
Free ISO 27001 Gap Analysis Tool

Find out your level of compliance with ISO 27001

 

 

4.0 CONTEXT OF THE ORGANIZATION
4.1 UNDERSTANDING THE ORGANIZATION AND ITS CONTEXT






4.2 UNDERSTANDING THE NEEDS AND EXPECTATIONS OF INTERESTED PARTIES

The organization must determine which interested parties are relevant to the information security management system (ISMS), e.g. key clients and suppliers, employees, stakeholders, and government or regulatory bodies.

Example document: Procedure for Identification of Requirements.

Requirements are the needs and expectations of those parties. They can be evaluated qualitatively or quantitatively, and they must be documented for every interested party you have defined as relevant to the ISMS.

4.3 DETERMINING THE SCOPE OF THE INFORMATION SECURITY MANAGEMENT SYSTEM

You need to define the scope of the ISMS, taking into account the internal and external issues, the requirements of relevant interested parties, and the interfaces and dependencies between activities performed by the organization and those performed by other organizations.

Example document: ISMS Scope Document.
4.4 INFORMATION SECURITY MANAGEMENT SYSTEM


5.0 LEADERSHIP
5.1 LEADERSHIP AND COMMITMENT






5.2 POLICY

Top management must define the Information Security Policy within the scope of the ISMS. The policy needs to be appropriate to the purpose of the organization, include a commitment to continual improvement and to satisfying applicable requirements, and either set information security objectives and targets or provide a framework for establishing them.

Example document: Information Security Policy.


5.3 ORGANIZATIONAL ROLES, RESPONSIBILITIES AND AUTHORITIES


6.0 PLANNING
6.1 ACTIONS TO ADDRESS RISKS AND OPPORTUNITIES
6.1.1 GENERAL


6.1.2 INFORMATION SECURITY RISK ASSESSMENT

There shall be a process that establishes and maintains risk acceptance criteria and criteria for performing risk assessments, and that identifies, analyzes, and evaluates information security risks.

Example document: Risk Assessment Methodology.
6.1.3 INFORMATION SECURITY RISK TREATMENT

There needs to be a process to treat information security risks that takes the risk assessment results into account, selects the risk treatment options and the controls needed to implement them, and produces the required documents, in particular the Statement of Applicability and the risk treatment plan.

6.2 INFORMATION SECURITY OBJECTIVES AND PLANNING TO ACHIEVE THEM



Plan(s) need to be in place to ensure that resources are available to achieve the objectives and targets, including the designated responsibility, the evaluation method, and the time frame for the plan(s).

Example document: Risk Treatment Plan.
7.0 SUPPORT
7.1 RESOURCES


7.2 COMPETENCE

Appropriate competence needs to be assessed, and training provided where needed, for personnel performing tasks that can affect information security. Records of competence must be maintained.

Example document: Training and Awareness Plan.
7.3 AWARENESS

Awareness of the Information Security Policy, procedures, risks, roles, responsibilities, authorities, and the consequences of departing from specified procedures must be promoted.

Example document: Training and Awareness Plan.
7.4 COMMUNICATION


7.5 DOCUMENTED INFORMATION (7.5.1 GENERAL; 7.5.2 CREATING AND UPDATING; 7.5.3 CONTROL OF DOCUMENTED INFORMATION)



A procedure for the control of documented information should exist that specifies approval, review and update, identification of changes, availability of the relevant version at the point of use, legibility, control of documents of external origin, and prevention of the unintended use of obsolete documents.

Example document: Procedure for Document and Record Control.


8.0 OPERATION
8.1 OPERATIONAL PLANNING AND CONTROL

Documented information must be kept to the extent necessary to have confidence that the processes have been carried out as planned (e.g., procedures for operational control, operating criteria, etc.).





8.2 INFORMATION SECURITY RISK ASSESSMENT

The information security risk assessment must be performed at planned intervals, and whenever significant changes are proposed or occur, and its results must be retained as documented information (evidence).

Example documents: Risk Assessment Table and Risk Treatment Table.
8.3 INFORMATION SECURITY RISK TREATMENT

The risk treatment plan(s) need to be in place to achieve the objectives and targets, and they need to include the designated responsibility, the evaluation method, and the means and time frame for the plan(s).

Example document: Risk Treatment Plan.

Actions need to be established to treat the risks deemed unacceptable. These actions need to be implemented, reviewed and revised, and periodically tested where practicable; the results of the risk treatment must be retained as documented information.

Example documents: Risk Treatment Table and Statement of Applicability.
9.0 PERFORMANCE EVALUATION
9.1 MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION




9.2 INTERNAL AUDIT

Audit procedures must address audit responsibilities, reporting, record-keeping, audit criteria, scope, frequency, and methods. The procedures need to include criteria for the selection of auditors that ensure impartiality and objectivity of the audit process (e.g. auditors do not audit their own work).

Example documents: Audit Program and Internal Audit Procedure.

Internal audits must be conducted at planned intervals to evaluate whether the ISMS conforms to the organization's own requirements and to the standard, and whether it is effectively implemented and maintained. The results must be reported to relevant management and retained as records.

Example document: Internal Audit Report.
9.3 MANAGEMENT REVIEW

Top management must review the ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness, and to assess opportunities for improvement. Records of the review must be kept.

Example document: Management Review Minutes.

The outputs of the management review must include decisions and actions related to possible changes to the Information Security Policy, objectives, targets, and other ISMS elements, in order to continually improve the ISMS.

Example document: Management Review Minutes.
10.0 IMPROVEMENT
10.1 NONCONFORMITY AND CORRECTIVE ACTION

A procedure (or procedures) to deal with actual nonconformities, including taking corrective action, must be in place.

Example document: Procedure for Corrective Action.

The procedure must include identifying the nonconformity, reacting to it, investigating and determining its causes, and taking action to prevent recurrence. These actions need to be appropriate to the magnitude and effects of the nonconformity.

Example document: Procedure for Corrective Action.

Records must be kept of the nature of the nonconformities and of the actions taken, and the effectiveness of corrective actions must be evaluated. Necessary changes to the ISMS documentation must be made.

Example document: Corrective Action Form.
10.2 CONTINUAL IMPROVEMENT


A.5 INFORMATION SECURITY POLICIES

Management shall define Information Security Policies within the scope of the ISMS. The policies need to be appropriate to support information security and the business requirements.



A.6 ORGANIZATION OF INFORMATION SECURITY











Management shall define policies for mobile device handling within the scope of the ISMS. The policies need to be appropriate to support information security and the business requirements.


Management shall define policies for teleworking within the scope of the ISMS. The policies need to be appropriate to support information security and the business requirements.

A.7 HUMAN RESOURCES SECURITY



Before gaining access to information, employees and contractors shall be made aware of their information security responsibilities and agree to fulfill them.









A.8 ASSET MANAGEMENT

An inventory of assets shall be maintained to identify and organize the information assets and the information processing resources associated with them.

Example document: Inventory of Assets.

To ensure the proper handling and protection of each asset, an owner shall be designated for it.

Example documents: Inventory of Assets and Acceptable Use Policy.

To ensure the proper handling and protection of assets, rules for their acceptable use shall be defined, documented, and implemented.

Example document: Acceptable Use Policy.

All employees and external party users shall return the organizational assets in their possession upon termination of their employment, contract, or agreement.

Example document: Acceptable Use Policy.

Defined classification criteria ensure that all information receives a level of protection appropriate to its value, sensitivity, and criticality to the organization.

Example document: Information Classification Policy.

Labeling and handling procedures ensure that all classified information is treated according to its classification level.

Example document: Information Classification Policy.

Asset handling procedures ensure that all assets are treated according to the classification of the information they hold.

Example document: Information Classification Policy.

Removable media handling procedures ensure that all removable media are treated according to the classification of the information they hold.

Example document: Information Classification Policy.

There shall be formal procedures to ensure that media no longer needed are securely disposed of, so that the information they contain is destroyed or made inaccessible and the media cannot be reused without authorization.

Media containing information shall be protected against unauthorized access, misuse, or corruption during physical transport, in accordance with the classification of the information they hold.

Example document: Information Classification Policy.
A.9 ACCESS CONTROL

Management shall define an Access Control Policy within the scope of the ISMS. The policy needs to be appropriate to support information security and the business requirements.

Example document: Access Control Policy.

Users shall have access only to those networks and network services they are specifically authorized to use.

Example document: Access Control Policy.

A formal user registration and de-registration process shall be in place for the creation and removal of user accounts and the assignment of user access rights.

Example documents: Access Control Policy and Password Policy.

A formal process shall be in place to grant and revoke access for all types of users to all systems and services.

Example documents: Access Control Policy and Password Policy.

A formal process to grant and revoke privileged access rights shall be in place, and their allocation shall be restricted and controlled.

Example document: Access Control Policy.

Secret authentication information (e.g. passwords, passphrases) shall be issued in a way that ensures only the intended user knows it.

Example documents: Access Control Policy and Password Policy.

A formal process to periodically review user access rights, including privileged rights, shall be in place.

Example document: Access Control Policy.

A formal process shall be in place to change or revoke access rights for all types of users to all systems and services when their employment, contract, or role changes or ends.

Example document: Access Control Policy.

Users shall be required to keep their secret authentication information (e.g. passwords, passphrases) confidential and protected.

Access to information and to application system functions, including databases, shall be restricted in accordance with the Access Control Policy.

Example document: Access Control Policy.

Password management systems adopted by the organization shall be interactive and shall enforce the creation of quality passwords.

Example documents: Access Control Policy and Password Policy.




A.10 CRYPTOGRAPHY

Management shall define a policy on the use of cryptographic controls within the scope of the ISMS. The policy needs to be appropriate to support information security and the business requirements.

Example document: Policy on the Use of Cryptographic Controls.

Cryptographic controls are only as strong as the protection of their keys, so the management of cryptographic keys through their whole lifecycle (generation, distribution, storage, use, rotation, and destruction) shall be defined and properly implemented.

Example document: Policy on the Use of Cryptographic Controls.
A.11 PHYSICAL AND ENVIRONMENTAL SECURITY









Specific working procedures, proportionate to the sensitivity of the secure areas, shall be in place to minimize incidents caused by inappropriate actions.

Example document: Procedures for Working in Secure Areas.











Equipment, information, and software shall not be taken off the organization's premises without prior authorization, and that authorization shall be given each time it is needed.

Example document: Acceptable Use Policy.

Assets outside the organization's premises are exposed to greater risks, and may require the application of stronger controls.

All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten before the media or equipment is disposed of or reused.

Equipment shall not be left unattended without appropriate protection; where there is no alternative, guidance shall be provided on the behaviour expected from users.

A policy shall require users to clear papers and removable media from their desks, and to lock their screens, when they are away from their workstations.

A.12 OPERATIONAL SECURITY

Operating procedures shall be documented and made available to all users who need them, to ensure the correct and secure operation of information processing resources.


All the changes to IT systems, and to other processes that could affect information security shall be strictly controlled.






Anti-virus software, and other malware protection software, shall be in place, properly configured, and kept up to date.

Example document: Acceptable Use Policy.

A backup policy shall be in place, and backups of information, software, and system images shall be taken and tested regularly in accordance with that policy.

User activities, exceptions, faults, and other relevant events from IT systems shall be logged; the logs shall be retained and regularly reviewed by a designated person.




Administrator logs shall be protected against unauthorized access and modification and shall be regularly checked.




There shall be defined rules and procedures to ensure that software is installed on operational systems in a proper and controlled way.

Example document: Acceptable Use Policy.

There shall be defined rules and procedures governing which software users are allowed to install, to ensure that installation by users is done in a proper and controlled way.

Example document: Acceptable Use Policy.


A.13 COMMUNICATIONS SECURITY

Networks shall be managed and controlled to protect information in systems and applications from compromise.


In-house and external network services shall have clear rules to protect information and systems, and these rules shall be defined and included in agreements.




Formal policies and procedures shall be in place to enforce the protection of information transfer.


To enforce the use of policies and procedures to protect information transfer by third parties, specific clauses shall be defined in agreements.


Messages exchanged over networks (e.g. electronic messaging) shall be protected against unauthorized access and modification.

Example documents: Acceptable Use Policy and Information Classification Policy.

The organization shall identify, review, and document the requirements for confidentiality or non-disclosure agreements with third parties.

Example document: Confidentiality Statement.
A.14 SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE

Security requirements shall be part of the requirement assessment of new information systems, as well as for any changes planned to systems already in place.


Public networks shall be considered insecure, and proper controls shall be in place to protect application information that passes over them.

Example document: Secure Development Policy.

Public networks shall be considered insecure, and proper controls shall be in place to protect application service transactions that pass over them.

Example document: Secure Development Policy.

Software and systems shall incorporate security from the early stages of development, guided by rules that consider the risks to which that software and those systems will be exposed.

Example document: Secure Development Policy.

Formal change control procedures shall be in place to minimize information security risks during changes to new or existing systems.

Example document: Secure Development Policy.

Business-critical applications could be adversely affected by changes to the operating platform, so they shall be reviewed and tested to ensure they still operate as expected.

Changes to information systems shall be limited to those that are necessary, and shall be strictly controlled, to minimize the risk of compromising the system.

Example document: Secure Development Policy.

Systems shall incorporate security from the early stages of development, driven by principles for engineering security into their components and functions.

Example document: Secure Development Policy.

Development environments shall be secured against unauthorized access and change.

Example document: Secure Development Policy.

Outsourced development of systems shall be supervised and monitored to ensure that the business security requirements are properly fulfilled.

Testing of the implementation of security requirements is critical, and shall be performed to ensure a system can achieve its business and security objectives.

Example document: Secure Development Policy.

Acceptance criteria for systems shall be defined to provide a clear way to verify that all security and business needs have been fulfilled.

Example document: Secure Development Policy.

Test data shall be selected so that sensitive business data cannot be inferred from it, while still being useful for validating a system.

Example document: Secure Development Policy.
A.15 SUPPLIER RELATIONSHIPS

A policy on how to treat the risks related to suppliers and partners shall be documented to guide supplier and partner relationships.

Example document: Supplier Security Policy.

All relevant security requirements shall be included in agreements with suppliers and partners, to ensure they are committed to the same level of security defined for the organization.

Agreements with service providers and other suppliers shall include security requirements for ensuring the reliable delivery of services.

Suppliers shall be regularly monitored, and audited where appropriate, for compliance with the security requirements.

Example document: Supplier Security Policy.

Any changes in the provision of services by suppliers shall be managed and shall include a re-assessment of risks.

Example document: Supplier Security Policy.
A.16 INFORMATION SECURITY INCIDENT MANAGEMENT

Procedures and responsibilities for managing incidents shall be in place to ensure a proper and prompt response.

Example document: Incident Management Procedure.

Reported security weaknesses are one of the main inputs for reducing risk, so employees and contractors shall be required to note and report any observed or suspected weakness, in a way that captures the most useful information.

Example document: Incident Management Procedure.

Security events shall be assessed and classified properly, to allocate the available resources effectively and to ensure a prompt response.

Example document: Incident Management Procedure.

Procedures for responding to incidents shall be documented to ensure a standardized response to security events.

Example document: Incident Management Procedure.

Security incidents shall be analyzed in order to learn how to prevent their recurrence.

Example documents: Incident Management Procedure and Incident Log.

Procedures for the identification, collection, acquisition, and preservation of evidence shall be in place, so that the evidence is acceptable if it is required during legal proceedings.

Example document: Incident Management Procedure.
A.17 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT

Requirements for continuity of information security shall be defined to ensure they are supporting the business even during a disruption event.


Procedures to maintain information security during a crisis or disaster shall be available, both to speed up the recovery of normal business operations and to protect information while operations are being restarted.

Example document: Business Continuity Plan.

Exercising and testing shall be performed to ensure an effective response in a real event.

Example document: Exercising and Testing Plan.

Information processing facilities shall be implemented with sufficient redundancy to meet the availability requirements during disaster events.

Example document: Disaster Recovery Plan.
A.18 COMPLIANCE

All legislative, regulatory, contractual, and other security requirements shall be listed and documented to ensure a base for defining controls and compliance activities.


Procedures shall be in place to ensure compliance with intellectual property rights, in particular the use of licensed software.

Example document: Acceptable Use Policy.





Cryptographic controls shall be used in compliance with all relevant laws, regulations, and agreements.

Example document: Policy on the Use of Cryptographic Controls.

The organization's approach to information security and its implementation shall be reviewed independently at planned intervals, or when significant changes occur, to ensure the management system's continuing suitability, adequacy, and effectiveness, and to identify opportunities for improvement.

Example document: Internal Audit Procedure.






Dejan Kosutic
Lead ISO 27001/22301 Expert
