ISO 27001 Project Tasks Last Updated: 2016-03-29
Columns: ISO 27001 Task | Section | Status | Resources / Customer
Phase 1: Develop the Information Security Management System (ISMS)   N/A

Initiation
  N/A | Approve the project
  N/A | Set up project communications
  N/A | Agree on the project timeline

Part 1: "Plan" (4)

Context of the organization
  N/A | Create document list
  N/A | Create an Organization Chart
  N/A | Identify Key Department Staff and Process Owners
  N/A | Create initial mapping of ISO 27001 controls to departments
  N/A | Schedule initial kickoff meetings
  N/A | Schedule first onsite travel for Consultant team
  N/A | Present the initial kickoff meetings
  N/A | Define the mapping of ISO 27001 controls to specific application/data owners

4.1 Understanding the organization and its context
  4.1 | Document external and internal relevant issues
  4.1 | Determine applicability

4.2 Understanding the needs and expectations of interested parties
  4.2.a | Document interested third parties
  4.2.b | Document requirements of interested third parties
  4.1, 4.2, 4.4, 5.1, 5.2.c-d, 5.3 | Draft the Information Security Policy

4.3 Determining the scope of the information security management system
  4.3 | Create the Scope document
  N/A | Discuss observations and pertinent details
  4.3.a | Include scope item
  4.3.a | Include Risk Register
  4.3.a | Include Risk Analysis Report
  4.3.a | Include Security Questionnaires
  4.3.b | Include scope item
  4.3.c | Include scope item
  N/A | Approve the Scope document

4.4 Information security management system
  4.4 | Document the ISMS

Leadership

5.1 Leadership and commitment
  5.1, 5.2.c-d | Commit to the Information Security Policy

5.2 Policy
  5.2.a-b | Establish the Information Security Policy
  N/A | Approve the Information Security Policy
  5.2.e | Document the Information Security Policy
  5.2.f | Internally publish the Information Security Policy
  5.2.g | Externally publish the Information Security Policy

5.3 Organizational roles, responsibilities, and authorities
  5.3 | Assign responsibilities and authority
  5.3.a | Ensure conformance with ISO 27001
  5.3.b | Ensure performance reporting

Planning

6.1 Actions to address risks and opportunities
6.1.1 General
  6.1.1.a | Ensure ISMS success
  6.1.1.b | Minimize adverse effects
  6.1.1.c | Build in continual improvement
  6.1.1.d | Plan actions to address risks and opportunities
  6.1.1.e.1 | Plan how to integrate these into ISMS processes
  6.1.1.e.2 | Plan how to evaluate effectiveness of actions
6.1.2 Information security risk assessment
  N/A | Provide initial control lists
  6.1.2.a | Define the risk criteria
  6.1.2.a.1 | Define the risk acceptance criteria
  6.1.2.a.2 | Define the risk assessment performance criteria
  6.1.2.b | Define the risk assessment process
  N/A | Develop the Risk Assessment Program in accordance with the NIST 800-30 Standard.
  6.1.2.c-d | Identify and analyze the information security risks
  6.1.2.c-d (part 1) | Review the most recent Risk Assessment
  6.1.2.c-d (part 2) | Review the most recent security audit results
  6.1.2.c-d (part 3) | Review the most recent risk questionnaires
  N/A | Create discussion documents
  6.1.2.c-d | Perform a Risk Assessment with each business unit
    6.1.2.c-d | Business unit: Information Security
    6.1.2.c-d | Business unit: Legal/Compliance
    6.1.2.c-d | Business unit: Internal Audit
    6.1.2.c-d | Business unit: IT
    6.1.2.c-d | Business unit: Engineering
    6.1.2.c-d | Business unit: Accounting
    6.1.2.c-d | Business unit: Finance/Strategy
    6.1.2.c-d | Business unit: M&A and Business Analysis
    6.1.2.c-d | Business unit: HR
    6.1.2.c-d | Business unit: Sales
    6.1.2.c-d | Business unit: Marketing
    6.1.2.c-d | Business unit: Customer Support
  6.1.2.e | Evaluate the information security risks
  6.1.2.e.1 | Review the identified risks against the criteria
  6.1.2.e.2 | Prioritize the risks

6.1.3 Information security risk treatment
  6.1.3 | Define the risk treatment process
  6.1.3.a | Treat the risks
  6.1.3.b | Select controls
  6.1.3.c | Compare selected controls to ISO 27001 controls
  N/A | Map the controls to the SOC framework
  6.1.3.d | Document a Statement of Applicability
  6.1.3.e | Create a Risk Treatment Plan
  6.1.3.f | Obtain risk acceptance/approval for mitigation

6.2 Information security objectives and planning to achieve them
  6.2 | Information security objectives and planning
  6.2.a-e | Define information security objectives
  6.2.f-j | Plan how to achieve information security objectives
  6.2.a-j | TBD: Function/level 1
  6.2.a-j | TBD: Function/level 2
  6.2.a-j | TBD: Function/level 3
  6.2.a-j | ?
Part 2: "Do" (7)

Support

7.1 Resources
  7.1 | Determine initial resource requirements
  N/A | Determine client project resources
  7.1 | Identify Internal Audit resource
  N/A | Provide estimate of Internal Audit cost
  7.1 | Select external audit/certification firm
  7.1 | Determine ongoing resource requirements

7.2 Competence
  7.2.a | Define competence requirements
  7.2.b | Evaluate competence of resources
  7.2.c (part 1) | Acquire competence
  7.2.c (part 2) | Evaluate effectiveness of actions taken
  7.2.d | Define record keeping for competence

7.3 Awareness
  7.3 | Security Awareness Training

7.4 Communication
  7.4 | Establish Communication

7.5 Documented information
  N/A | Agree on documents to be included
  N/A | Update Section 7.5.1 in this project plan
  7.5 | Create required documentation

7.5.1 General
  7.5.1.a | Scope of the ISMS (4.3)
  7.5.1.a | Information security policy and objectives (5.2 and 6.2)
  7.5.1.a | Risk assessment methodology (6.1.2)
  7.5.1.a | Risk treatment methodology (6.1.2)
  7.5.1.a | Statement of Applicability (6.1.3 d)
  7.5.1.a | Risk treatment plan (6.1.3 e and 6.2)
  7.5.1.a | Risk assessment report (8.2)
  7.5.1.a | Definition of security roles and responsibilities (A.7.1.2 and A.13.2.4)
  7.5.1.a | Inventory of assets (A.8.1.1)
  7.5.1.a | Acceptable use of assets (A.8.1.3)
  7.5.1.a | Access control policy (A.9.1.1)
  7.5.1.a | Operating procedures for IT management (A.12.1.1)
  7.5.1.a | Secure system engineering principles (A.14.2.5)
  7.5.1.a | Supplier security policy (A.15.1.1)
  7.5.1.a | Incident management procedure (A.16.1.5)
  7.5.1.a | Business continuity procedures (A.17.1.2)
  7.5.1.a | Statutory, regulatory, and contractual requirements (A.18.1.1)
  7.5.1.a | Create templates for required records
  7.5.1.a | Competence (7.2)
  7.5.1.a | Monitoring and measurement results (9.1)
  7.5.1.a | Change control records (implied in 8.1)
  7.5.1.a | Internal audit program (9.2)
  7.5.1.a | Results of internal audits (9.2)
  7.5.1.a | Results of the management review (9.3)
  7.5.1.a | Results of corrective actions (10.1)
  7.5.1.a | Logs of user activities, exceptions, and security events (A.12.4.1 and A.12.4.3)
  7.5.1.b | Create documentation as appropriate

7.5.2 Creating and updating
  7.5.2 | Define document creation and updating process
  7.5.2.a-b | Ensure appropriate content, format, and media
  7.5.2.c | Ensure acceptability of ISMS documents
  N/A | Perform review of ISMS documentation

7.5.3 Control of documented information
  7.5.3 | Define control of ISMS documentation
  7.5.3.a | Availability
  7.5.3.b | Protection
  7.5.3 | Document control of ISMS documentation
  7.5.3.c | Transmission and access
  7.5.3.d | Storage
  7.5.3.e | Version control
  7.5.3.f | Retention and destruction
  7.5.3.g | Identification of externally originating documents
  N/A | Create document management and workflow
  N/A | Setup project document repository

Operation

8.1 Operational planning and control
  8.1 | Implement operational planning and control
  8.1 | Implement record keeping for operational control
  8.1 | Implement change control
  8.1 | Control of outsourced processes
  8.1 | Create operational control records

8.2 Information security risk assessment
  8.2 | Schedule information security risk assessments
  8.2 | Specify criteria for unscheduled risk assessments
  8.2 | Define record keeping for risk assessments
  8.2 | Create risk assessment records

8.3 Information security risk treatment
  8.3 | Implement the information security risk treatment plan
  8.3 | Implement record keeping for risk treatments
  8.3 | Create risk treatment records
Part 3: "Check" (9)

Performance evaluation

9.1 Monitoring, measurement, analysis, and evaluation
  9.1.a-f | Document the evaluation process
  9.1 | Define record keeping for monitoring and measurement
  9.1 | Create monitoring and measurement records

9.2 Internal audit
  9.2.a-f | Document the audit program
  9.2.g | Define record keeping for internal audit

9.3 Management review
  9.3 | Document the management review process
  9.3 | Define record keeping for management review

Part 4: "Act" (10)

Improvement

10.1 Nonconformity and corrective action
  10.1.a-e | Document the process for response to nonconformities
  10.1.f-g | Define record keeping for corrective action

10.2 Continual improvement
  10.2 | Commit to continual improvement

Phase 2: Test and Audit the ISMS

I. Internal Audit
  Internal Audit | Project manage and perform internal audit
  Internal Audit | Coordinate remediation
  Internal Audit | Management review

II. External Audit (Part 1)
  Stage 1 Audit | Coordinate the Stage 1 audit schedule and activities
  Stage 1 Audit | Gather supporting evidence
  Stage 1 Audit | Finish compiling evidence
  Stage 1 Audit | Review Stage 1 audit findings
  Stage 1 Audit | Coordinate remediation

III. External Audit (Part 2)
  Stage 2 Audit | Coordinate the Stage 2 audit schedule and activities
  Stage 2 Audit | Obtain evidence requirements list
  Stage 2 Audit | Gather required evidence

Phase 3: Achieve Certification

I. Finalize Certification
  ISO 27001 Certification | Receive official certification

Resources / Consultant

ISO 27001 Implementation and Certification Task Details and Next Steps
Schedule weekly status meetings for the duration of the project. Confirm the timing for the various work steps and key milestones based on the external certification firm's audit schedule, Customer's timing boundaries and availability of key contacts, and Consultant team's schedule.
Create a comprehensive list of documents for consideration for inclusion in the ISMS. Add details for key staff to the PM workbook. Create a visual organization chart. Create an initial mapping of ISO 27001 controls to departments, indicating the expected applicability of each. Use the data to estimate the required interview time for each department. Provide the control mappings to the corresponding departments for initial feedback and to help them become familiar with the items of future discussions.
Meet key subject matter experts (SMEs) and Customer committee members, and lay out the project plan and timeline. Meet with business unit leaders together to determine the breakdown of future groups/meetings (based on which data/applications they use). Determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its ISMS. Document external and internal issues relevant to the company's purpose and that affect its ability to achieve the ISMS goals. Review with each Business Unit the ISO 27001 Requirements (Annex A), results of recent risk analyses and/or related initiatives, and Questionnaire results. Determine relevant interested parties and their requirements. Document interested parties that are relevant to the ISMS. Document the requirements of these interested parties relevant to information security. Include or reference the following items: 1) External and internal issues relevant to the company's purpose and that affect its ability to achieve the ISMS goals (4.1); 2) Interested parties and their requirements/objectives (4.2); 3) Statement of leadership commitment (5.1, 5.2.c, 5.2.d); 4) Assignment of key roles and responsibilities (by titles) (5.3).
Determine the boundaries and applicability of the ISMS.
Create the Scope document as defined below. Review any observations prior to the start of the project. Include external and internal issues relevant to the company's purpose and that affect its ability to achieve the ISMS goals. Review the most recent risk analysis, and include the recommendations to be addressed in the Scope document. Map the results of any recent risk analyses to the ISO 27001 requirements. Include the ones to be addressed in the Scope document. Map the results of the internal security questionnaires to the ISO 27001 requirements. Include the ones to be addressed in the Scope document. Include interested parties and their requirements/objectives. Include interfaces and dependencies between internal and external activities (these may be specified in the Information Security Policy). Approve the Scope document. Establish, implement, maintain and continually improve the ISMS. Create the ISMS Master Document. Demonstrate leadership and commitment with respect to the ISMS. Have senior leadership review the Information Security Policy and sign off on the commitments specified in Sections 5.1, 5.2.c, and 5.2.d of the standard. Establish an information security policy. Document the Information Security Policy, making sure that it: a) is appropriate to the purpose of the organization and b) includes the information security objectives determined in Section 6.2. Have senior leadership review the Information Security Policy and formally approve (sign off on) it. Document the Information Security Policy. Publish and announce the Information Security Policy to internal staff.
Publish and announce the Information Security Policy to external stakeholders and interested parties. Ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. Assign responsibilities and authority for ensuring that the ISMS conforms to the requirements of ISO 27001:2013. Assign responsibilities and authority for reporting on the performance of the ISMS to top management. Address risks and opportunities related to the ISMS. Include internal and external issues and interested parties and their requirements when planning for the ISMS. Determine and document risks and opportunities (based on the results of Sections 4.1 and 4.2) that need to be addressed to ensure the information security management system can achieve its intended outcome(s). Determine and document risks and opportunities (based on the results of Sections 4.1 and 4.2) that need to be addressed to prevent, or reduce, undesired effects. Determine and document risks and opportunities (based on the results of Sections 4.1 and 4.2) that need to be addressed to achieve continual improvement. Plan actions to address the risks and opportunities determined in Sections 6.1.1.a-c. Plan how to integrate and implement the actions determined in Section 6.1.1.d into the ISMS processes. Plan how to evaluate the effectiveness of the actions implemented in Section 6.1.1.e.1.
Discuss which business units should receive initial control lists. Define and apply an information security risk assessment process. Define and document the Risk Assessment criteria. Define and document the risk acceptance criteria. Define and document the criteria for performing information security risk assessments. Define and document the Risk Assessment process. Review the Risk Assessment Program and align it with NIST Special Publication 800-30 Revision 1. Apply the information security risk process: identify the risk owners, analyze the impact and likelihood of each risk, and combine these to specify the level of each risk. Review the most recent risk assessment. Review the most recent security audit. Review results from the Customer business units' Internal Risk Analysis Scoping Questionnaires. Combine the responses from the internal Security Questionnaires, ISO 27001 controls, and the set of additional discussion items into a single document for each business unit. Facilitate discussions with each business unit regarding their processes, applicable ISO 27001 controls, and answers to the security questionnaires.
Evaluate the information security risks. Compare the results of risk analysis with the risk criteria established in 6.1.2.a. Rank the risks by level (as determined in Section 6.1.2.c-d). Define and apply an information security risk treatment process. Define and document the risk treatment process. For each risk identified in the Risk Assessment, select a risk treatment option (Accept, Mitigate, Transfer, or Avoid). For each risk to be mitigated, determine the controls to be implemented. Compare the selected controls to the 114 controls in ISO 27001 Annex A, and include all relevant controls from the Annex. SOW Step 1: ISO 27001 Annex A controls and documentation mapping; align with the existing SOC framework where relevant.
Produce a Statement of Applicability that contains the necessary controls (see 6.1.3.b-c) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A. Document the Risk Treatment Plan. For each Risk Treatment Plan item, review with the business unit managers and get their sign-off for each risk's treatment option. Establish information security objectives. For each function/level determined in Section 6.2, work with the business owners to determine and document the corresponding information security objectives. Make sure they: a) are consistent with the information security policy; b) are measurable (if practicable); c) take into account applicable information security requirements, and results from risk assessment and risk treatment; d) are communicated; and e) are updated as appropriate.
For each objective determined in Section 6.2, work with the business owners to plan how to achieve the objectives by determining: f) what will be done; g) what resources will be required (see Section 7.1); h) who will be responsible; i) when it will be completed; and j) how the results will be evaluated.
Determine and provide the resources needed for the ISMS. Determine and document the resources required to establish and implement the ISMS. Determine the client resource to attend meetings with client process owners. SOW Step 10: Customer PM has selected Consultant to perform the internal audit function for this project. As appropriate and possible, provide an estimate of internal audit costs, and coordinate the appropriate resource and scheduling. Assist Customer with the selection of the external certification firm. This needs to be initiated early in the project in order to ensure that the firm can schedule and prepare for the audit and certification within our timeframe. Determine and document the resources required to maintain and continuously improve the ISMS. Ensure appropriate competence for all persons whose work affects information security performance. Define and document the necessary competence of all staff who affect the performance of information security. Review the competence of the corresponding personnel based on the criteria defined in Section 7.2.a (e.g., education, training, and experience).
Take actions to bring all relevant personnel to the required levels of competence. Evaluate the effectiveness of actions taken to ensure the competence of relevant staff. Retain documented evidence of competence (and records of competence evaluations). Ensure appropriate security awareness for all persons doing work under the organization's control. Review the current security awareness program, and enhance it as necessary to ensure that all personnel are aware of: a) the information security policy; b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and c) the implications of not conforming with the information security management system requirements.
Determine and document the need for internal and external communications relevant to the ISMS. Determine the need for internal and external communications relevant to the ISMS including: a) on what to communicate; b) when to communicate; c) with whom to communicate; d) who shall communicate; and e) the processes by which communication shall be effected.
Documented information pertinent to the organization and the ISMS shall be included. Confirm the documents intended to be included in the ISMS implementation, and obtain approval from Customer PM. Update Section 7.5.1 below with the documents to be included. Develop the ISO 27001 Required Documents section in accordance with sections 4-8 of the 2013 Standard. Ensure Policies and Procedures Documentation is updated or developed to support the relevant Annex A controls. The ISMS shall include required documented information.
Create this document (one entry for each of the required documents listed under Section 7.5.1; the Risk treatment methodology entry is marked "Check with R.").
Create record templates as evidence of competence (e.g., records of training, skills, experience and qualifications) (7.2). Create this document (one entry for each of the required records listed under Section 7.5.1). Determine and create any additional documents necessary for the effectiveness of the ISMS. See the Documents worksheet. When creating and updating documented information, appropriate measures will be taken. Define the content, format, media, and review/approval process for the ISMS documentation. Review the ISMS documents and ensure appropriate: a) identification and description (e.g. a title, date, author, or reference number); b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic). Review the ISMS documents for suitability and adequacy, and approve them. Quality Review: address completeness and accuracy of the entire documentation set. Documented information required by the ISMS shall be controlled. Determine and document how the ISMS documented information will be controlled in regards to the following: a) availability and suitability; b) protection (e.g., from loss of confidentiality, improper use, or loss of integrity). Document the policies, procedures, and controls for the ISMS documentation pertaining to: c) distribution, access, retrieval and use; d) storage and preservation, including the preservation of legibility; e) control of changes (e.g. version control); f) retention and disposition; g) identification and inclusion of externally originating ISMS documented information. Set up document management to manage the project documentation components, including the ability to handle version control, workflow, and approvals. Create and specify a shared Customer location for the project documentation. Plan, implement and control the processes needed to meet information security requirements. Implement the actions and plans determined in Sections 6.1 and 6.2. Define the requirements for keeping records as evidence that processes have been carried out as planned. Document and implement change control policies and procedures, including response to unintended changes and mitigation of adverse effects. Document outsourced processes and how they are controlled. Bring this up during facilitated discussions with the business units. Create the appropriate operational control records. Perform information security risk assessments. Specify the schedule of risk assessments.
Determine triggers ("when significant changes are proposed or occur") for unscheduled risk assessments. Define the requirements for keeping records as evidence that risk assessments have been carried out as planned, and their results. Create the appropriate risk assessment records. Perform information security risk treatment. Implement the risk treatment plan documented and approved in Sections 6.1.3.e-f. Define the requirements for keeping records as evidence that risk treatments have been carried out as planned, and their results. Create the appropriate risk treatment records.
Evaluate the information security performance and the effectiveness of the ISMS. Document the methodology to evaluate the performance and effectiveness of the ISMS. Determine what needs to be monitored and measured, including information security processes and controls; the methods for monitoring, measurement, analysis and evaluation; when the monitoring and measuring shall be performed; who shall perform the monitoring and measuring; when the results from monitoring and measurement shall be analyzed and evaluated; and who shall analyze and evaluate these results. Define the requirements for keeping records as evidence that monitoring and measurement have been carried out as planned, and their results. Create the appropriate monitoring and measurement records. Plan, establish, implement and maintain an internal audit program. Determine and document the methodology to evaluate the performance and effectiveness of the ISMS. Specify the frequency, methods, responsibilities, planning requirements, and reporting. Also specify how the audit criteria and scope will be defined for each audit; how auditors will be selected and audits will be conducted to ensure objectivity and impartiality of the audit process; how and to whom the audit results will be reported; and the records to be retained as evidence of the audit program and the results of each audit. Define the requirements for the records to be retained as evidence of the audit program and the results of each audit. Review the ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness. Document the management review process including: a) reviews of the status of actions from previous management reviews; b) changes in external and internal issues that are relevant to the ISMS; c) feedback on the information security performance (including trends in: 1) nonconformities and corrective actions, 2) monitoring and measurement results, 3) audit results, and 4) fulfilment of information security objectives); d) feedback from interested parties; e) results of risk assessment and status of the risk treatment plan; and f) opportunities for continual improvement. The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
Define the requirements for keeping records as evidence that management reviews have been carried out as planned, and their results.
React appropriately to nonconformities.
Document the process for response to nonconformities, including how the organization: a) reacts to the nonconformity and, as applicable, 1) takes action to control and correct it and 2) deals with the consequences; b) evaluates the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by 1) reviewing the nonconformity, 2) determining the causes of the nonconformity, and 3) determining if similar nonconformities exist, or could potentially occur; c) implements any action needed; d) reviews the effectiveness of any corrective action taken; and e) makes changes to the ISMS, if necessary.
Define the requirements for keeping records as evidence of f) the nature of the nonconformities and any subsequent actions taken, and g) the results of any corrective action. Continually improve the suitability, adequacy and effectiveness of the ISMS. No tasks.
Coordinate and perform the internal audit. Coordinate the Internal Audit. Coordinate remediation in preparation for the Part 1 audit. Facilitate management review of the internal audit findings. Coordinate the Stage 1 audit. Coordinate the Stage 1 audit. Begin pulling together the supporting evidence for the Stage 2 audit. Finish compiling evidence for the Stage 2 audit. Facilitate management review of the Stage 1 audit findings. Coordinate remediation in prep for the Stage 2 audit. Coordinate the Stage 2 audit. Coordinate the external certification firm's ISO 27001 Stage 2 audit. Obtain evidence requirements listings from the external certification firm. Coordinate the evidence gathering.
Coordinate ISO 27001 certification. Coordinate the draft and finalization of the certification.
ISO 27001 Annex A Control List and Statement of Applicability   Last Updated: 2016-02-16

Oversight ISO 27001 Controls

Columns: Control ID | Section/Control Title | Section Objective/Control Description | applicability by business unit: Information Security; Legal/Compliance; Internal Audit; Technical (TO Infrastructure, IT Corp, TO Engineering); Finance (Finance Strategy, Accounting, Finance M&A and Business Analysis); Other (HR, Sales, Marketing, Customer Support)

ISO 27001 Statement of Applicability (SoA) columns: Control Justification (Legal / Regulatory / Contractual; code columns C, L, R, O) | Inclusion | Existing Controls | Comments | Suggested Effectiveness Measurement(s)
A.5 Information security policies
A.5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
A.5.1.1 Policies for information security
Control: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
Measurement: Review policies on an annual basis and look for security issues related to policy controls. Discuss the effectiveness of the review process with the management team.
A.5.1.2 Review of the policies for information security
Control: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
A.6 Organization of information security
A.6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
A.6.1.1 Information security roles and responsibilities
Control: All information security roles and responsibilities shall be defined and allocated.
Measurement: Perform an annual review of information security roles and responsibilities.
A.6.1.2 Segregation of duties
Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
Measurement: Perform an annual review of the segregation of duties requirements in the security policies as well as a review of any segregation of duties related security incidents.
A.6.1.3 Contact with authorities
Control: Appropriate contacts with relevant authorities shall be maintained.
Measurement: Verify contact information on an annual basis during the policy and procedure review.
A.6.1.4 Contact with special interest groups
Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
Measurement: Review the group memberships on an annual basis, measure their industry contribution and consider new groups if available.
A.6.1.5 Information security in project management
Control: Information security shall be addressed in project management, regardless of the type of the project.
Measurement: Audit the security incidents to identify any incidents related to the releases.
A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.
A.6.2.1 Mobile device policy
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
Measurement: Review the number of mobile device related security instances.
A.6.2.2 Teleworking
Control: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.
Measurement: Review the number of mobile workers and security incidents involving offsite work.
A.7 Human resource security
A.7.1 Prior to employment
Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
A.7.1.1 Screening
Control: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Measurement: Audit the service level agreement with HR.
A.7.1.2 Terms and conditions of employment
Control: The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security.
Measurement: Review the employee handbook.
A.7.2 During employment
Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.
A.7.2.1 Management responsibilities
Control: Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.
Measurement: Ensure all employees attest to agreeing to the Employee Handbook at least once a year.
A.7.2.2 Information security awareness, education and training
Control: All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
Measurement: Survey after training, 100% attendance by Ops and 10 question quiz scores.
A.7.2.3 Disciplinary process
Control: There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
Measurement: Verify employees have signed off on the employee handbook and gather feedback on the disciplinary process from HR.
A.7.3 Termination and change of employment
Objective: To protect the organization's interests as part of the process of changing or terminating employment.
A.7.3.1 Termination or change of employment responsibilities
Control: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.
Measurement: Perform a quarterly user account and access audit to ensure that access was revoked for all terminated employees.
A.8 Asset management
A.8.1 Responsibility for assets
Objective: To identify organizational assets and define appropriate protection responsibilities.
A.8.1.1 Inventory of assets
Control: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
Measurement: Perform a biannual audit to ensure that assets are tracked in the system of record.
A.8.1.2 Ownership of assets
Control: Assets maintained in the inventory shall be owned.
Measurement: Perform an annual audit to ensure asset owners are accurate.
A.8.1.3 Acceptable use of assets
Control: Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.
Measurement: Evaluate the number of issues or disciplinary actions related to acceptable use of company assets.
A.8.1.4 Return of assets
Control: All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.
Measurement: Perform an annual audit to ensure that terminated employees returned their equipment.
A.8.2 Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
A.8.2.1 Classification of information
Control: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
Measurement: Perform an annual information security policy review and review any security incidents related to the classification of sensitive information.
A.8.2.2 Labelling of information
Control: An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Measurement: Perform an annual information security policy review and review any security incidents related to the labeling of sensitive information.
A.8.2.3 Handling of assets
Control: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Measurement: Perform an annual information security policy review and review any security incidents related to the handling of sensitive information.
A.8.3 Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.
A.8.3.1 Management of removable media
Control: Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.
Measurement: Assess the use of removable media and any security incidents involving removable media.
A.8.3.2 Disposal of media
Control: Media shall be disposed of securely when no longer required, using formal procedures.
Measurement: Assess the media disposal practices.
A.8.3.3 Physical media transfer
Control: Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.
A.9 Access control
A.9.1 Business requirements of access control
Objective: To limit access to information and information processing facilities.
A.9.1.1 Access control policy
Control: An access control policy shall be established, documented and reviewed based on business and information security requirements.
Measurement: Perform a quarterly user account and access audit.
A.9.1.2 Access to networks and network services
Control: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.
Measurement: Perform a quarterly user account and access audit.
A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.
A.9.2.1 User registration and de-registration
Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
Measurement: Perform a quarterly user account and access audit.
A.9.2.2 User access provisioning
Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.
Measurement: Perform a quarterly user account and access audit.
A.9.2.3 Management of privileged access rights
Control: The allocation and use of privileged access rights shall be restricted and controlled.
Measurement: Perform a quarterly user account and access audit.
A.9.2.4 Management of secret authentication information of users
Control: The allocation of secret authentication information shall be controlled through a formal management process.
Measurement: Perform a quarterly user account and access audit.
A.9.2.5 Review of user access rights
Control: Asset owners shall review users' access rights at regular intervals.
Measurement: Perform a quarterly user account and access audit.
A.9.2.6 Removal or adjustment of access rights
Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
Measurement: Perform a quarterly user account and access audit.
A.9.3 User responsibilities
Objective: To make users accountable for safeguarding their authentication information.
A.9.3.1 Use of secret authentication information
Control: Users shall be required to follow the organization's practices in the use of secret authentication information.
A.9.4 System and application access control
Objective: To prevent unauthorized access to systems and applications.
A.9.4.1 Information access restriction
Control: Access to information and application system functions shall be restricted in accordance with the access control policy.
A.9.4.2 Secure logon procedures
Control: Where required by the access control policy, access to systems and applications shall be controlled by a secure logon procedure.
Measurement: Perform an annual information security policy review and review any security incidents related to authentication information.
A.9.4.3 Password management system
Control: Password management systems shall be interactive and shall ensure quality passwords.
Measurement: Review password requirements during the annual policy review and review any security incidents related to passwords.
A.9.4.4 Use of privileged utility programs
Control: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
Measurement: Perform a quarterly user account and access audit.
A.9.4.5 Access control to program source code
Control: Access to program source code shall be restricted.
Measurement: Perform a quarterly user account and access audit.
A.10 Cryptography
A.10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
A.10.1.1 Policy on the use of cryptographic controls
Control: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
Measurement: Review encryption requirements during the annual policy review and review any security incidents related to information exposure.
A.10.1.2 Key management
Control: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.
Measurement: Review encryption requirements during the annual policy review and review any security incidents related to information exposure.
A.11 Physical and environmental security
A.11.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.
A.11.1.1 Physical security perimeter
Control: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.
Measurement: Perform an annual review of the data center SOC/ISO reports.
A.11.1.2 Physical entry controls
Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
Measurement: Perform an annual review of the data center SOC/ISO reports.
A.11.1.3 Securing offices, rooms and facilities
Control: Physical security for offices, rooms and facilities shall be designed and applied.
Measurement: Perform an annual review of the data center SOC/ISO reports.
A.11.1.4 Protecting against external and environmental threats
Control: Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
Measurement: Perform an annual review of the data center SOC/ISO reports.
A.11.1.5 Working in secure areas
Control: Procedures for working in secure areas shall be designed and applied.
Measurement: Perform an annual information security policy review.
A.11.1.6 Delivery and loading areas
Control: Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
Measurement: Review security incidents related to unauthorized physical access.
A.11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.
A.11.2.1 Equipment siting and protection
Control: Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
Measurement: Perform an annual information security policy review. Annual review of SOC/ISO reports.
A.11.2.2 Supporting utilities
Control: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
Measurement: Perform an annual information security policy review. Annual review of SOC/ISO reports.
A.11.2.3 Cabling security
Control: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.
Measurement: Perform an annual information security policy review. Annual review of SOC/ISO reports.
A.11.2.4 Equipment maintenance
Control: Equipment shall be correctly maintained to ensure its continued availability and integrity.
Measurement: Annual equipment audit to ensure replacement of nonsupported hardware.
A.11.2.5 Removal of assets
Control: Equipment, information or software shall not be taken offsite without prior authorization.
Measurement: Perform an annual information security policy review. Annual review of SOC/ISO reports.
A.11.2.6 Security of equipment and assets off-premises
Control: Security shall be applied to offsite assets taking into account the different risks of working outside the organization's premises.
Measurement: Perform an annual information security policy review.
A.11.2.7 Secure disposal or reuse of equipment
Control: All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or reuse.
Measurement: Perform an annual information security policy review.
A.11.2.8 Unattended user equipment
Control: Users shall ensure that unattended equipment has appropriate protection.
Measurement: Perform an annual information security policy review.
A.11.2.9 Clear desk and clear screen policy
Control: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.
Measurement: Perform an annual information security policy review.
A.12 Operations security
A.12.1 Operational procedures and responsibilities
Objective: To ensure correct and secure operations of information processing facilities.
A.12.1.1 Documented operating procedures
Control: Operating procedures shall be documented and made available to all users who need them.
Measurement: Perform an annual procedures audit.
A.12.1.2 Change management
Control: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.
Measurement: Annual review of the change management process.
A.12.1.3 Capacity management
Control: The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.
Measurement: Review the number of security or availability issues related to capacity management.
A.12.1.4 Separation of development, testing and operational environments
Control: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.
Measurement: Review the requirements and any security incidents related to system isolation.
A.12.2 Protection from malware
Objective: To ensure that information and information processing facilities are protected against malware.
A.12.2.1 Controls against malware
Control: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
Measurement: Review the number of security incidents and impacts related to malware.
A.12.3 Backup
Objective: To protect against loss of data.
A.12.3.1 Information backup
Control: Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.
Measurement: Success of restore procedures. Log of restores required.
A.12.4 Logging and monitoring
Objective: To record events and generate evidence.
A.12.4.1 Event logging
Control: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
Measurement: Annual review to confirm log file information is still sufficient and the availability of the log files meets management/customer expectations.
A.12.4.2 Protection of log information
Control: Logging facilities and log information shall be protected against tampering and unauthorized access.
Measurement: Annual review of controls and measure number of log related security events.
A.12.4.3 Administrator and operator logs
Control: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
Measurement: Annual review of the administrator access logging capabilities.
A.12.4.4 Clock synchronisation
Control: The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source.
Measurement: Annual audit of time synchronization.
A.12.5 Control of operational software
Objective: To ensure the integrity of operational systems.
A.12.5.1 Installation of software on operational systems
Control: Procedures shall be implemented to control the installation of software on operational systems.
Measurement: Annual review of system failures and related security and operational system incidents.
A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.
A.12.6.1 Management of technical vulnerabilities
Control: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
Measurement: Review the number of failures due to not acting on system vulnerabilities.
A.12.6.2 Restrictions on software installation
Control: Rules governing the installation of software by users shall be established and implemented.
Measurement: Perform an annual information security policy review.
A.12.7 Information systems audit considerations
Objective: To minimise the impact of audit activities on operational systems.
A.12.7.1 Information systems audit controls
Control: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.
Measurement: Perform an annual information security policy and procedures review.
A.13 Communications security
A.13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.
A.13.1.1 Network controls
Control: Networks shall be managed and controlled to protect information in systems and applications.
Measurement: Perform an annual information security policy and procedures review.
A.13.1.2 Security of network services
Control: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.
Measurement: Review vendor SLAs.
A.13.1.3 Segregation in networks
Control: Groups of information services, users and information systems shall be segregated on networks.
Measurement: Perform an annual information security policy and procedures review.
A.13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.
A.13.2.1 Information transfer
Measurement: Perform an annual information security policy and procedures review.
A.13.2.2 Agreements on information transfer
Control: Agreements shall address the secure transfer of business information between the organization and external parties.
Measurement: Review 3rd party contract language on an annual basis.
A.13.2.3 Electronic messaging
Control: Information involved in electronic messaging shall be appropriately protected.
Measurement: Perform an annual information security policy and procedures review.
A.13.2.4 Confidentiality or nondisclosure agreements
Control: Requirements for confidentiality or nondisclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.
Measurement: Review the Legal SLA.
A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
A.14.1.1 Information security requirements analysis and specification
Control: The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.
Measurement: Perform a review of the Release Management and Software Deployment document.
A.14.1.2 Securing application services on public networks
Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
0nsure the use of SS18T1S is appropriate.
A.14.1.3
rotecting application services transactions
Information involved in application service transactions shall be protected to prevent incomplete incomplete transmission( misrouting( unauthorized message alteration( unauthorized disclosure( unauthorized message duplication or replay. replay.
0nsure the use of SS18T1S is appropriate.
A.14.2
Security in development $b%ective& To To ensure that information security is designed and and support processes implemented within the development lifecycle of information systems.
A.14.2.1
Secure development policy
Rules for the development of software and systems shall be established and applied to developments within the organization.
Review the Engineering SLA.
A.14.2.2
System change control procedures
Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.
Review the change management process.
A.14.2.3
Technical review of applications after operating platform changes
When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
Review whether or not operating platforms changed and, if so, whether or not an application review was performed.
A.14.2.4
Restrictions on changes to software packages
Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.
Perform a review of the Release Management and Software Deployment document.
A.14.2.5
Secure system engineering principles
Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
Review the Engineering SLA.
A.14.2.6
Secure development environment
Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
Review the Engineering SLA.
A.14.2.7
Outsourced development
The organization shall supervise and monitor the activity of outsourced system development.
A.14.2.8
System security testing
Testing of security functionality shall be carried out during development.
Review the Engineering SLA and perform a review of the Release Management and Software Deployment document.
A.14.2.9
System acceptance testing
Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
Perform a review of the Release Management and Software Deployment document.
A.14.3
Test data
A.14.3.1
Protection of test data
Objective: To ensure the protection of data used for testing. Test data shall be selected carefully, protected and controlled.
A.15
Supplier relationships
Review the master information security policy and the Engineering SLA.
A.15.1
Information security in supplier relationships
To ensure protection of the organization's assets that is accessible by suppliers.
A.15.1.1
Information security policy for supplier relationships
Information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented.
Audit all failures due to supplier security events.
A.15.1.2
Addressing security within supplier agreements
All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information.
Audit all failures due to supplier security events.
A.15.1.3
Information and communication technology supply chain
Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.
A.15.2
Supplier service delivery management
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.
Audit all failures due to supplier security events.
A.15.2.1
Monitoring and review of supplier services
Organizations shall regularly monitor, review and audit supplier service delivery.
Supplier review results.
A.15.2.2
Managing changes to supplier services
Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and reassessment of risks.
Supplier review results.
A.16
Information security incident management
A.16.1
Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
A.16.1.1
Responsibilities and procedures
Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
Perform a review of the incident response procedures.
A.16.1.2
Reporting information security events
Information security events shall be reported through appropriate management channels as quickly as possible.
Perform a review of the incident response procedures.
A.16.1.3
Reporting information security weaknesses
Employees and contractors using the organization's information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.
Perform a review of the incident response procedures.
A.16.1.4
Assessment of and decision on information security events
Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.
Perform a review of the incident response procedures.
A.16.1.5
Response to information security incidents
Information security incidents shall be responded to in accordance with the documented procedures.
Perform a review of the incident response procedures.
A.16.1.6
Learning from information security incidents
Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.
Perform a review of the incident response procedures.
A.16.1.7
Collection of evidence
The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.
Perform a review of the incident response procedures.
A.17
Information security aspects of business continuity management
A.17.1
Information security continuity
Objective: Information security continuity shall be embedded in the organization's business continuity management systems.
A.17.1.1
Planning information security continuity
The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
Review the BC/DR table top test results.
A.17.1.2
Implementing information security continuity
The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
Review the BC/DR table top test results.
A.17.1.3
Verify, review and evaluate information security continuity
The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
Review the BC/DR table top test results.
A.17.2
Redundancies
Objective: To ensure availability of information processing facilities.
A.17.2.1
Availability of information processing facilities
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
Review any incidents related to the availability of the data centers.
A.18
Compliance
A.18.1
Compliance with legal and contractual requirements
A.18.1.1
Identification of applicable legislation and contractual requirements
All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.
Review the Legal SLA.
A.18.1.2
Intellectual property rights
Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.
Perform an annual information security policy and procedures review.
A.18.1.3
Protection of records
Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.
Perform an annual information security policy and procedures review.
A.18.1.4
Privacy and protection of personally identifiable information
Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
Annual review of privacy policy and privacy related incidents.
A.18.1.5
Regulation of cryptographic controls
Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
Review the Legal SLA.
A.18.2
Information security reviews
Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.
A.18.2.1
Independent review of information security
The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.
Annual review of internal audit and management review findings.
A.18.2.2
Compliance with security policies and standards
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
Annual review of internal audit and management review findings.
A.18.2.3
Technical compliance review
Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.
Annual review of internal audit and management review findings.
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
ISO 27001 Documents Last Updated: 2016-02-11
Doc ID | ISO 27001 Clause | Doc Short Description
692&&' | N/A | ISMS Master Document
ISO-001 | 4.1 | External and internal issues relevant to the company's purpose and that affect its ability to achieve the ISMS goals
ISO-002 | 4.1 | Procedure for Identifying Interested Parties and their relevant Requirements
ISO-003 | 4.2 | Interested Parties and their relevant Requirements
ISO-004 | 4.3 | ISMS Scope
ISO-005 | 4.4 | Evidence of ISMS Implementation
ISO-006 | 5.1 | ISMS Requirements
ISO-007 | 5.2 | Information Security Policy
ISO-008 | 6.1.1 | ISMS Risks and Opportunities
ISO-009 | 6.1.1 | Action Plan to Address Risks and Opportunities
ISO-010 | 6.1.2 | Information Security Risk Assessment Methodology
ISO-011 | 6.1.2 | Risk Assessment Report
ISO-012 | 6.1.2 | Risk Assessment Template
ISO-013 | 6.1.3 | Information Security Risk Treatment Methodology
ISO-014 | 6.1.3.d | Statement of Applicability
ISO-015 | 6.1.3.e | Risk Treatment Plan
ISO-016 | 6.1.3 | Risk Treatment Report
ISO-017 | 6.2 | Information Security Objectives
ISO-018 | 6.2 | Plan to Achieve Information Security Objectives
ISO-019 | 7.1 | ISMS Required Resources
ISO-020 | 7.2.a | Description of Necessary Competence
ISO-021 | 7.2 7.2.c | Competence Determination/Review Procedure
ISO-022 | 7.2.c | Competence Achievement Plan
ISO-023 | 7.2.d | Evidence of Competence
ISO-024 | 7.3 | Security Awareness Program
ISO-025 | 7.4 | Security Awareness Training Slide Deck
ISO-026 | 7.4 | Communication Process
ISO-027 | 7.5.1.b | Documented information determined by the organization as being necessary for the effectiveness of the ISMS
ISO-028 | 7.5.2 7.5.3 | Document Control Policy (including Creating and Updating Requirements and Control of Records)
ISO-029 | 7.5.2 7.5.3 | Document Control Methodology (including Creating and Updating Requirements and Control of Records)
ISO-030 | 8.1 | Evidence of completion of the Plan to Achieve Information Security Objectives
ISO-031 | 8.1 | Determination and Control of Outsourced Processes
ISO-032 | 8.2 | Results of the Information Security Risk Assessment (Risk Assessment Report)
ISO-033 | 8.3 | Results of the Information Security Risk Treatment (Risk Treatment Report)
ISO-034 | 9.1 | Monitoring and Measurement Methodology
ISO-035 | 9.1 | Evidence of the Monitoring and Measurement Results
ISO-036 | 9.1 | Analysis and Evaluation Methodology
ISO-037 | 9.1 | Evidence of the Analysis and Evaluation Results
ISO-038 | 9.2 A.12.7.1 | Internal Audit Program
ISO-039 | 9.2 | Evidence of Internal Audit Program Reviews
ISO-040 | 9.2 | Internal Audit Procedure
ISO-041 | 9.2 | ISMS Audit Checklist
ISO-042 | 9.2 | Evidence of Internal Audit Procedure Reviews
ISO-043 | 9.2.g | Evidence of Internal Audit Results
ISO-044 | 9.2.g | ISMS Corrective Action Form
ISO-045 | 9.3 | Management Review of the ISMS
ISO-046 | 9.3 | Form for Management Review Minutes
ISO-047 | 9.3 | Evidence of Management Reviews of the ISMS, and their Results
ISO-048 | 10.1 | Nonconformity Response and Corrective Action Procedures
ISO-049 | 10.1.f | Evidence Regarding Nonconformities
ISO-050 | 10.1.g | Evidence of the Results of any Corrective Action
ISO-051 | 10.2 | Continual Improvement Process
ISO-052 | A.5.1.1 | Set of Information Security Policies
ISO-053 | A.5.1.2 | Evidence of Review of Information Security Policies
ISO-054 | A.5.1.1 | Set of Information Security Procedures
ISO-055 | A.6.1.1 | Information Security Roles and Responsibilities (also Section 5.3)
ISO-056 | A.6.1.1 | Evidence that Information Security Responsibilities are enacted (Records)
ISO-057 | A.6.1.2 | Segregation of Duties Process
ISO-058 | A.6.1.3 | Authority Contacts
ISO-059 | A.6.1.4 | Special Interest Group Contacts
ISO-060 | A.6.1.5 | Information Security Process for Project Management
ISO-061 | A.6.2.1 | Mobile Device Policy
ISO-062 | A.6.2.2 | BYOD Policy
ISO-063 | A.6.2.2 | Teleworking Policy
ISO-064 | A.7.1.1 | Background Check Process
ISO-065 | A.7.1.1 | Evidence of Background Checks (Records)
ISO-066 | A.7.1.2 | Employment Contract Security Responsibility Stipulations
ISO-067 | A.7.1.2 | Evidence of Security Responsibility Stipulations in Employment Contracts (Records)
ISO-068 | A.7.2.2 | Evidence of Security Awareness Training
ISO-069 | A.7.2.2 | Evidence of Communication of Information Security Policy (Changes) (Records)
ISO-070 | A.7.2.3 | Disciplinary Process (including communication of it)
ISO-071 | A.7.2.3 | Evidence that Disciplinary Process is being communicated (Records)
ISO-072 | A.7.2.3 | Evidence that Disciplinary Process is being carried out (Records)
ISO-073 | A.7.3.1 | Change of Employment Procedures Regarding Information Security Responsibilities
ISO-074 | A.7.3.1 | Evidence that Employment Procedures for InfoSec Responsibilities are enacted (Records)
ISO-075 | A.8 | Asset Management Program
ISO-076 | A.8.1.1 A.8.1.2 | Asset Inventory including Management Ownership
ISO-077 | A.8.1.1 A.8.1.2 | Asset Inventory Review Process
ISO-078 | A.8.1.1 A.8.1.2 | Evidence of Asset Inventory Reviews (Records)
ISO-079 | A.8.1.3 | Rules for the Acceptable Use of Information and of Assets (Acceptable Use Policy)
ISO-080 | A.8.1.3 | Evidence of Communication of Acceptable Use of Information and of Assets (Records)
ISO-081 | A.8.1.4 | Asset Return Process
ISO-082 | A.8.1.4 | Evidence of Asset Returns (Records)
ISO-083 | A.8.2.1 A.8.2.2 | Information Classification Schema
ISO-084 | A.8.2.1 A.8.2.2 | Information Classification and Labeling Process
ISO-085 | A.8.2.1 A.8.2.2 | Evidence of Information Classification and Labeling Reviews (Records)
ISO-086 | A.8.2.3 | Asset Handling Procedures
ISO-087 | A.8.2.3 | Evidence of Implementation of Asset Handling Procedures (Records)
ISO-088 | A.8.3.1 | Management of Removable Media Policy
ISO-089 | A.8.3.1 | Management of Removable Media Procedures
ISO-090 | A.8.3.1 | Evidence that Removable Media Procedures are enacted (Records)
ISO-091 | A.8.3.2 | Disposal of Media Policy
ISO-092 | A.8.3.2 | Disposal of Media Procedures
ISO-093 | A.8.3.2 | Evidence that Disposal of Media Procedures are enacted (Records)
ISO-094 | A.8.3.3 | Physical Media Transfer Policy
ISO-095 | A.8.3.3 | Physical Media Transfer Procedures
ISO-096 | A.8.3.3 | Evidence that Physical Media Transfer Procedures are enacted (Records)
ISO-097 | A.9.1.1 | Access Control Policy
ISO-098 | A.9.1.1 | Access Control Policy Review Process
ISO-099 | A.9.1.1 | Evidence of Access Control Policy Reviews (Records)
ISO-100 | A.9.1.2 | Network and Network Service Access Authorization Procedure
ISO-101 | A.9.1.2 | Evidence that Network and Network Service Access Authorization Procedure is enacted (Records)
ISO-102 | A.9.2.1 | User Registration and De-registration Process
ISO-103 | A.9.2.1 | Evidence that User Registration and De-registration Processes are enacted (Records)
ISO-104 | A.9.2.2 | User Access Provisioning Process
ISO-105 | A.9.2.2 | Evidence that User Access Provisioning Process is enacted (Records)
ISO-106 | A.9.2.3 | Privileged Access Management Process
ISO-107 | A.9.2.3 | Evidence that Privileged Access Management Process is enacted (Records)
ISO-108 | A.9.2.4 | Secret Authentication (e.g., Password) Policy
ISO-109 | A.9.2.4 | Secret Authentication (e.g., Password) Information Management Process
ISO-110 | A.9.2.4 | Evidence that Secret Authentication Information Management Process is enacted (Records)
ISO-111 | A.9.2.5 | Asset Access Review Process
ISO-112 | A.9.2.5 | Evidence of Asset Access Reviews (Records)
ISO-113 | A.9.2.6 | Removal or Adjustment of Access Rights Process
ISO-114 | A.9.2.6 | Evidence that Removal or Adjustment of Access Rights Process is enacted (Records)
ISO-115 | A.9.3.1 | Authentication Safeguarding Policy
ISO-116 | A.9.3.1 | Authentication Safeguarding Process
ISO-117 | A.9.3.1 | Evidence that Authentication Safeguarding Process is enacted
ISO-118 | A.9.4.1 | Data and Application Access Authorization Procedure
ISO-119 | A.9.4.1 | Data and Application Access Request and Authorization Form
ISO-120 | A.9.4.1 | Evidence that Data and Application Access Authorization Procedure is enacted
ISO-121 | A.9.4.2 | Secure Log-on Procedure (if required by Access Control Policy)
ISO-122 | A.9.4.2 | Evidence that Secure Log-on Procedure is enacted
ISO-123 | A.9.4.3 | Password Management System Description
ISO-124 | A.9.4.3 | Evidence that Password Management System is enacted
ISO-125 | A.9.4.4 | Utility Program Policy
ISO-126 | A.9.4.4 | Utility Program Review Process
ISO-127 | A.9.4.4 | Data and Application Access Request and Authorization Form
ISO-128 | A.9.4.5 | Access Control to Source Code Authorization Process
ISO-129 | A.9.4.5 | Source Code Access Request and Authorization Form
ISO-130 | A.10.1.1 | Cryptographic Controls Policy
ISO-131 | A.10.1.1 | Cryptographic Controls Process
ISO-132 | A.10.1.1 | Evidence that Cryptographic Controls Process is enacted
ISO-133 | A.10.1.2 | Key Management Policy
ISO-134 | A.10.1.2 | Key Management Process
ISO-135 | A.10.1.2 | Evidence that Key Management Process is enacted
ISO-136 | A.11.1.1 | Physical Security Perimeters Definition
ISO-137 | A.11.1.1 | Evidence of Physical Security Perimeters Definition Reviews
ISO-138 | A.11.1.2 | Physical Entry Controls
ISO-139 | A.11.1.2 | Evidence of Physical Entry Controls Reviews
ISO-140 | A.11.1.3 | Physical Security Design
ISO-141 | A.11.1.3 | Evidence of Physical Security Design Reviews
ISO-142 | A.11.1.4 | Design for Protection Against External and Environmental Threats
ISO-143 | A.11.1.4 |
6vidence of esign for "rotecon Against 6,ternal and 6nvironmental 9hreats 0evie#s
ISO2'**
A+''+'+1
"rocedures for Qor(ing in Secured Areas
ISO2'*1
A+''+'+1
6vidence of 0evie#s of "rocedures for Qor(ing in Secured Areas
ISO2'*7
A+''+'+7
"hysical Access "oint Security esigns
ISO2'*%
A+''+'+7
6vidence of 0evie#s of "hysical Access "oint Security esigns
ISO2'*:
A+''+$+'
6.uipment Sing and "rotecon esign
ISO2'*
A+''+$+'
6vidence of 6.uipment Sing and "rotecon esign 0evie#s
ISO2'1&
A+''+$+$
esign for "rotecon Against @lity >ailures
ISO2'1'
A+''+$+$
6vidence of esign for "rotecon Against @lity >ailures 0evie#s
ISO2'1$
A+''+$+3
Ca-ling "rotecon esign
ISO2'13
A+''+$+3
6vidence of Ca-ling "rotecon esign 0evie#s
ISO2'1*
A+''+$+*
6.uipment 5aintenance "rocess
ISO2'11
A+''+$+*
6vidence of 6.uipment 5aintenance "rocess 0evie#s
ISO2'17
A+''+$+*
6vidence that 6.uipment 5aintenance "rocess is enacted
ISO2'1%
A+''+$+1
0emoval of Asset Authorizaon "rocess
ISO2'1:
A+''+$+1
6vidence of 0emoval of Asset Authorizaon "rocess 0evie#s
ISO2'1
A+''+$+1
0emoval of Asset Authorizaon >orm
ISO2'7&
A+''+$+7
O!site Asset Security "rocess
ISO2'7'
A+''+$+7
6vidence of O!site Asset Security "rocess 0evie#s
ISO2'7$
A+''+$+%
Secure 5edia isposal and 0e2use "olicy
ISO2'73
A+''+$+%
6vidence of Secure 5edia isposal and 0e2use "olicy 0evie#s
ISO2'7*
A+''+$+%
Secure 5edia isposal and 0e2use "rocess
ISO2'71
A+''+$+%
6vidence of Secure 5edia isposal and 0e2use "rocess 0evie#s
ISO2'77
A+''+$+:
"rotecon of @naended 6.uipment "olicy
ISO2'7%
A+''+$+:
6vidence of "rotecon of @naended 6.uipment "olicy 0evie#s
ISO2'7:
A+''+$+:
"rotecon of @naended 6.uipment "rocess
ISO2'7
A+''+$+:
6vidence of "rotecon of @naended 6.uipment "rocess 0evie#s
ISO2'%&
A+''+$+
ISO2'%'
A+''+$+
Clear Desk Pol"c# 6vidence of Clear es( "olicy 0evie#s
ISO2'%$
A+''+$+
ISO2'%3
A+''+$+
ISO2'%*
A+'$+'+'
ISO2'%1
A+'$+'+'
ISO2'%7
:+' A+'$+'+$ A+'*+$+$ A+'*+$+3 A+'*+$+*
ISO2'%%
:+' A+'$+'+$ A+'*+$+$ A+'*+$+3 A+'*+$+*
6vidence of Change 5anagement "olicy 0evie#s
ISO2'%:
:+' A+'$+'+$ A+'*+$+$ A+'*+$+3 A+'*+$+*
Change 5anagement "rocess
ISO2'%
:+' A+'$+'+$ A+'*+$+$ A+'*+$+3 A+'*+$+*
6vidence of Change 5anagement "rocess 0evie#s
ISO2':&
A+'$+'+3
Capacity 5anagement "rocess
ISO2':'
A+'$+'+3
6vidence of Capacity 5anagement "rocess 0evie#s
ISO2':$
A+'$+'+3
Capacity 5anagement "lans/0eports
ISO2':3
A+'$+'+*
Separaon of 6nvironments "olicy
ISO2':*
A+'$+'+*
6vidence of Separaon of 6nvironments "olicy 0evie#s
ISO2':1
A+'$+'+*
Separaon of 6nvironments esign
ISO2':7
A+'$+'+*
6vidence of Separaon of 6nvironments esign 0evie#s
ISO2':%
A+'$+$+'
5al#are "rotecon "olicy
ISO2'::
A+'$+$+'
6vidence of 5al#are "rotecon "olicy 0evie#s
ISO2':
A+'$+$+'
5al#are "rotecon esign
ISO2'&
A+'$+$+'
6vidence of 5al#are "rotecon esign 0evie#s
ISO2''
A+'$+3+'
ata 8ac(up and 0ecovery "olicy
ISO2'$
A+'$+3+'
6vidence of ata 8ac(up and 0ecovery "olicy 0evie#s
ISO2'3
A+'$+3+'
ata 8ac(up and 0ecovery "rocedures
ISO2'*
A+'$+3+'
6vidence of ata 8ac(up and 0ecovery "rocedures 0evie#s
ISO2'1
A+'$+3+'
ata 8ac(up and 0ecovery 9est "rocess
ISO2'7
A+'$+3+'
6vidence of ata 8ac(up and 0ecovery 9est "rocess 0evie#s
Clear Screen Pol"c# 6vidence of Clear Screen "olicy 0evie#s Operang "rocedures 6vidence of Operang "rocedures 0evie#s Change 5anagement "olicy
ISO2'%
A+'$+*+'
6vent Hogging esign
ISO2':
A+'$+*+'
6vidence of 6vent Hogging esign 0evie#s
ISO2'
A+'$+*+'
6vent Hog 0evie#s
ISO2$&&
A+'$+*+$
esign for "rotecon of Hog Informaon
ISO2$&'
A+'$+*+$
6vidence of 0evie#s of esign for "rotecon of Hog Informaon
ISO2$&$
A+'$+*+3
Operator Hogging esign
ISO2$&3
A+'$+*+3
6vidence of Operator Hogging esign 0evie#s
ISO2$&*
A+'$+*+3
Operator Hog 0evie# "rocess
ISO2$&1
A+'$+*+3
6vidence of Operator Hog 0evie#s
ISO2$&7
A+'$+*+*
Cloc( Synchronizaon esign
ISO2$&%
A+'$+*+*
6vidence of Cloc( Synchronizaon 0evie#s
ISO2$&:
A+'$+1+' A+'$+7+$
So#are Installaon "olicy
ISO2$&
A+'$+1+' A+'$+7+$
6vidence of So#are Installaon "olicy 0evie#s
ISO2$'&
A+'$+1+' A+'$+7+$
So#are Installaon Control "rocedures
ISO2$''
A+'$+1+' A+'$+7+$
6vidence of So#are Installaon Control "rocedures 0evie#s
ISO2$'$
A+'$+7+'
Eulnera-ility 5anagement "olicy
ISO2$'3
A+'$+7+'
6vidence of Eulnera-ility 5anagement "olicy 0evie#s
ISO2$'*
A+'$+7+'
Eulnera-ility 5anagement "rocess
ISO2$'1
A+'$+7+'
6vidence that Eulnera-ility 5anagement "rocess is enacted
ISO2$'7
A+'$+%+'
6,ternal Audit Acvity "lanning "rocess
ISO2$'%
A+'$+%+'
6vidence that 6,ternal Audit Acvity "lanning "rocess is enacted
ISO2$':
A+'$+%+'
6,ternal Audit Acvity 0eport
692&&$
N/A
ISO2$$&
A+'3+'+'
esign of Net#or( Controls
ISO2$$'
A+'3+'+'
6vidence of esign of Net#or( Controls 0evie#s
ISO2$$$
A+'3+'+$
esign of Controls for Net#or( Services
ISO2$$3
A+'3+'+$
6vidence of esign of Controls for Net#or( Services 0evie#s
ISO2$$*
A+'3+'+3
esign of Net#or( Segregaon
ISO2$$1
A+'3+'+3
6vidence of esign of Net#or( Segregaon 0evie#s
ISO2$$7
A+'3+$+'
Informaon 9ransfer "olicies
ISO2$
%$A+'3+$+'
6vidence of Informaon 9ransfer "olicies 0evie#s
ISO2$$:
A+'3+$+'
Informaon 9ransfer "rocedures
ISO2$$
A+'3+$+'
6vidence of Informaon 9ransfer "rocedures 0evie#s
ISO2$3&
A+'3+$+'
Informaon 9ransfer Control esign
ISO2$3'
A+'3+$+'
6vidence of Informaon 9ransfer Control esign 0evie#s
ISO2$3$
A+'3+$+$
Informaon 9ransfer Agreement "olicy
ISO2$33
A+'3+$+$
6vidence of Informaon 9ransfer Agreement "olicy 0evie#s
ISO2$3*
A+'3+$+$
Informaon 9ransfer Agreement 9emplate
Net#or( Security "olicy
ISO2$31
A+'3+$+$
6vidence of Informaon 9ransfer Agreements
ISO2$37
A+'3+$+3
Secure 6lectronic 5essaging "olicy
ISO2$3%
A+'3+$+3
6vidence of Secure 6lectronic 5essaging "olicy 0evie#s
ISO2$3:
A+'3+$+3
Secure 6lectronic 5essaging "rocedure
ISO2$3
A+'3+$+3
6vidence of Secure 6lectronic 5essaging "rocedure 0evie#s
ISO2$*&
A+'3+$+*
Con)denality and NA 0e.uirements esign
ISO2$*'
A+'3+$+*
6vidence of Con)denality and NA 0e.uirements esign 0evie#s
ISO2$*$
A+'*+'+'
Security in Ne# or 5odi)ed Systems "olicy
ISO2$*3
A+'*+'+'
6vidence of Security in Ne# or 5odi)ed Systems "olicy 0evie#s
ISO2$**
A+'*+'+' A+'*+$+1
Security in Ne# or 5odi)ed Systems "rocess
ISO2$*1
A+'*+'+' A+'*+$+1
6vidence of Security in Ne# or 5odi)ed Systems "rocess 0evie#s
ISO2$*7
A+'*+'+$
"rotecon of Applicaons on "u-lic Net#or(s esign
ISO2$*%
A+'*+'+$
6vidence of "rotecon of Applicaons on "u-lic Net#or(s esign 0evie#s
ISO2$*:
A+'*+'+3
Applicaon Service 9ransacon "rotecon esign
ISO2$*
A+'*+'+3
6vidence of Applicaon Service 9ransacon "rotecon esign 0evie#s
ISO2$1&
A+'*+$+' A+'*+$+7 A+'*+$+% A+'*+$+: A+'*+$+
Secure SHC "olicy
ISO2$1'
A+'*+$+' A+'*+$+7 A+'*+$+% A+'*+$+: A+'*+$+
6vidence of Secure SHC "olicy 0evie#s
ISO2$1$
A+'*+$+' A+'*+$+7 A+'*+$+% A+'*+$+: A+'*+$+
Secure SHC "rocess
ISO2$13
A+'*+$+' A+'*+$+7 A+'*+$+% A+'*+$+: A+'*+$+
6vidence of Secure SHC "rocess 0evie#s
ISO2$1*
A+'*+3+'
"rotecon of 9est ata "rocess
ISO2$11
A+'*+3+'
6vidence of "rotecon of 9est ata "rocess 0evie#s
ISO2$17
A+'1+'+' A+'1+'+$
Supplier Security "olicy
ISO2$1%
A+'1+'+' A+'1+'+$
6vidence of Supplier Security "olicy 0evie#s
ISO2$1:
A+'1+'+$
Supplier Security 9emplate
ISO2$1
A+'1+'+$
6vidence of Informaon Security in Supplier Agreements
ISO2$7&
A+'1+'+3
Informaon Security for I9 Service "roviders "olicy
ISO2$7'
A+'1+'+3
6vidence of Informaon Security for I9 Service "roviders "olicy 0evie#s
ISO2$7$
A+'1+'+3
Informaon Security for I9 Service "roviders 9emplate
ISO2$73
A+'1+$+' A+'1+$+$
Supplier Services 5anagement "rocess
ISO2$7*
A+'1+$+' A+'1+$+$
6vidence of Supplier Services 5anagement "rocess 0evie#s
ISO2$71
A+'1+$+' A+'1+$+$
6vidence of Supplier Services 5anagement 0evie#s
ISO2$77
A+'1+$+' A+'1+$+$
Supplier Services 0evie# 9emplate
ISO2$7%
A+'7
Incident 5anagement "olicy
ISO2$7:
A+'7
6vidence of Incident 5anagement "olicy 0evie#s
ISO2$7
A+'7+'+'
Incident 5anagement 0oles and 0esponsi-ilies
ISO2$%&
A+'7+'+'
6vidence of Incident 5anagement 0oles and 0esponsi-ilies 0evie#s
ISO2$%'
A+'7+'+'
Incident 5anagement "rocedures
ISO2$%$
A+'7+'+'
6vidence of Incident 5anagement "rocedures 0evie#s
ISO2$%3
A+'7+'+$
Incident 0eport 9emplate
ISO2$%*
A+'7+'+$
6vidence of Incident 0eports
ISO2$%1
A+'7+'+3
Security Qea(ness 0eporng "rocess
ISO2$%7
A+'7+'+3
6vidence of Security Qea(ness 0eporng "rocess 0evie#s
ISO2$%%
A+'7+'+3
Security Qea(ness 0eport 9emplate
ISO2$%:
A+'7+'+*
Incident Assessment "rocess
ISO2$%
A+'7+'+1
6vidence of Incident Assessment "rocess 0evie#s
ISO2$:&
A+'7+'+7
Incidence 0esponse "rocess
ISO2$:'
A+'7+'+7
6vidence of Incident 0esponse "rocess 0evie#s
ISO2$:$
A+'7+'+7
6vidence of Incident 0esponse
ISO2$:3
A+'7+'+%
6vidence Collecon "rocedures
ISO2$:*
A+'7+'+%
6vidence of 6vidence Collecon "rocedures 0evie#s
ISO2$:1
A+'7+'+%
6vidence Collecon 9emplate
ISO2$:7
A+'%
8usiness Connuity 5anagement "olicy
ISO2$:%
A+'%
6vidence of 8usiness Connuity 5anagement "olicy 0evie#s
ISO2$::
A+'%
8usiness Connuity Strategy
ISO2$:
A+'%
6vidence of 8usiness Connuity Strategy 0evie#s
692&&3
N/A
Supplier Security Chec(list
ISO2$'
A+'%
8usiness Connuity "lan
ISO2$$
A+'%
6vidence of 8usiness Connuity "lan 0evie#s
ISO2$3
A+'%
8usiness Connuity 5anagement System 5aintenance and 0evie# "lan
ISO2$*
A+'%
6vidence of 8usiness Connuity 5anagement System 5aintenance and 0evie# "lan 0evie#s
ISO2$1
A+'%+'+'
8usiness Connuity 0e.uirements
ISO2$7
A+'%+'+'
6vidence of 8usiness Connuity 0e.uirements 0evie#s
ISO2$%
A+'%+'+'
8usiness Impact Analysis
ISO2$:
A+'%+'+'
8usiness Impact Analysis 9emplate
ISO2$
A+'%+'+'
8usiness Impact Analysis Analysis 4uesonnairesB
ISO23&&
A+'%+'+$
8usiness Connuity "rocess
ISO23&'
A+'%+'+$
6vidence of 8usiness Connuity "rocess 0evie#s
ISO23&$
A+'%+'+$
8usiness Connuity "rocedures
ISO23&3
A+'%+'+$
6vidence of 8usiness Connuity "rocedures 0evie#s
ISO23&*
A+'%+'+$
8usiness Connuity Controls
ISO23&1
A+'%+'+$ A+'%+'+3
6vidence of 8usiness Connuity Controls 0evie#s
ISO23&7
A+'%+'+3
8usiness Connuity 6,ercising and 9esng "lan
ISO23&%
A+'%+'+3
6vidence of 8usiness Connuity 6,ercising and 9esng "lan 0evie#s
ISO23&:
A+'%+'+3
8usiness Connuity 6,ercises and 9ests
ISO23&
A+'%+'+3
8usiness Connuity "ost2Incident 0evie# >orm
ISO23'&
A+'%
isaster 0ecovery "lan
ISO23''
A+'%
6vidence of isaster 0ecovery "lan 0evie#s
ISO23'$
A+'%+'+'
isaster 0ecovery 0e.uirements
ISO23'3
A+'%+'+'
6vidence of isaster 0ecovery 0e.uirements 0evie#s
ISO23'*
A+'%+'+$
isaster 0ecovery "rocess
ISO23'1
A+'%+'+$
6vidence of isaster 0ecovery "rocess 0evie#s
ISO23'7
A+'%+'+$
isaster 0ecovery "rocedures
ISO23'%
A+'%+'+$
6vidence of isaster 0ecovery "rocedures 0evie#s
ISO23':
A+'%+'+$
isaster 0ecovery Controls
ISO23'
A+'%+'+$ A+'%+'+3
6vidence of isaster 0ecovery Controls 0evie#s
ISO23$&
A+'%+'+3
isaster 0ecovery 6,ercises and 9ests
ISO23$'
A+'%+'+3
isaster 0ecovery "ost2Incident 0evie# >orm
ISO23$$
A+'%+$+'
0edundancy 0e.uirements
ISO23$3
A+'%+$+'
6vidence of 0edundancy 0e.uirements 0evie#s
ISO23$*
A+':+'+'
HegalD 0egulatory and Contractual 0e.uirements
ISO23$1
A+':+'+'
6vidence of HegalD 0egulatory and Contractual 0e.uirements 0evie#s
ISO23$7
A+':+'+$
Intellectual "roperty Compliance "rocedure
ISO23
%$A+':+'+$
6vidence of Intellectual "roperty Compliance "rocedure 0evie#s
ISO23$:
A+':+'+3
0ecord "rotecon
ISO23$
A+':+'+3
6vidence of 0ecord "rotecon 0evie#s
ISO233&
A+':+'+*
"rivacy and "rotecon of "II
ISO233'
A+':+'+*
6vidence of "rivacy and "rotecon of "II 0evie#s
ISO233$
A+':+'+1
0egulaon of Cryptographic Controls
ISO2333
A+':+'+1
6vidence of 0egulaon of Cryptographic Controls 0evie#s
ISO233*
A+':+$+'
6,ternal Audit "lan
ISO2331
A+':+$+'
6vidence of 6,ternal Audit "lan 0evie#s
ISO2337
A+':+$+'
6vidence of 6,ternal Audits
ISO233%
A+':+$+$
5anagement Compliance 0evie# "rocess
ISO233:
A+':+$+$
6vidence of 5anagement Compliance 0evie# "rocess 0evie#s
ISO233
A+':+$+$
6vidence of 5anagement Compliance 0evie#s
ISO23*&
A+':+$+3
9echnical Compliance 0evie# "rocess
ISO23*'
A+':+$+3
6vidence of 9echnical Compliance 0evie# "rocess 0evie#s
ISO23*$
A+':+$+3
6vidence of 9echnical Compliance 0evie#s
692&&*
N/A
CSQ "rogram
692&&1
N/A
Informaon Security 0is( Council "rogram
692&&7
N/A
Security Integraon "lan
692&&%
N/A
Security Integraon 4uesonnaire
692&&:
N/A
0 6mployee Change "rocedure
692&&
N/A
ata overnance "olicy
692&&
N/A
Security 0evie# Chec(list
692&&
N/A
5ul2>actor Authencaon "rocedure
9otal
31&
Hin( to mandatory/non2mandatory documents= hp=//advisera+com/$%&&'academy/(no#led
Contained In | Requirement | Doc Type | ISMS Scope
Own Doc | Optional | Description | No
Part of ET-001 | Implied | Record | Yes
TBD | Implied | Procedure | Yes
Part of ET-001 | Implied | Record | Yes
Part of ET-001 | Required | Description | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
Own Doc | Required | Policy | Yes
TBD | Implied | Record | Yes
TBD | Implied | Plan | Yes
TBD | Required | Process | Yes
Own Doc | Implied | Record | Yes
Own Doc | Optional | Form or Template | Yes
Part of ET-001 | Required | Process | Yes
Own Doc | Required | Record | Yes
Own Doc | Required | Plan | Yes
TBD | Implied | Record | Yes
Part of ET-001 | Required | Record | Yes
TBD | Implied | Plan | Yes
Part of ET-001 | Implied | Record | Yes
Part of ET-001 | Implied | Description | Yes
TBD | Implied | Procedure | Yes
TBD | Implied | Plan | Yes
Own Doc | Required | Record | Yes
Own Doc | Implied | Process | Yes
Own Doc | Optional | |
Part of ET-001 | Implied | Process | Yes
Part of ET-001 | Required | Record | Yes
TBD | Implied | Policy | Yes
No
Project Scope | Included
TBD | Implied | Process | Yes
TBD | Required | Record | Yes
TBD | Implied | Policy | Yes
Part of ISO-011 | Required | Record | Yes
Part of ISO-016 | Required | Record | Yes
TBD | Implied | Procedure | Yes
TBD | Required | Record | Yes
TBD | Implied | Procedure | Yes
TBD | Implied | Record | Yes
Own Doc | Required | Description | Yes
Part of ISO-038 | Implied | Record | Yes
Own Doc | Optional | Process | Yes
Own Doc | Optional | Form or Template | Yes
Part of ISO-040 | Optional | Record | Yes
Own Doc | Required | Record | Yes
Own Doc | Optional | Form or Template | Yes
TBD | Implied | Process | Yes
TBD | Optional | Form or Template | Yes
TBD | Required | Record | Yes
TBD | Implied | Procedure | Yes
TBD | Required | Record | Yes
TBD | Required | Record | Yes
TBD | Implied | Process | Yes
Own Doc | Required | Policy | Yes
TBD | Required | Record | Yes
TBD | Optional | Procedure | Yes
Part of ET-001 | Required | Record | Yes
TBD | Implied | Record | Yes
TBD | Implied | Process | Yes
TBD | Required | Record | Yes
TBD | Required | Record | Yes
TBD | Implied | Process | Yes
Part of ISO-052 | Required | Policy | Yes
Part of ISO-052 | Optional | Policy | Yes
Part of ISO-052 | Required | Policy | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
TBD | Implied | Record | Yes
TBD | Implied | Record | Yes
TBD | Implied | Record | Yes
TBD | Implied | Record | Yes
TBD | Required | Process | Yes
TBD | Implied | Record | Yes
TBD | Implied | Record | Yes
Part of ISO-066 | Required | Procedure | Yes
TBD | Implied | Record | Yes
Own Doc | Optional | Description | Yes
Own Doc | Required | Record | Yes
Part of ISO-075 | Implied | Process | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Required | Policy | Yes
TBD | Implied | Record | Yes
Part of ISO-075 | Implied | Process | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
Part of ISO-075 | Required | Procedure | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Required | Policy | Yes
Part of ISO-054 | Implied | Procedure | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Required | Policy | Yes
Part of ISO-054 | Implied | Procedure | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Implied | Policy | Yes
Part of ISO-054 | Implied | Procedure | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Required | Policy | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
TBD | Implied | Procedure | Yes
TBD | Implied | Record | Yes
TBD | Required | Process | Yes
TBD | Implied | Record | Yes
TBD | Required | Process | Yes
TBD | Implied | Record | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
TBD | Implied | Policy | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Implied | Process | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
Part of ISO-054 | Implied | Procedure | Yes
TBD | Optional | Form or Template | Yes
TBD | Implied | Record | Yes
Part of ISO-054 | Implied | Procedure | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Implied | Policy | Yes
TBD | Implied | Process | Yes
TBD | Optional | Form or Template | Yes
TBD | Implied | Process | Yes
TBD | Optional | Form or Template | Yes
Part of ISO-052 | Required | Policy | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Required | Policy | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
TBD | Required | Procedure | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
TBD | Implied | Record | Yes
Part of ISO-075 | Implied | Process | Yes
TBD | Implied | Record | Yes
TBD | Optional | Form or Template | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Optional | Policy | Yes
TBD | Optional | Record | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Optional | Policy | Yes
TBD | Optional | Record | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Required | Policy | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Required | Policy | Yes
TBD | Implied | Record | Yes
TBD | Required | Procedure | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Implied | Record | Yes
TBD | Implied | Process | Yes
TBD | Implied | Process | Yes
TBD | Implied | Process | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
TBD | Implied | Plan | Yes
Part of ISO-052 | Implied | Policy | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Optional | Policy | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Required | Policy | Yes
TBD | Implied | Record | Yes
TBD | Implied | Procedure | Yes
TBD | Implied | Record | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
TBD | Required | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
TBD | Implied | Process | Yes
TBD | Required | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Optional | Policy | Yes
TBD | Optional | Record | Yes
TBD | Implied | Procedure | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Optional | Policy | Yes
TBD | Optional | Record | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
TBD | Implied | Plan | Yes
TBD | Implied | Record | Yes
TBD | Optional | Record | Yes
Part of ISO-052 | Optional | Policy | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Required | Policy | Yes
TBD | Implied | Record | Yes
TBD | Required | Procedure | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Optional | Policy | Yes
TBD | Optional | Record | Yes
TBD | Optional | Form or Template | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Optional | Policy | Yes
TBD | Optional | Record | Yes
TBD | Implied | Procedure | Yes
TBD | Implied | Record | Yes
TBD | Required | Description | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Optional | Policy | Yes
TBD | Optional | Record | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Required | Policy | Yes
TBD | Implied | Record | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Required | Policy | Yes
TBD | Implied | Record | Yes
TBD | Optional | Form or Template | Yes
TBD | Implied | Record | Yes
Part of ISO-052 | Implied | Policy | Yes
TBD | Implied | Record | Yes
TBD | Optional | Form or Template | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
TBD | Implied | Record | Yes
TBD | Optional | Form or Template | Yes
Part of ISO-052 | Optional | Policy | Yes
TBD | Optional | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
TBD | Implied | Procedure | Yes
TBD | Implied | Record | Yes
TBD | Optional | Form or Template | Yes
TBD | Optional | Record | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
TBD | Optional | Form or Template | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
TBD | Implied | Record | Yes
TBD | Implied | Procedure | Yes
TBD | Implied | Record | Yes
TBD | Optional | Form or Template | Yes
Part of ISO-052 | Optional | Policy | Yes
TBD | Optional | Record | Yes
TBD | Optional | Description | Yes
TBD | Optional | Record | Yes
Own Doc | Optional | Form or Template | No
TBD | Optional | Plan | Yes
TBD | Optional | Record | Yes
TBD | Optional | Plan | Yes
TBD | Optional | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Optional | Form or Template | Yes
TBD | Optional | Form or Template | Yes
TBD | Required | Process | Yes
TBD | Implied | Record | Yes
TBD | Required | Procedure | Yes
TBD | Implied | Record | Yes
TBD | Required | Description | Yes
TBD | Implied | Record | Yes
TBD | Optional | Plan | Yes
TBD | Optional | Record | Yes
TBD | Implied | Record | Yes
TBD | Optional | Form or Template | Yes
TBD | Optional | Plan | Yes
TBD | Optional | Record | Yes
TBD | Optional | Description | Yes
TBD | Optional | Record | Yes
TBD | Optional | Process | Yes
TBD | Optional | Record | Yes
TBD | Optional | Procedure | Yes
TBD | Optional | Record | Yes
TBD | Optional | Description | Yes
TBD | Optional | Record | Yes
TBD | Optional | Record | Yes
TBD | Optional | Form or Template | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
TBD | Required | Description | Yes
TBD | Required | Record | Yes
TBD | Implied | Procedure | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
TBD | Implied | Description | Yes
TBD | Implied | Record | Yes
Part of ISO-038 | Implied | Procedure | Yes
TBD | Implied | Record | Yes
TBD | Implied | Record | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
TBD | Implied | Record | Yes
TBD | Implied | Process | Yes
TBD | Implied | Record | Yes
TBD | Implied | Record | Yes
Own Doc | Optional | Description | No
Own Doc | Optional | Description | No
TBD | Optional | Plan | No
TBD | Optional | Form or Template | No
Own Doc | Optional | Procedure | No
Own Doc | Optional | Policy | No
Part of ISO-054 | Optional | Form or Template | No
Own Doc | Optional | Procedure | No

Required | 54
Policy | 36
Implied | 221
Process | 51
Optional | 75
Procedure | 28
Plan | 11
Description | 42
Unique Docs | 23
Form or Template 22 Record Total Included
15
0
ISO 27001 Documents
Status | Policy | Process | Procedure | Plan | Description
Implemented | 0 | 0 | 0 | 0 | 0
Approved | 0 | 0 | 0 | 0 | 0
Written | 0 | 0 | 0 | 0 | 0
In Progress | 0 | 0 | 0 | 0 | 0
Waiting | 0 | 0 | 0 | 0 | 0
Phase 2 | 0 | 0 | 0 | 0 | 0
Unknown | 0 | 0 | 0 | 0 | 0
Total | 0 | 0 | 0 | 0 | 0

ISO 27001 Documents Phase 1
Status | Policy | Process | Procedure | Plan | Description
Implemented | 0 | 0 | 0 | 0 | 0
Approved | 0 | 0 | 0 | 0 | 0
Written | 0 | 0 | 0 | 0 | 0
In Progress | 0 | 0 | 0 | 0 | 0
Total | 0 | 0 | 0 | 0 | 0
…gebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Due | Status | Consultant Owner | Est Consultant Hrs | Customer Comments Owner

Status legend (document counts):
Implemented | 0
Approved | 0
Written | 0
In Progress | 0
Waiting | 0
Phase 2 | 0
Unknown | 0
Skipped | 0
0

ISO 27001 Documents (remaining columns)
Status | Form or Template | Record | Total | %
Implemented | 0 | 0 | 0 | #DIV/0!
Approved | 0 | 0 | 0 | #DIV/0!
Written | 0 | 0 | 0 | #DIV/0!
In Progress | 0 | 0 | 0 | #DIV/0!
Waiting | 0 | 0 | 0 | #DIV/0!
Phase 2 | 0 | 0 | 0 | #DIV/0!
Unknown | 0 | 0 | 0 | #DIV/0!
Total | 0 | 0 | 0 | #DIV/0!

ISO 27001 Documents Phase 1 (remaining columns)
Status | Form or Template | Record | Total | %
Implemented | 0 | 0 | 0 | #DIV/0!
Approved | 0 | 0 | 0 | #DIV/0!
Written | 0 | 0 | 0 | #DIV/0!
In Progress | 0 | 0 | 0 | #DIV/0!
Total | 0 | 0 | 0 | #DIV/0!

Approved By | Date Last Approved | Location | Document Name