Free ISO 27001 Gap Analysis Tool

Find out your level of compliance with ISO 27001

Save my progress and resume later | Resume a previously saved form

Resume Later

In order to be able to resume this form later, please enter your email and choose a password.

Your Email:

A Password:

Confirm Password:

* Please use a different unique password every time you are saving your progress and intend to resume later.

4.0 CONTEXT OF THE ORGANIZATION

4.1 UNDERSTANDING THE ORGANIZATION AND ITS CONTEXT

1. Did the organization determine the purpose(s) of the ISMS?

YesNo

You must determine the purpose of the ISMS (e.g.: assure compliance with legal obligations, improve operational resilience, improve product/service security, etc.).

2. Did the organization determine the internal and external issues that are relevant to the ISMS purpose?

YesNo

You need to define which are internal and external issues that influence the business purpose and are relevant to information security (e.g.: internal culture, available resources, market share, client profile, suppliers availability, etc.).

3. Did the organization determine how internal and external issues could influence the ISMS ability to achieve its intended outcomes?

YesNo

You need to define how internal and external issues can affect the ISMS ability to achieve its intended outcomes (e.g.: legal requirements change frequently, clients have to comply with specific standards, internal culture appreciates information sharing, etc.)

4.2 UNDERSTANDING THE NEEDS AND EXPECTATIONS OF INTERESTED PARTIES

4. Did the organization determine interested parties?

YesNo

The organization must define which interested parties are relevant to the information security management system (ISMS) (e.g.: critical clients and suppliers, employees, stakeholders, government agencies, etc.)

Click here to see an example Procedure for Identification of Requirements.

5. Does the list of all of interested parties’ requirements exist?

YesNo

Requirements are needs and expectations that can be evaluated in a qualitative or quantitative way, and they need to be documented for the interested parties you defined as relevant to the ISMS.

Click here to see an example List of Legal, Regulatory, Contractual and Other Requirements.

4.3 DETERMINING THE SCOPE OF THE INFORMATION SECURITY MANAGEMENT SYSTEM

6. Is the scope documented with clearly defined boundaries and applicability?

YesNo

You need to define the scope of the ISMS, considering internal and external issues, relevant interested parties' requirements, and interfaces and dependencies between activities realized by the organization and those realized by other organizations.

Click here to see an example ISMS Scope Document.

4.4 INFORMATION SECURITY MANAGEMENT SYSTEM

7. Have you established, documented, implemented, maintained, and continually improved an information security management system, including needed processes and interactions, per ISO 27001 requirements?

YesNo

You must establish, document, implement, maintain and continually improve an information security management system, including needed processes and interactions, per ISO 27001 requirements.

5.0 LEADERSHIP

5.1 LEADERSHIP AND COMMITMENT

8. Are the general ISMS objectives compatible with the strategic direction?

YesNo

To be more valuable, an ISMS must support the achievement of the business objectives, and to better assure this, its proposed objectives must be aligned with the strategic direction.

9. Does management ensure the necessary ISMS resources are available as needed?

YesNo

An ISMS without resources at the proper times cannot achieve its objectives, so management has to assure these resources are available when needed.

10. Does management ensure that ISMS achieves its intended outcomes?

YesNo

An ISMS that can't deliver the expected results is a failure, even if it operates as planned and uses fewer resources than expected. To avoid this, the management must assure that the ISMS has achieved the proposed outcomes.

5.2 POLICY

11. Does an Information Security Policy exist with included objectives or a framework for setting objectives?

YesNo

Top management must define the Information Security Policy within the scope of the ISMS. The policy needs to be appropriate to your activities, include a commitment to continual improvement, and provide objectives & targets or a framework for their establishment.

Click here to see an example Information Security Policy.

12. Is the Information Security Policy documented and communicated within the company and to other interested parties?

YesNo

The policy needs to be documented, be communicated to employees, and be available to other interested parties.

5.3 ORGANIZATIONAL ROLES, RESPONSIBILITIES AND AUTHORITIES

13. Are roles, responsibilities, and authorities for information security assigned and communicated?

YesNo

Responsibility and authority should be assigned by top management to organize information security activities, to ensure that the ISMS conforms to ISO 27001:2013, and that reporting on the performance of the ISMS to the top management exists.

6.0 PLANNING

6.1 ACTIONS TO ADDRESS RISKS AND OPPORTUNITIES

6.1.1 GENERAL

14. Are internal and external issues, as well as interested parties' requirements, considered while addressing risks and opportunities?

YesNo

The issues and requirements considered relevant to the interested parties need to be taken into account in the ISMS planning, to ensure its alignment with the business purposes and achievement of its intended goals.

6.1.2 INFORMATION SECURITY RISK ASSESSMENT

15. Is there a documented process to identify information security risks, including the risk acceptance criteria and criteria for risk assessment?

YesNo

There needs to be a process that establishes and maintains risk criteria as well as identifies, analyzes, and evaluates information security risks.

Click here to see an example Risk assessment methodology.

6.1.3 INFORMATION SECURITY RISK TREATMENT

16. Is the risk treatment process documented, including the risk treatment options and how to create a Statement of Applicability?

YesNo

There needs to be a process to treat information security risks by taking account of the risk assessment results and to create specific documents like Statement of Applicability.

Click here to see an example of Risk Treatment Methodology, Risk Treatment Plan, and Statement of Applicability.

6.2 INFORMATION SECURITY OBJECTIVES AND PLANNING TO ACHIEVE THEM

17. Are information security objectives and targets established at relevant functions of the organization, measured and monitored where practical, and consistent with the information security policy?

YesNo

To make clear for the most critical actors involved in protecting information what is expected from them, and how they will be evaluated, information security objectives and targets must be established at relevant functions of the organization, measured and monitored where practical, and consistent with the Information Security Policy.

18. Is there a plan, or group of plans, in place to achieve the information security objectives and targets including designated responsibility, evaluation method, and the means & timeframe for the plan(s)?

YesNo

Plan(s) need to be in place to assure the availability of resources to achieve the objectives and targets, including the designated responsibility, evaluation method, and the time frame for the plan(s).

Click here to see an example Risk Treatment Plan.

6.3 PLANNING OF CHANGES

19. Are changes in the ISMS done in a planned manner?

YesNo

Changes to the ISMS need to be performed consistently by assessing whether they are needed and whether the resources are available.

7.0 SUPPORT

7.1 RESOURCES

20. Are adequate resources provided for all the elements of the ISMS?

YesNo

Resources (e.g.: equipments, facilities, money, etc.) must be made available for the ISMS establishment, implementation, ongoing operation, and improvement.

7.2 COMPETENCE

21. Is appropriate competence assessed, and training provided where needed, for personnel doing tasks that can affect the information security? Are records of competences maintained?

YesNo

Appropriate competence needs to be assessed, and training provided where needed, for personnel doing tasks that can affect the information security. Records of competence must be maintained.

Click here to see an example Training and Awareness Plan.

7.3 AWARENESS

22. Is the personnel aware of the Information Security Policy, of their role, and consequences of not complying with the rules?

YesNo

Awareness of the Information Security Policy, procedures, risks, roles, responsibilities, authorities, and consequences of departing from specified procedures must be promoted.

Click here to see an example Training and Awareness Plan.

7.4 COMMUNICATION

23. Are there identified needs for communication related to information security, including the responsibilities and what to communicate, to whom and when?

YesNo

Needs for communication internally and externally to the company need to be determined. If the decision is to communicate information security issues outside of the company, this must be included.

7.5 DOCUMENTED INFORMATION (7.5.1 GENERAL; 7.5.2 CREATING AND UPDATING; 7.5.3 CONTROL OF DOCUMENTED INFORMATION)

24. Does the documentation of the ISMS include the Information Security Policy, objectives & targets, the scope of the ISMS, the main elements and their interaction, documents and records of ISO 27001 and those identified by the company?

YesNo

Documentation of the ISMS must include the Information Security Policy, objectives & targets, the scope of the ISMS, the main elements and their interaction, documents and records of ISO 27001 and those identified by the company.

25. Is it ensured that managing of documents and records exists, including who reviews and approves documents, and where and how they are published, stored, and protected?

YesNo

A procedure for control of documents should exist that specifies approval, review and update, change identification, relevant version availability, document legibility, control of external documents, and prevention of obsolete document use.

Click here to see an example Procedure for Document and Record Control.

26. Is documented information of external origin controlled?

YesNo

External documented information handled by the organization must be controlled and protected in the same way as the internal.

8.0 OPERATION

8.1 OPERATIONAL PLANNING AND CONTROL

27. Does the organization have established criteria for processes, and has it implemented controls over them according to these criteria?

YesNo

Criteria for processes need to be established, and controls implemented over processes need to take these criteria into account.

28. Does the organization have the necessary documented information to be confident that its processes are being carried out as planned?

YesNo

Documented information must be kept to the extent necessary to have confidence that the processes have been carried out as planned (e.g., procedures for operational control, operating criteria, etc.).

Click here to see an example Security Procedures for IT Department.

29. Are planned changes controlled? Are consequences of unplanned changes reviewed to identify mitigation actions if necessary?

YesNo

To minimize risks to information security, changes must be controlled.

30. Are outsourced processes identified and controlled?

YesNo

Outsourced processes must handle information security the same way as the organization itself.

8.2 INFORMATION SECURITY RISK ASSESSMENT

31. Are the risks, their owners, likelihood, consequences, and the level of risk identified? Are these results documented?

YesNo

The security assessment must be performed and evidences must be recorded.

Click here to see an example of Risk Assessment Table, and Risk Treatment Table.

8.3 INFORMATION RISK TREATMENT

32. Does a risk treatment plan exist, approved by risk owners?

YesNo

Plan(s) need to be in place to achieve the objectives and targets and these need to include designated responsibility, evaluation method, and the means & time frame for the plan(s).

Click here to see an example Risk Treatment Plan.

33. Is there a documented list with all controls deemed as necessary, with proper justification and implementation status?

YesNo

Actions need to be established to treat the risks deemed unacceptable. These actions need to be implemented, reviewed, and revised and periodically tested where practicable.

Click here to see an example Risk Treatment Table, and Statement of Applicability.

9.0 PERFORMANCE EVALUATION

9.1 MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION

34. Is it defined what needs to be measured, by which method, who is responsible, who will analyze and evaluate the results?

YesNo

A process must exist to regularly monitor and measure key characteristics that can have impact over information security, including information for operational controls.

35. Are the results of measurement documented, analyzed, and evaluated by responsible persons?

YesNo

Results of measurements must be documented, analyzed, and evaluated by the responsible persons.

9.2 INTERNAL AUDIT

36. Does an audit program exist that defines the timing, responsibilities, reporting, audit criteria, and scope?

YesNo

Audit procedures must address audit responsibilities, reporting, recording criteria, scope frequency, and methods. The procedures need to include criteria for selection of auditors to maintain impartiality and objectivity.

Click here to see an example Annual Internal Audit Program and Internal Audit Procedure.

37. Are internal audits performed according to an audit program, results reported through an internal audit report, and relevant corrective actions raised?

YesNo

Audit procedures must be in place to evaluate the ISMS against the planned arrangements (including proper implementation and maintenance) at planned intervals and results must be reported to management.

Click here to see an example Internal Audit Report.

9.3 MANAGEMENT REVIEW

38. Is management review regularly performed, and are the results documented in minutes of the meeting?

YesNo

Top management must review the ISMS at planned intervals to ensure suitability, adequacy, and effectiveness and assess opportunities for improvements. Records must be kept of the review.

Click here to see an example Management Review Minutes.

39. Did management decide on all the crucial issues important for the success of the ISMS?

YesNo

The outputs of management review must include decisions and actions related to possible changes of the Information Security Policy, objectives, targets, and other ISMS elements in order to continually improve the ISMS.

Click here to see an example of Management Review Minutes.

10.0 IMPROVEMENT

10.1 CONTINUAL IMPROVEMENT

40. Is the ISMS continuously adjusted to maintain its suitability, adequacy, and effectiveness?

YesNo

Risks and business requirements change over time, so your ISMS should be adjusted to reflect these new conditions to maintain or increase its value to the organization.

10.2 NONCONFORMITY AND CORRECTIVE ACTION

41. Does the organization react to every nonconformity?

YesNo

A procedure(s) to deal with actual nonconformities, including taking corrective action, must be in place.

Click here to see an example Procedure for Corrective Action.

42. Does the organization consider eliminating the cause of the nonconformity and, where appropriate, take corrective action?

YesNo

The procedure must include identification, investigating and determining causes and actions to prevent recurrence. These actions need to be appropriate to the magnitude of the nonconformity.

Click here to see an example Procedure for Corrective Action.

43. Are all nonconformities recorded, together with corrective actions?

YesNo

Records must be kept, and the effectiveness evaluated for corrective actions. Necessary changes in ISMS documentation must be made.

Click here to see an example Corrective Action Form.

REQUIREMENTS READINESS:

ANNEX A. (Note: only the controls marked as applicable in the Statement of Applicability must be implemented.)

A.5 ORGANIZATIONAL CONTROLS

44. Are there published policies, approved by management, reviewed, and updated to support information security?

YesNo

Management needs to define Information Security Policies within the scope of the ISMS. The policies need to be appropriate to support information security and the business requirements, and must be reviewed at planned intervals to ensure suitability, adequacy, and effectiveness.

Click here to see an example Bring Your Own Device (BYOD) Policy, Mobile Device and Teleworking Policy, IT Security Policy, Information Classification Policy, Access Control Policy, Password Policy, Clear Desk and Clear Screen Policy, Disposal and Destruction Policy, Change Management Policy, Backup Policy, Information Transfer Policy, Secure Development Policy, and Supplier Security Policy.

45. Are all information security responsibilities defined?

YesNo

Responsibility needs to be assigned to organize information security activities, to ensure that the ISMS implementation and operation activities are performed.

46. Are duties and responsibilities properly segregated considering situations of conflict of interest?

YesNo

Splitting critical activities into two or more steps, or between two or more people, can minimize the probability of an incident to occur.

47. Is management actively requiring all employees and contractors to comply with information security rules?

YesNo

Management needs to publish an information security policy, define responsibilities, authorities and roles, and promote information security awareness to employees and contractors.

48. Are contacts with relevant authorities defined?

YesNo

Contacts with authorities, and who needs to contact them, need to be clearly defined.

49. Are contacts with special interest groups or professional associations defined?

YesNo

Contacts with special interest groups or professional associations, and respective responsibilities, need to be clearly defined.

50. Is information related to information security threats collected and analyzed to produce threat intelligence?

YesNo

Information about attacks, methods and technologies used, and/or information about attack trends needs to be gathered in order to take appropriate mitigation actions.

Click here to see an example of an Incident Management Procedure

51. Do projects consider information security aspects?

YesNo

Information security rules need to be defined to include proper controls to protect information.

For new and existing information systems to be upgraded, security requirements should form part of the requirements assessment.

Click here to see an example of Specification of Information System Requirements

52. Does an Inventory of Assets exist, and does every asset in the inventory have a designated owner?

YesNo

An inventory of assets need to help you to identify and organize the information assets and information process resources.

To ensure the proper handling and protection of an asset, an owner needs to be designated for it.

Click here to see an example of an Inventory of Assets, and IT Security Policy.

53. Are rules and procedures for handling of information and other associated assets defined?

YesNo

To ensure the proper handling and protection of an asset, according to the classified information it handles, a set of rules and procedures need to be defined.

Click here to see an example IT Security Policy, and Information Classification Policy.

54. Are company assets returned by employees and contractors when their employment is terminated?

YesNo

To ensure the proper handling and protection of an asset, a set of rules need to be defined.

Click here to see an example IT Security Policy.

55. Are criteria to classify information defined?

YesNo

The existence of defined classification criteria ensures that all information need to receive a level of protection according to its value to the organization.

Click here to see an example Information Classification Policy.

56. Are there procedures which define how to label and handle classified information?

YesNo

The existence of labeling and handling procedures ensures that all classified information need to receive treatment according to its classification level.

Click here to see an example Information Classification Policy.

57. Is the information transfer properly protected?

YesNo

Formal policies and procedures, enforced by agreements and asset configurations, need to be in place to enforce the protection of information transfer.

Click here to see an example Information Transfer Policy, and Bring Your Own Device (BYOD) Policy.

58. Is there an Access Control Policy, and do users have access only to the resources they are allowed to use?

YesNo

Management needs to define an Access Control Policy within the scope of the ISMS. The policy needs to be appropriate to support information security and the business requirements, to ensure users have access only to those networks and services they are specifically authorized for.

Click here to see an example Access Control Policy.

59. Are access rights provided via a formal registration process?

YesNo

A formal process need to be in place for the creation / exclusion of user accounts and attribution of user access rights.

Click here to see an example Access Control Policy, and Password Policy.

60. Are there rules for passwords and other secret authentication information to be provided in a secure way, as well as for password management systems, and users, on how to manage and protect them?

YesNo

All information related to user authentication need to be protected (e.g.: passwords, passphrases, etc.), and provided in a way that only the user needs to know the authentication information (e.g.: passwords, passphrases, etc.).

Password management systems adopted by the organization need to be interactive, and ensure the creation of secure passwords.

Click here to see an example Access Control Policy, and Password Policy.

61. Is there a formal access management process to handle, review, and update access to information systems and users' access rights?

YesNo

A formal process need to be in place to grant / revoke user access for all types of users to all systems and services, when there is a change in his/her situation, and to periodically verify user access to privileged rights.

Click here to see an example Access Control Policy.

62. Is there a policy on how to treat the risks related to suppliers and partners?

YesNo

A policy on how to treat the risks related to suppliers and partners need to be documented to help guide suppliers and partners relationships.

Click here to see an example Supplier Security Policy.

63. Are relevant security requirements included in the agreements with the suppliers and partners?

YesNo

All the relevant security requirements need to be included in the agreements with the suppliers and partners to ensure they are committed to the same level of security defined for the organization.

Click here to see an example Supplier Security Policy, Confidentiality Statement, and Security Clauses for Suppliers and Partners.

64. Do the agreements with providers and suppliers include security requirements?

YesNo

Agreements with providers and other suppliers need to include security requirements for ensuring the reliable delivery of services.

Click here to see an example Supplier Security Policy, and Security Clauses for Suppliers and Partners.

65. Are suppliers regularly monitored, and are changes involving arrangements and contracts with suppliers and partners taking into account risks and existing processes?

YesNo

Suppliers need to be regularly monitored, and audited if appropriate, for compliance with the security requirements.

Any changes in the provisioning of the services made by a supplier need to be managed and include re-assessment of risks.

Click here to see an example Supplier Security Policy.

66. Are cloud services acquired, used, managed, and canceled according to information security requirements?

YesNo

Processes related to provided cloud services need to be established according to defined information security requirements.

Click here to see an example of a Supplier Security Policy.

67. Are incidents managed properly?

YesNo

Procedures and responsibilities for managing incidents need to be in place to ensure proper and prompt response.

Click here to see an example Incident Management Procedure.

68. Are security events assessed and classified properly?

YesNo

Security events need to be assessed and classified properly to better allocate the available resources and to ensure prompt response.

Click here to see an example Incident Management Procedure.

69. Are procedures on how to respond to incidents documented?

YesNo

Procedures on how to respond to incidents need to be documented to ensure a standardized response to security events.

Click here to see an example Incident Management Procedure.

70. Are security incidents analyzed properly?

YesNo

Security incidents need to be analyzed in order to gain knowledge on how to prevent their recurrence.

Click here to see an example Incident Management Procedure, and Incident Log.

71. Do procedures exist which define how to collect evidence?

YesNo

Procedures on how to collect evidence need to be in place to ensure they will be acceptable in the event that they are required during a legal process.

Click here to see an example Incident Management Procedure.

72. Are requirements for continuity of information security defined, implemented, exercised, and tested?

YesNo

Requirements for continuity of information security need to be defined to ensure they are supporting the business even during a disruption event.

Procedures to ensure the continuity of information security during a crisis or a disaster need to be available to help speed up recovery of normal business operations and to support information protection during the restart of operations.

Exercising and testing need to be performed in order to ensure effective response in a real event.

Click here to see an example of a Disaster Recovery Plan.

73. Is ICT readiness managed according to business continuity objectives and ICT requirements?

YesNo

ICT resources need to be planned, implemented, maintained, and tested considering business continuity objectives and ICT requirments.

Click here to see an example of a Disaster Recovery Plan.

74. Are legislative, regulatory, contractual, and other security requirements listed?

YesNo

All legislative, regulatory, contractual, and other security requirements need to be listed and documented to ensure a base for defining controls and compliance activities.

Click here to see an example of a List of legal, regulatory, contractual and other requirements.

75. Do procedures exist to protect intellectual property rights?

YesNo

Procedures need to be available to ensure the enforcement of intellectual property rights, in particular, the use of licensed software.

Click here to see an example IT Security Policy.

76. Are records protected properly?

YesNo

All the records need to be protected according to identified regulatory, contractual, and other requirements.

77. Is personally identifiable information protected properly?

YesNo

Personally identifiable information needs to be protected as required in laws and regulations.

78. Is information security regularly reviewed by an independent auditor?

YesNo

Information security needs to be regularly reviewed by an independent auditor to ensure the management system's suitability, adequacy, and effectiveness, and to assess opportunities for improvements.

Click here to see an example Internal Audit Procedure.

79. Do the managers regularly review if the security policies and procedures are performed properly in their areas of responsibility, and that information systems are in compliance with the information security policies and standards?

YesNo

Managers need to regularly review if the security policies and procedures are performed properly in their areas of responsibility to ensure the controls' suitability, adequacy, and effectiveness, and to assess opportunities for improvements.

Information systems need to be regularly reviewed to check their compliance with the information security policies and standards to ensure their suitability, adequacy, and effectiveness, and to assess opportunities for improvements.

80. Are operating procedures for IT processes documented?

YesNo

Available documentation needs to help to ensure the proper operation and security of information processing resources.

Click here to see an example Security Procedures for IT Department.

A.6 PEOPLES CONTROLS

81. Does the organization perform background checks on candidates for employment or for contractors?

YesNo

Background checks need to be done, according to your country's laws and business requirements, to avoid exposure of information to unnecessary risk.

82. Are there agreements with employees and contractors that specify information security responsibilities?

YesNo

Before gaining access to information, employees and contractors need to be made aware of their information security responsibilities and agree to fulfill them.

Click here to see an example Confidentiality Statement, and Statement of Acceptance of ISMS Documents.

83. Do employees and contractors attend trainings to better perform their security duties, and do the awareness programs exist?

YesNo

Employees and contractors need to be trained on the competencies required to fulfill their security duties and be aware of security issues relevant to the organization.

84. Does the organization have a formal disciplinary process?

YesNo

A disciplinary process needs to be in place to ensure a systematic application of penalties against employees and contractors who have committed a security breach and to avoid allegations of unfair treatment.

85. Are there agreements covering information security responsibilities that remain valid after the termination of employment?

YesNo

The organization needs to define information security obligations to be fulfilled after the termination of employment, and make employees and contractors aware of these responsibilities.

86. Does the organization list all the confidentiality clauses that need to be included in agreements with third parties?

YesNo

The organization needs to ensure that all relevant confidentiality clauses to be included in agreements with third parties should be identified, reviewed, and documented.

Click here to see an example Confidentiality Statement.

87. Are there rules defining how the organization's information is protected considering teleworking sites?

YesNo

Management needs to define policies for teleworking within the scope of the ISMS. The policies need to be appropriate to support information security and the business requirements.

Click here to see an example Bring Your Own Device (BYOD) Policy, Mobile Device and Teleworking Policy, and IT Security Policy.

88. Are information security events and weaknesses reported in properly by employees and contractors?

YesNo

Information security events and weaknesses need to be reported in a timely manner to minimize risks and damage to information, systems, and the business.

Click here to see an example of an Incident Management Procedure.

A.7 PHYSICAL CONTROLS

89. Do secure areas that protect sensitive information exist?

YesNo

Physical areas need to offer an additional security layer to help protect sensitive information.

90. Are the entrances to secure areas protected?

YesNo

The entrance to secure areas need to be protected with controls that allow only the authorized persons to enter.

Delivery and loading areas need to be controlled in such a way that unauthorized persons cannot enter the company premises.

91. Are secure areas located in a protected way?

YesNo

Secure areas need to be located in such a way that they are not visible to outsiders, and not easily reached from the outside.

92. Are premises monitored for unauthorized access?

YesNo

The organization's secure areas need to be continuously monitored.

Click here to see an example of Procedures for Working in Secure Areas.

93. Are the alarms, fire protection, and other systems installed?

YesNo

Physical protections need to be in place to minimize risk related to external and environmental threats.

94. Are working procedures for secure areas defined?

YesNo

Specific working procedures proportional to the sensitivity of the secure areas need to be in place to minimize incidents related to inappropriate actions.

Click here to see an example Procedures for Working in Secure Areas.

95. Is there orientation for users about what to do when they are not present at their workstations?

YesNo

A policy needs to require users to remove papers and media, and lock their screens, when not present at their workstations.

Click here to see an example IT Security Policy, and Clear Desk and Clear Screen Policy.

96. Is the equipment properly protected?

YesNo

Equipment needs to be sited in such a way to protect it from unauthorized access, and from environmental threats.

97. Are the organization assets properly protected when they are not at the organization premises?

YesNo

Assets outside the organization's premises are exposed to more risks, and may require the application of stronger controls.

Click here to see an example IT Security Policy, and Mobile Device, Teleworking and Work From Home Policy.

98. Are there procedures that define how to handle, protect, transport, and dispose of storage media, inside and outside the organization premises, in line with the classification rules and information sensitivity?

YesNo

The existence of storage media handling procedures ensures that all storage media need to receive treatment according to the classified information they handle.

Click here to see examples of the Information Classification Policy, Disposal and Destruction Policy, Security Procedures for IT Department, and IT Security Policy.

99. Does the equipment have protection against energy variations?

YesNo

Protections such as uninterrupted power supply (UPS) need to be considered to prevent energy levels higher or lower beyond the manufacturer's specifications from damaging equipment.

100. Are the power and telecommunication cables adequately protected?

YesNo

Power and telecommunication cables can be a entrance point to an attack against information and system's resources and need to be protected.

101. Is the equipment maintained regularly?

YesNo

To ensure systems' reliability, equipment needs to undergo maintenance procedures according to manufacturers’ specifications and good practices.

102. Is information properly removed from media or equipment that will be disposed of?

YesNo

All the information and licensed software need to be removed from media or equipment containing media when these media are disposed of.

Click here to see an example of the Disposal and Destruction Policy, and Security Procedures for IT Department.

A.8 TECHNOLOGICAL CONTROLS

103. Are rules for the secure handling of mobile devices, and for protecting equipment when not in the physical possession of its users, defined?

YesNo

Management needs to define policies for mobile device handling within the scope of the ISMS. The policies need to be appropriate to support information security and the business requirements.

No equipment needs to be left unsupervised, but if there is no alternative, recommendations need to be provided to guide users' behavior.

Click here to see an example Bring Your Own Device (BYOD) Policy, Mobile Device and Teleworking Policy, IT Security Policy, and Clear Desk and Clear Screen Policy

104. Are privileged access rights managed with special care?

YesNo

A formal process to grant / revoke user access with privileged rights needs to be in place.

Click here to see an example Access Control Policy.

105. Is the access to information in systems restricted according to the access control policy?

YesNo

Access to databases and applications functions need to be restricted according to the Access Control Policy.

Click here to see an example Access Control Policy.

106. Is the access to source code restricted to authorized persons?

YesNo

Source codes can have a huge impact to business systems if they are compromised, so they need to be handled with care and access to them should be restricted.

107. Is secure log-on required on systems according to the Access Control Policy?

YesNo

Systems developed or acquired by the organization need to consider log-on systems as one of their security requirements according to the Access Control Policy.

Click here to see an example of an Access Control Policy.

108. Are resources monitored and plans made to ensure their capacity to fulfill users' demands?

YesNo

Someone needs to monitor the use of resources and project the required capacity to ensure the maintenance of the accorded performance.

109. Are anti-virus software, and other software for malware protection installed and properly used?

YesNo

Anti-virus software, and other software for malware protection, need to be in place, and properly configured and updated.

Click here to see an example IT Security Policy.

110. Is information about vulnerabilities properly managed, and are information systems regularly reviewed to check their compliance with the information security policies and standards?

YesNo

Someone needs to be in charge of collecting information about vulnerabilities, to speed up proper resolution of those identified as relevant to the organization.

111. Are configurations of relevant IT assets properly handled?

YesNo

Configuration of hardware, software, services, and networks needs to be established, documented, implemented, monitored, and reviewed.

Click here to see an example of Secure Procedures for IT Department.

112. Is data that is no longer required properly disposed of?

YesNo

Information in systems, devices, and storage media need to be deleted when no longer required.

Click here to see examples of the IT Security Policy and Disposal and Destruction Policy.

113. Is data masking applied according to applicable requirements?

YesNo

Data masking needs to consider access policies and business and legal requirements.

Click here to see examples of the Information Classification Policy, Access Control Policy, and Secure Development Policy.

114. Do systems, networks, and devices include data leakage prevention measures?

YesNo

Assets related to processing, storage or transmission of sensitive information need to have data leakage prevention measures implemented.

Click here to see examples of the Information Classification Policy, IT Security Policy, and Security Procedures for IT Department.

115. Is a backup policy defined and performed properly?

YesNo

A backup policy needs to be in place and it needs to be performed according to this policy.

Click here to see an example of Backup Policy.

116. Does IT infrastructure have redundancy (e.g.: secondary location) included in its planning and operation?

YesNo

IT infrastructure needs to have redundancy to help fulfill the expectations during disaster events.

Click here to see an example of a Disaster Recovery Plan.

117. Are relevant events from IT systems logged periodically, and are logs protected properly?

YesNo

User logs, administrators' logs, faults, and other relevant events from IT systems need to be logged and protected against unauthorized access and modification.

Click here to see an example of Security Procedures for IT Department.

118. Are systems, networks, and applications monitored, and proper actions taken when anomalous behaviors are found?

YesNo

Someone needs to monitor for anomalous behavior, so that proper actions are taken to prevent the compromise of systems, networks, and applications.

Click here to see an example of Security Procedures for IT Department.

119. Are clocks on all IT systems synchronized?

YesNo

IT systems' clocks need to be synchronized with a single source of correct time to ensure precise event logging.

120. Is the use of utility tools controlled and limited to specific employees?

YesNo

Some utility tools can override the security controls of applications and systems and need to be strictly controlled, including limiting their access to a narrow circle of employees.

121. Is installation of software strictly controlled?

YesNo

There need to be defined rules and procedures to ensure that software installations are made in a proper and controlled way.

Click here to see an example IT Security Policy.

122. Are the networks controlled to protect information in systems and applications?

YesNo

Networks need to be controlled to avoid information and systems compromise.

Click here to see an example Security Procedures for IT Department.

123. Are security requirements for network services defined, and included in agreements?

YesNo

In-house and external network services need to have clear rules to protect information and systems, and these rules shall be defined and included in agreements.

Click here to see an example Security Procedures for IT Department.

124. Are the networks segregated considering risks and assets classification?

YesNo

Users, services, and systems need to be segregated in different networks to minimize risks of information compromise.

125. Is access to external websites controlled?

YesNo

Access to external websites needs to be controlled to decrease the risk of information compromise due to external malicious content.

Click here to see an example IT Security Policy, and Security Procedures for IT Department.

126. Does a policy to regulate encryption and other cryptographic controls exist?

YesNo

Management needs to define a Cryptographic Control Policy within the scope of the ISMS. The policy need to be appropriate to support information security and the business requirements.

Click here to see an example Policy on the Use of Encryption.

127. Are rules for the secure development of software and systems defined?

YesNo

Software and systems need to incorporate security since early stages of development, oriented by rules that consider the risks those software and systems will be exposed to.

Click here to see an example Secure Development Policy.

128. Is application information, including transaction information, transferred through public networks appropriately protected?

YesNo

Public networks need to be considered insecure and proper controls need to be in place to protect application information, and transaction information, that is transferred through them.

Click here to see an example Secure Development Policy.

129. Are principles for engineering secure systems applied to the organization system's development process?

YesNo

Systems need to incorporate security since early stages of development, driven by principles for engineering security in their components and functions.

Click here to see an example Secure Development Policy.

130. Is software code developed according to defined principles?

YesNo

Software code needs to be developed according to defined secure coding principles.

Click here to see an example of a Secure Development Policy.

131. Is the implementation of security requirements tested during system development, and are the criteria for accepting the systems defined?

YesNo

Proper testing of security requirements implementation is critical and needs to be performed to ensure a system can achieve business and security objectives.

Criteria for accepting systems need to be defined to ensure a way to verify if all security and business needs were fulfilled.

Click here to see an example Secure Development Policy.

132. Is the outsourced development of systems monitored?

YesNo

Outsourced development of systems needs to be monitored to ensure that business security requirements are properly fulfilled.

Click here to see an example Secure Development Policy, Supplier Security Policy, and Security Clauses for Suppliers and Partners.

133. Are development, testing, and production environments separated and properly secured?

YesNo

Separate environments need to be implemented to minimize risks related to unauthorized access or modification of information or resources, or the environments themselves.

Click here to see an example Secure Development Policy.

134. Are changes that could affect the information security of new or existing systems properly controlled and tested?

YesNo

All the changes to IT systems, new or existing, and to other processes that could affect information security, need to be properly controlled, so only critical and relevant changes need to be allowed to be made, with change control and testing procedures in place to minimize information security risks during changes.

Click here to see an example Security Procedures for IT Department, Secure Development Policy, and Change Management Policy.

135. Are test data carefully selected and protected?

YesNo

Test data need to be selected in a way to not allow inference of sensitive business data, while still being useful to validate a system.

Click here to see an example Secure Development Policy.

136. Are audits of production systems planned and executed properly?

YesNo

Audits of production systems need to be planned and executed in a way to not increase the risk of disruption of those systems.

Number of controls complied with:

NOTE: Please open all the elements that you want to be e-mailed to you.

Enter your e-mail address

[The results will be sent to entered e-mail address]

Save my progress and resume later | Resume a previously saved form

Contact Information

For more information on what personal data we collect, why we need it, what we do with it, how long we keep it, and what your rights are, see this Privacy Notice.

Dejan Kosutic
Lead ISO 27001/ISO 22301 Expert

Have questions about any step?

Talk with our consultants for free

SCHEDULE FREE CONSULTATION

English

Deutsch
Español

Products

Conformio

Toolkits

Training
Resources

Articles

Webinars

Courses

White Papers

Tools

Checklists

Live Consultations

Consultant Directory

Community
Standards & Regulations

ISO 27001

ISO 9001

ISO 13485

ISO 14001

ISO 45001

ISO 17025

ISO in General

ISO 20000

EU MDR

EU GDPR

IATF 16949

AS9100

ISO 22301
Advisera

About Us

For Partners

Careers

Contact Sales

Terms of Use
Help

Help Center

Contact Support

Partnerships

Conformio

ISO 27001 Documentation Toolkits

ISO 27001 Training

By Type

By Standard

Other

Dejan Kosutic

Free ISO 27001 Gap Analysis Tool

Find out your level of compliance with ISO 27001

Have questions about any step?

Products

Resources

Standards & Regulations

Advisera

Help