ISO 27001 CHECKLIST TEMPLATE - Smartsheet Inc.

Columns: ISO 27001 CONTROL | IMPLEMENTATION PHASES | TASKS | IN COMPLIANCE?
(The "In compliance?" column is left blank for the assessor to fill in for each control.)

Information security policies / Management direction for information security
  Policies for information security: Policies exist? All policies approved by management? Evidence of compliance?

Organization of information security
  Information security roles and responsibilities: Roles and responsibilities defined?
  Segregation of duties: Segregation of duties defined?
  Contact with authorities: Verification body / authority contacted for compliance verification?
  Contact with special interest groups: Establish contact with special interest groups regarding compliance?
  Information security in project management: Evidence of information security in project management?

Organization of information security / Mobile devices and teleworking
  Mobile device policy: Defined policy for mobile devices?
  Teleworking: Defined policy for working remotely?

Human resource security / Prior to employment
  Screening: Policy for screening employees prior to employment?
  Terms and conditions of employment: Defined policy for HR terms and conditions of employment?

Human resource security / During employment
  Management responsibilities: Defined policy for management responsibilities?
  Information security awareness, education, and training: Defined policy for information security awareness, education, and training?
  Disciplinary process: Defined policy for disciplinary process regarding information security?

Human resource security / Termination and change of employment
  Termination or change of employment responsibilities: Defined policy for HR termination or change-of-employment policy regarding information security?

Asset management / Responsibilities for assets
  Inventory of assets: Complete inventory list of assets?
  Ownership of assets: Complete ownership list of assets?
  Acceptable use of assets: Defined "acceptable use" of assets policy?
  Return of assets: Defined return of assets policy?

Asset management / Information classification
  Classification of information: Defined policy for classification of information?
  Labelling of information: Defined policy for labeling information?
  Handling of assets: Defined policy for handling of assets?

Asset management / Media handling
  Management of removable media: Defined policy for management of removable media?
  Disposal of media: Defined policy for disposal of media?
  Physical media transfer: Defined policy for physical media transfer?

Access control
  Access control policy: Defined policy for access control policy?
  Access to networks and network services: Defined policy for access to networks and network services?

Access control (continued)
  User registration and de-registration: Defined policy for user asset registration and de-registration?
  User access provisioning: Defined policy for user access provisioning?
  Management of privileged access rights: Defined policy for management of privileged access rights?
  Management of secret authentication information of users: Defined policy for management of secret authentication information of users?
  Review of user access rights: Defined policy for review of user access rights?

Access control (continued)
  Removal or adjustment of access rights: Defined policy for removal or adjustment of access rights?

Access control / User responsibilities
  Use of secret authentication information: Defined policy for use of secret authentication information?

Access control / System and application access control
  Information access restriction: Defined policy for information access restrictions?
  Secure log-on procedures: Defined policy for secure log-on procedures?
  Password management system: Defined policy for password management systems?
  Use of privileged utility programs: Defined policy for use of privileged utility programs?
  Access control to program source code: Defined policy for access control to program source code?

Cryptography / Cryptographic controls
  Policy on the use of cryptographic controls: Defined policy for use of cryptographic controls?

Cryptography / Cryptographic controls (continued)
  Key management: Defined policy for key management?

Physical and environmental security / Secure areas
  Physical security perimeter: Defined policy for physical security perimeter?
  Physical entry controls: Defined policy for physical entry controls?
  Securing offices, rooms and facilities: Defined policy for securing offices, rooms and facilities?
  Protection against external and environmental threats: Defined policy for protection against external and environmental threats?
  Working in secure areas: Defined policy for working in secure areas?
  Delivery and loading areas: Defined policy for delivery and loading areas?

Physical and environmental security / Equipment
  Equipment siting and protection: Defined policy for equipment siting and protection?

Physical and environmental security / Equipment (continued)
  Supporting utilities: Defined policy for supporting utilities?
  Cabling security: Defined policy for cabling security?
  Equipment maintenance: Defined policy for equipment maintenance?
  11.2.5 Removal of assets: Defined policy for removal of assets?
  11.2.6 Security of equipment and assets off-premises: Defined policy for security of equipment and assets off-premises?
  11.2.7 Secure disposal or re-use of equipment: Secure disposal or re-use of equipment?
  11.2.8 Unattended user equipment: Defined policy for unattended user equipment?
  Clear desk and clear screen policy: Defined policy for clear desk and clear screen policy?

Operations security / Operational procedures and responsibilities
  Documented operating procedures: Defined policy for documented operating procedures?
  Change management: Defined policy for change management?

Operations security / Operational procedures and responsibilities (continued)
  Capacity management: Defined policy for capacity management?
  Separation of development, testing and operational environments: Defined policy for separation of development, testing and operational environments?

Operations security / Protection from malware
  Controls against malware: Defined policy for controls against malware?

Operations security / Backup
  Information backup: Defined policy for backing up systems? Defined policy for information backup?

Operations security / Logging and monitoring
  Event logging: Defined policy for event logging?
  Protection of log information: Defined policy for protection of log information?
  Administrator and operator logs: Defined policy for administrator and operator logs?

Operations security / Logging and monitoring (continued)
  Clock synchronization: Defined policy for clock synchronization?

Operations security / Control of operational software
  Installation of software on operational systems: Defined policy for installation of software on operational systems?

Operations security / Technical vulnerability management
  Management of technical vulnerabilities: Defined policy for management of technical vulnerabilities?
  Restrictions on software installation: Defined policy for restrictions on software installation?

Operations security / Information systems audit considerations
  Information systems audit controls: Defined policy for information system audit controls?

Communications security / Network security management
  Network controls: Defined policy for network controls?
  Security of network services: Defined policy for security of network services?
  Segregation in networks: Defined policy for segregation in networks?

Communications security / Information transfer
  Information transfer policies and procedures: Defined policy for information transfer policies and procedures?

Communications security / Information transfer (continued)
  Agreements on information transfer: Defined policy for agreements on information transfer?
  Electronic messaging: Defined policy for electronic messaging?
  Confidentiality or non-disclosure agreements: Defined policy for confidentiality or non-disclosure agreements?

System acquisition, development and maintenance / Security requirements of information systems
  System acquisition, development and maintenance: Defined policy for system acquisition, development and maintenance?
  Information security requirements analysis and specification: Defined policy for information security requirements analysis and specification?
  Securing application services on public networks: Defined policy for securing application services on public networks?

