Home
Resources
ISO 27001 Gap Analysis

ISO 27001 Gap Analysis [Free Tool]

Find out your level of compliance with ISO 27001

Instructions: The questions below cover all relevant ISO 27001 requirements - by filling out the answers, this tool will automatically calculate your company's level of compliance with ISO 27001.

When answering questions, the following scale needs to be used:

1 — Not implemented: No process or activity implemented, or little/no evidence of any systematic achievement
2 — Planned: Activity or process is planned but is not implemented, or the implementation just started
3 — In progress: Activity or process is partially implemented, so that its full effects cannot be expected
4 — Mostly implemented: Activity or process is fully or mostly implemented, documented, and relevant people are trained, but monitoring, measurement, and improvement are not systematic
5 — Optimized: Activity or process is fully implemented, documented, and is continuously supervised, measured, and improved; relevant people are trained

4 CONTEXT OF THE ORGANIZATION

4.1 UNDERSTANDING THE ORGANIZATION AND ITS CONTEXT

1) Did the organization determine the purpose(s) of the ISMS?

1 — Not implemented 2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

You must determine the purpose of the ISMS (e.g.: assure compliance with legal obligations, improve operational resilience, improve product/service security, etc.).

2) Did the organization determine the internal and external issues that are relevant to the ISMS purpose?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

You need to define which are internal and external issues that influence the business purpose and are relevant to information security (e.g.: internal culture, available resources, market share, client profile, suppliers availability, etc.).

3) Did the organization determine how internal and external issues could influence the ISMS ability to achieve its intended outcomes?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

You need to define how internal and external issues can affect the ISMS ability to achieve its intended outcomes (e.g.: legal requirements change frequently, clients have to comply with specific standards, internal culture appreciates information sharing, etc.)

4.2 UNDERSTANDING THE NEEDS AND EXPECTATIONS OF INTERESTED PARTIES

4) Did the organization determine interested parties?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

The organization must define which interested parties are relevant to the information security management system - (ISMS) (e.g.: critical clients and suppliers, employees, stakeholders, government agencies, etc.)

Click here to see an example Procedure for Identification of Requirements. See Preview

5) Does the list of all of interested parties’ requirements exist?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Requirements are needs and expectations that can be evaluated in a qualitative or quantitative way, and they need to be documented for the interested parties you defined as relevant to the ISMS.

Click here to see an example List of Legal, Regulatory, Contractual and Other Requirements. See Preview

4.3 DETERMINING THE SCOPE OF THE INFORMATION SECURITY MANAGEMENT SYSTEM

6) Is the scope documented with clearly defined boundaries and applicability?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

You need to define the scope of the ISMS, considering internal and external issues, relevant interested parties' requirements, and interfaces and dependencies between activities realized by the organization and those realized by other organizations.

Click here to see an example ISMS Scope Document. See Preview

4.4 INFORMATION SECURITY MANAGEMENT SYSTEM

7) Have you established, documented, implemented, maintained, and continually improved an information security management system, including needed processes and interactions, per ISO 27001 requirements?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

You must establish, document, implement, maintain and continually improve an information security management system, including needed processes and interactions, per ISO 27001 requirements.

5 LEADERSHIP

5.1 LEADERSHIP AND COMMITMENT

8) Are the general ISMS objectives compatible with the strategic direction?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

To be more valuable, an ISMS must support the achievement of the business objectives, and to better assure this, its proposed objectives must be aligned with the strategic direction.

9) Does management ensure the necessary ISMS resources are available as needed?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

An ISMS without resources at the proper times cannot achieve its objectives, so management has to assure these resources are available when needed.

10) Does management ensure that ISMS achieves its intended outcomes?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

An ISMS that can't deliver the expected results is a failure, even if it operates as planned and uses fewer resources than expected. To avoid this, the management must assure that the ISMS has achieved the proposed outcomes.

5.2 POLICY

11) Does an Information Security Policy exist with included objectives or a framework for setting objectives?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Top management must define the Information Security Policy within the scope of the ISMS. The policy needs to be appropriate to your activities, include a commitment to continual improvement, and provide objectives & targets or a framework for their establishment.

Click here to see an example Information Security Policy. See Preview

12) Is the Information Security Policy documented and communicated within the company and to other interested parties?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

The policy needs to be documented, be communicated to employees, and be available to other interested parties.

5.3 ORGANIZATIONAL ROLES, RESPONSIBILITIES AND AUTHORITIES

13) Are roles, responsibilities, and authorities for information security assigned and communicated?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Responsibility and authority should be assigned by top management to organize information security activities, to ensure that the ISMS conforms to ISO 27001, and that reporting on the performance of the ISMS to the top management exists.

6 PLANNING

6.1 ACTIONS TO ADDRESS RISKS AND OPPORTUNITIES

6.1.1 GENERAL

14) Are internal and external issues, as well as interested parties' requirements, considered while addressing risks and opportunities?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

The issues and requirements considered relevant to the interested parties need to be taken into account in the ISMS planning, to ensure its alignment with the business purposes and achievement of its intended goals.

6.1.2 INFORMATION SECURITY RISK ASSESSMENT

15) Is there a documented process to identify information security risks, including the risk acceptance criteria and criteria for risk assessment?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

There needs to be a process that establishes and maintains risk criteria as well as identifies, analyzes, and evaluates information security risks.

Click here to see an example Risk Assessment Methodology. See Preview

6.1.3 INFORMATION SECURITY RISK TREATMENT

16) Is the risk treatment process documented, including the risk treatment options and how to create a Statement of Applicability?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

There needs to be a process to treat information security risks by taking account of the risk assessment results and to create specific documents like Statement of Applicability.

Click here to see an example of Risk Treatment Methodology, Risk Treatment Plan, and Statement of Applicability. See Preview

6.2 INFORMATION SECURITY OBJECTIVES AND PLANNING TO ACHIEVE THEM

17) Are information security objectives and targets established at relevant functions of the organization, measured and monitored where practical, and consistent with the information security policy?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

To make clear for the most critical actors involved in protecting information what is expected from them, and how they will be evaluated, information security objectives and targets must be established at relevant functions of the organization, measured and monitored where practical, and consistent with the Information Security Policy.

18) Is there a plan, or group of plans, in place to achieve the information security objectives and targets including designated responsibility, evaluation method, and the means & timeframe for the plan(s)?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Plan(s) need to be in place to assure the availability of resources to achieve the objectives and targets, including the designated responsibility, evaluation method, and the time frame for the plan(s).

Click here to see an example Risk Treatment Plan. See Preview

6.3 PLANNING OF CHANGES

19) Are changes in the ISMS done in a planned manner?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Changes to the ISMS need to be performed consistently by assessing whether they are needed and whether the resources are available.

7 SUPPORT

7.1 RESOURCES

20) Are adequate resources provided for all the elements of the ISMS?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Resources (e.g.: equipments, facilities, money, etc.) must be made available for the ISMS establishment, implementation, ongoing operation, and improvement.

7.2 COMPETENCE

21) Is appropriate competence assessed, and training provided where needed, for personnel doing tasks that can affect the information security? Are records of competences maintained?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Appropriate competence needs to be assessed, and training provided where needed, for personnel doing tasks that can affect the information security. Records of competence must be maintained.

Click here to see an example Training and Awareness Plan. See Preview

7.3 AWARENESS

22) Is the personnel aware of the Information Security Policy, of their role, and consequences of not complying with the rules?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Awareness of the Information Security Policy, procedures, risks, roles, responsibilities, authorities, and consequences of departing from specified procedures must be promoted.

Click here to see an example Training and Awareness Plan. See Preview

7.4 COMMUNICATION

23) Are there identified needs for communication related to information security, including the responsibilities and what to communicate, to whom and when?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Needs for communication internally and externally to the company need to be determined. If the decision is to communicate information security issues outside of the company, this must be included.

7.5 DOCUMENTED INFORMATION (7.5.1 GENERAL; 7.5.2 CREATING AND UPDATING; 7.5.3 CONTROL OF DOCUMENTED INFORMATION)

24) Does the documentation of the ISMS include the Information Security Policy, objectives & targets, the scope of the ISMS, the main elements and their interaction, documents and records of ISO 27001 and those identified by the company?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Documentation of the ISMS must include the Information Security Policy, objectives & targets, the scope of the ISMS, the main elements and their interaction, documents and records of ISO 27001 and those identified by the company.

25) Is it ensured that managing of documents and records exists, including who reviews and approves documents, and where and how they are published, stored, and protected?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

A procedure for control of documents should exist that specifies approval, review and update, change identification, relevant version availability, document legibility, control of external documents, and prevention of obsolete document use.

Click here to see an example Procedure for Document and Record Control. See Preview

26) Is documented information of external origin controlled?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

External documented information handled by the organization must be controlled and protected in the same way as the internal.

8 OPERATION

8.1 OPERATIONAL PLANNING AND CONTROL

27) Does the organization have established criteria for processes, and has it implemented controls over them according to these criteria?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Criteria for processes need to be established, and controls implemented over processes need to take these criteria into account.

28) Does the organization have the necessary documented information to be confident that its processes are being carried out as planned?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Documented information must be kept to the extent necessary to have confidence that the processes have been carried out as planned (e.g., procedures for operational control, operating criteria, etc.).

Click here to see an example Security Procedures for IT Department. See Preview

29) Are planned changes controlled? Are consequences of unplanned changes reviewed to identify mitigation actions if necessary?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

To minimize risks to information security, changes must be controlled.

30) Are outsourced processes identified and controlled?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Outsourced processes must handle information security the same way as the organization itself.

8.2 INFORMATION SECURITY RISK ASSESSMENT

31) Are the risks, their owners, likelihood, consequences, and the level of risk identified? Are these results documented?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

The security assessment must be performed and evidences must be recorded.

Click here to see an example of Risk Assessment Table, and Risk Treatment Table. See Preview

8.3 INFORMATION RISK TREATMENT

32) Does a risk treatment plan exist, approved by risk owners?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Plan(s) need to be in place to achieve the objectives and targets and these need to include designated responsibility, evaluation method, and the means & time frame for the plan(s).

Click here to see an example Risk Treatment Plan. See Preview

33) Is there a documented list with all controls deemed as necessary, with proper justification and implementation status?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Actions need to be established to treat the risks deemed unacceptable. These actions need to be implemented, reviewed, and revised and periodically tested where practicable.

Click here to see an example Risk Treatment Table, and Statement of Applicability. See Preview

9 PERFORMANCE EVALUATION

9.1 MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION

34) Is it defined what needs to be measured, by which method, who is responsible, who will analyze and evaluate the results?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

A process must exist to regularly monitor and measure key characteristics that can have impact over information security, including information for operational controls.

35) Are the results of measurement documented, analyzed, and evaluated by responsible persons?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Results of measurements must be documented, analyzed, and evaluated by the responsible persons.

9.2 INTERNAL AUDIT

36) Does an audit program exist that defines the timing, responsibilities, reporting, audit criteria, and scope?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Audit procedures must address audit responsibilities, reporting, recording criteria, scope frequency, and methods. The procedures need to include criteria for selection of auditors to maintain impartiality and objectivity.

Click here to see an example Annual Internal Audit Program and Internal Audit Procedure. See Preview

37) Are internal audits performed according to an audit program, results reported through an internal audit report, and relevant corrective actions raised?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Audit procedures must be in place to evaluate the ISMS against the planned arrangements (including proper implementation and maintenance) at planned intervals and results must be reported to management.

Click here to see an example Internal Audit Report. See Preview

9.3 MANAGEMENT REVIEW

38) Is management review regularly performed, and are the results documented in minutes of the meeting?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Top management must review the ISMS at planned intervals to ensure suitability, adequacy, and effectiveness and assess opportunities for improvements. Records must be kept of the review.

Click here to see an example Management Review Minutes. See Preview

39) Did management decide on all the crucial issues important for the success of the ISMS?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

The outputs of management review must include decisions and actions related to possible changes of the Information Security Policy, objectives, targets, and other ISMS elements in order to continually improve the ISMS.

Click here to see an example of Management Review Minutes. See Preview

10 IMPROVEMENT

10.1 CONTINUAL IMPROVEMENT

40) Is the ISMS continuously adjusted to maintain its suitability, adequacy, and effectiveness?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Risks and business requirements change over time, so your ISMS should be adjusted to reflect these new conditions to maintain or increase its value to the organization.

10.2 NONCONFORMITY AND CORRECTIVE ACTION

41) Does the organization react to every nonconformity?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

A procedure(s) to deal with actual nonconformities, including taking corrective action, must be in place.

Click here to see an example Procedure for Corrective Action. See Preview

42) Does the organization consider eliminating the cause of the nonconformity and, where appropriate, take corrective action?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

The procedure must include identification, investigating and determining causes and actions to prevent recurrence. These actions need to be appropriate to the magnitude of the nonconformity.

Click here to see an example Procedure for Corrective Action. See Preview

43) Are all nonconformities recorded, together with corrective actions?

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Records must be kept, and the effectiveness evaluated for corrective actions. Necessary changes in ISMS documentation must be made.

Click here to see an example Corrective Action Form. See Preview

ANNEX A. (Note: only the controls marked as applicable in the Statement of Applicability must be implemented.)

A.5 ORGANIZATIONAL CONTROLS

44) Are there published policies, approved by management, reviewed, and updated to support information security? (control A.5.1 Policies for information security)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Management needs to define Information Security Policies within the scope of the ISMS. The policies need to be appropriate to support information security and the business requirements, and must be reviewed at planned intervals to ensure suitability, adequacy, and effectiveness.

Click here to see an example Bring Your Own Device (BYOD) Policy, Mobile Device and Teleworking Policy, IT Security Policy, Information Classification Policy, Access Control Policy, Password Policy, Clear Desk and Clear Screen Policy, Disposal and Destruction Policy, Change Management Policy, Backup Policy, Information Transfer Policy, Secure Development Policy, and Supplier Security Policy.

See Preview

45) Are all information security responsibilities defined? (control A.5.2 Information security roles and responsibilities)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Responsibility needs to be assigned to organize information security activities, to ensure that the ISMS implementation and operation activities are performed.

46) Are duties and responsibilities properly segregated considering situations of conflict of interest? (control A.5.3 Segregation of duties)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Splitting critical activities into two or more steps, or between two or more people, can minimize the probability of an incident to occur.

47) Is management actively requiring all employees and contractors to comply with information security rules? (control A.5.4 Management responsibilities)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Management needs to publish an information security policy, define responsibilities, authorities and roles, and promote information security awareness to employees and contractors.

48) Are contacts with relevant authorities defined? (control A.5.5 Contact with authorities)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Contacts with authorities, and who needs to contact them, need to be clearly defined.

49) Are contacts with special interest groups or professional associations defined? (control A.5.6 Contact with special interest groups)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Contacts with special interest groups or professional associations, and respective responsibilities, need to be clearly defined.

50) Is information related to information security threats collected and analyzed to produce threat intelligence? (control A.5.7 Threat intelligence)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Information about attacks, methods and technologies used, and/or information about attack trends needs to be gathered in order to take appropriate mitigation actions.

Click here to see an example of an Incident Management Procedure. See Preview

51) Do projects consider information security aspects? (control A.5.8 Information security in project management)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Information security rules need to be defined to include proper controls to protect information.

For new and existing information systems to be upgraded, security requirements should form part of the requirements assessment.

Click here to see an example of Specification of Information System Requirements. See Preview

52) Does an Inventory of Assets exist, and does every asset in the inventory have a designated owner? (control A.5.9 Inventory of information and other associated assets)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

An inventory of assets need to help you to identify and organize the information assets and information process resources.

To ensure the proper handling and protection of an asset, an owner needs to be designated for it.

Click here to see an example of an Inventory of Assets, and IT Security Policy. See Preview

53) Are rules and procedures for handling of information and other associated assets defined? (control A.5.10 Acceptable use of information and other associated assets)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

To ensure the proper handling and protection of an asset, according to the classified information it handles, a set of rules and procedures need to be defined.

Click here to see an example IT Security Policy, and Information Classification Policy. See Preview

54) Are company assets returned by employees and contractors when their employment is terminated? (control A.5.11 Return of assets)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

To ensure the proper handling and protection of an asset, a set of rules need to be defined.

Click here to see an example IT Security Policy. See Preview

55) Are criteria to classify information defined? (control A.5.12 Classification of information)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

The existence of defined classification criteria ensures that all information need to receive a level of protection according to its value to the organization.

Click here to see an example Information Classification Policy. See Preview

56) Are there procedures which define how to label and handle classified information? (control A.5.13 Labelling of information)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

The existence of labeling and handling procedures ensures that all classified information need to receive treatment according to its classification level.

Click here to see an example Information Classification Policy. See Preview

57) Is the information transfer properly protected? (control A.5.14 Information transfer)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Formal policies and procedures, enforced by agreements and asset configurations, need to be in place to enforce the protection of information transfer.

Click here to see an example Information Transfer Policy , and Bring Your Own Device (BYOD) Policy. See Preview

58) Is there an Access Control Policy, and do users have access only to the resources they are allowed to use? (control A.5.15 Access control)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Management needs to define an Access Control Policy within the scope of the ISMS. The policy needs to be appropriate to support information security and the business requirements, to ensure users have access only to those networks and services they are specifically authorized for.

Click here to see an example Access Control Policy. See Preview

59) Are access rights provided via a formal registration process? (control A.5.16 Identity management)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

A formal process need to be in place for the creation / exclusion of user accounts and attribution of user access rights.

Click here to see an example Access Control Policy, and Password Policy. See Preview

60) Are there rules for passwords and other secret authentication information to be provided in a secure way, as well as for password management systems, and users, on how to manage and protect them? (control A.5.17 Authentication information)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

All information related to user authentication need to be protected (e.g.: passwords, passphrases, etc.), and provided in a way that only the user needs to know the authentication information (e.g.: passwords, passphrases, etc.).

Password management systems adopted by the organization need to be interactive, and ensure the creation of secure passwords.

Click here to see an example Access Control Policy, and Password Policy. See Preview

61) Is there a formal access management process to handle, review, and update access to information systems and users' access rights? (control A.5.18 Access rights)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

A formal process need to be in place to grant / revoke user access for all types of users to all systems and services, when there is a change in his/her situation, and to periodically verify user access to privileged rights.

Click here to see an example Access Control Policy. See Preview

62) Is there a policy on how to treat the risks related to suppliers and partners? (control A.5.19 Information security in supplier relationships)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

A policy on how to treat the risks related to suppliers and partners need to be documented to help guide suppliers and partners relationships.

Click here to see an example Supplier Security Policy. See Preview

63) Are relevant security requirements included in the agreements with the suppliers and partners? (control A.5.20 Addressing information security within supplier agreements)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

All the relevant security requirements need to be included in the agreements with the suppliers and partners to ensure they are committed to the same level of security defined for the organization.

Click here to see an example Supplier Security Policy, Confidentiality Statement, and Security Clauses for Suppliers and Partners. See Preview

64) Do the agreements with providers and suppliers include security requirements? (control A.5.21 Managing information security in the ICT supply chain)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Agreements with providers and other suppliers need to include security requirements for ensuring the reliable delivery of services.

Click here to see an example Supplier Security Policy, and Security Clauses for Suppliers and Partners. See Preview

65) Are suppliers regularly monitored, and are changes involving arrangements and contracts with suppliers and partners taking into account risks and existing processes? (control A.5.22 Monitoring, review and change management of supplier service)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Suppliers need to be regularly monitored, and audited if appropriate, for compliance with the security requirements.

Any changes in the provisioning of the services made by a supplier need to be managed and include re-assessment of risks.

Click here to see an example Supplier Security Policy. See Preview

66) Are cloud services acquired, used, managed, and canceled according to information security requirements? (control A.5.23 Information security for use of cloud services)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Processes related to provided cloud services need to be established according to defined information security requirements.

Click here to see an example of a Supplier Security Policy. See Preview

67) Are incidents managed properly? (control A.5.24 Information security incident management planning and preparation)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Procedures and responsibilities for managing incidents need to be in place to ensure proper and prompt response.

Click here to see an example Incident Management Procedure. See Preview

68) Are security events assessed and classified properly? (control A.5.25 Assessment and decision on information security events)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Security events need to be assessed and classified properly to better allocate the available resources and to ensure prompt response.

Click here to see an example Incident Management Procedure. See Preview

69) Are procedures on how to respond to incidents documented? (control A.5.26 Response to information security incidents)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Procedures on how to respond to incidents need to be documented to ensure a standardized response to security events.

Click here to see an example Incident Management Procedure. See Preview

70) Are security incidents analyzed properly? (control A.5.27 Learning from information security incidents)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Security incidents need to be analyzed in order to gain knowledge on how to prevent their recurrence.

Click here to see an example Incident Management Procedure, and Incident Log. See Preview

71) Do procedures exist which define how to collect evidence? (control A.5.28 Collection of evidence)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Procedures on how to collect evidence need to be in place to ensure they will be acceptable in the event that they are required during a legal process.

Click here to see an example Incident Management Procedure. See Preview

72) Are requirements for continuity of information security defined, implemented, exercised, and tested? (control A.5.29 Information security during disruption)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Requirements for continuity of information security need to be defined to ensure they are supporting the business even during a disruption event.

Procedures to ensure the continuity of information security during a crisis or a disaster need to be available to help speed up recovery of normal business operations and to support information protection during the restart of operations.

Exercising and testing need to be performed in order to ensure effective response in a real event.

Click here to see an example of a Disaster Recovery Plan. See Preview

73) Is ICT readiness managed according to business continuity objectives and ICT requirements? (control A.5.30 ICT readiness for business continuity)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

ICT resources need to be planned, implemented, maintained, and tested considering business continuity objectives and ICT requirments.

Click here to see an example of a Disaster Recovery Plan. See Preview

74) Are legislative, regulatory, contractual, and other security requirements listed? (control A.5.31 Legal, statutory, regulatory and contractual requirements)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

All legislative, regulatory, contractual, and other security requirements need to be listed and documented to ensure a base for defining controls and compliance activities.

Click here to see an example of a List of Legal, Regulatory, Contractual and Other Requirements. See Preview

75) Do procedures exist to protect intellectual property rights? (control A.5.32 Intellectual property rights)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Procedures need to be available to ensure the enforcement of intellectual property rights, in particular, the use of licensed software.

Click here to see an example IT Security Policy. See Preview

76) Are records protected properly? (control A.5.33 Protection of records)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

All the records need to be protected according to identified regulatory, contractual, and other requirements.

77) Is personally identifiable information protected properly? (control A.5.34 Privacy and protection of PII)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Personally identifiable information needs to be protected as required in laws and regulations.

78) Is information security regularly reviewed by an independent auditor? (control A.5.35 Independent review of information security)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Information security needs to be regularly reviewed by an independent auditor to ensure the management system's suitability, adequacy, and effectiveness, and to assess opportunities for improvements.

Click here to see an example Internal Audit Procedure. See Preview

79) Do the managers regularly review if the security policies and procedures are performed properly in their areas of responsibility, and that information systems are in compliance with the information security policies and standards? (control A.5.36 Compliance with policies, rules and standards for information security)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Managers need to regularly review if the security policies and procedures are performed properly in their areas of responsibility to ensure the controls' suitability, adequacy, and effectiveness, and to assess opportunities for improvements.

Information systems need to be regularly reviewed to check their compliance with the information security policies and standards to ensure their suitability, adequacy, and effectiveness, and to assess opportunities for improvements.

80) Are operating procedures for IT processes documented? (control A.5.37 Documented operating procedures)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Available documentation needs to help to ensure the proper operation and security of information processing resources.

Click here to see an example Security Procedures for IT Department. See Preview

A.6 PEOPLE CONTROLS

81) Does the organization perform background checks on candidates for employment or for contractors? (control A.6.1 Screening)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Background checks need to be done, according to your country's laws and business requirements, to avoid exposure of information to unnecessary risk.

82) Are there agreements with employees and contractors that specify information security responsibilities? (control A.6.2 Terms and conditions of employment)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Before gaining access to information, employees and contractors need to be made aware of their information security responsibilities and agree to fulfill them.

Click here to see an example Confidentiality Statement, and Statement of Acceptance of ISMS Documents. See Preview

83) Do employees and contractors attend trainings to better perform their security duties, and do the awareness programs exist? (control A.6.3 Information security awareness, education and training)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Employees and contractors need to be trained on the competencies required to fulfill their security duties and be aware of security issues relevant to the organization.

84) Does the organization have a formal disciplinary process? (control A.6.4 Disciplinary process)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

A disciplinary process needs to be in place to ensure a systematic application of penalties against employees and contractors who have committed a security breach and to avoid allegations of unfair treatment.

85) Are there agreements covering information security responsibilities that remain valid after the termination of employment? (control A.6.5 Responsibilities after termination or change of employment)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

The organization needs to define information security obligations to be fulfilled after the termination of employment, and make employees and contractors aware of these responsibilities.

86) Does the organization list all the confidentiality clauses that need to be included in agreements with third parties? (control A.6.6 Confidentiality or non-disclosure agreements)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

The organization needs to ensure that all relevant confidentiality clauses to be included in agreements with third parties should be identified, reviewed, and documented.

Click here to see an example Confidentiality Statement. See Preview

87) Are there rules defining how the organization's information is protected considering teleworking sites? (control A.6.7 Remote working)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Management needs to define policies for teleworking within the scope of the ISMS. The policies need to be appropriate to support information security and the business requirements.

Click here to see an example Bring Your Own Device (BYOD) Policy, Mobile Device and Teleworking Policy, and IT Security Policy. See Preview

88) Are information security events and weaknesses reported in properly by employees and contractors? (control A.6.8 Information security event reporting)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Information security events and weaknesses need to be reported in a timely manner to minimize risks and damage to information, systems, and the business.

Click here to see an example of an Incident Management Procedure. See Preview

A.7 PHYSICAL CONTROLS

89) Do secure areas that protect sensitive information exist? (control A.7.1 Physical security perimeters)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Physical areas need to offer an additional security layer to help protect sensitive information.

90) Are the entrances to secure areas protected? (control A.7.2 Physical entry)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

The entrance to secure areas need to be protected with controls that allow only the authorized persons to enter.

Delivery and loading areas need to be controlled in such a way that unauthorized persons cannot enter the company premises.

91) Are secure areas located in a protected way? (control A.7.3 Securing offices, rooms and facilities)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Secure areas need to be located in such a way that they are not visible to outsiders, and not easily reached from the outside.

92) Are premises monitored for unauthorized access? (control A.7.4 Physical security monitoring)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

The organization's secure areas need to be continuously monitored.

Click here to see an example of Procedures for Working in Secure Areas. See Preview

93) Are the alarms, fire protection, and other systems installed? (control A.7.5 Protecting against physical and environmental threats)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Physical protections need to be in place to minimize risk related to external and environmental threats.

94) Are working procedures for secure areas defined? (control A.7.6 Working in secure areas)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Specific working procedures proportional to the sensitivity of the secure areas need to be in place to minimize incidents related to inappropriate actions.

Click here to see an example Procedures for Working in Secure Areas. See Preview

95) Is there orientation for users about what to do when they are not present at their workstations? (control A.7.7 Clear desk and clear screen)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

A policy needs to require users to remove papers and media, and lock their screens, when not present at their workstations.

Click here to see an example IT Security Policy, and Clear Desk and Clear Screen Policy. See Preview

96) Is the equipment properly protected? (control A.7.8 Equipment siting and protection)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Equipment needs to be sited in such a way to protect it from unauthorized access, and from environmental threats.

97) Are the organization assets properly protected when they are not at the organization premises? (control A.7.9 Security of assets off-premises)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Assets outside the organization's premises are exposed to more risks, and may require the application of stronger controls.

Click here to see an example IT Security Policy, and Mobile Device and Teleworking Policy. See Preview

98) Are there procedures that define how to handle, protect, transport, and dispose of storage media, inside and outside the organization premises, in line with the classification rules and information sensitivity? (control A.7.10 Storage media)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

The existence of storage media handling procedures ensures that all storage media need to receive treatment according to the classified information they handle.

Click here to see examples of the Information Classification Policy, Disposal and Destruction Policy , Security Procedures for IT Department, and IT Security Policy. See Preview

99) Does the equipment have protection against energy variations? (control A.7.11 Supporting utilities)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Protections such as uninterrupted power supply (UPS) need to be considered to prevent energy levels higher or lower beyond the manufacturer's specifications from damaging equipment.

100) Are the power and telecommunication cables adequately protected? (control A.7.12 Cabling security)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Power and telecommunication cables can be a entrance point to an attack against information and system's resources and need to be protected.

101) Is the equipment maintained regularly? (control A.7.13 Equipment maintenance)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

To ensure systems' reliability, equipment needs to undergo maintenance procedures according to manufacturers’ specifications and good practices.

102) Is information properly removed from media or equipment that will be disposed of? (control A.7.14 Secure disposal or re-use of equipment)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

All the information and licensed software need to be removed from media or equipment containing media when these media are disposed of.

Click here to see an example of the Disposal and Destruction Policy , and Security Procedures for IT Department. See Preview

A.8 TECHNOLOGICAL CONTROLS

103) Are rules for the secure handling of mobile devices, and for protecting equipment when not in the physical possession of its users, defined? (control A.8.1 User endpoint devices)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Management needs to define policies for mobile device handling within the scope of the ISMS. The policies need to be appropriate to support information security and the business requirements.

No equipment needs to be left unsupervised, but if there is no alternative, recommendations need to be provided to guide users' behavior.

Click here to see an example Bring Your Own Device (BYOD) Policy, Mobile Device and Teleworking Policy, IT Security Policy, and Clear Desk and Clear Screen Policy. See Preview

104) Are privileged access rights managed with special care? (control A.8.2 Privileged access rights)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

A formal process to grant / revoke user access with privileged rights needs to be in place.

Click here to see an example Access Control Policy. See Preview

105) Is the access to information in systems restricted according to the access control policy? (control A.8.3 Information access restriction)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Access to databases and applications functions need to be restricted according to the Access Control Policy.

Click here to see an example Access Control Policy. See Preview

106) Is the access to source code restricted to authorized persons? (control A.8.4 Access to source code)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Source codes can have a huge impact to business systems if they are compromised, so they need to be handled with care and access to them should be restricted.

107) Is secure log-on required on systems according to the Access Control Policy? (control A.8.5 Secure authentication)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Systems developed or acquired by the organization need to consider log-on systems as one of their security requirements according to the Access Control Policy.

Click here to see an example of an Access Control Policy. See Preview

108) Are resources monitored and plans made to ensure their capacity to fulfill users' demands? (control A.8.6 Capacity management)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Someone needs to monitor the use of resources and project the required capacity to ensure the maintenance of the accorded performance.

109) Are anti-virus software, and other software for malware protection installed and properly used? (control A.8.7 Protection against malware)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Anti-virus software, and other software for malware protection, need to be in place, and properly configured and updated.

Click here to see an example IT Security Policy. See Preview

110) Is information about vulnerabilities properly managed, and are information systems regularly reviewed to check their compliance with the information security policies and standards? (control A.8.8 Management of technical vulnerabilities)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Someone needs to be in charge of collecting information about vulnerabilities, to speed up proper resolution of those identified as relevant to the organization.

Information systems need to be regularly reviewed to check their compliance with the information security policies and standards to ensure their suitability, adequacy, and effectiveness, and to assess opportunities for improvements.

111) Are configurations of relevant IT assets properly handled? (control A.8.9 Configuration management)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Configuration of hardware, software, services, and networks needs to be established, documented, implemented, monitored, and reviewed.

Click here to see an example of Security Procedures for IT Department. See Preview

112) Is data that is no longer required properly disposed of? (control A.8.10 Information deletion)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Information in systems, devices, and storage media need to be deleted when no longer required.

Click here to see examples of the IT Security Policy and Disposal and Destruction Policy. See Preview

113) Is data masking applied according to applicable requirements? (control A.8.11 Data masking)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Data masking needs to consider access policies and business and legal requirements.

Click here to see examples of the Information Classification Policy, Access Control Policy, and Secure Development Policy. See Preview

114) Do systems, networks, and devices include data leakage prevention measures? (control A.8.12 Data leakage prevention)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Assets related to processing, storage or transmission of sensitive information need to have data leakage prevention measures implemented.

Click here to see examples of the Information Classification Policy, IT Security Policy, and Security Procedures for IT Department. See Preview

115) Is a backup policy defined and performed properly? (control A.8.13 Information backup)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

A backup policy needs to be in place and it needs to be performed according to this policy.

Click here to see an example of Backup Policy. See Preview

116) Does IT infrastructure have redundancy (e.g.: secondary location) included in its planning and operation? (control A.8.14 Redundancy of information processing facilities)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

IT infrastructure needs to have redundancy to help fulfill the expectations during disaster events.

Click here to see an example of a Disaster Recovery Plan. See Preview

117) Are relevant events from IT systems logged periodically, and are logs protected properly? (control A.8.15 Logging)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

User logs, administrators' logs, faults, and other relevant events from IT systems need to be logged and protected against unauthorized access and modification.

Click here to see an example of Security Procedures for IT Department. See Preview

118) Are systems, networks, and applications monitored, and proper actions taken when anomalous behaviors are found? (control A.8.16 Monitoring activities)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Someone needs to monitor for anomalous behavior, so that proper actions are taken to prevent the compromise of systems, networks, and applications.

Click here to see an example of Security Procedures for IT Department. See Preview

119) Are clocks on all IT systems synchronized? (control A.8.17 Clock synchronization)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

IT systems' clocks need to be synchronized with a single source of correct time to ensure precise event logging.

120) Is the use of utility tools controlled and limited to specific employees? (control A.8.18 Use of privileged utility programs)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Some utility tools can override the security controls of applications and systems and need to be strictly controlled, including limiting their access to a narrow circle of employees.

121) Is installation of software strictly controlled? (control A.8.19 Installation of software on operational systems)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

There need to be defined rules and procedures to ensure that software installations are made in a proper and controlled way.

Click here to see an example IT Security Policy. See Preview

122) Are the networks controlled to protect information in systems and applications? (control A.8.20 Networks security)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Networks need to be controlled to avoid information and systems compromise.

Click here to see an example Security Procedures for IT Department. See Preview

123) Are security requirements for network services defined, and included in agreements? (control A.8.21 Security of network services)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

In-house and external network services need to have clear rules to protect information and systems, and these rules shall be defined and included in agreements.

Click here to see an example Security Procedures for IT Department. See Preview

124) Are the networks segregated considering risks and assets classification? (control A.8.22 Segregation of networks)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Users, services, and systems need to be segregated in different networks to minimize risks of information compromise.

125) Is access to external websites controlled? (control A.8.23 Web filtering)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Access to external websites needs to be controlled to decrease the risk of information compromise due to external malicious content.

Click here to see an example IT Security Policy, and Security Procedures for IT Department. See Preview

126) Does a policy to regulate encryption and other cryptographic controls exist? (control A.8.24 Use of cryptography)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Management needs to define a Cryptographic Control Policy within the scope of the ISMS. The policy need to be appropriate to support information security and the business requirements.

Click here to see an example Policy on the Use of Encryption. See Preview

127) Are rules for the secure development of software and systems defined? (control A.8.25 Secure development life cycle)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Software and systems need to incorporate security since early stages of development, oriented by rules that consider the risks those software and systems will be exposed to.

Click here to see an example Secure Development Policy. See Preview

128) Is application information, including transaction information, transferred through public networks appropriately protected? (control A.8.26 Application security requirements)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Public networks need to be considered insecure and proper controls need to be in place to protect application information, and transaction information, that is transferred through them.

Click here to see an example Secure Development Policy. See Preview

129) Are principles for engineering secure systems applied to the organization system's development process? (control A.8.27 Secure system architecture and engineering principles)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Systems need to incorporate security since early stages of development, driven by principles for engineering security in their components and functions.

Click here to see an example Secure Development Policy. See Preview

130) Is software code developed according to defined principles? (control A.8.28 Secure coding)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Software code needs to be developed according to defined secure coding principles.

Click here to see an example of a Secure Development Policy. See Preview

131) Is the implementation of security requirements tested during system development, and are the criteria for accepting the systems defined? (control A.8.29 Security testing in development and acceptance)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Proper testing of security requirements implementation is critical and needs to be performed to ensure a system can achieve business and security objectives.

Criteria for accepting systems need to be defined to ensure a way to verify if all security and business needs were fulfilled.

Click here to see an example Secure Development Policy. See Preview

132) Is the outsourced development of systems monitored? (control A.8.30 Outsourced development)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Outsourced development of systems needs to be monitored to ensure that business security requirements are properly fulfilled.

Click here to see an example Secure Development Policy, Supplier Security Policy, and Security Clauses for Suppliers and Partners. See Preview

133) Are development, testing, and production environments separated and properly secured? (control A.8.31 Separation of development, test and production environments)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Separate environments need to be implemented to minimize risks related to unauthorized access or modification of information or resources, or the environments themselves.

Click here to see an example Secure Development Policy. See Preview

134) Are changes that could affect the information security of new or existing systems properly controlled and tested? (control A.8.32 Change management)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

All the changes to IT systems, new or existing, and to other processes that could affect information security, need to be properly controlled, so only critical and relevant changes need to be allowed to be made, with change control and testing procedures in place to minimize information security risks during changes.

Click here to see an example Security Procedures for IT Department, Secure Development Policy, and Change Management Policy. See Preview

135) Are test data carefully selected and protected? (control A.8.33 Test information)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Test data need to be selected in a way to not allow inference of sensitive business data, while still being useful to validate a system.

Click here to see an example Secure Development Policy. See Preview

136) Are audits of production systems planned and executed properly? (control A.8.34 Protection of information systems during audit testing)

1 — Not implemented2 — Planned3 — In progress4 — Mostly implemented5 — Optimized

Tip

Audits of production systems need to be planned and executed in a way to not increase the risk of disruption of those systems.

Here's the percentage of your compliance with ISO 27001:

Enter your e-mail address

[The results will be sent to entered e-mail address]

For more information on what personal data we collect, why we need it, what we do with it, how long we keep it, and what your rights are, see this Privacy Notice.

English

Deutsch
Español

Products

Conformio

Toolkits

Training

Experta

Company Training Academy
Resources

Articles

Webinars

Courses

Free Downloads

Tools

Podcast

Live Consultations

Consultant Directory
Standards & Regulations

ISO 27001

ISO 22301

ISO 13485

ISO 9001

ISO 14001

ISO 45001

ISO 20000

ISO 17025

NIS 2

DORA

EU GDPR

EU MDR

IATF 16949

AS9100

Compliance in general
Advisera

About Us

For Consultants

Contact Sales

Terms of Use
Help

Help Center

Contact Support

Partnerships

Products by framework:

By Type

Where to Start

Other

Solutions for industries:

Dejan Kosutic

ISO 27001 Gap Analysis [Free Tool]

Find out your level of compliance with ISO 27001

4 CONTEXT OF THE ORGANIZATION

4.1 UNDERSTANDING THE ORGANIZATION AND ITS CONTEXT

4.2 UNDERSTANDING THE NEEDS AND EXPECTATIONS OF INTERESTED PARTIES

4.3 DETERMINING THE SCOPE OF THE INFORMATION SECURITY MANAGEMENT SYSTEM

4.4 INFORMATION SECURITY MANAGEMENT SYSTEM

5 LEADERSHIP

5.1 LEADERSHIP AND COMMITMENT

5.2 POLICY

5.3 ORGANIZATIONAL ROLES, RESPONSIBILITIES AND AUTHORITIES

6 PLANNING

6.1 ACTIONS TO ADDRESS RISKS AND OPPORTUNITIES

6.1.1 GENERAL

6.1.2 INFORMATION SECURITY RISK ASSESSMENT

6.1.3 INFORMATION SECURITY RISK TREATMENT

6.2 INFORMATION SECURITY OBJECTIVES AND PLANNING TO ACHIEVE THEM

6.3 PLANNING OF CHANGES

7 SUPPORT

7.1 RESOURCES

7.2 COMPETENCE

7.3 AWARENESS

7.4 COMMUNICATION

7.5 DOCUMENTED INFORMATION (7.5.1 GENERAL; 7.5.2 CREATING AND UPDATING; 7.5.3 CONTROL OF DOCUMENTED INFORMATION)

8 OPERATION

8.1 OPERATIONAL PLANNING AND CONTROL

8.2 INFORMATION SECURITY RISK ASSESSMENT

8.3 INFORMATION RISK TREATMENT

9 PERFORMANCE EVALUATION

9.1 MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION

9.2 INTERNAL AUDIT

9.3 MANAGEMENT REVIEW

10 IMPROVEMENT

10.1 CONTINUAL IMPROVEMENT

10.2 NONCONFORMITY AND CORRECTIVE ACTION

ANNEX A. (Note: only the controls marked as applicable in the Statement of Applicability must be implemented.)

A.5 ORGANIZATIONAL CONTROLS

A.6 PEOPLE CONTROLS

A.7 PHYSICAL CONTROLS

A.8 TECHNOLOGICAL CONTROLS

Products

Resources

Standards & Regulations

Advisera

Help