Free ISO 27001 Gap Analysis Tool

Find out your level of compliance with ISO 27001

Save my progress and resume later | Resume a previously saved form

Resume Later

In order to be able to resume this form later, please enter your email and choose a password.

Your Email:

A Password:

Confirm Password:

* Please use a different unique password every time you are saving your progress and intend to resume later.

4.0 CONTEXT OF THE ORGANIZATION

4.1 UNDERSTANDING THE ORGANIZATION AND ITS CONTEXT

1. Did the organization determine the purpose(s) of the ISMS?

YesNo

You must determine the purpose of the ISMS (e.g.: assure compliance with legal obligations, improve operational resilience, improve product/service security, etc.).

2. Did the organization determine the internal and external issues that are relevant to the ISMS purpose?

YesNo

You need to define which are internal and external issues that influence the business purpose and are relevant to information security (e.g.: internal culture, available resources, market share, client profile, suppliers availability, etc.).

3. Did the organization determine how internal and external issues could influence the ISMS ability to achieve its intended outcomes?

YesNo

You need to define how internal and external issues can affect the ISMS ability to achieve its intended outcomes (e.g.: legal requirements change frequently, clients have to comply with specific standards, internal culture appreciates information sharing, etc.)

4.2 UNDERSTANDING THE NEEDS AND EXPECTATIONS OF INTERESTED PARTIES

4. Did the organization determine interested parties?

YesNo

The organization must define which interested parties are relevant to the information security management system (ISMS) (e.g.: critical clients and suppliers, employees, stakeholders, government agencies, etc.)

Click here to see an example Procedure for Identification of Requirements.

5. Does the list of all of interested parties’ requirements exist?

YesNo

Requirements are needs and expectations that can be evaluated in a qualitative or quantitative way, and they need to be documented for the interested parties you defined as relevant to the ISMS.

Click here to see an example List of Legal, Regulatory, Contractual and Other Requirements.

4.3 DETERMINING THE SCOPE OF THE INFORMATION SECURITY MANAGEMENT SYSTEM

6. Is the scope documented with clearly defined boundaries and applicability?

YesNo

You need to define the scope of the ISMS, considering internal and external issues, relevant interested parties' requirements, and interfaces and dependencies between activities realized by the organization and those realized by other organizations.

Click here to see an example ISMS Scope Document.

4.4 INFORMATION SECURITY MANAGEMENT SYSTEM

7. Have you established, documented, implemented, maintained, and continually improved an information security management system per ISO 27001 requirements?

YesNo

You must establish, document, implement, maintain and continually improve an information security management system per ISO 27001 requirements.

5.0 LEADERSHIP

5.1 LEADERSHIP AND COMMITMENT

8. Are the general ISMS objectives compatible with the strategic direction?

YesNo

To be more valuable, an ISMS must support the achievement of the business objectives, and to better assure this, its proposed objectives must be aligned with the strategic direction.

9. Does management ensure the necessary ISMS resources are available as needed?

YesNo

An ISMS without resources at the proper times cannot achieve its objectives, so management has to assure these resources are available when needed.

10. Does management ensure that ISMS achieves its intended outcomes?

YesNo

An ISMS that can't deliver the expected results is a failure, even if it operates as planned and uses fewer resources than expected. To avoid this, the management must assure that the ISMS has achieved the proposed outcomes.

5.2 POLICY

11. Does an Information Security Policy exist with included objectives or a framework for setting objectives?

YesNo

Top management must define the Information Security Policy within the scope of the ISMS. The policy needs to be appropriate to your activities, include a commitment to continual improvement, and provide objectives & targets or a framework for their establishment.

Click here to see an example Information Security Policy.

12. Is the Information Security Policy documented and communicated within the company and to other interested parties?

YesNo

The policy needs to be documented, be communicated to employees, and be available to other interested parties.

5.3 ORGANIZATIONAL ROLES, RESPONSIBILITIES AND AUTHORITIES

13. Are roles, responsibilities, and authorities for information security assigned and communicated?

YesNo

Responsibility and authority should be assigned by top management to organize information security activities, to ensure that the ISMS conforms to ISO 27001:2013, and that reporting on the performance of the ISMS to the top management exists.

6.0 PLANNING

6.1 ACTIONS TO ADDRESS RISKS AND OPPORTUNITIES

6.1.1 GENERAL

14. Are internal and external issues, as well as interested parties' requirements, considered while addressing risks and opportunities?

YesNo

The issues and requirements considered relevant to the interested parties need to be taken into account in the ISMS planning, to ensure its alignment with the business purposes and achievement of its intended goals.

6.1.2 INFORMATION SECURITY RISK ASSESSMENT

15. Is there a documented process to identify information security risks, including the risk acceptance criteria and criteria for risk assessment?

YesNo

There shall be a process that establishes and maintains risk criteria as well as identifies, analyzes, and evaluates information security risks.

Click here to see an example Risk assessment methodology.

6.1.3 INFORMATION SECURITY RISK TREATMENT

16. Is the risk treatment process documented, including the risk treatment options and how to create a Statement of Applicability?

YesNo

There needs to be a process to treat information security risks by taking account of the risk assessment results and to create specific documents like Statement of Applicability.

Click here to see an example of Risk Treatment Methodology, Risk Treatment Plan, and Statement of Applicability.

6.2 INFORMATION SECURITY OBJECTIVES AND PLANNING TO ACHIEVE THEM

17. Are information security objectives and targets established at relevant functions of the organization, measured where practical, and consistent with the information security policy?

YesNo

To make clear for the most critical actors involved in protecting information what is expected from them, and how they will be evaluated, information security objectives and targets must be established at relevant functions of the organization, measured where practical, and consistent with the Information Security Policy.

18. Is there a plan, or group of plans, in place to achieve the information security objectives and targets including designated responsibility, evaluation method, and the means & timeframe for the plan(s)?

YesNo

Plan(s) need to be in place to assure the availability of resources to achieve the objectives and targets, including the designated responsibility, evaluation method, and the time frame for the plan(s).

Click here to see an example Risk Treatment Plan.

7.0 SUPPORT

7.1 RESOURCES

19. Are adequate resources provided for all the elements of the ISMS?

YesNo

Resources (e.g.: equipments, facilities, money, etc.) must be made available for the ISMS establishment, implementation, ongoing operation, and improvement.

7.2 COMPETENCE

20. Is appropriate competence assessed, and training provided where needed, for personnel doing tasks that can affect the information security? Are records of competences maintained?

YesNo

Appropriate competence needs to be assessed, and training provided where needed, for personnel doing tasks that can affect the information security. Records of competence must be maintained.

Click here to see an example Training and Awareness Plan.

7.3 AWARENESS

21. Is the personnel aware of the Information Security Policy, of their role, and consequences of not complying with the rules?

YesNo

Awareness of the Information Security Policy, procedures, risks, roles, responsibilities, authorities, and consequences of departing from specified procedures must be promoted.

Click here to see an example Training and Awareness Plan.

7.4 COMMUNICATION

22. Is there a process for communication related to information security, including the responsibilities and what to communicate, to whom and when?

YesNo

A process must be in place to communicate internally and externally to the company. If the decision is to communicate information security issues outside of the company, this must be included.

7.5 DOCUMENTED INFORMATION (7.5.1 GENERAL; 7.5.2 CREATING AND UPDATING; 7.5.3 CONTROL OF DOCUMENTED INFORMATION)

23. Does the documentation of the ISMS include the Information Security Policy, objectives & targets, the scope of the ISMS, the main elements and their interaction, documents and records of ISO 27001 and those identified by the company?

YesNo

Documentation of the ISMS must include the Information Security Policy, objectives & targets, the scope of the ISMS, the main elements and their interaction, documents and records of ISO 27001 and those identified by the company.

24. Is it ensured that managing of documents and records exists, including who reviews and approves documents, and where and how they are published, stored, and protected?

YesNo

A procedure for control of documents should exist that specifies approval, review and update, change identification, relevant version availability, document legibility, control of external documents, and prevention of obsolete document use.

Click here to see an example Procedure for Document and Record Control.

25. Is documented information of external origin controlled?

YesNo

External documented information handled by the organization must be controlled and protected in the same way as the internal.

8.0 OPERATION

8.1 OPERATIONAL PLANNING AND CONTROL

26. Does the organization have the necessary documented information to be confident that its processes are being carried out as planned?

YesNo

Documented information must be kept to the extent necessary to have confidence that the processes have been carried out as planned (e.g., procedures for operational control, operating criteria, etc.).

Click here to see an example Operating Procedures for Information and Communication Technology.

27. Are planned changes controlled? Are consequences of unplanned changes reviewed to identify mitigation actions if necessary?

YesNo

To minimize risks to information security, changes must be controlled.

28. Are outsourced processes identified and controlled?

YesNo

Outsourced processes must handle information security the same way as the organization itself.

8.2 INFORMATION SECURITY RISK ASSESSMENT

29. Are the risks, their owners, likelihood, consequences, and the level of risk identified? Are these results documented?

YesNo

The security assessment must be performed and evidences must be recorded.

Click here to see an example of Risk Assessment Table, and Risk Treatment Table.

8.3 INFORMATION RISK TREATMENT

30. Does a risk treatment plan exist, approved by risk owners?

YesNo

Plan(s) need to be in place to achieve the objectives and targets and these need to include designated responsibility, evaluation method, and the means & time frame for the plan(s).

Click here to see an example Risk Treatment Plan.

31. Is there a documented list with all controls deemed as necessary, with proper justification and implementation status?

YesNo

Actions need to be established to treat the risks deemed unacceptable. These actions need to be implemented, reviewed, and revised and periodically tested where practicable.

Click here to see an example Risk Treatment Table, and Statement of Applicability.

9.0 PERFORMANCE EVALUATION

9.1 MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION

32. Is it defined what needs to be measured, by which method, who is responsible, who will analyze and evaluate the results?

YesNo

A process must exist to regularly monitor and measure key characteristics that can have impact over information security, including information for operational controls.

33. Are the results of measurement documented, analyzed, and evaluated by responsible persons?

YesNo

Results of measurements must be documented, analyzed, and evaluated by the responsible persons.

9.2 INTERNAL AUDIT

34. Does an audit program exist that defines the timing, responsibilities, reporting, audit criteria, and scope?

YesNo

Audit procedures must address audit responsibilities, reporting, recording criteria, scope frequency, and methods. The procedures need to include criteria for selection of auditors to maintain impartiality and objectivity.

Click here to see an example Audit Program and Internal Audit Procedure.

35. Are internal audits performed according to an audit program, results reported through an internal audit report, and relevant corrective actions raised?

YesNo

Audit procedures must be in place to evaluate the ISMS against the planned arrangements (including proper implementation and maintenance) at planned intervals and results must be reported to management.

Click here to see an example Internal Audit Report.

9.3 MANAGEMENT REVIEW

36. Is management review regularly performed, and are the results documented in minutes of the meeting?

YesNo

Top management must review the ISMS at planned intervals to ensure suitability, adequacy, and effectiveness and assess opportunities for improvements. Records must be kept of the review.

Click here to see an example Management Review Minutes.

37. Did management decide on all the crucial issues important for the success of the ISMS?

YesNo

The outputs of management review must include decisions and actions related to possible changes of the Information Security Policy, objectives, targets, and other ISMS elements in order to continually improve the ISMS.

Click here to see an example of Management Review Minutes.

10.0 IMPROVEMENT

10.1 NONCONFORMITY AND CORRECTIVE ACTION

38. Does the organization react to every nonconformity?

YesNo

A procedure(s) to deal with actual nonconformities, including taking corrective action, must be in place.

Click here to see an example Procedure for Corrective Action.

39. Does the organization consider eliminating the cause of the nonconformity and, where appropriate, take corrective action?

YesNo

The procedure must include identification, investigating and determining causes and actions to prevent recurrence. These actions need to be appropriate to the magnitude of the nonconformity.

Click here to see an example Procedure for Corrective Action.

40. Are all nonconformities recorded, together with corrective actions?

YesNo

Records must be kept, and the effectiveness evaluated for corrective actions. Necessary changes in ISMS documentation must be made.

Click here to see an example Corrective Action Form.

10.2 CONTINUAL IMPROVEMENT

41. Is the ISMS continuously adjusted to maintain its suitability, adequacy, and effectiveness?

YesNo

Risks and business requirements change over time, so your ISMS should be adjusted to reflect these new conditions to maintain or increase its value to the organization.

REQUIREMENTS READINESS:

ANNEX A. (Note: only the controls marked as applicable in the Statement of Applicability must be implemented.)

A.5 INFORMATION SECURITY POLICIES

42. Are there published policies, approved by management, to support information security ?

YesNo

Management shall define Information Security Policies within the scope of the ISMS. The policies need to be appropriate to support information security and the business requirements.

Click here to see an example Bring Your Own Device (BYOD) Policy, Mobile Device and Teleworking Policy, Acceptable Use Policy, Information Classification Policy, Access Control Policy, Password Policy, Clear Desk and Clear Screen Policy, Disposal and Destruction Policy, Change Management Policy, Backup Policy, Information Transfer Policy, Secure Development Policy, and Supplier Security Policy.

43. Are information security policies reviewed and updated?

YesNo

Information security policies must be reviewed at planned intervals to ensure suitability, adequacy, and effectiveness.

A.6 ORGANIZATION OF INFORMATION SECURITY

44. Are all information security responsibilities defined?

YesNo

Responsibility shall be assigned to organize information security activities, to ensure that the ISMS implementation and operation activities are performed.

45. Are duties and responsibilities properly segregated considering situations of conflict of interest?

YesNo

Splitting critical activities into two or more steps, or between two or more people, can minimize the probability of an incident to occur.

46. Are contacts with relevant authorities defined?

YesNo

Contacts with authorities, and who shall contact them, shall be clearly defined.

47. Are contacts with special interest groups or professional associations defined?

YesNo

Contacts with special interest groups or professional associations, and respective responsibilities, shall be clearly defined.

48. Do projects consider information security aspects?

YesNo

Information security rules shall be defined to include proper controls to protect information.

49. Are rules for secure handling of mobile devices defined?

YesNo

Management shall define policies for mobile device handling within the scope of the ISMS. The policies need to be appropriate to support information security and the business requirements.

Click here to see an example Bring Your Own Device (BYOD) Policy, Mobile Device and Teleworking Policy, and Acceptable Use Policy.

50. Are there rules defining how the organization's information is protected considering teleworking sites?

YesNo

Management shall define policies for teleworking within the scope of the ISMS. The policies need to be appropriate to support information security and the business requirements.

Click here to see an example Bring Your Own Device (BYOD) Policy, Mobile Device and Teleworking Policy, and Acceptable Use Policy.

A.7 HUMAN RESOURCES SECURITY

51. Does the organization perform background checks on candidates for employment or for contractors?

YesNo

Background checks shall be done, according to your country's laws and business requirements, to avoid exposure of information to unnecessary risk.

52. Are there agreements with employees and contractors that specify information security responsibilities?

YesNo

Before gaining access to information, employees and contractors shall be made aware of their information security responsibilities and agree to fulfill them.

Click here to see an example Confidentiality Statement, and Statement of Acceptance of ISMS Documents.

53. Is management actively requiring all employees and contractors to comply with information security rules?

YesNo

Management shall publish an information security policy, define responsibilities, authorities and roles, and promote information security awareness to employees and contractors.

54. Do employees and contractors attend trainings to better perform their security duties, and do the awareness programs exist?

YesNo

Employees and contractors shall be trained on the competencies required to fulfill their security duties and be aware of security issues relevant to the organization.

55. Does the organization have a formal disciplinary process?

YesNo

A disciplinary process shall be in place to ensure a systematic application of penalties against employees and contractors who have committed a security breach and to avoid allegations of unfair treatment.

56. Are there agreements covering information security responsibilities that remain valid after the termination of employment?

YesNo

The organization shall define information security obligations to be fulfilled after the termination of employment, and make employees and contractors aware of these responsibilities.

A.8 ASSET MANAGEMENT

57. Does an inventory of assets exist?

YesNo

An inventory of assets shall help you to identify and organize the information assets and information process resources.

Click here to see an example Inventory of assets.

58. Does every asset in the inventory of assets have a designated owner?

YesNo

To ensure the proper handling and protection of an asset, an owner shall be designated to it.

Click here to see an example Inventory of assets, and Acceptable Use Policy.

59. Are rules for handling of information and assets defined?

YesNo

To ensure the proper handling and protection of an asset, a set of rules shall be defined.

Click here to see an example Acceptable Use Policy.

60. Are company assets returned by employees and contractors when their employment is terminated?

YesNo

To ensure the proper handling and protection of an asset, a set of rules shall be defined.

Click here to see an example Acceptable Use Policy.

61. Are criteria to classify information defined?

YesNo

The existence of defined classification criteria ensures that all information shall receive a level of protection according to its value to the organization.

Click here to see an example Information Classification Policy.

62. Are there procedures which define how to label and handle classified information?

YesNo

The existence of labeling and handling procedures ensures that all classified information shall receive treatment according to its classification level.

Click here to see an example Information Classification Policy.

63. Are there procedures which define how to handle assets?

YesNo

The existence of assets handling procedures ensures that all assets shall receive treatment according to the classified information they handle.

Click here to see an example Information Classification Policy.

64. Are there procedures which define how to handle removable media in line with the classification rules?

YesNo

The existence of removable media handling procedures ensures that all removable media shall receive treatment according to the classified information they handle.

Click here to see an example Information Classification Policy.

65. Are there formal procedures for disposing of the media?

YesNo

There shall be formal procedures to ensure that media no longer needed cannot be reused and that information contained in it be destroyed or made inaccessible.

Click here to see an example Disposal and Destruction Policy, and Operating Procedures for Information and Communication Technology.

66. Is the media that contains sensitive information protected during transportation?

YesNo

The existence of removable media handling procedures ensures that all removable media shall receive treatment according to the classified information they handle.

Click here to see an example Information Classification Policy.

A.9 ACCESS CONTROL

67. Is there an access control policy?

YesNo

Management shall define an Access Control Policy within the scope of the ISMS. The policy needs to be appropriate to support information security and the business requirements.

Click here to see an example Access Control Policy.

68. Do the users have access only to the resources they are allowed to?

YesNo

User shall have access only to those networks and services they are specifically authorized for.

Click here to see an example Access Control Policy.

69. Are access rights provided via a formal registration process?

YesNo

A formal process shall be in place for the creation / exclusion of user accounts and attribution of user access rights.

Click here to see an example Access Control Policy, and Password Policy.

70. Is there a formal access control system when logging into information systems?

YesNo

A formal process shall be in place to grant / revoke user access for all types of users to all systems and services.

Click here to see an example Access Control Policy, and Password Policy.

71. Are privileged access rights managed with special care?

YesNo

A formal process to grant / revoke user access with privileged rights shall be in place.

Click here to see an example Access Control Policy.

72. Are passwords and other secret authentication information provided in a secure way?

YesNo

All information related to user authentication shall be provided in a way that only the user shall know the authentication information (e.g.: passwords, passphrases, etc.).

Click here to see an example Access Control Policy, and Password Policy.

73. Do asset owners periodically check all the privileged access rights?

YesNo

A formal process to periodically verify user access to privileged rights shall be in place.

Click here to see an example Access Control Policy.

74. Are access rights updated when there is a change in the user situation (e.g.: organizational change or termination)?

YesNo

A formal process shall be in place to change / revoke user access for all types of users to all systems and services when there is a change in his/her situation.

Click here to see an example Access Control Policy.

75. Are there rules for users on how to protect passwords and other authentication information?

YesNo

All information related to user authentication shall be protected (e.g.: passwords, passphrases, etc.).

Click here to see an example Access Control Policy, Acceptable Use Policy, Information Classification Policy, and Password Policy.

76. Is the access to information in systems restricted according to the access control policy?

YesNo

Access to databases and applications functions shall be restricted according to the Access Control Policy.

Click here to see an example Access Control Policy.

77. Is secure log-on required on systems according to the Access Control Policy?

YesNo

Systems developed or acquired by the organization shall consider log-on systems as one of their security requirements according to the Access Control Policy.

78. Do the password management systems used by the organization help users to securely manage their authentication information?

YesNo

Password management systems adopted by the organization shall be interactive, and ensure the creation of secure passwords.

Click here to see an example Access Control Policy, and Password Policy.

79. Is the use of utility tools controlled and limited to specific employees?

YesNo

Some utility tools can override the security controls of applications and systems and shall be strictly controlled, including limiting their access to a narrow circle of employees.

80. Is the access to source code restricted to authorized persons?

YesNo

Source codes can have a huge impact to business systems if they are compromised, so they shall be handled with care and access to them should be restricted.

A.10 CRYPTOGRAPHY

81. Do a policy to regulate encryption and other cryptographic controls exist?

YesNo

Management shall define a Cryptographic Control Policy within the scope of the ISMS. The policy need to be appropriate to support information security and the business requirements.

Click here to see an example Policy on the Use of Cryptographic Controls.

82. Are the cryptographic keys properly protected?

YesNo

Cryptographic controls are as strong as their keys are kept secure, so the handling of cryptographic keys shall be managed properly.

Click here to see an example Policy on the Use of Cryptographic Controls.

A.11 PHYSICAL AND ENVIRONMENTAL SECURITY

83. Do secure areas that protect sensitive information exist?

YesNo

Physical areas shall offer an additional security layer to help protect sensitive information.

84. Is the entrance to secure areas protected?

YesNo

The entrance to secure areas shall be protected with controls that allow only the authorized persons to enter.

85. Are secure areas located in a protected way?

YesNo

Secure areas shall be located in such a way that they are not visible to outsiders, and not easily reached from the outside.

86. Are the alarms, fire protection, and other systems installed?

YesNo

Physical protections shall be in place to minimize risk related to external and environmental threats.

87. Are working procedures for secure areas defined?

YesNo

Specific working procedures proportional to the sensitivity of the secure areas shall be in place to minimize incidents related to inappropriate actions.

Click here to see an example Procedures for working in secure areas.

88. Are delivery and loading areas protected?

YesNo

Delivery and loading areas shall be controlled in such a way that unauthorized persons cannot enter the company premises.

89. Is the equipment properly protected?

YesNo

Equipment shall be sited in such a way to protect it from unauthorized access, and from environmental threats.

90. Does the equipment have protection against energy variations?

YesNo

Protections such as uninterrupted power supply (UPS) shall be considered to prevent energy levels higher or lower beyond the manufacturer's specifications from damaging equipment.

91. Are the power and telecommunication cables adequately protected?

YesNo

Power and telecommunication cables can be a entrance point to an attack against information and system's resources and shall be protected.

92. Is the equipment maintained regularly?

YesNo

To ensure systems' reliability, equipment shall undergo maintenance procedures according to manufacturers’ specifications and good practices.

93. Is information and equipment removal to outside of the organization premises controlled?

YesNo

Authorization for information and other assets to be removed to outside of the organization premises shall be given each time it is needed.

Click here to see an example Acceptable Use Policy.

94. Are the organization assets properly protected when they are not at the organization premises?

YesNo

Assets outside the organization's premises are exposed to more risks, and may require the application of stronger controls.

Click here to see an example Acceptable Use Policy, and Mobile Device and Teleworking Policy.

95. Is information properly removed from media or equipment that will be disposed of?

YesNo

All the information and licensed software shall be removed from media or equipment containing media when these media are disposed of.

Click here to see an example Disposal and Destruction Policy, and Operating Procedures for Information and Communication Technology.

96. Are there rules to protect equipment when not in physical possession of its users?

YesNo

No equipment shall be left unsupervised, but if there is no alternative, recommendations shall be provided to guide users' behavior.

Click here to see an example Acceptable Use Policy, and Clear Desk and Clear Screen Policy.

97. Is there orientation for users about what to do when they are not present at their workstations?

YesNo

A policy shall require users to remove papers and media, and lock their screens, when not present at their workstations.

Click here to see an example Acceptable Use Policy, and Clear Desk and Clear Screen Policy.

A.12 OPERATIONAL SECURITY

98. Are operating procedures for IT processes documented?

YesNo

Available documentation shall help to ensure the proper operation and security of information processing resources.

Click here to see an example Operating Procedures for Information and Communication Technology.

99. Are changes that could affect information security strictly controlled?

YesNo

All the changes to IT systems, and to other processes that could affect information security shall be strictly controlled.

Click here to see an example Operating Procedures for Information and Communication Technology, and Change Management Policy.

100. Are resources monitored and plans made to ensure their capacity to fulfill users' demands?

YesNo

Someone shall monitor the use of resources and project the required capacity to ensure the maintenance of the accorded performance.

101. Are development, testing, and production environments separated?

YesNo

Separate environments shall be implemented to minimize risks related to unauthorized access or modification of information or resources.

102. Are anti-virus software, and other software for malware protection installed and properly used?

YesNo

Anti-virus software, and other software for malware protection, shall be in place, and properly configured and updated.

Click here to see an example Acceptable Use Policy.

103. Is a backup policy defined and performed properly?

YesNo

A backup policy shall be in place and it shall be performed according to this policy.

Click here to see an example Acceptable Use Policy, Operating Procedures for Information and Communication Technology, and Backup Policy.

104. Are relevant events from IT systems logged, and verified periodically?

YesNo

User logs, faults, and other relevant events from IT systems shall be logged, and someone shall check them periodically.

Click here to see an example Operating Procedures for Information and Communication Technology.

105. Are logs protected properly?

YesNo

Logs shall be protected against unauthorized access and modification.

106. Are administrator logs protected properly?

YesNo

Administrator logs shall be protected against unauthorized access and modification and shall be regularly checked.

Click here to see an example Operating Procedures for Information and Communication Technology.

107. Are clocks on all IT systems synchronized?

YesNo

IT systems' clocks shall be synchronized with a single source of correct time to ensure precise event logging.

108. Is installation of software strictly controlled?

YesNo

There shall be defined rules and procedures to ensure that software installations are made in a proper and controlled way.

Click here to see an example Acceptable Use Policy.

109. Are vulnerabilities' information and correction properly managed?

YesNo

Someone shall be in charge of collecting information about vulnerabilities, to speed up proper resolution of those identified as relevant to the organization.

110. Are there rules to define restrictions of software installation by users?

YesNo

There shall be defined rules and procedures to ensure that software installation made by users is done in a proper and controlled way.

Click here to see an example Acceptable Use Policy.

111. Are audits of production systems planned and executed properly?

YesNo

Audits of production systems shall be planned and executed in a way to not increase the risk of disruption of those systems.

A.13 COMMUNICATIONS SECURITY

112. Are the networks controlled to protect information in systems and applications?

YesNo

Networks shall be controlled to avoid information and systems compromise.

Click here to see an example Operating Procedures for Information and Communication Technology.

113. Are security requirements for network services defined, and included in agreements?

YesNo

In-house and external network services shall have clear rules to protect information and systems, and these rules shall be defined and included in agreements.

Click here to see an example Operating Procedures for Information and Communication Technology.

114. Are the networks segregated considering risks and assets classification?

YesNo

Users, services, and systems shall be segregated in different networks to minimize risks of information compromise.

115. Is the information transfer properly protected?

YesNo

Formal policies and procedures shall be in place to enforce the protection of information transfer.

Click here to see an example Operating Procedures for Information and Communication Technology, Information Transfer Policy, and Bring Your Own Device (BYOD) Policy.

116. Do agreements with third parties consider the protection during information transfer?

YesNo

To enforce the use of policies and procedures to protect information transfer by third parties, specific clauses shall be defined in agreements.

Click here to see an example Operating Procedures for Information and Communication Technology, and Information Transfer Policy.

117. Are the messages that are exchanged over the networks properly protected?

YesNo

The messages that are exchanged over the networks shall be protected against unauthorized access and modification.

Click here to see an example Acceptable Use Policy, and Information Classification Policy.

118. Does the organization list all the confidentiality clauses that need to be included in agreements with third parties?

YesNo

The organization shall ensure that all relevant confidentiality clauses to be included in agreements with third parties should be identified, reviewed, and documented.

Click here to see an example Confidentiality Statement.

A.14 SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE

119. Are security requirements defined for new information systems, or for any changes to them?

YesNo

Security requirements shall be part of the requirement assessment of new information systems, as well as for any changes planned to systems already in place.

Click here to see an example Specification of Information System Requirements.

120. Is application information transferred through public networks appropriately protected?

YesNo

Public networks shall be considered insecure and proper controls shall be in place to protect application information that is transferred through them.

Click here to see an example Secure Development Policy.

121. Is transaction information transferred through the public networks appropriately protected?

YesNo

Public networks shall be considered insecure and proper controls shall be in place to protect transaction information that is transferred through them.

Click here to see an example Secure Development Policy.

122. Are rules for the secure development of software and systems defined?

YesNo

Software and systems shall incorporate security since early stages of development, oriented by rules that consider the risks those software and systems will be exposed to.

Click here to see an example Secure Development Policy.

123. Are changes to new or existing systems properly controlled?

YesNo

Formal change control procedures shall be in place to minimize information security risks during changes to new or existing systems.

Click here to see an example Secure Development Policy.

124. Are critical applications properly tested after changes made in operating systems?

YesNo

Business critical applications could be negatively affected by changes made in operational systems, so they shall be tested to ensure they are still operating as expected.

Click here to see an example Operating Procedures for Information and Communication Technology, and Change Management Policy.

125. Are only necessary changes performed to information systems?

YesNo

Only critical and relevant changes shall be allowed to be made on information systems to minimize risks of system's compromise.

Click here to see an example Secure Development Policy.

126. Are principles for engineering secure systems applied to the organization system's development process?

YesNo

Systems shall incorporate security since early stages of development, driven by principles for engineering security in their components and functions.

Click here to see an example Secure Development Policy.

127. Is the development environment properly secured?

YesNo

Development environment shall be secured from unauthorized access and change.

Click here to see an example Secure Development Policy.

128. Is the outsourced development of systems monitored?

YesNo

Outsourced development of systems shall be monitored to ensure that business security requirements are properly fulfilled.

Click here to see an example Secure Development Policy, Supplier Security Policy, and Security Clauses for Suppliers and Partners.

129. Are security requirements implementation tested during system development?

YesNo

Proper testing of security requirements implementation is critical and shall be performed to ensure a system can achieve business and security objectives.

Click here to see an example Secure Development Policy.

130. Are criteria for accepting the systems defined?

YesNo

Criteria for accepting systems shall be defined to ensure a clear way to verify if all security and business needs were fulfilled.

Click here to see an example Secure Development Policy.

131. Are test data carefully selected and protected?

YesNo

Test data shall be selected in a way to not allow inference of sensitive business data, while still being useful to validate a system.

Click here to see an example Secure Development Policy.

A.15 SUPPLIER RELATIONSHIPS

132. Is there a policy on how to treat the risks related to suppliers and partners?

YesNo

A policy on how to treat the risks related to suppliers and partners shall be documented to help guide suppliers and partners relationships.

Click here to see an example Supplier Security Policy.

133. Are relevant security requirements included in the agreements with the suppliers and partners?

YesNo

All the relevant security requirements shall be included in the agreements with the suppliers and partners to ensure they are committed to the same level of security defined for the organization.

Click here to see an example Supplier Security Policy, Confidentiality Statement, and Security Clauses for Suppliers and Partners.

134. Do the agreements with providers and suppliers include security requirements?

YesNo

Agreements with providers and other suppliers shall include security requirements for ensuring the reliable delivery of services.

Click here to see an example Supplier Security Policy, and Security Clauses for Suppliers and Partners.

135. Are suppliers regularly monitored?

YesNo

Suppliers shall be regularly monitored, and audited if appropriate, for compliance with the security requirements.

Click here to see an example Supplier Security Policy.

136. Are changes involving arrangements and contracts with suppliers and partners taking into account risks and existing processes?

YesNo

Any changes in the provisioning of the services made by supplier shall be managed and include re-assessment of risks.

Click here to see an example Supplier Security Policy.

A.16 INFORMATION SECURITY INCIDENT MANAGEMENT

137. Are incidents managed properly?

YesNo

Procedures and responsibilities for managing incidents shall be in place to ensure proper and prompt response.

Click here to see an example Incident Management Procedure.

138. Are information security events reported in properly?

YesNo

Information security events shall be reported in a timely manner to minimize damage to information, systems, and the business.

139. Are employees and contractors reporting on security weaknesses?

YesNo

The reporting of security weaknesses is one of the main sources to minimize risks, so it shall be reported in a way to provide the most useful information.

Click here to see an example Incident Management Procedure.

140. Are security events assessed and classified properly?

YesNo

Security events shall be assessed and classified properly to better allocate the available resources and to ensure prompt response.

Click here to see an example Incident Management Procedure.

141. Are procedures on how to respond to incidents documented?

YesNo

Procedures on how to respond to incidents shall be documented to ensure a standardized response to security events.

Click here to see an example Incident Management Procedure.

142. Are security incidents analyzed properly?

YesNo

Security incidents shall be analyzed in order to gain knowledge on how to prevent their recurrence.

Click here to see an example Incident Management Procedure, and Incident Log.

143. Do procedures exist which define how to collect evidence?

YesNo

Procedures on how to collect evidence shall be in place to ensure they will be acceptable in the event that they are required during a legal process.

Click here to see an example Incident Management Procedure.

A.17. INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT

144. Are requirements for continuity of information security defined?

YesNo

Requirements for continuity of information security shall be defined to ensure they are supporting the business even during a disruption event.

Click here to see an example Business Continuity Policy, and Business Impact Analysis Methodology.

145. Do procedures exist that ensure the continuity of information security during a crisis or a disaster?

YesNo

Procedures to ensure the continuity of information security during a crisis or a disaster shall be available to help speed up recovery of normal business operations and to support information protection during the restart of operations.

Click here to see an example Business Continuity Plan.

146. Is exercising and testing of continuity performed?

YesNo

Exercising and testing shall be performed in order to ensure effective response in a real event.

Click here to see an example Exercising and Testing Plan.

147. Does IT infrastructure have redundancy (e.g.: secondary location) included in its planning and operation?

YesNo

IT infrastructure shall have redundancy to help fulfill the expectations during disaster events.

Click here to see an example of a Disaster Recovery Plan.

A.18 COMPLIANCE

148. Are legislative, regulatory, contractual, and other security requirements known?

YesNo

All legislative, regulatory, contractual, and other security requirements shall be listed and documented to ensure a base for defining controls and compliance activities.

Click here to see an example of a List of legal, regulatory, contractual and other requirements.

149. Do procedures exist to protect intellectual property rights?

YesNo

Procedures shall be available to ensure the enforcement of intellectual property rights, in particular, the use of licensed software.

Click here to see an example Acceptable Use Policy.

150. Are records protected properly?

YesNo

All the records shall be protected according to identified regulatory, contractual, and other requirements.

151. Is personally identifiable information protected properly?

YesNo

Personally identifiable information shall be protected as required in laws and regulations.

152. Are cryptographic controls used properly?

YesNo

Cryptographic controls shall be used as required in laws and regulations.

Click here to see an example Policy on the Use of Cryptographic Controls.

153. Is information security regularly reviewed by an independent auditor?

YesNo

Information security shall be regularly reviewed by an independent auditor to ensure the management system's suitability, adequacy, and effectiveness, and to assess opportunities for improvements.

Click here to see an example Internal Audit Procedure.

154. Do the managers regularly review if the security policies and procedures are performed properly in their areas of responsibility?

YesNo

Managers shall regularly review if the security policies and procedures are performed properly in their areas of responsibility to ensure the controls' suitability, adequacy, and effectiveness, and to assess opportunities for improvements.

155. Are information systems regularly reviewed to check their compliance with the information security policies and standards?

YesNo

Information systems shall be regularly reviewed to check their compliance with the information security policies and standards to ensure their suitability, adequacy, and effectiveness, and to assess opportunities for improvements.

Number of controls complied with:

NOTE: Please open all the elements that you want to be e-mailed to you.

Enter your e-mail address

[The results will be sent to entered e-mail address]

Save my progress and resume later | Resume a previously saved form

Contact Information

Dejan Kosutic
Lead ISO 27001/ISO 22301 Expert

Have questions about any step?

Talk with our consultants for free

SCHEDULE FREE CONSULTATION

English

Deutsch
Español

Products
Products

Conformio

Toolkits

Training
Resources
Resources

Articles

Webinars

Courses

White Papers

Tools

Checklists

Live Consultations

Consultant Directory

Community
Standards & Regulations
Standards & Regulations

ISO 27001

ISO 13485

EU MDR

EU GDPR

ISO 14001

ISO 9001

ISO in General

ISO 17025

IATF 16949

AS9100

ISO 22301

ISO 20000

ISO 45001
Advisera
Advisera

About Us

For Partners

Careers

Contact Sales

Terms of Use
Help
Help

Help Center

Contact Support

Partnerships

Conformio

Documentation Toolkits

Training

By Type

By Standard

Other

Free ISO 27001 Gap Analysis Tool

Find out your level of compliance with ISO 27001

Have questions about any step?

Products

Resources

Standards & Regulations

Advisera

Help