Free ISO 27001 Gap Analysis Tool

Find out your level of compliance with ISO 27001

4.0 CONTEXT OF THE ORGANIZATION
4.1 UNDERSTANDING THE ORGANIZATION AND ITS CONTEXT

4.2 UNDERSTANDING THE NEEDS AND EXPECTATIONS OF INTERESTED PARTIES

The organization must determine which interested parties are relevant to the information security management system (ISMS) (e.g. critical clients and suppliers, employees, shareholders, regulators and other government agencies), and which of their requirements are relevant to information security.

Click here to see an example Procedure for Identification of Requirements.

Requirements are needs and expectations that can be evaluated in a qualitative or quantitative way, and they need to be documented for the interested parties you defined as relevant to the ISMS.

4.3 DETERMINING THE SCOPE OF THE INFORMATION SECURITY MANAGEMENT SYSTEM

You need to define the scope of the ISMS, considering internal and external issues, the requirements of relevant interested parties, and the interfaces and dependencies between activities performed by the organization and those performed by other organizations.

Click here to see an example ISMS Scope Document.
4.4 INFORMATION SECURITY MANAGEMENT SYSTEM


5.0 LEADERSHIP
5.1 LEADERSHIP AND COMMITMENT

5.2 POLICY

Top management must define the Information Security Policy within the scope of the ISMS. The policy needs to be appropriate to your activities, include a commitment to continual improvement, and provide objectives & targets or a framework for their establishment.

Click here to see an example Information Security Policy.


5.3 ORGANIZATIONAL ROLES, RESPONSIBILITIES AND AUTHORITIES


6.0 PLANNING
6.1 ACTIONS TO ADDRESS RISKS AND OPPORTUNITIES
6.1.1 GENERAL


6.1.2 INFORMATION SECURITY RISK ASSESSMENT

There needs to be a process that establishes and maintains risk criteria as well as identifies, analyzes, and evaluates information security risks.

Click here to see an example Risk assessment methodology.
6.1.3 INFORMATION SECURITY RISK TREATMENT

There needs to be a process to treat information security risks that takes account of the risk assessment results, selects the necessary controls, and produces the required documents, in particular the Statement of Applicability and the Risk Treatment Plan.

6.2 INFORMATION SECURITY OBJECTIVES AND PLANNING TO ACHIEVE THEM



Plan(s) need to be in place to achieve the information security objectives, specifying what will be done, the resources required, who is responsible, the time frame, and how the results will be evaluated.

Click here to see an example Risk Treatment Plan.
6.3 PLANNING OF CHANGES


7.0 SUPPORT
7.1 RESOURCES


7.2 COMPETENCE

The competence of personnel whose work can affect information security needs to be assessed, and training provided where gaps are found. Records of competence must be maintained.

Click here to see an example Training and Awareness Plan.
7.3 AWARENESS

Awareness of the Information Security Policy, procedures, risks, roles, responsibilities, authorities, and consequences of departing from specified procedures must be promoted.

Click here to see an example Training and Awareness Plan.
7.4 COMMUNICATION


7.5 DOCUMENTED INFORMATION (7.5.1 GENERAL; 7.5.2 CREATING AND UPDATING; 7.5.3 CONTROL OF DOCUMENTED INFORMATION)



A procedure for control of documents should exist that specifies approval, review and update, change identification, relevant version availability, document legibility, control of external documents, and prevention of obsolete document use.

Click here to see an example Procedure for Document and Record Control.


8.0 OPERATION
8.1 OPERATIONAL PLANNING AND CONTROL



Documented information must be kept to the extent necessary to have confidence that the processes have been carried out as planned (e.g., procedures for operational control, operating criteria, etc.).

Click here to see an example Security Procedures for IT Department.




8.2 INFORMATION SECURITY RISK ASSESSMENT

The information security risk assessment must be performed at planned intervals, or when significant changes are proposed or occur, and evidence of the results must be recorded.

Click here to see an example of Risk Assessment Table, and Risk Treatment Table.
8.3 INFORMATION SECURITY RISK TREATMENT

The Risk Treatment Plan needs to be implemented, with designated responsibility, an evaluation method, and the means and time frame for each planned action, and the results of risk treatment must be documented and retained.

Click here to see an example Risk Treatment Plan.

Actions need to be established to treat the risks deemed unacceptable. These actions need to be implemented, reviewed, and revised and periodically tested where practicable.

Click here to see an example Risk Treatment Table, and Statement of Applicability.
9.0 PERFORMANCE EVALUATION
9.1 MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION




9.2 INTERNAL AUDIT

Audit procedures must address audit responsibilities, reporting, recording, criteria, scope, frequency, and methods. The procedures need to include criteria for the selection of auditors that maintain impartiality and objectivity (auditors must not audit their own work).


Audit procedures must be in place to evaluate the ISMS against the planned arrangements (including proper implementation and maintenance) at planned intervals and results must be reported to management.

Click here to see an example Internal Audit Report.
9.3 MANAGEMENT REVIEW

Top management must review the ISMS at planned intervals to ensure suitability, adequacy, and effectiveness and assess opportunities for improvements. Records must be kept of the review.

Click here to see an example Management Review Minutes.

The outputs of management review must include decisions and actions related to possible changes of the Information Security Policy, objectives, targets, and other ISMS elements in order to continually improve the ISMS.

Click here to see an example of Management Review Minutes.
10.0 IMPROVEMENT
10.1 CONTINUAL IMPROVEMENT


10.2 NONCONFORMITY AND CORRECTIVE ACTION

A procedure(s) to deal with actual nonconformities, including taking corrective action, must be in place.

Click here to see an example Procedure for Corrective Action.

The procedure must include identification, investigating and determining causes and actions to prevent recurrence. These actions need to be appropriate to the magnitude of the nonconformity.

Click here to see an example Procedure for Corrective Action.

Records must be kept, and the effectiveness evaluated for corrective actions. Necessary changes in ISMS documentation must be made.

Click here to see an example Corrective Action Form.
A.5 ORGANIZATIONAL CONTROLS

Management needs to define an Information Security Policy, and the topic-specific policies that support it, within the scope of the ISMS. The policies need to be appropriate to support information security and the business requirements, must be communicated to and acknowledged by relevant personnel and interested parties, and must be reviewed at planned intervals and when significant changes occur, to ensure their continuing suitability, adequacy, and effectiveness.

Information about attacks, methods and technologies used, and/or information about attack trends needs to be gathered in order to take appropriate mitigation actions.

Click here to see an example of an Incident Management Procedure

Information security rules need to be defined to include proper controls to protect information.

For new information systems, and for upgrades to existing ones, information security requirements should form part of the requirements analysis and specification.

Click here to see an example of Specification of Information System Requirements

An inventory of assets needs to be developed and maintained to identify and organize the information assets and the information processing resources associated with them.

To ensure the proper handling and protection of an asset, an owner needs to be designated for it.

Click here to see an example of an Inventory of Assets, and IT Security Policy.

To ensure the proper handling and protection of an asset, according to the classified information it handles, a set of rules and procedures need to be defined.

Click here to see an example IT Security Policy, and Information Classification Policy.

To ensure the proper handling and protection of an asset, a set of rules need to be defined.

Click here to see an example IT Security Policy.

Defined classification criteria ensure that all information receives a level of protection appropriate to its value, sensitivity, and criticality to the organization, and to the legal and contractual requirements that apply to it.

Click here to see an example Information Classification Policy.

Labeling and handling procedures ensure that all classified information is treated according to its classification level, whatever the form it takes (paper, electronic files, storage media, verbal).

Click here to see an example Information Classification Policy.

Formal policies and procedures, enforced by agreements and asset configurations, need to be in place to enforce the protection of information transfer.


Management needs to define an Access Control Policy within the scope of the ISMS. The policy needs to be appropriate to support information security and the business requirements, to ensure users have access only to those networks and services they are specifically authorized for.

Click here to see an example Access Control Policy.

A formal process needs to be in place for the creation and deletion of user accounts and for assigning user access rights, so that every account can be traced to an identified, authorized individual or system.

Click here to see an example Access Control Policy, and Password Policy.

Authentication information (e.g. passwords, passphrases, tokens, cryptographic keys) must be protected, and must be issued and managed so that only the user concerned knows or holds it; temporary credentials must be changed at first use.

Password management systems adopted by the organization need to be interactive, and ensure the creation of secure passwords.

Click here to see an example Access Control Policy, and Password Policy.
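The two password requirements above (an interactive system that tells the user why a password is rejected, and protection of the stored authentication information) are shown together in the following added example. It is illustrative code written for this page, not part of the gap analysis tool or of any Password Policy it links to. The 12-character minimum and the short breached-password list are assumed values; a real deployment takes them from the organization's policy and a full breached-password corpus.

```python
"""Added example: interactive password-quality feedback plus salted scrypt storage.

Illustrative code for this page, not the original tool's. Policy values below
(MIN_LENGTH, BREACHED) are assumptions chosen for the demonstration.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 12  # assumed policy value

# Constructed stand-in for a real breached-password corpus.
BREACHED = {"password", "password1", "qwerty123456", "letmein12345"}

# scrypt cost parameters: 128 * n * r bytes of memory (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def check_password(candidate: str, username: str = "") -> list[str]:
    """Return human-readable policy failures; an empty list means acceptable.

    An interactive system shows these messages so the user can fix the
    problem on the spot instead of receiving a bare rejection.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if candidate.lower() in BREACHED:
        problems.append("appears in a list of breached passwords")
    if username and username.lower() in candidate.lower():
        problems.append("must not contain the user name")
    if len(set(candidate)) < 4:
        problems.append("uses too few distinct characters")
    return problems


def _derive(candidate: str, salt: bytes) -> bytes:
    return hashlib.scrypt(candidate.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(candidate: str) -> str:
    """Store only a salted scrypt hash, never the password itself.

    Record format: scrypt$<hex salt>$<hex hash>; a fresh random salt per
    user defeats precomputed tables.
    """
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${_derive(candidate, salt).hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False  # unknown or malformed record: reject, do not guess
    _, salt_hex, digest_hex = parts
    return hmac.compare_digest(_derive(candidate, bytes.fromhex(salt_hex)),
                               bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(check_password("password1", "alice"))  # two failures reported to the user
    record = hash_password("correct-horse-battery-staple-2024")
    print(record)
    print(verify_password("correct-horse-battery-staple-2024", record))
```

The reject messages are returned rather than printed so that a web form or a CLI can present them; the hash record never contains the password, and an unrecognized record format is rejected instead of being interpreted.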

A formal process needs to be in place to grant and revoke access for all types of users to all systems and services, to adjust access rights when a user's role or employment changes or ends, and to review access rights at regular intervals, with privileged access rights reviewed more frequently.

Click here to see an example Access Control Policy.

A policy on how to treat the risks related to suppliers and partners needs to be documented to guide supplier and partner relationships.

Click here to see an example Supplier Security Policy.

All the relevant security requirements need to be included in the agreements with the suppliers and partners to ensure they are committed to the same level of security defined for the organization.


Agreements with providers and other suppliers need to include security requirements for ensuring the reliable delivery of services.


Suppliers need to be regularly monitored, and audited if appropriate, for compliance with the security requirements.

Any changes in the provisioning of the services made by a supplier need to be managed and include re-assessment of risks.

Click here to see an example Supplier Security Policy.

Processes for the acquisition, use, management, and exit from cloud services need to be established according to the organization's information security requirements, including the division of security responsibilities between the organization and the cloud service provider.

Click here to see an example of a Supplier Security Policy.

Procedures and responsibilities for managing incidents need to be in place to ensure proper and prompt response.

Click here to see an example Incident Management Procedure.

Security events need to be assessed and classified properly to better allocate the available resources and to ensure prompt response.

Click here to see an example Incident Management Procedure.

Procedures on how to respond to incidents need to be documented to ensure a standardized response to security events.

Click here to see an example Incident Management Procedure.

Security incidents need to be analyzed in order to gain knowledge on how to prevent their recurrence.

Click here to see an example Incident Management Procedure, and Incident Log.

Procedures on how to identify, collect, acquire, and preserve evidence need to be in place, so that the evidence will be admissible if it is required in disciplinary or legal proceedings (e.g. chain of custody, integrity of copies, documented handling).

Click here to see an example Incident Management Procedure.

Requirements for the continuity of information security need to be defined, so that the required level of information security is maintained during a disruption and not abandoned in the effort to restore operations.

Procedures to ensure the continuity of information security during a crisis or a disaster need to be available to help speed up recovery of normal business operations and to support information protection during the restart of operations.

Exercising and testing need to be performed in order to ensure effective response in a real event.

Click here to see an example of a Disaster Recovery Plan.

ICT resources need to be planned, implemented, maintained, and tested considering business continuity objectives and ICT continuity requirements (e.g. recovery time and recovery point objectives).

Click here to see an example of a Disaster Recovery Plan.

All legislative, regulatory, contractual, and other security requirements need to be listed and documented to ensure a base for defining controls and compliance activities.


Procedures need to be available to ensure the enforcement of intellectual property rights, in particular, the use of licensed software.

Click here to see an example IT Security Policy.

The organization's approach to managing information security, and its implementation, need to be reviewed independently at planned intervals, or when significant changes occur, to ensure the management system's suitability, adequacy, and effectiveness, and to identify opportunities for improvement.

Click here to see an example Internal Audit Procedure.



Operating procedures for information processing facilities need to be documented and made available to the personnel who need them, to ensure the correct and secure operation of those facilities.

Click here to see an example Security Procedures for IT Department.
A.6 PEOPLE CONTROLS



Before gaining access to information, employees and contractors need to be made aware of their information security responsibilities, and these responsibilities need to be stated in their employment or contractual agreements and accepted by them.

The organization needs to identify, review, document, and regularly update the confidentiality and non-disclosure requirements that are to be included in agreements with personnel and third parties.

Click here to see an example Confidentiality Statement.

Management needs to define policies for teleworking within the scope of the ISMS. The policies need to be appropriate to support information security and the business requirements.


Information security events and weaknesses need to be reported in a timely manner to minimize risks and damage to information, systems, and the business.

Click here to see an example of an Incident Management Procedure.
A.7 PHYSICAL CONTROLS

The organization's secure areas need to be continuously monitored.

Click here to see an example of Procedures for Working in Secure Areas.



Specific working procedures proportional to the sensitivity of the secure areas need to be in place to minimize incidents related to inappropriate actions.

Click here to see an example Procedures for Working in Secure Areas.

A policy needs to require users to remove papers and media, and lock their screens, when not present at their workstations.

Click here to see an example IT Security Policy, and Clear Desk and Clear Screen Policy.



Assets outside the organization's premises are exposed to more risks, and may require the application of stronger controls.


Storage media handling procedures ensure that all storage media are managed throughout their life cycle (acquisition, use, transport, and disposal) according to the classification of the information they hold.

Items of equipment containing storage media must be verified to ensure that all sensitive information and licensed software has been removed or securely overwritten before the equipment is disposed of or re-used.

A.8 TECHNOLOGICAL CONTROLS

Management needs to define policies for mobile device handling within the scope of the ISMS. The policies need to be appropriate to support information security and the business requirements.

Equipment should not be left unattended; where this cannot be avoided, guidance needs to be provided to users on the protection required (e.g. locking sessions, physical locks, not leaving devices in vehicles).


A formal process to grant / revoke user access with privileged rights needs to be in place.

Click here to see an example Access Control Policy.

Access to information and to application system functions needs to be restricted in accordance with the Access Control Policy.

Click here to see an example Access Control Policy.



Systems developed or acquired by the organization need to include secure authentication (secure log-on procedures and, where required by the Access Control Policy, multi-factor authentication) among their security requirements.

Click here to see an example of an Access Control Policy.



Anti-virus software, and other software for malware protection, need to be in place, and properly configured and updated.

Click here to see an example IT Security Policy.



Configuration of hardware, software, services, and networks needs to be established, documented, implemented, monitored, and reviewed.

Click here to see an example of Security Procedures for IT Department.

Information in systems, devices, and storage media need to be deleted when no longer required.

Click here to see examples of the IT Security Policy and Disposal and Destruction Policy.

Data masking needs to consider access policies and business and legal requirements.


Assets related to processing, storage or transmission of sensitive information need to have data leakage prevention measures implemented.


A backup policy needs to be in place and it needs to be performed according to this policy.

Click here to see an example of Backup Policy.

IT infrastructure needs to have redundancy to help fulfill the expectations during disaster events.

Click here to see an example of a Disaster Recovery Plan.

User and administrator activities, exceptions, faults, and other relevant events from IT systems need to be logged, and the logs need to be stored, protected against unauthorized access and modification, and analyzed.

Click here to see an example of Security Procedures for IT Department.
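Protecting logs against modification is the part of the requirement above that is hardest to evidence with a policy alone. The following added example (written for this page, not taken from the tool or the linked procedures) shows one common mechanism: each record carries an HMAC over its own content and the previous record's HMAC, so an edit, a deletion, or a reordering anywhere in the chain breaks verification. The log events are constructed, and the key is a placeholder; in practice the key is held by the log collector (an HSM or secrets manager), not by the systems that write the records, so an intruder with write access to the log store cannot re-sign what they change.

```python
"""Added example: tamper-evident log records via an HMAC hash chain.

Illustrative code for this page, not the original tool's. SAMPLE_EVENTS are
constructed; the key used in __main__ is a placeholder.
"""
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # chain anchor for the first record


def _canonical(event: dict) -> str:
    # Deterministic serialization so the MAC does not depend on key order.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def _mac(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def append_record(chain: list, key: bytes, event: dict) -> dict:
    """Append an event, binding it to the previous record's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    record = {"prev": prev, "event": event, "mac": _mac(key, prev + _canonical(event))}
    chain.append(record)
    return record


def verify_chain(chain: list, key: bytes) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad record.

    Each MAC covers both the record body and the previous MAC, so edits,
    deletions, and reordering inside the chain are all detected.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = _mac(key, prev + _canonical(rec["event"]))
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], expected):
            return i
        prev = rec["mac"]
    return None


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00Z", "user": "alice", "action": "login", "result": "success"},
    {"ts": "2024-05-01T08:05:13Z", "user": "root", "action": "sudo", "cmd": "useradd backdoor"},
    {"ts": "2024-05-01T08:05:20Z", "user": "root", "action": "logout"},
]


def build_sample_chain(key: bytes) -> list:
    chain = []
    for ev in SAMPLE_EVENTS:
        append_record(chain, key, ev)
    return chain


def tampered_chain(key: bytes) -> list:
    """Simulate an intruder rewriting the sudo record to hide the account creation."""
    chain = build_sample_chain(key)
    chain[1]["event"]["cmd"] = "ls"
    return chain


if __name__ == "__main__":
    key = b"demo-key-replace-with-hsm-backed-secret"  # placeholder
    print("intact chain:", verify_chain(build_sample_chain(key), key))   # None
    print("first tampered record:", verify_chain(tampered_chain(key), key))  # 1
```

One caveat a reviewer should raise: a chain like this does not detect truncation of the most recent records, because nothing follows them. Closing that gap means periodically anchoring the latest MAC somewhere the log writers cannot alter (a separate system, a signed timestamp, or a write-once store).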

Networks, systems, and applications need to be monitored for anomalous behavior, with defined responsibility for following up what is detected, so that proper actions are taken before systems, networks, and applications are compromised.

Click here to see an example of Security Procedures for IT Department.

There need to be defined rules and procedures to ensure that software installations are made in a proper and controlled way.

Click here to see an example IT Security Policy.

Networks need to be controlled to avoid information and systems compromise.

Click here to see an example Security Procedures for IT Department.

In-house and external network services need to have clear rules to protect information and systems, and these rules need to be defined and included in network service agreements.

Click here to see an example Security Procedures for IT Department.



Access to external websites needs to be controlled to decrease the risk of information compromise due to external malicious content.


Management needs to define a Cryptographic Control Policy within the scope of the ISMS, including rules for key management. The policy needs to be appropriate to support information security and the business requirements.

Click here to see an example Policy on the Use of Encryption.

Software and systems need to incorporate security since early stages of development, oriented by rules that consider the risks those software and systems will be exposed to.

Click here to see an example Secure Development Policy.

Public networks need to be considered insecure and proper controls need to be in place to protect application information, and transaction information, that is transferred through them.

Click here to see an example Secure Development Policy.

Systems need to incorporate security from the early stages of development, driven by documented principles for engineering security into their components and functions (e.g. least privilege, defense in depth, secure defaults, fail securely).

Click here to see an example Secure Development Policy.

Software code needs to be developed according to defined secure coding principles.

Click here to see an example of a Secure Development Policy.

Proper testing of security requirements implementation is critical and needs to be performed to ensure a system can achieve business and security objectives.

Criteria for accepting systems need to be defined to ensure a way to verify if all security and business needs were fulfilled.

Click here to see an example Secure Development Policy.

Outsourced development of systems needs to be monitored to ensure that business security requirements are properly fulfilled.


Separate environments need to be implemented to minimize risks related to unauthorized access or modification of information or resources, or the environments themselves.

Click here to see an example Secure Development Policy.

All changes to IT systems, new or existing, and to other processes that could affect information security, need to be properly controlled. Only authorized and justified changes may be made, and change control and testing procedures need to be in place to minimize information security risks during changes.


Test data need to be selected in a way to not allow inference of sensitive business data, while still being useful to validate a system.

Click here to see an example Secure Development Policy.
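The data masking requirement in A.8 above and the test information requirement just stated both come down to the same engineering task: produce data that is shaped like production data but from which the originals cannot be inferred. The following added example (written for this page, not from the tool or the linked Secure Development Policy) shows one way to do it: keyed pseudonymization of identifiers, so joins between masked tables still work, partial masking of card numbers, and an acceptance check that no original identifier survives. The record layout and the rows are constructed; the masking key is a placeholder that in practice never leaves the production side.

```python
"""Added example: deriving test data from production-shaped records without
leaking the originals.

Illustrative code for this page, not the original tool's. SAMPLE_ROWS and the
field list in mask_record are assumptions for the demonstration.
"""
import hashlib
import hmac
import re


def pseudonymize(value: str, key: bytes, length: int = 16) -> str:
    """Deterministic keyed replacement.

    Same input and key -> same token, so foreign keys still match across
    masked tables; a different key -> different tokens, so test sets from two
    extractions cannot be linked to each other or to production.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:length]


def mask_email(addr: str, key: bytes) -> str:
    """Keep the domain (useful for routing tests), replace the local part."""
    local, _, domain = addr.partition("@")
    return f"{pseudonymize(local, key, 12)}@{domain}"


def mask_card(pan: str) -> str:
    """Retain only the last four digits, as display masking of card numbers does."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_record(rec: dict, key: bytes) -> dict:
    """Apply field-specific masking; fields not listed pass through unchanged.

    The field list follows the (assumed) classification of this record type.
    """
    out = dict(rec)
    out["customer_id"] = pseudonymize(rec["customer_id"], key)
    out["email"] = mask_email(rec["email"], key)
    out["card"] = mask_card(rec["card"])
    out["name"] = "Customer " + pseudonymize(rec["customer_id"], key, 6)
    return out


# Constructed production-shaped rows (fictional people and test card numbers).
SAMPLE_ROWS = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.com",
     "card": "4111 1111 1111 1111", "tier": "gold"},
    {"customer_id": "C-1002", "name": "Bob Sample", "email": "bob@example.org",
     "card": "5500-0000-0000-0004", "tier": "silver"},
]


def build_test_set(rows: list, key: bytes) -> list:
    return [mask_record(r, key) for r in rows]


def leaks_original(masked: list, originals: list) -> bool:
    """Acceptance check for a test set: no original identifier may survive."""
    sensitive_fields = ("customer_id", "name", "email", "card")
    sensitive = {v for r in originals for k, v in r.items() if k in sensitive_fields}
    return any(v in sensitive for r in masked for v in r.values())


if __name__ == "__main__":
    key = b"masking-key-kept-in-production"  # placeholder
    test_rows = build_test_set(SAMPLE_ROWS, key)
    print(test_rows[0])
    print("leaks originals:", leaks_original(test_rows, SAMPLE_ROWS))  # False
```

The acceptance check is the part worth keeping in a pipeline: it turns "test data must not allow inference of business data" into a gate that fails the build when a new sensitive column is added to the schema but not to the masking list.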



Dejan Kosutic
Lead ISO 27001/ISO 22301 Expert