) computing environment, such as running on a dedicated computer, sharing resources only with trusted application systems, etc.

7.7 / 11.7  Mobile computing and teleworking

7.7.1 / 11.7.1  Mobile computing and communications
Whether a formal policy is in place and appropriate security measures are adopted to protect against the risks of using mobile computing and communication facilities. (Some examples of mobile computing and communications facilities include notebooks, palmtops, laptops, smart cards and mobile phones.) Whether risks such as working in an unprotected environment are taken into account by the mobile computing policy.

7.7.2 / 11.7.2  Teleworking
Whether a policy, operational plans and procedures are developed and implemented for teleworking activities. Whether teleworking activity is authorized and controlled by management, and whether it ensures that suitable arrangements are in place for this way of working.

8 / 12  Information systems acquisition, development and maintenance

8.1 / 12.1  Security requirements of information systems
Whether security requirements for new information systems and enhancements to existing information systems specify the requirements for security controls.
8.1.1 / 12.1.1  Security requirements analysis and specification
Whether the security requirements and controls identified reflect the business value of the information assets involved and the consequences of a failure of security. Whether system requirements for information security and processes for implementing security are integrated in the early stages of information system projects.

8.2 / 12.2  Correct processing in applications

8.2.1 / 12.2.1  Input data validation
Whether data input to application systems is validated to ensure that it is correct and appropriate. Whether controls such as checks on the different types of input to detect errors, procedures for responding to validation errors, and defined responsibilities for all personnel involved in the data input process are considered.

8.2.2 / 12.2.2  Control of internal processing
Whether validation checks are incorporated into applications to detect any corruption of information through processing errors or deliberate acts. Whether the design and implementation of applications ensure that the risks of processing failures leading to a loss of integrity are minimised.

8.2.3 / 12.2.3  Message integrity
Whether requirements for ensuring and protecting message integrity in applications are identified, and appropriate controls identified and implemented. Whether a security risk assessment was carried out to determine if message integrity is required and to identify the most appropriate method of implementation.

8.2.4 / 12.2.4  Output data validation
Whether the data output of application systems is validated to ensure that the processing of stored information is correct and appropriate to the circumstances.

8.3 / 12.3  Cryptographic controls
Whether the organization has a policy on the use of cryptographic controls for the protection of information. Whether the policy is successfully implemented.
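Controls 10.9.2 (on-line transactions: mis-routing, unauthorized alteration, duplication or replay) and 12.2.3 (message integrity) describe the same requirement from two sides. The following is an added example, not code from the original checklist, of the minimal mechanism that meets it between two trading partners: a keyed MAC over the canonical message, the intended recipient carried inside the MACed payload so mis-routed messages are refused, and a per-sender sequence number the receiver requires to be strictly increasing so duplicates and replays are refused. The partner names, the shared secret and the order fields are constructed for this example.

```python
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed shared secret per trading partner. In practice it is provisioned
# out of band under the key-management procedures of control 12.3.2.
PARTNER_KEYS: Dict[str, bytes] = {"acme": b"demo-acme-shared-secret"}


def _canonical(payload: dict) -> bytes:
    """Stable byte encoding so sender and receiver MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(sender: str, recipient: str, seq: int, body: dict) -> dict:
    """Sender side: wrap the body with addressing and a sequence number, then MAC it."""
    payload = {"from": sender, "to": recipient, "seq": seq, "body": body}
    tag = hmac.new(PARTNER_KEYS[sender], _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Receiver:
    """Receiver side: verify the MAC, the addressing and the sequence, in that order."""

    def __init__(self, me: str):
        self.me = me
        self.last_seq: Dict[str, int] = {}   # highest accepted seq per sender
        self.accepted: List[dict] = []

    def accept(self, msg: dict) -> Tuple[bool, str]:
        p = msg.get("payload", {})
        key = PARTNER_KEYS.get(p.get("from"))
        if key is None:
            return False, "unknown sender"
        expected = hmac.new(key, _canonical(p), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return False, "integrity check failed"          # altered or truncated
        if p["to"] != self.me:
            return False, "mis-routed: not addressed to us"
        if p["seq"] <= self.last_seq.get(p["from"], 0):
            return False, "duplicate or replayed sequence number"
        self.last_seq[p["from"]] = p["seq"]
        self.accepted.append(p["body"])
        return True, "accepted"


def demo() -> dict:
    """Run one legitimate order and the three attacks the control names against it."""
    rx = Receiver("globex")
    order = sign_transaction("acme", "globex", 1,
                             {"order": 1001, "amount": "250.00", "currency": "EUR"})
    results = {"original": rx.accept(order)}

    # An intermediary raises the amount; it cannot recompute the tag.
    altered = copy.deepcopy(order)
    altered["payload"]["body"]["amount"] = "25000.00"
    results["altered"] = rx.accept(altered)

    # The unmodified message is delivered a second time.
    results["replayed"] = rx.accept(copy.deepcopy(order))

    # A genuine follow-up order with the next sequence number.
    results["next"] = rx.accept(sign_transaction(
        "acme", "globex", 2, {"order": 1002, "amount": "80.00", "currency": "EUR"}))

    # A correctly signed message that was meant for another partner.
    results["misrouted"] = rx.accept(sign_transaction(
        "acme", "initech", 3, {"order": 1003, "amount": "10.00", "currency": "EUR"}))
    return results
```

A strictly increasing sequence also rejects legitimate messages that arrive out of order; where the transport can reorder, the usual relaxation is a sliding window of recently seen sequence numbers per sender. The MAC gives integrity and origin only; confidentiality, which the same control also requires, needs encryption of the payload in addition.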
8.3.1 / 12.3.1  Policy on use of cryptographic controls
Whether the cryptographic policy considers the management approach towards the use of cryptographic controls, the risk assessment results used to identify the required level of protection, key management methods, and the standards to be adopted for effective implementation.

8.3.2 / 12.3.2  Key management
Whether key management is in place to support the organization's use of cryptographic techniques. Whether cryptographic keys are protected against modification, loss and destruction. Whether secret keys and private keys are protected against unauthorized disclosure. Whether equipment used to generate and store keys is physically protected. Whether the key management system is based on an agreed set of standards, procedures and secure methods.

8.4 / 12.4  Security of system files

8.4.1 / 12.4.1  Control of operational software
Whether there are procedures in place to control the installation of software on operational systems. (This is to minimise the risk of corruption of operational systems.)

8.4.2 / 12.4.2  Protection of system test data
Whether system test data is protected and controlled. Whether the use of personal information or any other sensitive information for testing operational databases is avoided.

8.4.3 / 12.4.3  Access control to program source code
Whether strict controls are in place to restrict access to program source libraries. (This is to avoid the potential for unauthorized or unintentional changes.)

8.5 / 12.5  Security in development and support processes

8.5.1 / 12.5.1  Change control procedures
Whether there is a strict control procedure in place over the implementation of changes to information systems. (This is to minimise the corruption of information systems.) Whether this procedure addresses the need for risk assessment and analysis of the impacts of changes.
8.5.2 / 12.5.2  Technical review of applications after operating system changes
Whether there is a process or procedure in place to review and test business-critical applications for adverse impact on organizational operations or security after changes to operating systems. (Periodically it is necessary to upgrade the operating system, i.e. to install service packs, patches, hot fixes, etc.)

8.5.3 / 12.5.3  Restrictions on changes to software packages
Whether modifications to software packages are discouraged and/or limited to necessary changes. Whether all changes are strictly controlled.

8.5.4 / 12.5.4  Information leakage
Whether controls are in place to prevent information leakage. Whether controls such as scanning of outbound media, regular monitoring of personnel and system activities where permitted under local legislation, and monitoring of resource usage are considered.

8.5.5 / 12.5.5  Outsourced software development
Whether outsourced software development is supervised and monitored by the organization. Whether points such as licensing arrangements, escrow arrangements, contractual requirements for quality assurance, and testing before installation to detect Trojan code are considered.

8.6 / 12.6  Technical vulnerability management

8.6.1 / 12.6.1  Control of technical vulnerabilities
Whether timely information about technical vulnerabilities of the information systems in use is obtained. Whether the organization's exposure to such vulnerabilities is evaluated and appropriate measures taken to mitigate the associated risk.

9 / 13  Information security incident management

9.1 / 13.1  Reporting information security events and weaknesses

9.1.1 / 13.1.1  Reporting information security events
Whether information security events are reported through appropriate management channels as quickly as possible. Whether a formal information security event reporting procedure, with incident response and escalation procedures, is developed and implemented.
9.1.2 / 13.1.2  Reporting security weaknesses
Whether there exists a procedure that ensures all employees using information systems and services are required to note and report any observed or suspected security weakness in those systems or services.

9.2 / 13.2  Management of information security incidents and improvements

9.2.1 / 13.2.1  Responsibilities and procedures
Whether management responsibilities and procedures were established to ensure a quick, effective and orderly response to information security incidents. Whether monitoring of systems, alerts and vulnerabilities is used to detect information security incidents. Whether the objectives of information security incident management are agreed with management.

9.2.2 / 13.2.2  Learning from information security incidents
Whether there is a mechanism in place to identify and quantify the type, volume and costs of information security incidents. Whether the information gained from the evaluation of past information security incidents is used to identify recurring or high-impact incidents.

9.2.3 / 13.2.3  Collection of evidence
Whether follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal). Whether evidence relating to the incident is collected, retained and presented so as to conform to the rules for evidence laid down in the relevant jurisdiction(s). Whether internal procedures are developed and followed when collecting and presenting evidence for the purpose of disciplinary action within the organization.

10 / 14  Business continuity management

10.1 / 14.1  Information security aspects of business continuity management
Whether there is a managed process in place that addresses the information security requirements for developing and maintaining business continuity throughout the organization.
ISO 27001 Compliance Checklist 1;.1.1
1*.1.1
1;.1.2
1*.1.2
1;.1.)
1*.1.)
1;.1.*
1*.1.*
Includin" informaiton security in the Whether this process understands the ris%s the !usiness continuity mana"ement process or"ani#ation is facin" identify !usiness critical assets identify incident impacts consider the implementation of additional preventative controls and documentin" the !usiness continuity plans addressin" the security re$uirements. =usiness co continuity an and ri ris% as assessement
Whether events that cause interruption to !usiness process is identified alon" with the pro!a!ility and impact of such interruptions and their conse$uence for information security.
Whether plans were developed to maintain and restore !usiness operations ensure availa!ility of information within the re$uired level in the re$uired time frame followin" an interruption or failure to !usiness evelopin" and implementin" continuity processes. plans includin" information security Whether the plan considers identification and a"reement of responsi!ilities identification of accepta!le loss implementation of recovery and restoration procedure documentation of procedure and re"ular testin". Whether there is a sin"le framewor% of =usiness continuity plan. Whether this framewor% is maintained to ensure that all =usiness continuity plannin" framewor% plans are consistent and identify priorities for testin" and maintenance. Whether !usiness continuity plan addresses the identified information security re$uirement. Whether =usiness continuity plans are tested re"ularly to ensure that they are up to date and effective.
1;.1.5
1*.1.5
(estin" maintainin" and re0assessin" !usiness continuity plans
Whether !usiness continuity plan tests ensure that all mem!ers of the recovery team and other relevant staff are aware of the plans and their responsi!ility for !usiness continuity and information security and %now their role when plan is evo%ed.
04/24/2018
ISO 27001 Compliance Checklist 1;.1.1
1*.1.1
1;.1.2
1*.1.2
1;.1.)
1*.1.)
1;.1.*
1*.1.*
Includin" informaiton security in the Whether this process understands the ris%s the !usiness continuity mana"ement process or"ani#ation is facin" identify !usiness critical assets identify incident impacts consider the implementation of additional preventative controls and documentin" the !usiness continuity plans addressin" the security re$uirements. Whether events that cause interruption to !usiness process is identified alon" with the pro!a!ility and =usiness co continuity an and ri ris% as assessement impact of such interruptions and their conse$uence for information security. Whether plans were developed to maintain and restore !usiness operations ensure availa!ility of information within the re$uired level in the re$uired time frame followin" an interruption or failure to !usiness evelopin" and implementin" continuity processes. plans includin" information security Whether the plan considers identification and a"reement of responsi!ilities identification of accepta!le loss implementation of recovery and restoration procedure documentation of procedure and re"ular testin". Whether there is a sin"le framewor% of =usiness continuity plan. Whether this framewor% is maintained to ensure that all =usiness continuity plannin" framewor% plans are consistent and identify priorities for testin" and maintenance. Whether !usiness continuity plan addresses the identified information security re$uirement. Whether =usiness continuity plans are tested re"ularly to ensure that they are up to date and effective.
1;.1.5
1*.1.5
(estin" maintainin" and re0assessin" !usiness continuity plans
Whether !usiness continuity plan tests ensure that all mem!ers of the recovery team and other relevant staff are aware of the plans and their responsi!ility for !usiness continuity and information security and %now their role when plan is evo%ed.
Compliance (11 / 15)

Objective 11.1 / 15.1  Compliance with legal requirements

11.1.1 / 15.1.1  Identification of applicable legislation
Whether all relevant statutory, regulatory and contractual requirements, and the organization's approach to meeting them, are explicitly defined and documented for each information system and for the organization as a whole.
Whether specific controls and individual responsibilities for meeting these requirements are defined and documented.

11.1.2 / 15.1.2  Intellectual property rights (IPR)
Whether there are procedures to ensure compliance with legislative, regulatory and contractual requirements on the use of material that may be subject to intellectual property rights, and on the use of proprietary software products.
Whether these procedures are actually implemented.
Whether controls such as the following are considered: publishing an intellectual property rights compliance policy, procedures for acquiring software, policy awareness, maintaining proof of ownership, and complying with software terms and conditions.

11.1.3 / 15.1.3  Protection of organizational records
Whether important records of the organization are protected from loss, destruction and falsification in accordance with statutory, regulatory, contractual and business requirements.
Whether consideration is given to the possibility of deterioration of the media used to store records.
Whether data storage systems were chosen so that required data can be retrieved in an acceptable time frame and format, according to the requirements to be fulfilled.

11.1.4 / 15.1.4  Data protection and privacy of personal information
Whether data protection and privacy are ensured in accordance with relevant legislation and regulations and, where applicable, with contractual clauses.

11.1.5 / 15.1.5  Prevention of misuse of information processing facilities
Whether use of information processing facilities for any non-business or unauthorized purpose without management approval is treated as improper use of the facility.
Whether a warning message is presented on the screen before log-on, and whether the user has to acknowledge the warning and respond appropriately to continue with the log-on process.
Whether legal advice is taken before implementing any monitoring procedures.

11.1.6 / 15.1.6  Regulation of cryptographic controls
Whether cryptographic controls are used in compliance with all relevant agreements, laws and regulations.

Objective 11.2 / 15.2  Compliance with security policies and standards, and technical compliance

11.2.1 / 15.2.1  Compliance with security policies and standards
Whether managers ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards.
Whether managers regularly review the information processing facilities within their area of responsibility for compliance with the appropriate security policies and procedures.

11.2.2 / 15.2.2  Technical compliance checking
Whether information systems are regularly checked for compliance with security implementation standards.
Whether technical compliance checks are carried out by, or under the supervision of, competent, authorized personnel.

Objective 11.3 / 15.3  Information systems audit considerations

11.3.1 / 15.3.1  Information systems audit controls
Whether audit requirements and activities involving checks on operational systems are carefully planned and agreed to minimize the risk of disruption to business processes.
Whether the audit requirements and scope are agreed with appropriate management.

11.3.2 / 15.3.2  Protection of information system audit tools
Whether access to information system audit tools, such as software or data files, is protected to prevent any possible misuse or compromise.
Whether information system audit tools are separated from development and operational systems unless given an appropriate level of additional protection.
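The log-on warning question under 15.1.5 and the technical compliance checking question under 15.2.2 state what the auditor asks; what follows is an added example, not part of this checklist or its author's material, of how the technical check itself can be automated for one system type. The Python script parses an OpenSSH server configuration, compares the effective global settings against an illustrative baseline (an assumption for this example, not an ISO 27001 requirement), and confirms that a non-empty warning banner is presented before log-on. The sshd_config text and banner contents are constructed inline so that the script runs offline.

```python
"""Technical compliance check of an OpenSSH server configuration.

Added example, not part of the original checklist. The baseline below is an
illustrative assumption, not a requirement of ISO 27001, and the sample
configuration and banner text are constructed inline so the script runs
offline.
"""
import re
from dataclasses import dataclass

# Constructed sample: a non-compliant sshd_config and an empty warning banner.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#Banner /etc/issue.net
X11Forwarding yes
Match User backup
    PasswordAuthentication no
"""
SAMPLE_BANNER = ""

# Constructed sample of a configuration that meets the baseline.
COMPLIANT_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
Banner /etc/issue.net
"""
COMPLIANT_BANNER = "Authorized use only. Activity may be monitored and reported.\n"

# OpenSSH defaults that apply when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
    "banner": "none",
}

# Hypothetical implementation baseline (assumption): allowed values per keyword,
# tagged with the checklist control the check supports.
BASELINE = {
    "permitrootlogin": ("15.2.2", {"no", "prohibit-password"}),
    "passwordauthentication": ("15.2.2", {"no"}),
    "x11forwarding": ("15.2.2", {"no"}),
}


@dataclass(frozen=True)
class Finding:
    control: str
    setting: str
    expected: str
    actual: str


def parse_sshd_config(text):
    """Return the effective global keyword -> value map (keywords lower-cased).

    sshd takes the first occurrence of each keyword, so later duplicates are
    ignored, and everything after the first Match line is conditional, so
    parsing stops there.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)
    return effective


def check_compliance(config_text, banner_text, baseline=BASELINE):
    """Compare the effective configuration against the baseline; return findings."""
    cfg = parse_sshd_config(config_text)
    findings = []
    for key, (control, allowed) in baseline.items():
        actual = cfg.get(key, DEFAULTS[key])
        if actual.lower() not in allowed:
            findings.append(Finding(control, key, " or ".join(sorted(allowed)), actual))
    # Control 15.1.5: a warning must be shown before log-on. For OpenSSH that
    # means Banner names a file and the file carries non-empty warning text.
    banner = cfg.get("banner", DEFAULTS["banner"])
    if banner.lower() == "none" or not banner_text.strip():
        shown = "none (no banner)" if banner.lower() == "none" else banner + " (empty)"
        findings.append(Finding("15.1.5", "banner", "file with non-empty warning text", shown))
    return findings


def report(findings):
    """Render findings as one line per deviation, the form an auditor would file."""
    if not findings:
        return "PASS: configuration meets the baseline"
    lines = [f"FAIL: {len(findings)} deviation(s)"]
    for f in findings:
        lines.append(f"  [{f.control}] {f.setting}: expected {f.expected}, found {f.actual}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_compliance(SAMPLE_SSHD_CONFIG, SAMPLE_BANNER)))
    print(report(check_compliance(COMPLIANT_SSHD_CONFIG, COMPLIANT_BANNER)))
```

The check applies sshd's own semantics rather than a plain text search: the first occurrence of a keyword wins, and anything after a Match line is conditional and so is not a global setting, which a reviewer who only searched for "PasswordAuthentication no" would miss. On a real host, read /etc/ssh/sshd_config and the file named by Banner, and keep the findings lines as evidence against 11.2.2 / 15.2.2.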
Summary: Status (%) per domain and objective
(Template values; every objective and domain shows 0% until the checklist sheet is filled in.)

Security Policy
  Information Security Policy: 0%

Organization of Information Security
  Internal Organization: 0%
  External Parties: 0%

Asset Management
  Responsibilities for assets: 0%
  Information Classification: 0%

Human resources security
  Prior to Employment: 0%
  During Employment: 0%
  Termination or change of employment: 0%

Physical and Environmental security
  Secure Areas: 0%
  Equipment Security: 0%

Communication and Operations Management
  Operational procedures and responsibilities: 0%
  Third party service delivery management: 0%
  System planning and acceptance: 0%
  Protection against malicious and mobile code: 0%
  Backup: 0%
  Network Security Management: 0%
  Media handling: 0%
  Exchange of information: 0%
  Electronic commerce services: 0%
  Monitoring: 0%

Access Control
  Business requirement for access control: 0%
  User Access Management: 0%
  User Responsibilities: 0%
  Network Access control: 0%
  Operating system access control: 0%
  Application and information access control: 0%
  Mobile computing and teleworking: 0%

Information system acquisition, development and maintenance
  Security requirements of information systems: 0%
  Correct processing in applications: 0%
  Cryptographic controls: 0%
  Security of system files: 0%
  Security in development and support processes: 0%
  Technical vulnerability management: 0%

Information security incident management
  Reporting information security events and weaknesses: 0%
  Management of information security incidents and improvements: 0%

Business Continuity Management
  Information security aspects of Business continuity management: 0%

Compliance
  Compliance with legal requirements: 0%
  Compliance with security policies and standards, and technical compliance: 0%
  Information system audit considerations: 0%
[Chart: "Compliance per Domain". Bar chart with y-axis "Status" from 0% to 100% in 10% steps and x-axis "Domain" listing Security Policy, Organization of Information Security, Asset Management, Human resources security, Physical and Environmental security, Communication and Operations Management, Access Control, Information system acquisition, development and maintenance, Information security incident management, Business Continuity Management, and Compliance.]
Compliance Checklist: notes on use
Conditional formatting has been provided on the "Compliance checklist" sheet under the "Status (%)" field, as mentioned below:
1 to 25
26 to 75
76 to 100
In the field "...
... control is not applicable to the organization
... objective as per your status in
... as per your status in the
... into your presentation to the management