
ISO 27001 : 2013 COMPLIANCE CHECKLIST


Source: www.iascertification.com


Columns in the original table: Reference (standards section) | Compliance assessment area | Initial assessment points | Findings | Result (status). In this blank template the reference and findings columns are empty and every row's status is recorded as 0%; the status is shown in brackets after each assessment area below.

INFORMATION SECURITY POLICIES

  MANAGEMENT DIRECTION FOR INFORMATION SECURITY

    Policies for information security [Status: 0%]
      1. Do security policies exist?
      2. Are all policies approved by management?
      3. Are policies properly communicated to employees?

    Review of the policies for information security [Status: 0%]
      1. Are security policies subject to review?
      2. Are the reviews conducted at regular intervals?
      3. Are reviews conducted when circumstances change?

ORGANIZATION OF INFORMATION SECURITY

  INTERNAL ORGANIZATION

    Information security roles and responsibilities [Status: 0%]
      Are responsibilities for the protection of individual assets, and for carrying out specific security processes, clearly identified, defined and communicated to the relevant parties?

    Segregation of duties [Status: 0%]
      Are duties and areas of responsibility separated, in order to reduce opportunities for unauthorized modification or misuse of information or services?

    Contact with authorities [Status: 0%]
      1. Is there a procedure documenting when, and by whom, contact with relevant authorities (law enforcement etc.) will be made?
      2. Is there a process which details how and when contact is required?
      3. Is there a process for routine contact and intelligence sharing?

    Contact with special interest groups [Status: 0%]
      Do relevant individuals within the organization maintain active membership in relevant special interest groups?

    Information security in project management [Status: 0%]
      Do all projects go through some form of information security assessment?

  MOBILE DEVICES AND TELEWORKING

    Mobile device policy [Status: 0%]
      1. Does a mobile device policy exist?
      2. Does the policy have management approval?
      3. Does the policy document and address additional risks from using mobile devices (theft of asset, use of open wireless hotspots etc.)?

    Teleworking [Status: 0%]
      1. Is there a policy for teleworking?
      2. Does this have management approval?
      3. Is there a set process for remote workers to get access?
      4. Are teleworkers given the advice and equipment to protect their assets?

HUMAN RESOURCES SECURITY

  PRIOR TO EMPLOYMENT

    Screening [Status: 0%]
      1. Are background verification checks carried out on all new candidates for employment?
      2. Are these checks approved by the appropriate management authority?
      3. Are the checks compliant with relevant laws, regulations and ethics?
      4. Is the level of checks required supported by business risk assessments?

    Terms and conditions of employment [Status: 0%]
      1. Are all employees, contractors and third party users asked to sign confidentiality and non-disclosure agreements?
      2. Do employment / service contracts specifically cover the need to protect business information?

  DURING EMPLOYMENT

    Management responsibilities [Status: 0%]
      1. Are managers (of all levels) engaged in driving security within the business?
      2. Do management behaviour and policy drive, and encourage, all employees, contractors and third party users to apply security in accordance with established policies and procedures?

    Information security awareness, education and training [Status: 0%]
      Do all employees, contractors and third party users undergo regular security awareness training appropriate to their role and function within the organization?

    Disciplinary process [Status: 0%]
      1. Is there a formal disciplinary process which allows the organization to take action against employees who have committed an information security breach?
      2. Is this communicated to all employees?

  TERMINATION AND CHANGE OF EMPLOYMENT

    Termination or change of employment responsibilities [Status: 0%]
      1. Is there a documented process for terminating or changing employment duties?
      2. Are any information security duties which survive employment communicated to the employee or contractor?
      3. Is the organization able to enforce compliance with any duties that survive employment?

ASSET MANAGEMENT

  RESPONSIBILITY FOR ASSETS

    Inventory of assets [Status: 0%]
      1. Is there an inventory of all assets associated with information and information processing facilities?
      2. Is the inventory accurate and kept up to date?

    Ownership of assets [Status: 0%]
      All information assets must have a clearly defined owner who is aware of their responsibilities.

    Acceptable use of assets [Status: 0%]
      1. Is there an acceptable use policy for each class / type of information asset?
      2. Are users made aware of this policy prior to use?

    Return of assets [Status: 0%]
      Is there a process in place to ensure all employees and external users return the organization's assets on termination of their employment, contract or agreement?

  INFORMATION CLASSIFICATION

    Classification of information [Status: 0%]
      1. Is there a policy governing information classification?
      2. Is there a process by which all information can be appropriately classified?

    Labelling of information [Status: 0%]
      Is there a process or procedure for ensuring the information classification is appropriately marked on each asset?

    Handling of assets [Status: 0%]
      1. Is there a procedure for handling each information classification?
      2. Are users of information assets made aware of this procedure?

  MEDIA HANDLING

    Management of removable media [Status: 0%]
      1. Is there a policy governing removable media?
      2. Is there a process covering how removable media is managed?
      3. Are the policy and process communicated to all employees using removable media?

    Disposal of media [Status: 0%]
      Is there a formal procedure governing how removable media is disposed of?

    Physical media transfer [Status: 0%]
      1. Is there a documented policy and process detailing how physical media should be transported?
      2. Is media in transit protected against unauthorized access, misuse or corruption?

ACCESS CONTROL

  BUSINESS REQUIREMENTS FOR ACCESS CONTROL

    Access control policy [Status: 0%]
      1. Is there a documented access control policy?
      2. Is the policy based on business requirements?
      3. Is the policy communicated appropriately?

    Access to networks and network services [Status: 0%]
      Are controls in place to ensure users only have access to the network resources they have been specifically authorised to use and that are required for their duties?

  USER ACCESS MANAGEMENT

    User registration and de-registration [Status: 0%]
      Is there a formal user access registration process in place?

    User access provisioning [Status: 0%]
      Is there a formal user access provisioning process in place to assign access rights for all user types and services?

    Management of privileged access rights [Status: 0%]
      Are privileged access accounts separately managed and controlled?

    Management of secret authentication information of users [Status: 0%]
      Is there a formal management process in place to control the allocation of secret authentication information?

    Review of user access rights [Status: 0%]
      1. Is there a process for asset owners to review access rights to their assets on a regular basis?
      2. Is this review process verified?

    Removal or adjustment of access rights [Status: 0%]
      Is there a process to ensure user access rights are removed on termination of employment or contract, or adjusted upon change of role?

  USER RESPONSIBILITIES

    Use of secret authentication information [Status: 0%]
      1. Is there a policy document covering the organization's practices in how secret authentication information must be handled?
      2. Is this communicated to all users?

  SYSTEM AND APPLICATION ACCESS CONTROL

    Information access restriction [Status: 0%]
      Is access to information and application system functions restricted in line with the access control policy?

    Secure log-on procedures [Status: 0%]
      Where the access control policy requires it, is access controlled by a secure log-on procedure?

    Password management system [Status: 0%]
      1. Are password systems interactive?
      2. Are complex passwords required?

    Use of privileged utility programs [Status: 0%]
      Are privileged utility programs restricted and monitored?

    Access control to program source code [Status: 0%]
      Is access to the source code of the access control system protected?

CRYPTOGRAPHY

  CRYPTOGRAPHIC CONTROLS

    Policy on the use of cryptographic controls [Status: 0%]
      Is there a policy on the use of cryptographic controls?

    Key management [Status: 0%]
      Is there a policy governing the whole lifecycle of cryptographic

