ISO 27001 Project Template Pbmnpd (1)

ISO 27001 Project Tasks Last Updated: 2016-03-29

ISO 27001 Task Secon

Status

.esources / Customer

Phase 1: Deelop the In!ormaon Secur"t# $ana%ement S#stem S#stem &IS$S' ()*

In"aon

N/A

Approve the project

N/A

Set up up pr project ect co communicaons

N/A

Agree on on the the pr project meli eline

Part 1: "Plan" +

Conte,t o! the or%an"-aon

N/A

Create document list

N/A

Create an an Or Organizaon Ch Chart

N/A N/A

Iden Idenf fy y Key Key epar epartm tmen entt Sta! Sta! and and "roc "roces esss O#ne O#ners rs

N/A N/A

Crea Create te ini inia all mapp mappin ing g of ISO ISO $%&& $%&&' ' cont contro rols ls to to depa depart rtme ment ntss

N/A

Sch Schedul edule e ini inial al (ic( (ic(o! o! mee meengs ngs

N/A N/A

Sched Schedul ule e )rs )rstt ons onsit ite e tra trave vell for for Cons Consul ulta tant nt team team

N/A

"res "resen entt th the ini inia all (i (ic(o! c(o! mee meeng ngss

N/A

0e)ne the mapping of ISO $%&&' controls to speci)c applicaon/data applicaon/data o#ners

4.1 4.1 *+' *+'

Unders Unde rsttan andi ding ng the the org organ aniz iza aon on and and its its con conte text xt ocu ocume men nt e,te e,tern rnal al and and int inter erna nall rel relev evan antt issu issues es

* +'

etermine ap applica-ility

4.2 4.2 *+$+ *+$+a a

*+$+ *+$+*+' *+$ *+* 1+' 1+$+c2d 1+3

4.3

Unders Unde rsta tand ndin ing g the the need needss and and expe expect cta aon onss of int inter eres este ted d par pares es ocu ocume men nt in intere terest sted ed thir third d par pare ess

ocu ocume men nt re. re.u uirem iremen ents ts of int interes erestted thir third d par pare ess ra the Informaon Security "olicy

Determ Det ermini ining ng the sco scope pe of the inf inform orma aon on sec securi urit t mana managem gemen entt ss sstem tem !# !#$#% $#%

* +3

Create the Scope document

N/A

iscus cuss o-serva rvaons and per ernent ent details

*+3+a

Include scope item

*+3+a

Include 0is( 0egister

*+3+a

Include 0is( Analysis 0eport

*+3+a

Include Security 4uesonnaires

*+3+-

Include scope item

*+3+c

Include scope item

N/A

Approve th the Sc Scope do docum cument ent

4.4 4.4 ++

nform nfo rma aon on se secu curi rit t ma mana nage geme ment nt ss ste tem m ocument the IS5S



eadersh"p

&.1 1+' 1+$+c2d

'eadership an and co commitment Commit to the Informaon Security "olicy

&.2 1+$+a2-

Polic 3sta4l"sh the In!ormaon Secur"t# Pol"c#

N/A

Approve th the In Informaon Se Security "o "olicy

1+$+e

ocum cument th the In Informaon Sec Secu urity "olicy

1+$+ 1+$+ff

Int Interna ernallly pu-l u-lish ish the the Inf Informa ormao on n Sec Secur uriity "olicy licy

1+$+ 1+$+g g

6,t 6,terna ernallly pu-l pu-lis ish h th the Inf Informa ormao on n Sec Secu urity rity "olicy licy

&.3 &.3 1+3 1+3

(rgani (rga niza zao ona nall rol roles es)) res respo pons nsi* i*il ili ies es)) and and au auth thor ori ies es Assi Assign gn respo espon nsisi-ili ilies es an and aut autho hori rity ty

1+3+a

6nsure conformance #ith ISO $%&&'

1+3+-

6nsure performance reporng

5 +.1 +. 1 +.1.1 7+'+'+a

Plann"n% ,co ,c ons ns to ad addr dres esss ri riss-ss an and d op oppo port rtun uni ies es eneral 6nsure IS5S success

7+'+'+-

5inimize adverse e!ects

7+'+'+c '+c

8uild in connual improvement

7+'+ 7+'+'+ '+d d

"lan "lan aco acons ns to addr addres esss ris( ris(ss and and oppo opport rtun uni ies es

7+'+ 7+'+'+ '+e+ e+' '

"lan lan ho# to integr egrate thes these e int into IS5 IS5S proc proces essses

7+' 7+'+'+e++$

"lan ho ho# to to ev evaluate e! e!ecv cvenes enesss of of ac aco ons

* +3

Create the Scope document

N/A

iscus cuss o-serva rvaons and per ernent ent details

*+3+a

Include scope item

*+3+a

Include 0is( 0egister

*+3+a

Include 0is( Analysis 0eport

*+3+a

Include Security 4uesonnaires

*+3+-

Include scope item

*+3+c

Include scope item

N/A

Approve th the Sc Scope do docum cument ent

4.4 4.4 ++

nform nfo rma aon on se secu curi rit t ma mana nage geme ment nt ss ste tem m ocument the IS5S



eadersh"p

&.1 1+' 1+$+c2d

'eadership an and co commitment Commit to the Informaon Security "olicy

&.2 1+$+a2-

Polic 3sta4l"sh the In!ormaon Secur"t# Pol"c#

N/A

Approve th the In Informaon Se Security "o "olicy

1+$+e

ocum cument th the In Informaon Sec Secu urity "olicy

1+$+ 1+$+ff

Int Interna ernallly pu-l u-lish ish the the Inf Informa ormao on n Sec Secur uriity "olicy licy

1+$+ 1+$+g g

6,t 6,terna ernallly pu-l pu-lis ish h th the Inf Informa ormao on n Sec Secu urity rity "olicy licy

&.3 &.3 1+3 1+3

(rgani (rga niza zao ona nall rol roles es)) res respo pons nsi* i*il ili ies es)) and and au auth thor ori ies es Assi Assign gn respo espon nsisi-ili ilies es an and aut autho hori rity ty

1+3+a

6nsure conformance #ith ISO $%&&'

1+3+-

6nsure performance reporng

5 +.1 +. 1 +.1.1 7+'+'+a

Plann"n% ,co ,c ons ns to ad addr dres esss ri riss-ss an and d op oppo port rtun uni ies es eneral 6nsure IS5S success

7+'+'+-

5inimize adverse e!ects

7+'+'+c '+c

8uild in connual improvement

7+'+ 7+'+'+ '+d d

"lan "lan aco acons ns to addr addres esss ris( ris(ss and and oppo opport rtun uni ies es

7+'+ 7+'+'+ '+e+ e+' '

"lan lan ho# to integr egrate thes these e int into IS5 IS5S proc proces essses

7+' 7+'+'+e++$

"lan ho ho# to to ev evaluate e! e!ecv cvenes enesss of of ac aco ons

N/A +.1.2 +.1. 2 7+'+$+a

"ro "rovide vide inia niall con control trol lists ists nfo n form rma aon on sec secur urit it  risris- ass asses essm smen ent t e)ne the ris( criteria

7+'+$+a+'

e)ne the ris( acceptance criteria

7+'+ 7+'+$+ $+a+ a+$ $

e)n e)ne e the the ris( ris( asse assess ssme men nt perf perfor orma man nce crit criter eriia

7+'+$+N/A 7+'+ 7+'+$+ $+c2d c2d

e)ne th the ri ris( as assess essment pr proces cess evelop the 0is( Assessment "rogram in accordance #ith the NIS9 :&&23& Standard+ Iden Idenf fy y and and anal analyz yze e the the info inform rma aon on secu securi rity ty ris( ris(ss

7+'+$+c2d ;part '<

0evie# the most recent 0is( Assessment

7+'+$+c2d ;part $<

0evie# the most recent security audit results

7+'+$+c2d ;part 3<

0evie# the most recent ris( .uesonnaires

N/A 7+'+ 7+'+$+ $+c2d c2d

Create discussion documents "erf "erfor orm m a 0is( 0is( Asse Assess ssme ment nt #ith #ith each each -usi -usine ness ss unit unit

7+'+$+c2d

Business unit: Informaon Security

7+'+$+c2d

Business unit: Lega!"ompiance

7+'+$+c2d

Business unit: Interna #udit

7+'+$+c2d

Business unit: I$

7+'+$+c2d

Business unit: %ngineering

7+'+$+c2d

Business unit: #ccounng

7+'+$+c2d

Business unit: &inance!Strategy

7+'+$+c2d

Business unit: '(# and Business #naysis

7+'+$+c2d

Business unit: )*

7+'+$+c2d

Business unit: Saes

7+'+$+c2d

Business unit: 'ar+eng

7+'+$+c2d

Business unit: "ustomer Support

7+'+ 7+'+$+ $+e e

6valu aluate th the in informa ormao on n sec secu urity rity ris( ris(ss

7+'+ 7+'+$+ $+e+ e+' '

0evi evie# the the iden den)ed )ed ris( ris(ss agai again nst the the crit criter eriia

7+'+$+e+$

"riorize the ris(s

+.1.3 +.1. 3 7+'+ 7+'+3 3

7+'+3+a 7+'+3+7+'+3+c N/A

nform nfo rma aon on sec secur urit it  risris- tre treat atme men nt e)n e)ne e the the ris( ris( trea treatm tmen entt proc proces esss

9reat the ris(s Select controls Compare selected controls to ISO $%&&' controls 5ap the controls to the SOC frame#or(

7+'+3+d

ocument a Statement of Applica-ility

7+'+3+e

Create a 0is( 9reatment "lan

7+'+3+f

O-tain ris( accep ceptance/ ce/approval for migaon

+.2 +.2 7+$ 7+$

nform nfo rma aon on se secu curi rit t o* o*/e /ec c0e 0ess and and pl plan anni ning ng to ac achi hie0 e0e e the them m Inf Informa ormao on n sec secur urit ity y o-j o-jec ecv ves es and and pla plann nnin ing g

7+$+ 7+$+a2 a2e e

e)n e)ne e inf informa orma on secu securi rity ty o-je o-jec cv ves

7+$+ 7+$+ff2j

"lan "lan ho# ho# to to achi achiev eve e inf infor orma mao on n secu securi rity ty o-je o-jec cve vess

7+$+a2j

98= >uncon/level '

7+$+a2j

98= >uncon/level $

7+$+a2j

98= >uncon/level 3

7+$+a2j

?

Part 2: "Do" 7

Support

.1 %+' %+'

esources et etermi ermine ne ini inial al reso resour urce ce re.u re.uir irem emen ents ts

N/A

etermine client project resources

% +'

Idenfy Internal Audit re resource

N/A

"rovide esmate of Internal Audit cost

% +'

Select e, e,ternal au audit/cer)caon )r )rm

%+' %+'

et etermi ermine ne ongo ongoin ing g resou esourrce re.u re.uir irem emen ents ts

.2 %+$+ %+$+a a

ompetence e)n e)ne e comp compet eten ence ce re.ui e.uire reme ment ntss

%+$+ %+$+-

6valu valua ate comp compet eten ence ce of resou esourrces ces

%+$+c ;part '<

Ac.uire competence

%+$+c ;part $<

6valuate e!ecves of acons ta(en

%+$+d

e)ne record (eeping for competence

.3 %+3

,areness Security A#areness 9raining

.4 %+*

ommunicaon 6sta-lish Communicaon

.& N/A

Documented informaon Agree on documents to -e included

N/A

@pdate Secon %+1+' in this project plan

%+1

Create re6u"red documentaon

.&.1 %+1+'+a

eneral Scope of the IS5S *+3B

%+1+'+a

Informaon security policy and o-jecves 1+$ and 7+$B

%+1+'+a

0is( assessment methodology 7+'+$B

%+1+'+a

0is( treatment methodology 7+'+$B

%+1+'+a

Statement of Applica-ility 7+'+3 dB

%+1+'+a

0is( treatment plan 7+'+3 e and 7+$B

%+1+'+a

0is( assessment report :+$B

%+1+'+a

e)nion of security roles and responsi-ilies A+%+'+$ and A+'3+$+*B

%+1+'+a

Inventory of assets A+:+'+'B

%+1+'+a

Accepta-le use of assets A+:+'+3B

%+1+'+a

Access control policy A++'+'B

%+1+'+a

Operang procedures for I9 management A+'$+'+'B

%+1+'+a

Secure system engineering principles A+'*+$+1B

%+1+'+a

Supplier security policy A+'1+'+'B

%+1+'+a

Incident management procedure A+'7+'+1B

%+1+'+a

8usiness connuity procedures A+'%+'+$B

%+1+'+a

StatutoryD regulatoryD and contractual re.uirements A+':+'+'B

%+1+'+a

Create templates for re.uired records

%+1+'+a

Competence %+$B

%+1+'+a

5onitoring and measurement results +'B

%+1+'+a

Change control records implied in :+'B

%+1+'+a

Internal audit program +$B

%+1+'+a

0esults of internal audits +$B

%+1+'+a

0esults of the management revie# +3B

%+1+'+a

0esults of correcve acons '&+'B

%+1+'+a

Hogs of user acviesD e,ceponsD and security events A+'$+*+' and A+'$+*+3B

%+1+'+-

Create documentaon as appropriate

.&.2 %+1+$

reang and updang e)ne document creaon and updang process

%+1+$+a2-

6nsure appropriate contentD formatD and media

%+1+$+c

6nsure accepta-ility of IS5S documents

N/A

"erform revie# of IS5S documentaon

.&.3 %+1+3

ontrol of documented informaon e)ne control of IS5S documentaon

%+1+3+a

Availa-ility

%+1+3+-

"rotecon

%+1+3

ocument control of IS5S documentaon

%+1+3+c

9ransmission and access

%+1+3+d

Storage

%+1+3+e

Eersion control

%+1+3+f

0etenon and destrucon

%+1+3+F

Iden)caon of e,ternally originang documents

N/A

Create document management and #or(Go#

N/A

Setup project document repository

 5.1 :+'

Operaon (peraonal planning and control Implement operaonal planning and control

:+'

Implement record (eeping for operaonal control

:+'

Implement change control

:+'

Control of outsourced processes

:+'

Create operaonal control records

5.2 :+$

nformaon securit ris- assessment Schedule informaon security ris( assessments

:+$

Specify criteria for unscheduled ris( assessments

:+$

e)ne record (eeping for ris( assessments

:+$

Create ris( assessment records

5.3 :+3

nformaon securit ris- treatment Implement the informaon security ris( treatment plan

:+3

Implement record (eeping for ris( treatments

:+3

Create ris( treatment records

Part 3: "hec-" 8 6.1 +'+a2f

+' +' 6.2 +$+a2f

+$+g

Per!ormance ealuaon $onitoring) measurement) analsis) and e0aluaon ocument the evaluaon process

e)ne record (eeping for monitoring and measurement Create monitoring and measurement records nternal audit ocument the audit program

e)ne record (eeping for internal audit

6.3 +3

$anagement re0ie ocument the management revie# process

+3

e)ne record (eeping for management revie#

Part 4: ",ct" 10 17.1

Improement 8onconformit and correc0e acon

'&+'+a2e

ocument the process for response to nonconformies

'&+'+f2g

e)ne record (eeping for correcve acon

17.2

onnual impro0ement Commit to connual improvement

Phase 2: Test and *ud"t the IS$S I

Internal *ud"t

nternal ,udit "roject manage and perform internal audit

Coordinate remediaon 5anagement revie#

II

3,ternal *ud"t &Part 1'

#tage 1 ,udit Coordinate the Stage ' audit schedule and acvies

ather supporng evidence >inish compiling evidence 0evie# Stage ' audit )ndings Coordinate remediaon

III

3,ternal *ud"t &Part 2'

#tage 2 ,udit Coordinate the Stage $ audit schedule and acvies

O-tain evidence re.uirements list ather re.uired evidence

Phase 9: *ch"ee Cerfcaon I

;"nal"-e Cerfcaon

#( 2771 er9caon 0eceive oJcial cer)caon

.esources / Consultant

ISO 27001 Implementaon and Cerfcaon Task Deta"ls and (e,t Steps

Schedule #ee(ly status meengs for the duraon of the project+ Con)rm the ming for the various #or( steps and (ey milestones -ased on the e,ternal cer)caon )rmLs audit scheduleD CustomerMs ming -oundaries and availa-ility of (ey contactsD and Consultant teamLs schedule+

Create comprehensive list of documents for consideraon for inclusion in the IS5S+ Add details for (ey sta! to "5 #or(-oo(+ Create visual organizaon chart+ Create inial mapping of ISO $%&&' controls to departmentsD indicang e,pected applica-ility of each+ @se the data to esmate re.uired intervie# me for each department+ "rovide the control mappings to the corresponding departments for inial feed-ac( and to help them -ecome familiar #ith the items of future discussions+

5eet (ey su-ject maer e,perts S56LsBD Customer commiee mem-ersD and layout the project plan and meline+ 5eet #ith -usiness unit leaders together to determine the -rea(do#n of future groups/meengs -ased on #hich data/applicaons they useB+ ,etermine eterna and interna issues t.at are ree/ant to its purpose and t.at aect its aiity to ac.ie/e t.e intended outco ocument e,ternal and internal issues relevant to the companyMs purpose and that a!ect its a-ility to achieve the IS5S goals+ 0evie# #ith each 8usiness @nit the ISO $%&&' 0e.uirements Anne, AB results of recent ris( analyses and/or related iniaves and 4uesonnaire results+ ,etermine ree/ant interested pares and t.eir re5uirements4 ocument interested pares that are relevant to the IS5S+ ocument the re.uirements of these interested pares relevant to informaon security+ Include or reference the follo#ing items= 'B 6,ternal and internal issues relevant to the companyMs purpose and that a!ect its a-ility to achieve the IS5S goals *+'B $B Interested pares and their re.uirements/o-jecves *+$B 3B Statement of leadership commitment 1+'D 1+$+cD 1+$+dB *B Assignment of (ey roles and responsi-ilies ;-y tles< 1+3B

,etermine t.e oundaries and appicaiity of t.e IS'S4

Create the Scope document as de)ned -elo#+ 0evie# any o-servaons prior to the start of the project+ Include e,ternal and internal issues relevant to the companyMs purpose and that a!ect its a-ility to achieve the IS5S goals+ 0evie# the most recent ris( analysisD and include the recommendaons to -e addressed in the Scope document+ 5ap the results of any recent ris( analyses to the ISO $%&&' re.uirements+ Include the ones to -e addressed in the Scope document+ 5ap the results of the internal security .uesonnaires to the ISO $%&&' re.uirements+ Include the ones to -e addressed in the Scope document+ Include interested pares and their re.uirements/o-jecves+ Include interfaces and dependencies -et#een internal and e,ternal acvies may -e speci)ed in the Informaon Security "olicyB+ Approve the Scope document+ %stais. impement maintain and connuay impro/e t.e I S'S4 Create the IS5S 5aster ocument+ ,emonstrate eaders.ip and commitment 7it. respect to t.e IS'S4 ave senior leadership revie# the Informaon Security "olicy and sign o! on the commitments speci)ed in Secons 1+'D 1+$+cD and 1+$+d of the standard+ %stais. an informaon security poicy4 ocument the Informaon Security "olicyD ma(ing sure that it= aB is appropriate to the purpose of the organizaon and -B includes the informaon security o-jecves determined in Sec on 7+$+ ave senior leadership revie# the Informaon Security "olicy and formally approve sign o! onB it+ ocument the Informaon Security "olicy+ "u-lish and announce to internal sta! the Informaon Security "olicy+ "u-lish and announce to e,ternal sta(eholders and interested pares the Informaon Security "olicy+ %nsure t.at t.e responsiiies and aut.ories for roes ree/ant to informaon security are assigned and communicated4 9op management shall ensure that the responsi-ilies and authories for roles relevant to informaon security are assigned and communicated+ Assign responsi-ilies and authority for ensuring that the I S5S conforms to the re.uirements of ISO $%&&'=$&'3+ Assign responsi-ilies and authority for reporng on the performance of the IS5S to top management+ #ddress ris+s and opportunies reated to t.e IS'S4 Incude interna and eterna issues and interested pares and t.eir re5uirements 7.en panning for t.e IS'S4 etermine and document ris(s and opportunies -ased on results of Secons *+' and *+$B that need to -e addressed to ensure the informaon security management system can achieve its intended outcomesB+ etermine and document ris(s and opportunies -ased on results of Secons *+' and *+$B that need to -e addressed to preventD or reduceD undesired e!ects+ etermine and document ris(s and opportunies -ased on results of Secons *+' and *+$B that need to -e addressed to achieve connual improvement+ "lan acons to address the ris(s and opportunies determined in Secons 7+'+'a2c+ "lan ho# to integrate and implement the acons determined in S econ 7+'+'+d into the IS5S processes+ "lan ho# to evaluate the e!ecveness of the acons implemented in Secon 7+'+'+e+'+

iscuss #hich -usiness units should receive inial control lists+ ,e8ne and appy an informaon security ris+ assessment process4 e)ne and document the 0is( Assessment criteria+ e)ne and document the ris( acceptance criteria+ e)ne and document the criteria for performing informaon security ris( assessments+ e)ne and document the 0is( Assessment process+ 0evie# the 0is( Assessment "rogram and align it #ith NIS9 Special "u-licaon :&&23& 0evision '+ Apply the informaon security ris( process idenfy the ris( o#ners and analyze the impact and li(elihood of each ris( and com-ine these to specify the level of each ris(+ 0evie# the most recent ris( assessment+ 0evie# the most recent security audit+ 0evie# results from Customer -usiness units Internal 0is( Analysis Scoping 4uesonnaires+ Com-ine the responses from the internal Security 4uesonnairesD ISO $%&&' controlsD and set of addional discussion items into a single document for each -usiness unit+ >acilitate discussions #ith each -usiness unit regarding their processes applica-le ISO $%&&' controls and ans#ers to the security .uesonnaires+

6valuate the informaon security ris(s+ Compare the results of ris( analysis #ith the ris( criteria esta-lished in 7+'+$+a+ 0an( the ris(s -y level as determined in Secon 7+'+$+c2dB+ ,e8ne and appy an informaon security ris+ treatment process4 e)ne and document the ris( treatment process+ >or each ris( iden)ed in the 0is( AssessmentD select a ris( treatment opon AcceptD 5igateD 9ransferD or AvoidB+ >or each ris( to -e migatedD determine the controls to -e implemented+ Compare the selected controls to the ''* controls in ISO $%&&' Anne, AD and include all relevant controls from the Anne,+ S Step 1; ISO $%&&' Anne, A controls and documentaon mapping P align #ith the e,isng SOC frame#or( #here relevant+

"roduce a Statement of Applica-ility that contains the necessary controls see 7+'+3+-2cB and jus)caon for inclusionsD #hether they are implemented or notD and the jus)caon for e,clusions of controls from Anne, A+ ocument the 0is( 9reatment "lan+ >or each 0is( 9reatment "lan itemD revie# #ith the -usiness unit managers and get their sign2o! for each ris(Ms treatment opon+ %stais. informaon security oor each funcon/level determined in Secon 7+$D #or( #ith the -usiness o#ners to determine and document the corresponding informaon security o-jecves+ 5a(e sure they are= aB -e consistent #ith the informaon security policy -B -e measura-le if pracca-leB cB ta(e into account applica-le informaon security re.uirementsD and results from ris( assessment and ris( treatment dB -e communicated and eB -e updated as appropriate+

>or each o-jecve determined in Secon 7+$D #or( #ith the -usiness o#ners to plan ho# to achieve the o-jecves -y determining= fB #hat #ill -e done gB #hat resources #ill -e re.uired see Secon %+'B hB #ho #ill -e responsi-le iB #hen it #ill -e completed and jB ho# the results #ill -e evaluated+

,etermine and pro/ide t.e resources needed for t.e IS'S4 etermine and document the resources re.uired to esta-lish and implement the IS5S+ etermine client resource to aend meengs #ith client process o#ners SOQ Step '& Customer "5 has selected Consultant to perform the internal audit funcon for this project+ As appropriate and possi-leD provide an esmate of internal audit costsD and coordinate the appropriate resource and scheduling+ Assist Customer #ith the selecon of the e,ternal cer)caon )rm+ 9his needs to -e iniated early in the project in order to ensure that the )rm can schedule and prepare for the audit and cer)caon #ithin our meframe+ etermine and document the resources re.uired to maintain and connuously improve the IS5S+ %nsure appropriate competence for a persons 7.ose 7or+ aects informaon security performance4 e)ne and document the necessary competence of all sta! #ho a!ect the performance of informaon security+ 0evie# the competence of the corresponding personnel -ased on the criteria de)ned in Secon %+$+a e+g+D educaonD trainingD and e,perienceB+

9a(e acons to -ring all relevant personnel to the re.uired levels of competence+ 6valuate the e!ecveness of acons ta(en to ensure competence of relevant sta!+ 0etain documented evidence of competence and records of competence evaluaonsB+ %nsure appropriate security a7areness for a persons doing 7or+ under t.e organi=aon>s contro4 0evie# the current security a#areness programD and enhance it as necessary to ensure that all personnel are a#are of= aB the informaon security policy -B their contri-uon to the e!ecveness of the informaon security management systemD including the -ene)ts of improved informaon security performance and cB the implicaons of not conforming #ith t he informaon security management system re.uirements+

,etermine and document t.e need for interna and eterna communicaons ree/ant to t.e IS'S4 etermine the need for internal and e,ternal communicaons relevant to the IS5S including= aB on #hat to communicate -B #hen to communicate cB #ith #hom to communicate dB #ho shall communicate and eB the processes -y #hich communicaon shall -e e!ected+

,ocumented informaon pernent to t.e organi=aon and t.e IS'S s.a e incuded4 Con)rm the documents intended to -e included in the IS5S implementaonD and approval from Customer "5+ @pdate Secon %+1+' -elo# #ith documents to -e included evelop the ISO $%&&' 0e.uired ocuments secon in accordance #ith secons *2: of the $&'3 Standard+ 6nsure "olicies and "rocedures ocumentaon is updated or developed to support the relevant Anne, A controls+ $.e IS'S s.a incude re5uired documented informaon4

Create this document+ Create this document+ Create this document+ Chec( #ith 0+ Create this document+ Create this document+ Create this document+ Create this document+ Create this document+ Create this document+ Create this document+

Create this document+ Create record templates as evidence of competence e+g+D records of trainingD s(illsD e,perience and .uali)caonsB %+$B+ Create this document+ Create this document+ Create this document+ Create this document+ Create this document+ Create this document+ Create this document+ etermine and create any addional documents necessary for the e!ecveness of the IS 5S+ See the ocuments #or(sheet+ .en creang and updang documented informaon appropriate measures 7i e ta+en4 e)ne the contentD formatD mediaD and revie#/approval process for the IS5S documentaon+ 0evie# the IS5S documents and ensure appropriate= aB iden)caon and descripon e+g+ a tleD dateD authorD or reference num-erB -B format e+g+ languageD so#are versionD graphicsB and media e+g+ paperD electronicB 0evie# the IS5S documents for suita-ility and ade.uacyD and approve them+ 4uality 0evie# P address completeness and accuracy of the enre documentaon set+ ,ocumented informaon re5uired y t.e IS'S s.a e controed4 etermine and document ho# the IS5S documented informaon #ill -e controlled in regards to the follo#ing= aB availa-ility and suita-ility -B protecon e+g+D from loss of con)denalityD improper useD or loss of integrityB ocument the policiesD proceduresD and controls for the IS 5S documentaon pertaining to= cB distri-uonD accessD retrieval and use dB storage and preservaonD including the preservaon of legi-ility eB control of changes e+g+ version controlB fB retenon and disposion FB iden)caon and inclusion of e,ternally originang IS5S documented informaon Setup document management to manage the project documentaon componentsD including the a-ility to handle version controlD #or(Go#D and approvals+ Create and specify a shared Customer locaon for the project documentaon+ ?an impement and contro t.e processes needed to meet informaon security re5uirements4 Implement acons and plans determined in Secons 7+' and 7+$+ e)ne the re.uirements for (eeping records as evidence that processes have -een carried out as planned+ ocument and implement change control policies and proceduresD including response to unintended changes and migaon of adverse e!ects+ ocument outsourced processes and ho# they are controlled+ 8ring this up during facilitated discussions #ith the -usiness units+ Create the appropriate operaonal control records+ ?erform informaon security ris+ assessments4 Specify the schedule of ris( assessments+

etermine triggers R#hen signi)cant changes are proposed or occurR for unscheduled ris( assessments+ e)ne the re.uirements for (eeping records as evidence that ris( assessments have -een carried out as plannedD and their results+ Create the appropriate ris( assessment records+ ?erform informaon security ris+ treatment4 Implement the ris( treatment plan documented and approved in Sec ons 7+'+3+e2f+ e)ne the re.uirements for (eeping records as evidence that ris( treatments have -een carried out as plannedD and their results+ Create the appropriate ris( treatment records+

%/auate t.e informaon security performance and t.e eec/eness of t.e IS'S4 ocument the methodology to evaluate the performance and e!ecveness of the IS5S+ etermine #hat needs to -e monitored and measuredD including informaon security processes and controls the methods for monitoringD measurementD analysis and evaluaon #hen the monitoring and measuring shall -e performed #ho shall perform the monitoring and measuring #hen the results from monitoring and measurement shall -e analyzed and evaluated and #ho shall analyze and evaluate these results+ e)ne the re.uirements for (eeping records as evidence that monitoring and measurement have -een carried out as plannedD and their results+ Create the appropriate monitoring and measurement records+ ?an estais. impement and maintain an interna audit program4 etermine and document the methodology to evaluate the performance and e!ecveness of the IS5S+ Specify the fre.uencyD methodsD responsi-iliesD planning re.uirementsD and reporng+ Also specify ho# the audit criteria and scope #ill -e de)ned for each audit ho# auditors #ill -e selected and audits #ill -e conducted to ensure o-jecvity and imparality f the audit process ho# and to #hom the audit results #ill -e reported and the records to -e retained as evidence of the audit program and the results of each audit+ e)ne the re.uirements for the records to -e retained as evidence of the audit program and the results of each audit+ *e/ie7 t.e IS'S at panned inter/as to ensure its connuing suitaiity ade5uacy and eec/eness4 ocument the management revie# process including= aB revie#s of the status of acons from previous management revie#s -B changes in e,ternal and internal issues that are relevant to the IS5S cB feed-ac( on the informaon security performance including trends in= 'B nonconformies and correcve acons $B monitoring and measurement results 3B audit results and *B ful)lment of informaon security o-jecvesB dB feed-ac( from interested pares eB results of ris( assessment and status of ris( treatment plan and fB opportunies for connual improvement+ 9he outputs of the management revie# shall include decisions related to connual improvement opportunies and any needs for changes to the informaon security management system+

e)ne the re.uirements for (eeping records as evidence that management revie#s have -een carried out as plannedD and their results+

*eact appropriatey to nonconformies4

ocument the process for response to nonconformiesD including ho# the organizaon= aB reacts to the nonconformity and as applica-le= 'B ta(es acon to control and correct it and $B deals #ith the conse.uencesB -B evaluates the need for acon to eliminate the causes of nonconformityD in order that it does not recur or occur else#here -y= 'B revie#ing the nonconformity $B determining the causes of the nonconformity and 3B determining if similar nonconformies e,istD or could potenally occurB cB implements any acon needed dB revie#s the e!ecveness of any correcve acon ta(en and eB ma(es changes to the IS5SD if necessary+

e)ne the re.uirements for (eeping records as evidence of fB the nature of the nonconformies and any su-se.uent acons ta(enD and gB the results of any correcve acon+ "onnuay impro/e t.e suitaiity ade5uacy and eec/eness of t.e IS'S4 No tas(s

"oordinate and perform interna audit4 Coordinate Internal Audit+ Coordinate remediaon in preparaon for "art ' audit+ >acilitate management revie# of internal audit )ndings+ "oordinate Stage 1 audit4 Coordinate the Stage ' audit+ 8egin pulling together the supporng evidence for the Stage $ audit+ >inish compiling evidence for the Stage $ audit+ >acilitate management revie# of Stage ' audit )ndings+ " oordinate remediaon in prep for Stage $ audit+ "oordinate Stage 2 audit4 Coordinate e,ternal cer)caon )rmLs ISO $%&&' Stage $ audit+ O-tain evidence re.uirements lisngs from the e,ternal cer)caon )rm+ Coordinate the evidence gathering+

"oordinate IS 2@001 cer8caon4 Coordinate the dra and )nalizaon of the cer)caon+

Dated Comments

es of its IS'S4

ISO 27001 *nne, * Control "st and Statement o! *ppl"ca4"l"t# Last Updated: 2016-02-16

Oers"%ht ISO 27001 Controls

y t i r u c e

S n o i t a m r o f n I

Control ID Section/Control Title

Section Objective/Control Description

e c n a i l p m o C / l a g e L

t i d u A l a n r e t n I

Techn"cal

;"nance

e r u t c u r t s a r f n I O T

y g e t a r t S e c n a n i F

p r o C T I

g n i r e e n i g n E O T

g n i t n u o c c A

Other s i s y l a n

A ! s u  d n a

A & M e c n a n i F

# "

s e l a S

g n i t e $ r a M

ISO 27001 Statement o! *ppl"ca4"l"t# &So*' Control =usfcaon t r o p p u S r e

 / e%al > .e%ulator# C / Contractual < /
m o t s u C

Inclus"on

3,"sn% Controls



C

<

.

O

Comments

Suggested Effectiveness Mesure!ent"s#

A.5

Information Security Policies

A.5.1

Management direction $b%ective& To provide management direction and support for for information security information security in accordance with business re'uirements and relevant laws and regulations.

A.5.1.1

The policies for information security

A.5.1.2

"eview of the policies The policies for information security shall be reviewed at planned for information security intervals or if significant changes occur to ensure their continuing suitability( ade'uacy and effectiveness.

A.6

Organization of information security

A.6.1

Internal organization

A.6.1.1

Information security All information security roles and responsibilities shall be defined roles and responsibilities and allocated.

erform an annual review of information security roles and responsibilities.

A.6.1.2

Segregation of duties

erform an annual review of the segregation of duties re'uirements in the security policies as well as a review of any segregation of duties related security incidents.

A.6.1.3

Contact with authorities Appropriate contacts with relevant authorities shall be maintained.

+erify contact information on an annual basis during the policy and procedure review.

A.6.1.4

Contact with special interest groups

Appropriate contacts with special interest groups or oth er specialist security forums and professional associations shall be maintained.

"eview the group memberships on an annual basis ,measure their industry contributionand consider new groups if available.

A.6.1.5

Information security in pro%ect management

Information security shall be addressed in pro%ect management( regardless of the type of the pro%ect.

Audit the security incidents to identify any incidents related to the releases.

A.6.2

Mobile devices and teleworking

$b%ective& To ensure the security of teleworking and use of mobile devices.

A.6.2.1

Mobile device policy

A policy and supporting security measures shall be adopted to manage the risks introduced by us ing mobile devices.

"eview number of mobile device related security instances.

A.6.2.2

Teleworking

A policy and supporting security measures shall be implemented to protect information accessed( processed or stored at teleworking sites.

"eview number of mobile workers and security incidents involving offsite work.

A.7

Human resource security

A.7.1

rior to employment

$b%ective& To ensure that employees and contractors understand their responsibilities and are suitable for t he roles for which they are considered.

A.7.1.1

Screening

/ackground verification checks on all candidates for employment shall be carried out in accordance with relevant laws( regul ations and ethics and shall be proportional to the business re'uirements( the classification of the information to be accessed and the perceived risks.

A.7.1.2

Terms and conditions of The contractual agreements with employees and contractors shall employment state their and the organization*s responsibilities for information security.

A.7.2

#uring employment

$b%ective& To ensure that employees and contractors ar e aware of and fulfil their information security responsibilities.

A.7.2.1

Management responsibilities

Management shall re'uire all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

A.7.2.2

Information security All employees of the organization and( where relevant( contractors awareness( education and shall receive appropriate awareness education and training and training regular updates in organizational policies and procedures( as relevant for their %ob function.

Survey after training  2334 attendance by $ps and 23 'uestion 'uiz scores.

A.7.2.3

#isciplinary process

+erify employees have s igned off on the employee handbook and gather feedback on the disciplinary process from !".

A.7.3

Termination and change $b%ective& To protect the organization*s interests as part of the of employment process of changing or terminating employment.

A.7.3.1

Termination or change of Information security responsibilities and duties that remain valid after employment termination or change of employment shall be defined( communicated responsibilities to the employee or contractor and enforced.

A.

Asset management

A..1

"esponsibility for assets $b%ective& To identify organizational assets and define appropriate protection responsibilities.

A..1.1

Inventory of assets

Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

erform a biannual audit to ensure that assets are tracked in the system of record.

A..1.2

$wnership of assets

Assets maintained in the inventory shall be owned.

erform an annual audit to ensure asset owners are accurate.

A..1.3

Acceptable use of assets "ules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified( documented and implemented.

0valuate the number of issues or disciplinary actions related to acceptable use of company assets.

A..1.4

"eturn of assets

erform an annual audit to ensure that terminated employees returned their e'uipment

A..2

Information classification $b%ective& To ensure that information receives an appropriate l evel of protection in accordance with its importance to the organization.

A..2.1

Classification of information

A..2.2

1abelling of information An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

erform an annual information security policy review and review any security incidents related to the labeling of sensitive information.

A..2.3

!andling of assets

rocedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

erform an annual information security policy review and review any security incidents related to the handling of sensitive information.

A..3

Media handling

$b%ective& To prevent unauthorized disclosure( modification( removal or destruction of information stored on media.

A..3.1

Management of removable media

rocedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by t he organization.

Assess the use of removable media and any security incidents involving removable media.

A..3.2

#isposal of media

Media shall be disposed of securely when no longer re'uired( using formal procedures.

Assess the media disposal practices.

A..3.3

hysical media transfer Media containing information shall be protected against unauthorized

A set of policies for information security shall be defined( approved by management( published and communicated to employees and relevant e)ternal parties.

"eview policies on an annual basis and l ook for security issues related to policy controls. #iscuss the effectiveness of the review process with the management team.

$b%ective& To establish a management framework to initiate and control the implementation and operation of information security within the organization.

Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization*s assets.

There shall be a f ormal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

All employees and e)ternal party users shall return all of the organizational assets in their possession upon termination of their employment( contract or agreement.

Information shall be classified in terms of legal re'uirements( value( criticality and sensitivity to unauthorised disclosure or modification.

Audit the service level agreement with !".

"eview the employee handbook.

0nsure all employees attest to agreeing to t he 0mployee !andbook at least once a year.

erform a 'uarterly user account and access audit to ensure that access was revoked for all terminated employees.

erform an annual information security policy review and review any security incidents related to the classification of s ensitive information.

Assess the use of removable media and any

A.7.2.2

Information security All employees of the organization and( where relevant( contractors awareness( education and shall receive appropriate awareness education and training and training regular updates in organizational policies and procedures( as relevant for their %ob function.

Survey after training  2334 attendance by $ps and 23 'uestion 'uiz scores.

A.7.2.3

#isciplinary process

+erify employees have s igned off on the employee handbook and gather feedback on the disciplinary process from !".

A.7.3

Termination and change $b%ective& To protect the organization*s interests as part of the of employment process of changing or terminating employment.

A.7.3.1

Termination or change of Information security responsibilities and duties that remain valid after employment termination or change of employment shall be defined( communicated responsibilities to the employee or contractor and enforced.

A.

Asset management

A..1

"esponsibility for assets $b%ective& To identify organizational assets and define appropriate protection responsibilities.

A..1.1

Inventory of assets

Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

erform a biannual audit to ensure that assets are tracked in the system of record.

A..1.2

$wnership of assets

Assets maintained in the inventory shall be owned.

erform an annual audit to ensure asset owners are accurate.

A..1.3

Acceptable use of assets "ules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified( documented and implemented.

0valuate the number of issues or disciplinary actions related to acceptable use of company assets.

A..1.4

"eturn of assets

erform an annual audit to ensure that terminated employees returned their e'uipment

A..2

Information classification $b%ective& To ensure that information receives an appropriate l evel of protection in accordance with its importance to the organization.

A..2.1

Classification of information

A..2.2

1abelling of information An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

erform an annual information security policy review and review any security incidents related to the labeling of sensitive information.

A..2.3

!andling of assets

rocedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

erform an annual information security policy review and review any security incidents related to the handling of sensitive information.

A..3

Media handling

$b%ective& To prevent unauthorized disclosure( modification( removal or destruction of information stored on media.

A..3.1

Management of removable media

rocedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by t he organization.


A..3.2

#isposal of media

Media shall be disposed of securely when no longer re'uired( using formal procedures.

Assess the media disposal practices.

A..3.3

hysical media transfer Media containing information shall be protected against unauthorized access( misuse or corruption during transportation.

A.!

Access control

A.!.1

/usiness re'uirements of $b%ective& To limit access to information and information processing access control facilities.

A.!.1.1

Access control policy

An access control policy shall be established( documented and reviewed based on business and information security re'uirements.

erform a 'uarterly user account and access audit.

A.!.1.2

Access to networks and network services

5sers shall only be provided with access to the network and network services that they have been specifically authorized to use.


A.!.2

5ser access management $b%ective& To ensure authorized user access and to prevent unauthorized access to systems and services.

A.!.2.1

5ser registration and de A formal user registration and deregistration process shall be registration implemented to enable assignment of access rights.


A.!.2.2

5ser access provisioning A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.


A.!.2.3

Management of privileged access rights

The allocation and use of privileged access rights shall be restricted and controlled.


A.!.2.4

Management of secret authentication information of users

The allocation of secret authentication information shall be controlled through a formal management process.


A.!.2.5

"eview of user access rights

Asset owners shall review users* access rights at regular intervals.


A.!.2.6

"emoval or ad%ustment of access rights

The access rights of all employees and e)ternal party users to information and information processing facilities shall be removed upon termination of their employment( contract or agreement( or ad%usted upon change.


A.!.3

5ser responsibilities

$b%ective& To make users accountable for safeguarding their authentication information.

A.!.3.1

5se of secret authentication information

5sers shall be re'uired to follow the organization*s practices in the use of secret authentication information.

A.!.4

System and application access control

$b%ective& To prevent unauthorized access to systems and applications.

A.!.4.1

Information access restriction

Access to information and application system functions shall be restricted in accordance with the access control policy.

A.!.4.2

Secure logon procedures 7here re'uired by the access control policy( access to sys tems and applications shall be controlled by a secure logon procedure.

erform an annual information security policy review and review any security incidents related to authentication information.

A.!.4.3

assword management system

"eview password re'uirements during the annual policy review and review any security incidents related to passwords.

A.!.4.4

5se of privileged utility The use of utility programs that might be capable of overriding programs system and application controls shall be restricted and tightly controlled.


A.!.4.5

Access control to program source code


A.1"

#ry$togra$%y

A.1".1

Cryptographic controls

$b%ective& To ensure proper and effective use of cryptography to protect the confidentiality( authenticity and8or integrity of information.

A.1".1.1

olicy on the use of cryptographic controls

A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

"eview encryption re'uirements during the annual policy review and review any security incidents related to information e)posure.

A.1".1.2

6ey management

A policy on the use( protection and lifetime of cryptographic keys shall be developed and implemented through their whole l ifecycle.


A.11

P%ysical an& en'ironmental security

There shall be a f ormal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

All employees and e)ternal party users shall return all of the organizational assets in their possession upon termination of their employment( contract or agreement.

Information shall be classified in terms of legal re'uirements( value( criticality and sensitivity to unauthorised disclosure or modification.

assword management systems shall be interactive and shall e nsure 'uality passwords.

Access to program source code shall be restricted.

erform a 'uarterly user account and access audit to ensure that access was revoked for all terminated employees.

erform an annual information security policy review and review any security incidents related to the classification of s ensitive information.




A.!.2.2

5ser access provisioning A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.


A.!.2.3

Management of privileged access rights

The allocation and use of privileged access rights shall be restricted and controlled.


A.!.2.4

Management of secret authentication information of users

The allocation of secret authentication information shall be controlled through a formal management process.


A.!.2.5

"eview of user access rights

Asset owners shall review users* access rights at regular intervals.


A.!.2.6

"emoval or ad%ustment of access rights

The access rights of all employees and e)ternal party users to information and information processing facilities shall be removed upon termination of their employment( contract or agreement( or ad%usted upon change.


A.!.3

5ser responsibilities

$b%ective& To make users accountable for safeguarding their authentication information.

A.!.3.1

5se of secret authentication information

5sers shall be re'uired to follow the organization*s practices in the use of secret authentication information.

A.!.4

System and application access control

$b%ective& To prevent unauthorized access to systems and applications.

A.!.4.1

Information access restriction

Access to information and application system functions shall be restricted in accordance with the access control policy.

A.!.4.2

Secure logon procedures 7here re'uired by the access control policy( access to sys tems and applications shall be controlled by a secure logon procedure.


A.!.4.3

assword management system

"eview password re'uirements during the annual policy review and review any security incidents related to passwords.

A.!.4.4

5se of privileged utility The use of utility programs that might be capable of overriding programs system and application controls shall be restricted and tightly controlled.


A.!.4.5

Access control to program source code


A.1"

#ry$togra$%y

A.1".1

Cryptographic controls

$b%ective& To ensure proper and effective use of cryptography to protect the confidentiality( authenticity and8or integrity of information.

A.1".1.1

olicy on the use of cryptographic controls

A policy on the use of cryptographic controls for protection of information shall be developed and implemented.


A.1".1.2

6ey management

A policy on the use( protection and lifetime of cryptographic keys shall be developed and implemented through their whole l ifecycle.


assword management systems shall be interactive and shall e nsure 'uality passwords.

Access to program source code shall be restricted.



A.11

P%ysical an& en'ironmental security

A.11.1

Secure areas

$b%ective& To prevent unauthorized physical access( damage and interference to the organization*s information and information processing facilities.

A.11.1.1

hysical security perimeter

Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and i nformation processing facilities.

erform an annual review of the data center S$C8IS$ reports.

A.11.1.2

hysical entry controls

Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.


A.11.1.3

Securing offices( rooms and facilities

hysical security for offices( rooms and facilities shall be designed and applied.


A.11.1.4

rotecting against e)ternal and environmental threats

hysical protection against natural disasters( malicious attack or accidents shall be designed and applied.


A.11.1.5

7orking in secure areas rocedures for working in secure areas shall be designed and applied.

erform an annual information security policy review.

A.11.1.6

#elivery and loading areas

Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and( if possible( isolated from information processing facilities to avoid unauthorized access.

"eview security incidents related to unauthorized physical access.

A.11.2

0'uipment

$b%ective& To prevent loss( damage( theft or compromise of assets and interruption to the organization9s operations.

A.11.2.1

0'uipment siting and protection

0'uipment shall be sited and protected to reduce the risks from environmental threats and hazards( and opportunities for unauthorized access.

erform an annual information security policy review. Annual review of S$C8IS$ reports

A.11.2.2

Supporting utilities

0'uipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.


A.11.2.3

Cabling security

ower and telecommunications cabling carrying data or supporting information services shall be protected from interception( interference or damage.


A.11.2.4

0'uipment maintenance 0'uipment shall be correctly maintained to ensure its continued availability and integrity.

Annual e'uipment audit to ensure replacement of nonsupported hardware.

A.11.2.5

"emoval of assets

0'uipment( information or software shall not be taken offsite without prior authorization.


A.11.2.6

Security of e'uipment and assets offpremises

Security shall be applied to offsite ass ets taking into account the different risks of working outside the organization*s premises.


A.11.2.7

Secure disposal or reuse All items of e'uipment containing storage media shall be verified to of e'uipment ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or reuse.


A.11.2.

5nattended user e'uipment

5sers shall ensure that unattended e'uipment has appropriate protection.


A.11.2.!

Clear desk and clear screen policy

A clear desk policy for papers and r emovable storage media and a clear screen policy for information processing facilities shall be adopted.


A.12

O$erations security

A.12.1

$perational procedures $b%ective& To ensure correct and secure operations of information and responsibilities processing facilities.

A.12.1.1

#ocumented operating procedures

$perating procedures shall be documented and made available to all users who need them.

erform an annual procedures audit.

A.12.1.2

Change management

Changes to the organization( business processes( information processing facilities and systems that affect information security shall be controlled.

Annual review of the change management process.

A.12.1.3

Capacity management

The use of resources shall be monitored( tuned and pro%ections made of future capacity re'uirements to ensure the re'uired system performance.

"eview the number of security or availability issues related to capacity management.

A.12.1.4

Separation of #evelopment( testing( and operational environments shall be development( testing and separated to reduce the risks of unauthorized access or changes to the operational environments operational environment.

A.12.2

rotection from malware $b%ective& To ensure that information and information processing facilities are protected against malware.

A.12.2.1

Controls against malware #etection( prevention and recovery controls to protect against malware shall be implemented( combined with appropriate user awareness.

A.12.3 A.12.3.1

/ackup Information backup

A.12.4

1ogging and monitoring $b%ective& To record events and generate evidence.

$b%ective& To protect against loss of data. /ackup copies of information( software and sys tem images shall be taken and tested regularly in accordance with an agreed backup policy.

"eview the re'uirements and any security incidents related to system isolation.

"eview the number of security incidents and impacs related to malware.

Success of restore procedures. 1og of restores re'uired

A.11.2.1

0'uipment siting and protection

0'uipment shall be sited and protected to reduce the risks from environmental threats and hazards( and opportunities for unauthorized access.


A.11.2.2

Supporting utilities

0'uipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.


A.11.2.3

Cabling security

ower and telecommunications cabling carrying data or supporting information services shall be protected from interception( interference or damage.


A.11.2.4

0'uipment maintenance 0'uipment shall be correctly maintained to ensure its continued availability and integrity.

Annual e'uipment audit to ensure replacement of nonsupported hardware.

A.11.2.5

"emoval of assets

0'uipment( information or software shall not be taken offsite without prior authorization.


A.11.2.6

Security of e'uipment and assets offpremises

Security shall be applied to offsite ass ets taking into account the different risks of working outside the organization*s premises.


A.11.2.7

Secure disposal or reuse All items of e'uipment containing storage media shall be verified to of e'uipment ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or reuse.


A.11.2.

5nattended user e'uipment

5sers shall ensure that unattended e'uipment has appropriate protection.


A.11.2.!

Clear desk and clear screen policy

A clear desk policy for papers and r emovable storage media and a clear screen policy for information processing facilities shall be adopted.


A.12

O$erations security

A.12.1

$perational procedures $b%ective& To ensure correct and secure operations of information and responsibilities processing facilities.

A.12.1.1

#ocumented operating procedures

$perating procedures shall be documented and made available to all users who need them.

erform an annual procedures audit.

A.12.1.2

Change management

Changes to the organization( business processes( information processing facilities and systems that affect information security shall be controlled.

Annual review of the change management process.

A.12.1.3

Capacity management

The use of resources shall be monitored( tuned and pro%ections made of future capacity re'uirements to ensure the re'uired system performance.

"eview the number of security or availability issues related to capacity management.

A.12.1.4

Separation of #evelopment( testing( and operational environments shall be development( testing and separated to reduce the risks of unauthorized access or changes to the operational environments operational environment.

A.12.2

rotection from malware $b%ective& To ensure that information and information processing facilities are protected against malware.

A.12.2.1

Controls against malware #etection( prevention and recovery controls to protect against malware shall be implemented( combined with appropriate user awareness.

A.12.3 A.12.3.1

/ackup Information backup

A.12.4 A.12.4.1

1ogging and monitoring $b%ective& To record events and generate evidence. 0vent logging 0vent logs recording user activities( e)ceptions( faults and information security events shall be produced( kept and regularly reviewed.

A.12.4.2

rotection of log information

1ogging facilities and log information shall be protected against tampering and unauthorized access.

Annual review of controls and measure number of log releated security events.

A.12.4.3

Administrator and operator logs

System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

Annual review of the administrator access logging capabilties.

A.12.4.4

Clock synchronisation

The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source.

Annual audit of time syncronization.

A.12.5

Control of operational software

$b%ective& To ensure the integrity of operational systems.

A.12.5.1

Installation of software on operational systems

rocedures shall be implemented to control the installation of software on operational systems.

A.12.6

Technical vulnerability management

$b%ective& To prevent e)ploitation of technical vulnerabilities.

A.12.6.1

Management of technical Information about technical vulnerabilities of information systems vulnerabilities being used shall be obtained in a timely fashion( the organization*s e)posure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

"eview the number of failures due to not acting on system vulnerbilities.

A.12.6.2

"estrictions on software "ules governing the installation of software by users shall be installation established and implemented.


A.12.7

Information systems audit considerations

$b%ective& To To minimise the impact of audit activities on operational systems.

A.12.7.1

Information systems audit controls

Audit re'uirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.

A.13 A.13 A.13.1

#omm #ommun unic icat atio ions ns secu securi rity ty :etwork security $b%ective& To To ensure the protection of information in networks and its management supporting information processing facilities.

A.13.1.1

:etwork controls

:etworks shall be managed and controlled to protect information information in systems and applications.

erform an annual information security policy and procedures review review..

A.13.1.2

Security of network services

Security mechanisms( service levels and management re'uirements of all network services shall be identified and included in network services agreements( whether these services are provided inhouse or outsourced.

"eview vendor S1As.

$b%ective& To protect against loss of data. /ackup copies of information( software and sys tem images shall be taken and tested regularly in accordance with an agreed backup policy.

"eview the re'uirements and any security incidents related to system isolation.

"eview the number of security incidents and impacs related to malware.

Success of restore procedures. 1og of restores re'uired

Annual review to confirm log file information is still sufficent and the availablity of the log files meets management8customer e)pectations.

Annual review of system failures and related security and operational system incidents.


A.13.1.3

Segregation in networks ;roups of information services( users and information systems shall be segregated on networks.

A.13.2

Information transfer


A.13.2.1


A.13.2.2

Agreements on information transfer

Agreements shall address the secure transfer of business information between the organization organization and e)ternal parties. parties.

"eview =rd party contract language on an annual basis.

A.13.2.3

0lectronic messaging

Information involved in electronic messaging shall be appropriately protected.


A.13.2.4

Confidentiality or nondisclosure agreements

"e'uirements for confidentiality or nondisclosure agreements reflecting the organization*s organization*s needs for the protection of information shall be identified( regularly reviewed and documented.

"eview the 1egal S1A.

$b%ective& To To maintain the security of information transferred within an organization and with any e)ternal entity.

A.14

System System ac(uisiti ac(uisition) on) &e'elo$me &e'elo$ment nt an& maintenan maintenance ce

A.14.1

Security re'uirements of $b%ective& To To ensure that information security is an integral part of information systems information systems across the entire lifecycle. This also includes the re'uirements for information systems which provide services over public networks.

A.14.1.1

Information security re'uirements analysis and specification

The information security related re'uirements shall be included in the re'uirements for new information systems or enhancements to e)isting information systems.

erform a review of the "elease Management and Software #eployment document.

A.14.1.2

Securing application services on public networks

Information involved in application services passing over public networks shall be protected from fraudulent activity( contract dispute and unauthorized disclosure and modification.

0nsure the use of SS18T1S is appropriate.

A.14.1.3

rotecting application services transactions

Information involved in application service transactions shall be protected to prevent incomplete incomplete transmission( misrouting( unauthorized message alteration( unauthorized disclosure( unauthorized message duplication or replay. replay.


A.14.2

Security in development $b%ective& To To ensure that information security is designed and and support processes implemented within the development lifecycle of information systems.

A.12.6.2

"estrictions on software "ules governing the installation of software by users shall be installation established and implemented.

A.12.7

Information systems audit considerations

$b%ective& To To minimise the impact of audit activities on operational systems.


A.12.7.1

Information systems audit controls

Audit re'uirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.

A.13 A.13 A.13.1

#omm #ommun unic icat atio ions ns secu securi rity ty :etwork security $b%ective& To To ensure the protection of information in networks and its management supporting information processing facilities.

A.13.1.1

:etwork controls

:etworks shall be managed and controlled to protect information information in systems and applications.


A.13.1.2

Security of network services

Security mechanisms( service levels and management re'uirements of all network services shall be identified and included in network services agreements( whether these services are provided inhouse or outsourced.

"eview vendor S1As.


A.13.1.3

Segregation in networks ;roups of information services( users and information systems shall be segregated on networks.

A.13.2



A.13.2.1


A.13.2.2

Agreements on information transfer

Agreements shall address the secure transfer of business information between the organization organization and e)ternal parties. parties.

"eview =rd party contract language on an annual basis.

A.13.2.3

0lectronic messaging

Information involved in electronic messaging shall be appropriately protected.


A.13.2.4

Confidentiality or nondisclosure agreements

"e'uirements for confidentiality or nondisclosure agreements reflecting the organization*s organization*s needs for the protection of information shall be identified( regularly reviewed and documented.


$b%ective& To To maintain the security of information transferred within an organization and with any e)ternal entity.

A.14

System System ac(uisiti ac(uisition) on) &e'elo$me &e'elo$ment nt an& maintenan maintenance ce

A.14.1

Security re'uirements of $b%ective& To To ensure that information security is an integral part of information systems information systems across the entire lifecycle. This also includes the re'uirements for information systems which provide services over public networks.

A.14.1.1

Information security re'uirements analysis and specification

The information security related re'uirements shall be included in the re'uirements for new information systems or enhancements to e)isting information systems.


A.14.1.2

Securing application services on public networks

Information involved in application services passing over public networks shall be protected from fraudulent activity( contract dispute and unauthorized disclosure and modification.


A.14.1.3

rotecting application services transactions

Information involved in application service transactions shall be protected to prevent incomplete incomplete transmission( misrouting( unauthorized message alteration( unauthorized disclosure( unauthorized message duplication or replay. replay.


A.14.2

Security in development $b%ective& To To ensure that information security is designed and and support processes implemented within the development lifecycle of information systems.

A.14.2.1

Secure development policy

"ules for the development of software and systems shall be established and applied to developments within the organization.

"eview the 0ngineering S1A.

A.14.2.2

System change control procedures

Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

"eview the change management process.

A.14.2.3

Technical review of applications after operating platform changes

7hen operating platforms are changed( business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

"eview whether not operating platforms changed and if so( whether or not an application review was performed.

A.14.2.4

"estrictions on changes to software packages

Modifications to software packages shall be discouraged( limited to necessary changes and all changes shall be strictly controlled.


A.14.2.5

Secure system engineering principles

rinciples for engineering secure systems shall be established( documented( maintained and applied to any information system implementation efforts.


A.14.2.6

Secure development environment

$rganizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire sys tem development lifecycle.


A.14.2.7

$utsourced development The organization shall supervise and monitor the activity of outsourced system development.

A.14.2.

System security testing

Testing Testing of security functionality shall be carried out during development.

"eview the 0ngineering S1A and perform a review of the "elease Management and Software #eployment document.

A.14.2.!

System acceptance testing

Acceptance testing programs and related criteria shall be established for new information systems( upgrades and new versions.


A.14.3 A.14.3.1

Test da data rotecti rotection on of test test data

$b%ective& To en ensure th the pr protection of of da data us used fo for te testing. Test Test data data shall shall be selecte selected d carefull carefully y( protected protected and and controll controlled. ed.

A.15 A.15

Su$$ Su$$li lier er re rela lati tion ons% s%i$ i$ss

"eview the master information security policy and the 0ngineering S1A.

A.15.1

Information security in supplier relationships

To ensure protection of the organization*s organization*s assets that is accessible by suppliers.

A.15.1.1

Information security policy for supplier relationships

Information security re'uirements for mitigating the risks associated with supplier*s access to the organization*s assets shall be agreed with the supplier and documented.

Audit all failures due to supplier security events.

A.15.1.2

Addressing security within supplier agreements

All relevant information security re'uirements shall be established and agreed with each supplier that may access( process( store( communicate( or provide IT infrastructure components for( the organization*s organization*s information.


A.15.1.3

Information and Agreements with suppliers shall include re'uirements to address t he communication information security risks associated with information and technology supply chain communications technology services and product supply chain.

A.15.2

Supplier service delivery $b%ective& To To maintain an agreed level of information security and management service delivery in line with supplier agreements.


A.15.2.1

Monitoring and review of supplier services

$rganizations shall regularly monitor( review and audit supplier service delivery.

Supplier review results.

A.15.2.2

Managing changes to supplier services

Changes to the provision of services by suppliers( including maintaining and improving e)isting information security policies( procedures and controls( shall be managed( managed( taking account of the criticality of business information( systems and processes involved and reassessment of risks.


A.16 A.16

Inform Informati ation on securi security ty inci&e inci&ent nt manage managemen mentt

A.16.1

Management of information security incidents and improvements

$b%ective& To To ensure a consistent and effective approach to the management of information security incidents( including communication on security events and weaknesses.

A.16.1.1

"esponsibilities and procedures

Management responsibilities and procedures shall be established to ensure a 'uick( effective and orderly response to information security incidents.

erform a review of the incident response procedures.

A.16.1.2

"eporting information security events

Information security events shall be reported through appropriate management channels as 'uickly as possible.


A.16.1.3

"eporting information security weaknesses

0mployees and contractors using the organization*s organization*s information systems and services shall be re'uired to note and report any observed or suspected information security weaknesses in systems or services.


A.16.1.4

Assessment of and Information security events shall be assessed and it shall be decided if decision on information they are to be classified as information security incidents. security events


A.16.1.5

"esponse to information Information security incidents shall be responded to in accordance

erform a review of the incident response

A.14.2.

System security testing

Testing Testing of security functionality shall be carried out during development.

"eview the 0ngineering S1A and perform a review of the "elease Management and Software #eployment document.

A.14.2.!

System acceptance testing

Acceptance testing programs and related criteria shall be established for new information systems( upgrades and new versions.


A.14.3 A.14.3.1

Test da data rotecti rotection on of test test data

$b%ective& To en ensure th the pr protection of of da data us used fo for te testing. Test Test data data shall shall be selecte selected d carefull carefully y( protected protected and and controll controlled. ed.

A.15 A.15

Su$$ Su$$li lier er re rela lati tion ons% s%i$ i$ss

"eview the master information security policy and the 0ngineering S1A.

A.15.1

Information security in supplier relationships

To ensure protection of the organization*s organization*s assets that is accessible by suppliers.

A.15.1.1

Information security policy for supplier relationships

Information security re'uirements for mitigating the risks associated with supplier*s access to the organization*s assets shall be agreed with the supplier and documented.


A.15.1.2

Addressing security within supplier agreements

All relevant information security re'uirements shall be established and agreed with each supplier that may access( process( store( communicate( or provide IT infrastructure components for( the organization*s organization*s information.


A.15.1.3

Information and Agreements with suppliers shall include re'uirements to address t he communication information security risks associated with information and technology supply chain communications technology services and product supply chain.

A.15.2

Supplier service delivery $b%ective& To To maintain an agreed level of information security and management service delivery in line with supplier agreements.


A.15.2.1

Monitoring and review of supplier services

$rganizations shall regularly monitor( review and audit supplier service delivery.


A.15.2.2

Managing changes to supplier services

Changes to the provision of services by suppliers( including maintaining and improving e)isting information security policies( procedures and controls( shall be managed( managed( taking account of the criticality of business information( systems and processes involved and reassessment of risks.


A.16 A.16

Inform Informati ation on securi security ty inci&e inci&ent nt manage managemen mentt

A.16.1

Management of information security incidents and improvements

$b%ective& To To ensure a consistent and effective approach to the management of information security incidents( including communication on security events and weaknesses.

A.16.1.1

"esponsibilities and procedures

Management responsibilities and procedures shall be established to ensure a 'uick( effective and orderly response to information security incidents.


A.16.1.2

"eporting information security events

Information security events shall be reported through appropriate management channels as 'uickly as possible.


A.16.1.3

"eporting information security weaknesses

0mployees and contractors using the organization*s organization*s information systems and services shall be re'uired to note and report any observed or suspected information security weaknesses in systems or services.


A.16.1.4

Assessment of and Information security events shall be assessed and it shall be decided if decision on information they are to be classified as information security incidents. security events


A.16.1.5

"esponse to information Information security incidents shall be responded to in accordance security incidents with the documented procedures.


A.16.1.6

1earning from information security incidents

6nowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.


A.16.1.7

Collection of evidence

The organization shall define and apply procedures for the identification( collection( ac'uisition and preservation of information( which can serve as evidence.


A.17

Informati Information on security security as$ects as$ects of *usiness *usiness continuit continuity y managemen managementt

A.17.1

Information security continuity

$b%ective& Information security continuity shall be embedded in the organization*s organization*s business continuity management systems.

A.17.1.1

lanning information security continuity

The organization shall determine its re'uirements for information security and the continuity of i nformation security management in adverse situations( e.g. during a crisis or disaster.

"eview the /C8#" table top test results.

A.17.1.2

Implementing information security continuity

The organization shall establish( document( implement and maintain processes( procedures and controls to ensure the re'uired re'uired level of continuity for information security during an adverse situation.


A.17.1.3

+erify( review and evaluate information security continuity

The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.


A.17.2

"edu "edund ndan anci cies es

$b%e $b%ect ctiv ive& e& To ensu ensure re avai availa labi bili lity ty of info inform rmat atio ion n proc proces essi sing ng faci facili liti ties es..

A.17.2.1

Availability of information processing facilities

Information processing facilities shall be implemented with redundancy sufficient to meet availability re'uirements.

"eview any incidents related to the availability of the data centers.

A.1

#om$liance

A.1.1

Compliance with legal and contractual re'uirements

A.1.1.1

Identification of All relevant legislative statutory( statutory( regulatory( contractual re'uirements applicable legislation and and the organization*s approach to meet these re'uirements shall be contractual re'uirements e)plicitly identified( documented and kept up to date for each information system and the organization.


A.1.1.2

Intellectual property rights

Appropriate procedures shall be implemented to ensure compliance with legislative( regulatory and contractual re'uirements related to intellectual property rights and use of proprietary software products.


A.1.1.3

rotection of records

"ecords shall be protected from loss( destruction( falsification( unauthorized access and unauthorized release( in accordance with legislatory( legislatory( regulatory( contractual and business re'uirements.


A.1.1.4

rivacy and protection of rivacy and protection of personally identifiable information shall be personally identifiable ensured as re'uired in r elevant legislation and regulation where information applicable.

Annual review of privacy policy and privacy related incidents.

A.1.1.5

"egulation of cryptographic controls

Cryptographic controls shall be used in compliance with all relevant agreements( legislation and regulations.


A.1.2

Information security reviews

$b%ective& To To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

A.1.2.1

Independent review of information security

The organization*s organization*s approach to managing information security and its implementation ,i.e. control ob%ectives( controls( policies( processes and procedures for information security- shall be reviewed independently at planned intervals or when significant changes occur.

Annual review of internal audit and management review findings

A.1.2.2

Compliance with security policies and standards

Managers shall regularly review the compliance of information processing and procedures within their their area of responsibility with the appropriate security policies( standards and any other security re'uirements.


A.1.2.3

Technical compliance review

Information systems shall be r egularly reviewed for compliance with the organization*s information security policies and standards.


$b%ective& To To avoid breaches of legal( statutory( regulatory or contractual obligations related to information security and of any security re'uirements.

A.17.2

"edu "edund ndan anci cies es

$b%e $b%ect ctiv ive& e& To ensu ensure re avai availa labi bili lity ty of info inform rmat atio ion n proc proces essi sing ng faci facili liti ties es..

A.17.2.1

Availability of information processing facilities

Information processing facilities shall be implemented with redundancy sufficient to meet availability re'uirements.

"eview any incidents related to the availability of the data centers.

A.1

#om$liance

A.1.1

Compliance with legal and contractual re'uirements

A.1.1.1

Identification of All relevant legislative statutory( statutory( regulatory( contractual re'uirements applicable legislation and and the organization*s approach to meet these re'uirements shall be contractual re'uirements e)plicitly identified( documented and kept up to date for each information system and the organization.


A.1.1.2

Intellectual property rights

Appropriate procedures shall be implemented to ensure compliance with legislative( regulatory and contractual re'uirements related to intellectual property rights and use of proprietary software products.


A.1.1.3

rotection of records

"ecords shall be protected from loss( destruction( falsification( unauthorized access and unauthorized release( in accordance with legislatory( legislatory( regulatory( contractual and business re'uirements.


A.1.1.4

rivacy and protection of rivacy and protection of personally identifiable information shall be personally identifiable ensured as re'uired in r elevant legislation and regulation where information applicable.

Annual review of privacy policy and privacy related incidents.

A.1.1.5

"egulation of cryptographic controls

Cryptographic controls shall be used in compliance with all relevant agreements( legislation and regulations.


A.1.2

Information security reviews

$b%ective& To To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

A.1.2.1

Independent review of information security

The organization*s organization*s approach to managing information security and its implementation ,i.e. control ob%ectives( controls( policies( processes and procedures for information security- shall be reviewed independently at planned intervals or when significant changes occur.


A.1.2.2

Compliance with security policies and standards

Managers shall regularly review the compliance of information processing and procedures within their their area of responsibility with the appropriate security policies( standards and any other security re'uirements.


A.1.2.3

Technical compliance review

Information systems shall be r egularly reviewed for compliance with the organization*s information security policies and standards.


$b%ective& To To avoid breaches of legal( statutory( regulatory or contractual obligations related to information security and of any security re'uirements.

ISO 27001 Documents Last Updated: 2016-02-11

Doc ID

ISO 27001 Clause

Doc Short Descr"pon

692&&'

N/A

ISO2&&'

* +'

IS$S $aster Document 6,ternal and internal issues relevant to the companyMs purpose and that a!ect its a-ility to achieve the IS5S goals

ISO2&&$

* +'

"rocedure for Idenfying Interested "ares and their relevant 0e.uirements

ISO2&&3

* +$

Interested "ares and their relevant 0e.uirements

ISO2&&*

* +3

IS5S Scope

ISO2&&1

* +*

6vidence of IS5S Implementaon

ISO2&&7

1 +'

IS5S 0e.uirements

I SO & & %

1$

In!ormaon Secur"t# Pol"c#

ISO 27001 Documents Last Updated: 2016-02-11

Doc ID

ISO 27001 Clause

Doc Short Descr"pon

692&&'

N/A

ISO2&&'

* +'

IS$S $aster Document 6,ternal and internal issues relevant to the companyMs purpose and that a!ect its a-ility to achieve the IS5S goals

ISO2&&$

* +'

"rocedure for Idenfying Interested "ares and their relevant 0e.uirements

ISO2&&3

* +$

Interested "ares and their relevant 0e.uirements

ISO2&&*

* +3

IS5S Scope

ISO2&&1

* +*

6vidence of IS5S Implementaon

ISO2&&7

1 +'

IS5S 0e.uirements

ISO2&&%

1 +$

ISO2&&:

7+'+'

ISO2&&

7+'+'

ISO2&'&

7+'+$

In!ormaon Secur"t# Pol"c# IS5S 0is(s and Opportunies Acon "lan to Address 0is(s and Opportunies Informaon Security 0is( Assessment 5ethodology

ISO2&''

7+'+$

0is( Assessment 0eport

ISO2&'$

7+'+$

0is( Assessment 9emplate

ISO2&'3

7+'+3

Informaon Security 0is( 9reatment 5ethodology

ISO2&'*

7+'+3+d

Statement of Applica-ility

ISO2&'1

7+'+3+e

0is( 9reatment "lan

ISO2&'7

7+'+3

ISO2&'%

7 +$

Informaon Security O-jecves

ISO2&':

7 +$

"lan to Achieve Informaon Security O-jecves

ISO2&'

% +'

IS5S 0e.uired 0esources

ISO2&$&

% +$ + a

escripon of Necessary Competence

ISO2&$'

%+$+%+$+c

Competence eterminaon/0evie# "rocedure

ISO2&$$

%+$+c

Competence Ac Achievement "lan

ISO2&$3

%+$+d

6vidence of Competence

ISO2&$*

% +3

ISO2&$1

% +*

ISO2&$7

% +*

ISO2&

%$%+1+'+-

ISO2&$:

%+1+$ %+1+3

0is( 9reatment 0eport

Secur"t# *?areness Pro%ram Security A#areness 9raining Slide ec( Communicaon "rocess ocumented informaon informaon determined -y the organizaon as -eing necessary for the e!ecveness of the IS5S ocument Control "olicy including Creang and @pdang 0e.uirements and Control of 0ecordsB

ISO2&$

%+1+$ %+1+3

ocument Control 5ethodology including Creang and @pdang 0e.uirements and Control of 0ecordsB

ISO2&3&

:+'

6vidence of compleon of the "lan to Achieve Informaon Security O-jecves

ISO2&3'

:+'

eterminaon and Control of Outsourced "rocesses

ISO2&3$

:+$

0esults of the Informaon Security 0is( Assessment 0is( Assessment 0eportB

ISO2&33

:+3

0esults of the Informaon Security 0is( 9reatment 0is( 9reatment 0eportB

ISO2&3*

+'

5onitoring and 5easurement 5ethodology

ISO2&31

+'

6vidence of the 5onitoring and 5easurement 0esults

ISO2&37

+'

Analysis and 6valuaon 5ethodology

ISO2&3%

+'

6vidence of the Analysis and 6valuaon 0esults

ISO2&3:

+$ A+'$+%+'

ISO2&3

+$

6vidence of Internal Audit "rogram 0evie#s

ISO2&*&

+$

Internal Audit "rocedure

ISO2&*'

+$

IS5S Audit Chec(list

ISO2&*$

+$

6vidence of Internal Audit "rocedure 0evie#s

ISO2&*3

+$+g

6vidence of Internal Audit 0esults

ISO2&**

+$g

IS5S Correcve Acon >orm

ISO2&*1

+3

5anagement 0evie# of the IS5S

ISO2&*7

+3

>orm for 5anagement 0evie# 5inutes

ISO2&*%

+3

6vidence of 5anagement 0evie#s of the IS5SD and their 0esults

ISO2&*:

'&+'

Nonconformity 0esponse and Correcve Acon "rocedures

ISO2&*

'&+'+f

6vidence 0egarding Nonconformies

ISO2&1&

'&+'+g

6vidence of the 0esults of any Correcve Acon

ISO2&1'

'&+$

ISO2&1$

A+1+'+'

ISO2&13

A+1+'+$

Set o! In!ormaon Secur"t# Pol"c"es 6vidence of 0evie# of Informaon Security "olicies

ISO2&1*

A+1+'+'

Set of Informaon Security "rocedures

ISO2&11

A+7+'+'

Informaon Security 0oles and 0esponsi-ilies also Secon 1+3B

ISO2&17

A+7+'+'+

6vidence that Informaon Security 0esponsi-ilies are enacted 0ecordsB

ISO2&1%

A+7+'+$

Segregaon of ues "rocess

ISO2&1:

A+7+'+3

Authority Contacts

ISO2&1

A+7+'+*

Special Interest roup Contacts

ISO2&7&

A+7+'+1

Informaon Security "rocess for "roject 5anagement

ISO2&7'

A+7+$+'

5o-ile evice "olicy

ISO2&7$

A+7+$+$

8TO "olicy

ISO2&73

A+7+$+$

9ele#or(ing "olicy

ISO2&7*

A+%+'+'

8ac(ground Chec( "rocess

Internal *ud"t Pro%ram

Connual Improvement "rocess

ISO2&71

A+%+'+'

6vidence of 8ac(ground Chec(s 0ecordsB

ISO2&77

A+%+'+$

6mployment Contract Security 0esponsi-ility Spulaons

ISO2&7%

A+%+'+$

6vidence of Security 0esponsi-ility Spulaons in 6mployment Contracts 0ecordsB

ISO2&7:

A+%+$+$

6vidence of Security A#areness 9raining

ISO2&7

A+%+$+$

6vidence of Communicaon of Informaon Security "olicy ChangesB 0ecordsB

ISO2&%&

A+%+$+3

isciplinary "rocess including communicaon of itB

ISO2&%'

A+%+$+3

6vidence that isciplinary "rocess is -eing communicated 0ecordsB

ISO2&%$

A+%+$+3

6vidence that isciplinary "rocess is -eing carried out 0ecordsB

ISO2&%3

A+%+3+'

Change of 6mployment "rocedures 0egarding Informaon Security 0esponsi-ilies

ISO2&%*

A+%+3+'

6vidence that 6mployment "rocedures for InfoSec 0esponsi-ilies are enacted 0ecordsB

ISO2&%1

A+:

ISO2&%7

A+:+'+' A+:+'+$

Asset Inventory including 5anagement O#nership

ISO2&%%

A+:+'+' A+:+'+$

Asset Inventory 0evie# "rocess

ISO2&%:

A+:+'+' A+:+'+$

6vidence of Asset Inventory 0evie#s 0ecordsB

ISO2&%

A+:+'+3

0ules for the Accepta-le @se of Informaon and of Assets Accepta-le @se "olicyB

ISO2&:&

A+:+'+3

6vidence of Communicaon of Accepta-le @se of Informaon and of Assets 0ecordsB

ISO2&:'

A+:+'+*

Asset 0eturn "rocess

ISO2&:$

A+:+'+*

6vidence of Asset 0eturns 0ecordsB

ISO2&:3

A+:+$+' A+:+$+$

Informaon Classi)caon Schema

ISO2&:*

A+:+$+' A+:+$+$

Informaon Classi)caon and Ha-eling "rocess

ISO2&:1

A+:+$+' A+:+$+$

6vidence of Informaon Classi)caon and Ha-eling 0evie#s 0ecordsB

ISO2&:7

A+:+$+3

Asset andling "rocedures

ISO2&:%

A+:+$+3

6vidence of Implementaon of Asset andling "rocedures 0ecordsB

ISO2&::

A+:+3+'

5anagement of 0emova-le 5edia "olicy

ISO2&:

A+:+3+'

5anagement of 0emova-le 5edia "rocedures

ISO2&&

A+:+3+'

6vidence that 0emova-le 5edia "rocedures are enacted 0ecordsB

ISO2&'

A+:+3+$

isposal of 5edia "olicy

ISO2&$

A+:+3+$

isposal of 5edia "rocedures

ISO2&3

A+:+3+$

6vidence that isposal of 5edia "rocedures are enacted 0ecordsB

ISO2&*

A+:+3+3

"hysical 5edia 9ransfer "olicy

ISO2&1

A+:+3+3

"hysical 5edia 9ransfer "rocedures

ISO2&7

A+:+3+3

6vidence that "hysical 5edia 9ransfer "rocedures are enacted 0ecordsB

ISO2&%

A++'+'

Access Control "olicy

Asset 5anagement "rogram

ISO2&:

A++'+'

Access Control "olicy 0evie# "rocess

ISO2&

A++'+'

6vidence of Access Control "olicy 0evie#s 0ecordsB

ISO2'&&

A++'+$

Net#or( and Net#or( Service Access Authorizaon "rocedure

ISO2'&'

A++'+$

6vidence that Net#or( and Net#or( Service Access Authorizaon "rocedure is enacted 0ecordsB

ISO2'&$

A++$+'

@ser 0egistraon and e2registraon "rocess

ISO2'&3

A++$+'

6vidence that @ser 0egistraon and e2registraon "rocesses are enacted 0ecordsB

ISO2'&*

A++$+$

@ser Access "rovisioning "rocess

ISO2'&1

A++$+$

6vidence that @ser Access "rovisioning "rocess is enacted 0ecordsB

ISO2'&7

A++$+3

"rivileged Access 5anagement "rocess

ISO2'&%

A++$+3

6vidence that "rivileged Access 5anagement "rocess is enacted 0ecordsB

ISO2'&:

A++$+*

Secret Authencaon e+g+D "ass#ordB "olicy

ISO2'&

A++$+*

Secret Authencaon e+g+D "ass#ordB Informaon 5anagement "rocess

ISO2''&

A++$+*

6vidence that Secret Authencaon Informaon 5anagement "rocess is enacted 0ecordsB

ISO2'''

A++$+1

Asset Access 0evie# "rocess

ISO2''$

A++$+1

6vidence of Asset Access 0evie#s 0ecordsB

ISO2''3

A++$+7

0emoval or Adjustment of Access 0ights "rocess

ISO2''*

A++$+7

6vidence that 0emoval or Adjustment of Access 0ights "rocess is enacted 0ecordsB

ISO2''1

A++3+'

Authencaon Safeguarding "olicy

ISO2''7

A++3+'

Authencaon Safeguarding "rocess

ISO2''%

A++3+'

6vidence that Authencaon Safeguarding "rocess is enacted

ISO2'':

A++*+'

ata and Applicaon Access Authorizaon "rocedure

ISO2''

A++*+'

ata and Applicaon Access 0e.uest and Authorizaon >orm

ISO2'$&

A++*+'

6vidence that ata and Applicaon Access Authorizaon "rocedure is enacted

ISO2'$'

A++*+$

Secure Hog2on "rocedure if re.uired -y Access Control "olicyB

ISO2'$$

A++*+$

6vidence that Secure Hog2on "rocedure is enacted

ISO2'$3

A++*+3

"ass#ord 5anagement System escripon

ISO2'$*

A++*+3

6vidence that "ass#ord 5anagement System is enacted

ISO2'$1

A++*+*

@lity "rogram "olicy

ISO2'$7

A++*+*

@lity "rogram 0evie# "rocess

ISO2'

%$A++*+*

ata and Applicaon Access 0e.uest and Authorizaon >orm

ISO2'$:

A++*+1

Access Control to Source Code Authorizaon "rocess

ISO2'$

A++*+1

Source Code Access 0e.uest and Authorizaon >orm

ISO2'3&

A+'&+'+'

Cryptographic Controls "olicy

ISO2'3'

A+'&+'+'

Cryptographic Controls "rocess

ISO2'3$

A+'&+'+'

6vidence that Cryptograpic Controls "rocess is enacted

ISO2'33

A+'&+'+$

Key 5anagement "olicy

ISO2'3*

A+'&+'+$

Key 5anagement "rocess

ISO2'31

A+'&+'+$

6vidence that Key 5anagement "rocess is enacted

ISO2'37

A+''+'+'

"hysical Security "erimeters e)nion

ISO2'3%

A+''+'+'

6vidence of "hysical Security "erimeters e)nion 0evie#s

ISO2'3:

A+''+'+$

"hysical 6ntry Controls

ISO2'3

A+''+'+$

6vidence of "hysical 6ntry Controls 0evie#s

ISO2'*&

A+''+'+3

"hysical Security esign

ISO2'*'

A+''+'+3

6vidence of "hysical Security esign 0evie#s

ISO2'*$

A+''+'+*

esign for "rotecon Against 6,ternal and 6nvironmental 9hreats

ISO2'*3

A+''+'+*

6vidence of esign for "rotecon Against 6,ternal and 6nvironmental 9hreats 0evie#s

ISO2'**

A+''+'+1

"rocedures for Qor(ing in Secured Areas

ISO2'*1

A+''+'+1

6vidence of 0evie#s of "rocedures for Qor(ing in Secured Areas

ISO2'*7

A+''+'+7

"hysical Access "oint Security esigns

ISO2'*%

A+''+'+7

6vidence of 0evie#s of "hysical Access "oint Security esigns

ISO2'*:

A+''+$+'

6.uipment Sing and "rotecon esign

ISO2'*

A+''+$+'

6vidence of 6.uipment Sing and "rotecon esign 0evie#s

ISO2'1&

A+''+$+$

esign for "rotecon Against @lity >ailures

ISO2'1'

A+''+$+$

6vidence of esign for "rotecon Against @lity >ailures 0evie#s

ISO2'1$

A+''+$+3

Ca-ling "rotecon esign

ISO2'13

A+''+$+3

6vidence of Ca-ling "rotecon esign 0evie#s

ISO2'1*

A+''+$+*

6.uipment 5aintenance "rocess

ISO2'11

A+''+$+*

6vidence of 6.uipment 5aintenance "rocess 0evie#s

ISO2'17

A+''+$+*

6vidence that 6.uipment 5aintenance "rocess is enacted

ISO2'1%

A+''+$+1

0emoval of Asset Authorizaon "rocess

ISO2'1:

A+''+$+1

6vidence of 0emoval of Asset Authorizaon "rocess 0evie#s

ISO2'1

A+''+$+1

0emoval of Asset Authorizaon >orm

ISO2'7&

A+''+$+7

O!site Asset Security "rocess

ISO2'7'

A+''+$+7

6vidence of O!site Asset Security "rocess 0evie#s

ISO2'7$

A+''+$+%

Secure 5edia isposal and 0e2use "olicy

ISO2'73

A+''+$+%

6vidence of Secure 5edia isposal and 0e2use "olicy 0evie#s

ISO2'7*

A+''+$+%

Secure 5edia isposal and 0e2use "rocess

ISO2'71

A+''+$+%

6vidence of Secure 5edia isposal and 0e2use "rocess 0evie#s

ISO2'77

A+''+$+:

"rotecon of @naended 6.uipment "olicy

ISO2'7%

A+''+$+:

6vidence of "rotecon of @naended 6.uipment "olicy 0evie#s

ISO2'7:

A+''+$+:

"rotecon of @naended 6.uipment "rocess

ISO2'7

A+''+$+:

6vidence of "rotecon of @naended 6.uipment "rocess 0evie#s

ISO2'%&

A+''+$+

ISO2'%'

A+''+$+

Clear Desk Pol"c# 6vidence of Clear es( "olicy 0evie#s

ISO2'%$

A+''+$+

ISO2'%3

A+''+$+

ISO2'%*

A+'$+'+'

ISO2'%1

A+'$+'+'

ISO2'%7

:+' A+'$+'+$ A+'*+$+$ A+'*+$+3 A+'*+$+*

ISO2'%%

:+' A+'$+'+$ A+'*+$+$ A+'*+$+3 A+'*+$+*

6vidence of Change 5anagement "olicy 0evie#s

ISO2'%:

:+' A+'$+'+$ A+'*+$+$ A+'*+$+3 A+'*+$+*

Change 5anagement "rocess

ISO2'%

:+' A+'$+'+$ A+'*+$+$ A+'*+$+3 A+'*+$+*

6vidence of Change 5anagement "rocess 0evie#s

ISO2':&

A+'$+'+3

Capacity 5anagement "rocess

ISO2':'

A+'$+'+3

6vidence of Capacity 5anagement "rocess 0evie#s

ISO2':$

A+'$+'+3

Capacity 5anagement "lans/0eports

ISO2':3

A+'$+'+*

Separaon of 6nvironments "olicy

ISO2':*

A+'$+'+*

6vidence of Separaon of 6nvironments "olicy 0evie#s

ISO2':1

A+'$+'+*

Separaon of 6nvironments esign

ISO2':7

A+'$+'+*

6vidence of Separaon of 6nvironments esign 0evie#s

ISO2':%

A+'$+$+'

5al#are "rotecon "olicy

ISO2'::

A+'$+$+'

6vidence of 5al#are "rotecon "olicy 0evie#s

ISO2':

A+'$+$+'

5al#are "rotecon esign

ISO2'&

A+'$+$+'

6vidence of 5al#are "rotecon esign 0evie#s

ISO2''

A+'$+3+'

ata 8ac(up and 0ecovery "olicy

ISO2'$

A+'$+3+'

6vidence of ata 8ac(up and 0ecovery "olicy 0evie#s

ISO2'3

A+'$+3+'

ata 8ac(up and 0ecovery "rocedures

ISO2'*

A+'$+3+'

6vidence of ata 8ac(up and 0ecovery "rocedures 0evie#s

ISO2'1

A+'$+3+'

ata 8ac(up and 0ecovery 9est "rocess

ISO2'7

A+'$+3+'

6vidence of ata 8ac(up and 0ecovery 9est "rocess 0evie#s

Clear Screen Pol"c# 6vidence of Clear Screen "olicy 0evie#s Operang "rocedures 6vidence of Operang "rocedures 0evie#s Change 5anagement "olicy

ISO2'%

A+'$+*+'

6vent Hogging esign

ISO2':

A+'$+*+'

6vidence of 6vent Hogging esign 0evie#s

ISO2'

A+'$+*+'

6vent Hog 0evie#s

ISO2$&&

A+'$+*+$

esign for "rotecon of Hog Informaon

ISO2$&'

A+'$+*+$

6vidence of 0evie#s of esign for "rotecon of Hog Informaon

ISO2$&$

A+'$+*+3

Operator Hogging esign

ISO2$&3

A+'$+*+3

6vidence of Operator Hogging esign 0evie#s

ISO2$&*

A+'$+*+3

Operator Hog 0evie# "rocess

ISO2$&1

A+'$+*+3

6vidence of Operator Hog 0evie#s

ISO2$&7

A+'$+*+*

Cloc( Synchronizaon esign

ISO2$&%

A+'$+*+*

6vidence of Cloc( Synchronizaon 0evie#s

ISO2$&:

A+'$+1+' A+'$+7+$

So#are Installaon "olicy

ISO2$&

A+'$+1+' A+'$+7+$

6vidence of So#are Installaon "olicy 0evie#s

ISO2$'&

A+'$+1+' A+'$+7+$

So#are Installaon Control "rocedures

ISO2$''

A+'$+1+' A+'$+7+$

6vidence of So#are Installaon Control "rocedures 0evie#s

ISO2$'$

A+'$+7+'

Eulnera-ility 5anagement "olicy

ISO2$'3

A+'$+7+'

6vidence of Eulnera-ility 5anagement "olicy 0evie#s

ISO2$'*

A+'$+7+'

Eulnera-ility 5anagement "rocess

ISO2$'1

A+'$+7+'

6vidence that Eulnera-ility 5anagement "rocess is enacted

ISO2$'7

A+'$+%+'

6,ternal Audit Acvity "lanning "rocess

ISO2$'%

A+'$+%+'

6vidence that 6,ternal Audit Acvity "lanning "rocess is enacted

ISO2$':

A+'$+%+'

6,ternal Audit Acvity 0eport

692&&$

N/A

ISO2$$&

A+'3+'+'

esign of Net#or( Controls

ISO2$$'

A+'3+'+'

6vidence of esign of Net#or( Controls 0evie#s

ISO2$$$

A+'3+'+$

esign of Controls for Net#or( Services

ISO2$$3

A+'3+'+$

6vidence of esign of Controls for Net#or( Services 0evie#s

ISO2$$*

A+'3+'+3

esign of Net#or( Segregaon

ISO2$$1

A+'3+'+3

6vidence of esign of Net#or( Segregaon 0evie#s

ISO2$$7

A+'3+$+'

Informaon 9ransfer "olicies

ISO2$

%$A+'3+$+'

6vidence of Informaon 9ransfer "olicies 0evie#s

ISO2$$:

A+'3+$+'

Informaon 9ransfer "rocedures

ISO2$$

A+'3+$+'

6vidence of Informaon 9ransfer "rocedures 0evie#s

ISO2$3&

A+'3+$+'

Informaon 9ransfer Control esign

ISO2$3'

A+'3+$+'

6vidence of Informaon 9ransfer Control esign 0evie#s

ISO2$3$

A+'3+$+$

Informaon 9ransfer Agreement "olicy

ISO2$33

A+'3+$+$

6vidence of Informaon 9ransfer Agreement "olicy 0evie#s

ISO2$3*

A+'3+$+$

Informaon 9ransfer Agreement 9emplate

Net#or( Security "olicy

ISO2$31

A+'3+$+$

6vidence of Informaon 9ransfer Agreements

ISO2$37

A+'3+$+3

Secure 6lectronic 5essaging "olicy

ISO2$3%

A+'3+$+3

6vidence of Secure 6lectronic 5essaging "olicy 0evie#s

ISO2$3:

A+'3+$+3

Secure 6lectronic 5essaging "rocedure

ISO2$3

A+'3+$+3

6vidence of Secure 6lectronic 5essaging "rocedure 0evie#s

ISO2$*&

A+'3+$+*

Con)denality and NA 0e.uirements esign

ISO2$*'

A+'3+$+*

6vidence of Con)denality and NA 0e.uirements esign 0evie#s

ISO2$*$

A+'*+'+'

Security in Ne# or 5odi)ed Systems "olicy

ISO2$*3

A+'*+'+'

6vidence of Security in Ne# or 5odi)ed Systems "olicy 0evie#s

ISO2$**

A+'*+'+' A+'*+$+1

Security in Ne# or 5odi)ed Systems "rocess

ISO2$*1

A+'*+'+' A+'*+$+1

6vidence of Security in Ne# or 5odi)ed Systems "rocess 0evie#s

ISO2$*7

A+'*+'+$

"rotecon of Applicaons on "u-lic Net#or(s esign

ISO2$*%

A+'*+'+$

6vidence of "rotecon of Applicaons on "u-lic Net#or(s esign 0evie#s

ISO2$*:

A+'*+'+3

Applicaon Service 9ransacon "rotecon esign

ISO2$*

A+'*+'+3

6vidence of Applicaon Service 9ransacon "rotecon esign 0evie#s

ISO2$1&

A+'*+$+' A+'*+$+7 A+'*+$+% A+'*+$+: A+'*+$+

Secure SHC "olicy

ISO2$1'

A+'*+$+' A+'*+$+7 A+'*+$+% A+'*+$+: A+'*+$+

6vidence of Secure SHC "olicy 0evie#s

ISO2$1$

A+'*+$+' A+'*+$+7 A+'*+$+% A+'*+$+: A+'*+$+

Secure SHC "rocess

ISO2$13

A+'*+$+' A+'*+$+7 A+'*+$+% A+'*+$+: A+'*+$+

6vidence of Secure SHC "rocess 0evie#s

ISO2$1*

A+'*+3+'

"rotecon of 9est ata "rocess

ISO2$11

A+'*+3+'

6vidence of "rotecon of 9est ata "rocess 0evie#s

ISO2$17

A+'1+'+' A+'1+'+$

Supplier Security "olicy

ISO2$1%

A+'1+'+' A+'1+'+$

6vidence of Supplier Security "olicy 0evie#s

ISO2$1:

A+'1+'+$

Supplier Security 9emplate

ISO2$1

A+'1+'+$

6vidence of Informaon Security in Supplier Agreements

ISO2$7&

A+'1+'+3

Informaon Security for I9 Service "roviders "olicy

ISO2$7'

A+'1+'+3

6vidence of Informaon Security for I9 Service "roviders "olicy 0evie#s

ISO2$7$

A+'1+'+3

Informaon Security for I9 Service "roviders 9emplate

ISO2$73

A+'1+$+' A+'1+$+$

Supplier Services 5anagement "rocess

ISO2$7*

A+'1+$+' A+'1+$+$

6vidence of Supplier Services 5anagement "rocess 0evie#s

ISO2$71

A+'1+$+' A+'1+$+$

6vidence of Supplier Services 5anagement 0evie#s

ISO2$77

A+'1+$+' A+'1+$+$

Supplier Services 0evie# 9emplate

ISO2$7%

A+'7

Incident 5anagement "olicy

ISO2$7:

A+'7

6vidence of Incident 5anagement "olicy 0evie#s

ISO2$7

A+'7+'+'

Incident 5anagement 0oles and 0esponsi-ilies

ISO2$%&

A+'7+'+'

6vidence of Incident 5anagement 0oles and 0esponsi-ilies 0evie#s

ISO2$%'

A+'7+'+'

Incident 5anagement "rocedures

ISO2$%$

A+'7+'+'

6vidence of Incident 5anagement "rocedures 0evie#s

ISO2$%3

A+'7+'+$

Incident 0eport 9emplate

ISO2$%*

A+'7+'+$

6vidence of Incident 0eports

ISO2$%1

A+'7+'+3

Security Qea(ness 0eporng "rocess

ISO2$%7

A+'7+'+3

6vidence of Security Qea(ness 0eporng "rocess 0evie#s

ISO2$%%

A+'7+'+3

Security Qea(ness 0eport 9emplate

ISO2$%:

A+'7+'+*

Incident Assessment "rocess

ISO2$%

A+'7+'+1

6vidence of Incident Assessment "rocess 0evie#s

ISO2$:&

A+'7+'+7

Incidence 0esponse "rocess

ISO2$:'

A+'7+'+7

6vidence of Incident 0esponse "rocess 0evie#s

ISO2$:$

A+'7+'+7

6vidence of Incident 0esponse

ISO2$:3

A+'7+'+%

6vidence Collecon "rocedures

ISO2$:*

A+'7+'+%

6vidence of 6vidence Collecon "rocedures 0evie#s

ISO2$:1

A+'7+'+%

6vidence Collecon 9emplate

ISO2$:7

A+'%

8usiness Connuity 5anagement "olicy

ISO2$:%

A+'%

6vidence of 8usiness Connuity 5anagement "olicy 0evie#s

ISO2$::

A+'%

8usiness Connuity Strategy

ISO2$:

A+'%

6vidence of 8usiness Connuity Strategy 0evie#s

692&&3

N/A

Supplier Security Chec(list

ISO2$'

A+'%

8usiness Connuity "lan

ISO2$$

A+'%

6vidence of 8usiness Connuity "lan 0evie#s

ISO2$3

A+'%

8usiness Connuity 5anagement System 5aintenance and 0evie# "lan

ISO2$*

A+'%

6vidence of 8usiness Connuity 5anagement System 5aintenance and 0evie# "lan 0evie#s

ISO2$1

A+'%+'+'

8usiness Connuity 0e.uirements

ISO2$7

A+'%+'+'

6vidence of 8usiness Connuity 0e.uirements 0evie#s

ISO2$%

A+'%+'+'

8usiness Impact Analysis

ISO2$:

A+'%+'+'

8usiness Impact Analysis 9emplate

ISO2$

A+'%+'+'

8usiness Impact Analysis Analysis 4uesonnairesB

ISO23&&

A+'%+'+$

8usiness Connuity "rocess

ISO23&'

A+'%+'+$

6vidence of 8usiness Connuity "rocess 0evie#s

ISO23&$

A+'%+'+$

8usiness Connuity "rocedures

ISO23&3

A+'%+'+$

6vidence of 8usiness Connuity "rocedures 0evie#s

ISO23&*

A+'%+'+$

8usiness Connuity Controls

ISO23&1

A+'%+'+$ A+'%+'+3

6vidence of 8usiness Connuity Controls 0evie#s

ISO23&7

A+'%+'+3

8usiness Connuity 6,ercising and 9esng "lan

ISO23&%

A+'%+'+3

6vidence of 8usiness Connuity 6,ercising and 9esng "lan 0evie#s

ISO23&:

A+'%+'+3

8usiness Connuity 6,ercises and 9ests

ISO23&

A+'%+'+3

8usiness Connuity "ost2Incident 0evie# >orm

ISO23'&

A+'%

isaster 0ecovery "lan

ISO23''

A+'%

6vidence of isaster 0ecovery "lan 0evie#s

ISO23'$

A+'%+'+'

isaster 0ecovery 0e.uirements

ISO23'3

A+'%+'+'

6vidence of isaster 0ecovery 0e.uirements 0evie#s

ISO23'*

A+'%+'+$

isaster 0ecovery "rocess

ISO23'1

A+'%+'+$

6vidence of isaster 0ecovery "rocess 0evie#s

ISO23'7

A+'%+'+$

isaster 0ecovery "rocedures

ISO23'%

A+'%+'+$

6vidence of isaster 0ecovery "rocedures 0evie#s

ISO23':

A+'%+'+$

isaster 0ecovery Controls

ISO23'

A+'%+'+$ A+'%+'+3

6vidence of isaster 0ecovery Controls 0evie#s

ISO23$&

A+'%+'+3

isaster 0ecovery 6,ercises and 9ests

ISO23$'

A+'%+'+3

isaster 0ecovery "ost2Incident 0evie# >orm

ISO23$$

A+'%+$+'

0edundancy 0e.uirements

ISO23$3

A+'%+$+'

6vidence of 0edundancy 0e.uirements 0evie#s

ISO23$*

A+':+'+'

HegalD 0egulatory and Contractual 0e.uirements

ISO23$1

A+':+'+'

6vidence of HegalD 0egulatory and Contractual 0e.uirements 0evie#s

ISO23$7

A+':+'+$

Intellectual "roperty Compliance "rocedure

ISO23

%$A+':+'+$

6vidence of Intellectual "roperty Compliance "rocedure 0evie#s

ISO23$:

A+':+'+3

0ecord "rotecon

ISO23$

A+':+'+3

6vidence of 0ecord "rotecon 0evie#s

ISO233&

A+':+'+*

"rivacy and "rotecon of "II

ISO233'

A+':+'+*

6vidence of "rivacy and "rotecon of "II 0evie#s

ISO233$

A+':+'+1

0egulaon of Cryptographic Controls

ISO2333

A+':+'+1

6vidence of 0egulaon of Cryptographic Controls 0evie#s

ISO233*

A+':+$+'

6,ternal Audit "lan

ISO2331

A+':+$+'

6vidence of 6,ternal Audit "lan 0evie#s

ISO2337

A+':+$+'

6vidence of 6,ternal Audits

ISO233%

A+':+$+$

5anagement Compliance 0evie# "rocess

ISO233:

A+':+$+$

6vidence of 5anagement Compliance 0evie# "rocess 0evie#s

ISO233

A+':+$+$

6vidence of 5anagement Compliance 0evie#s

ISO23*&

A+':+$+3

9echnical Compliance 0evie# "rocess

ISO23*'

A+':+$+3

6vidence of 9echnical Compliance 0evie# "rocess 0evie#s

ISO23*$

A+':+$+3

6vidence of 9echnical Compliance 0evie#s

692&&*

N/A

CSQ "rogram

692&&1

N/A

Informaon Security 0is( Council "rogram

692&&7

N/A

Security Integraon "lan

692&&%

N/A

Security Integraon 4uesonnaire

692&&:

N/A

0 6mployee Change "rocedure

692&&

N/A

ata overnance "olicy

692&&

N/A

Security 0evie# Chec(list

692&&

N/A

5ul2>actor Authencaon "rocedure

9otal

31&

Hin( to mandatory/non2mandatory documents= hp=//advisera+com/$%&&'academy/(no#led

Conta"ned In

.e6u"rement

Doc T#pe

IS$S Scope

O#n oc

Oponal

escripon

No

"art of 692&&'

Implied

0ecord

Tes

98

Implied

"rocedure

Tes

"art of 692&&'

Implied

0ecord

Tes

"art of 692&&'

0e.uired

escripon

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

O#n oc

0e.uired

"olicy

Tes

98

Implied

0ecord

Tes

98

Implied

"lan

Tes

98

0e.uired

"rocess

Tes

O#n oc

Implied

0ecord

Tes

O#n oc

Oponal

>orm or 9emplate

Tes

"art of 692&&'

0e.uired

"rocess

Tes

O#n oc

0e.uired

0ecord

Tes

O#n oc

0e.uired

"lan

Tes

98

Implied

0ecord

Tes

"art of 692&&'

0e.uired

0ecord

Tes

98

Implied

"lan

Tes

"art of 692&&'

Implied

0ecord

Tes

"art of 692&&'

Implied

escripon

Tes

98

Implied

"rocedure

Tes

98

Implied

"lan

Tes

O#n oc

0e.uired

0ecord

Tes

O#n oc

Implied

"rocess

Tes

O#n oc

Oponal

"art of 692&&'

Implied

"rocess

Tes

"art of 692&&'

0e.uired

0ecord

Tes

98

Implied

"olicy

Tes

No

Project Scope

Included

98

Implied

"rocess

Tes

98

0e.uired

0ecord

Tes

98

Implied

"olicy

Tes

"art of ISO2&''

0e.uired

0ecord

Tes

"art of ISO2&'7

0e.uired

0ecord

Tes

98

Implied

"rocedure

Tes

98

0e.uired

0ecord

Tes

98

Implied

"rocedure

Tes

98

Implied

0ecord

Tes

O#n oc

0e.uired

escripon

Tes

"art of ISO2&3:

Implied

0ecord

Tes

O#n oc

Oponal

"rocess

Tes

O#n oc

Oponal

>orm or 9emplate

Tes

"art of ISO2&*&

Oponal

0ecord

Tes

O#n oc

0e.uired

0ecord

Tes

O#n oc

Oponal

>orm or 9emplate

Tes

98

Implied

"rocess

Tes

98

Oponal

>orm or 9emplate

Tes

98

0e.uired

0ecord

Tes

98

Implied

"rocedure

Tes

98

0e.uired

0ecord

Tes

98

0e.uired

0ecord

Tes

98

Implied

"rocess

Tes

O#n oc

0e.uired

"olicy

Tes

98

0e.uired

0ecord

Tes

98

Oponal

"rocedure

Tes

"art of 692&&'

0e.uired

0ecord

Tes

98

Implied

0ecord

Tes

98

Implied

"rocess

Tes

98

0e.uired

0ecord

Tes

98

0e.uired

0ecord

Tes

98

Implied

"rocess

Tes

"art of ISO2&1$

0e.uired

"olicy

Tes

"art of ISO2&1$

Oponal

"olicy

Tes

"art of ISO2&1$

0e.uired

"olicy

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

98

Implied

0ecord

Tes

98

Implied

0ecord

Tes

98

Implied

0ecord

Tes

98

Implied

0ecord

Tes

98

0e.uired

"rocess

Tes

98

Implied

0ecord

Tes

98

Implied

0ecord

Tes

"art of ISO2&77

0e.uired

"rocedure

Tes

98

Implied

0ecord

Tes

O#n oc

Oponal

escripon

Tes

O#n oc

0e.uired

0ecord

Tes

"art of ISO2&%1

Implied

"rocess

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

0e.uired

"olicy

Tes

98

Implied

0ecord

Tes

"art of ISO2&%1

Implied

"rocess

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

"art of ISO2&%1

0e.uired

"rocedure

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

0e.uired

"olicy

Tes

"art of ISO2&1*

Implied

"rocedure

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

0e.uired

"olicy

Tes

"art of ISO2&1*

Implied

"rocedure

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

Implied

"olicy

Tes

"art of ISO2&1*

Implied

"rocedure

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

0e.uired

"olicy

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

98

Implied

"rocedure

Tes

98

Implied

0ecord

Tes

98

0e.uired

"rocess

Tes

98

Implied

0ecord

Tes

98

0e.uired

"rocess

Tes

98

Implied

0ecord

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

98

Implied

"olicy

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

Implied

"rocess

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

"art of ISO2&1*

Implied

"rocedure

Tes

98

Oponal

>orm or 9emplate

Tes

98

Implied

0ecord

Tes

"art of ISO2&1*

Implied

"rocedure

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

Implied

"olicy

Tes

98

Implied

"rocess

Tes

98

Oponal

>orm or 9emplate

Tes

98

Implied

"rocess

Tes

98

Oponal

>orm or 9emplate

Tes

"art of ISO2&1$

0e.uired

"olicy

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

0e.uired

"olicy

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

98

0e.uired

"rocedure

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

98

Implied

0ecord

Tes

"art of ISO2&%1

Implied

"rocess

Tes

98

Implied

0ecord

Tes

98

Oponal

>orm or 9emplate

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

Oponal

"olicy

Tes

98

Oponal

0ecord

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

Oponal

"olicy

Tes

98

Oponal

0ecord

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

0e.uired

"olicy

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

0e.uired

"olicy

Tes

98

Implied

0ecord

Tes

98

0e.uired

"rocedure

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

Implied

0ecord

Tes

98

Implied

"rocess

Tes

98

Implied

"rocess

Tes

98

Implied

"rocess

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

98

Implied

"lan

Tes

"art of ISO2&1$

Implied

"olicy

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

Oponal

"olicy

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

0e.uired

"olicy

Tes

98

Implied

0ecord

Tes

98

Implied

"rocedure

Tes

98

Implied

0ecord

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

98

0e.uired

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

98

Implied

"rocess

Tes

98

0e.uired

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

Oponal

"olicy

Tes

98

Oponal

0ecord

Tes

98

Implied

"rocedure

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

Oponal

"olicy

Tes

98

Oponal

0ecord

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

98

Implied

"lan

Tes

98

Implied

0ecord

Tes

98

Oponal

0ecord

Tes

"art of ISO2&1$

Oponal

"olicy

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

0e.uired

"olicy

Tes

98

Implied

0ecord

Tes

98

0e.uired

"rocedure

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

Oponal

"olicy

Tes

98

Oponal

0ecord

Tes

98

Oponal

>orm or 9emplate

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

Oponal

"olicy

Tes

98

Oponal

0ecord

Tes

98

Implied

"rocedure

Tes

98

Implied

0ecord

Tes

98

0e.uired

escripon

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

Oponal

"olicy

Tes

98

Oponal

0ecord

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

0e.uired

"olicy

Tes

98

Implied

0ecord

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

0e.uired

"olicy

Tes

98

Implied

0ecord

Tes

98

Oponal

>orm or 9emplate

Tes

98

Implied

0ecord

Tes

"art of ISO2&1$

Implied

"olicy

Tes

98

Implied

0ecord

Tes

98

Oponal

>orm or 9emplate

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

98

Implied

0ecord

Tes

98

Oponal

>orm or 9emplate

Tes

"art of ISO2&1$

Oponal

"olicy

Tes

98

Oponal

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

98

Implied

"rocedure

Tes

98

Implied

0ecord

Tes

98

Oponal

>orm or 9emplate

Tes

98

Oponal

0ecord

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

98

Oponal

>orm or 9emplate

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

98

Implied

0ecord

Tes

98

Implied

"rocedure

Tes

98

Implied

0ecord

Tes

98

Oponal

>orm or 9emplate

Tes

"art of ISO2&1$

Oponal

"olicy

Tes

98

Oponal

0ecord

Tes

98

Oponal

escripon

Tes

98

Oponal

0ecord

Tes

O#n oc

Oponal

>orm or 9emplate

No

98

Oponal

"lan

Tes

98

Oponal

0ecord

Tes

98

Oponal

"lan

Tes

98

Oponal

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Oponal

>orm or 9emplate

Tes

98

Oponal

>orm or 9emplate

Tes

98

0e.uired

"rocess

Tes

98

Implied

0ecord

Tes

98

0e.uired

"rocedure

Tes

98

Implied

0ecord

Tes

98

0e.uired

escripon

Tes

98

Implied

0ecord

Tes

98

Oponal

"lan

Tes

98

Oponal

0ecord

Tes

98

Implied

0ecord

Tes

98

Oponal

>orm or 9emplate

Tes

98

Oponal

"lan

Tes

98

Oponal

0ecord

Tes

98

Oponal

escripon

Tes

98

Oponal

0ecord

Tes

98

Oponal

"rocess

Tes

98

Oponal

0ecord

Tes

98

Oponal

"rocedure

Tes

98

Oponal

0ecord

Tes

98

Oponal

escripon

Tes

98

Oponal

0ecord

Tes

98

Oponal

0ecord

Tes

98

Oponal

>orm or 9emplate

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

98

0e.uired

escripon

Tes

98

0e.uired

0ecord

Tes

98

Implied

"rocedure

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

98

Implied

escripon

Tes

98

Implied

0ecord

Tes

"art of ISO2&3:

Implied

"rocedure

Tes

98

Implied

0ecord

Tes

98

Implied

0ecord

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

98

Implied

0ecord

Tes

98

Implied

"rocess

Tes

98

Implied

0ecord

Tes

98

Implied

0ecord

Tes

O#n oc

Oponal

escripon

No

O#n oc

Oponal

escripon

No

98

Oponal

"lan

No

98

Oponal

>orm or 9emplate

No

O#n oc

Oponal

"rocedure

No

O#n oc

Oponal

"olicy

No

"art of ISO2&1*

Oponal

>orm or 9emplate

No

O#n oc

Oponal

"rocedure

No

0e.uired

1*

"olicy

37

Implied

$$'

"rocess

1'

Oponal

%1

"rocedure

$:

"lan

''

escripon

*$

@ni.ue ocs

$3

>orm or 9emplate $$ 0ecord 9otal Included

'1

&

ISO 27001 Documents

?oicy

?rocess

?rocedure

?an

,escripon

Impemented

&

&

&

&

&

#ppro/ed

&

&

&

&

&

riAen

&

&

&

&

&

In ?rogress

&

&

&

&

&

aing

&

&

&

&

&

?.ase 2

&

&

&

&

&

Un+no7n

&

&

&

&

&

Total

&

&

&

&

&

ISO 27001 Documents Phase 1

?oicy

?rocess

?rocedure

?an

,escripon

Impemented

&

&

&

&

&

#ppro/ed

&

&

&

&

&

riAen

&

&

&

&

&

In ?rogress

&

&

&

&

&

Total

&

&

&

&

&

ge-ase/list2of2mandatory2documents2re.uired2-y2iso2$%&&'2$&'32revision/

Due

Status

Consultant O?ner

3st Consultant @rs

Customer Comments O?ner

Implemented

&

Approved

&

Qrien

&

In "rogress

&

Qaing

&

"hase $

&

@n(no#n

&

S(ipped

&

&

&orm or $empate

*ecord

Total

A

&

&

&

UIE/&V

&

&

&

UIE/&V

&

&

&

UIE/&V

&

&

&

UIE/&V

&

&

&

UIE/&V

&

&

&

UIE/&V

&

&

&

UIE/&V

&

&

0

UIE/&V

&orm or $empate

*ecord

Total

A

&

&

&

UIE/&V

&

&

&

UIE/&V

&

&

&

UIE/&V

&

&

&

UIE/&V

&

&

0

UIE/&V

*pproed 4#

Date ast *pproed

ocaon

Document (ame

ISO 27001 Project Template Pbmnpd (1)

Recommend Documents