ISO27001:2013 INFORMATION TECHNOLOGY, SECURITY TECHNIQUES

ISO 27001 INFO SEC Certified System

ISO27001:2013 INFORMATION TECHNOLOGY, SECURITY TECHNIQUES & MANAGEMENT SYSTEMS
SELF ASSESSMENT CHECKLIST
COMPASS ASSURANCE SERVICES PTY LTD

NOTE: THIS IS A SIMPLIFIED SUMMARY OF THE REQUIREMENTS OF ISO 27001:2013 INFORMATION SECURITY MANAGEMENT SYSTEM – REQUIREMENTS, FOR THE SPECIFIC PURPOSE OF HELPING ORGANISATIONS UNDERTAKE A PRELIMINARY CHECK OF THEIR READINESS FOR AN ISO 27001:2013 INFORMATION SECURITY AUDIT OR ASSESSMENT.

MANDATORY DOCUMENTS
Information Security Policy (5.1.2)
Scope (4.3)
Information Security Risks (6.1.3)
Objectives (6.2)
Competencies of persons undertaking work (7.2)
Operational planning (8.1)
Risk Assessments (8.2)
Risk Treatment Plan (8.3)
Monitoring and Measurement (9.1)
Internal Audit (9.2)
Management Review (9.3)
Nonconformances and Corrective actions (10.1)

ANNEX A DOCUMENTATION
Rules for acceptable use of assets (A.8.1.3)
Access control policy (A.9.1.1)
Documented operating procedures (A.12.1.1)
Confidentiality or non-disclosure agreements (A.13.2.4)
Secure system engineering principles (A.14.2.5)
Information security policy for supplier relationships (A.15.1.1)
Response to information security incidents (A.16.1.5)
Implementing information security continuity (A.17.1.2)
Identification of applicable legislation and contractual requirements (A.18.1.1)

ISO 27001:2013 Information Security Self Assessment Checklist

4. CONTEXT OF THE ORGANISATION

4.1 ORGANISATION & CONTEXT
Have we determined the external and internal issues that are relevant to our business and that affect its ability to achieve the intended outcome(s) of its information security management system?

4.2 EXTERNAL PARTIES
Have we determined:
interested parties that are relevant to the information security management system;
the requirements of these interested parties relevant to information security?

4.3 SCOPE OF THE SYSTEM
Have we determined the boundaries and applicability of the information security management system to establish and document its scope?
Have we considered:
the external and internal issues;
the needs and expectations of interested parties;
interfaces and dependencies between activities performed by our business and those that are performed by other organisations?

4.4 INFORMATION SECURITY MANAGEMENT SYSTEM
Have we established, implemented, maintained and continually improved an information security management system, in accordance with the requirements of this International Standard?

5. LEADERSHIP

5.1 LEADERSHIP AND COMMITMENT
Has top management demonstrated leadership and commitment to the information security management system by:
a) ensuring the information security policy and the information security objectives are established and compatible with the strategic direction of the organisation;
b) ensuring the integration of the information security management system requirements into the organisation’s processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security management system;
g) promoting continual improvement; and
h) supporting other relevant management?

5.2 POLICY
Have we established an information security policy that:
a) is appropriate to the purpose of the organisation;
b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives;
c) includes a commitment to satisfy applicable requirements related to information security; and
d) includes a commitment to continual improvement of the information security management system?

Is the information security policy:
e) available as documented information;
f) communicated within the organisation; and
g) available to interested parties, as appropriate?

5.3 ORGANIZATIONAL ROLES, RESPONSIBILITIES AND AUTHORITIES
Have we ensured that the responsibilities and authorities for roles relevant to information security are assigned and communicated?
Have we assigned the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this International Standard; and
b) reporting on the performance of the information security management system to top management?

6. PLANNING

6.1 RISKS AND OPPORTUNITIES

6.1.1 General
Have we considered, for our information security management system, the external and internal issues (see 4.1) and the requirements of interested parties (see 4.2), and determined the risks and opportunities that need to be addressed to:
a) ensure it can achieve the intended outcomes;
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement?
Have we planned:
d) actions to address these risks and opportunities; and
e) how to
1. integrate and implement the actions into our information security management system processes; and
2. evaluate the effectiveness of these actions?

6.1.2 Information security risk assessment
Have we defined and applied an information security risk assessment process that:
a) establishes and maintains information security risk criteria that include
1. the risk acceptance criteria; and
2. criteria for performing information security risk assessments;
b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;
c) identifies the information security risks
1. through a risk assessment process, to identify risks associated with the loss of confidentiality, integrity and availability of information; and
2. identifies the risk owners;
d) analyses the information security risks and
1. assesses the potential consequences that would result if the risks identified in 6.1.2 c) 1 were to materialise;
2. assesses the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1; and
3. determines the levels of risk;
e) evaluates the information security risks and
1. compares the results of risk analysis with the risk criteria established in 6.1.2 a); and
2. prioritises the analysed risks for risk treatment?
Do we retain documented information about the information security risk assessment process?

6.1.3 Information Security Risk Management
Have we defined and applied an information security risk treatment process to:
a) select appropriate information security risk treatment options, taking account of the risk assessment results;
b) determine (and design as required) all controls that are necessary to implement the information security risk treatment option(s) chosen;

c) compare the controls determined in 6.1.3 b) with those in Annex A and verify that no necessary controls have been omitted;
d) produce a Statement of Applicability that contains the necessary controls and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;
e) formulate an information security risk treatment plan; and
f) obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks?
Do we retain documented information about the information security risk treatment process?

6.2 INFORMATION SECURITY OBJECTIVES
Have we established information security objectives at relevant functions and levels that:
a) are consistent with the information security policy;
b) are measurable (if practicable);
c) take into account applicable information security requirements, and results from risk assessment and risk treatment;
d) are communicated; and
e) are updated as appropriate; and
f) do we retain documented information on the information security objectives?
When planning how to achieve our information security objectives, have we determined:
g) what will be done;
h) what resources will be required;
i) who will be responsible;
j) when it will be completed; and
k) how the results will be evaluated?

7. SUPPORT

7.1 RESOURCES
Have we determined and provided the resources needed for the implementation, maintenance and continual improvement of the information security management system?

7.2 COMPETENCE
Have we:
a) determined the necessary competence of person(s) doing work under our control that affects our information security performance;
b) ensured that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, taken actions to acquire the necessary competence, and evaluated the effectiveness of the actions taken; and
d) retained appropriate documented information as evidence of competence?

7.3 AWARENESS
Are persons under our business’s control aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
c) the implications of not conforming with the information security management system requirements?

7.4 COMMUNICATION
Have we determined the need for internal and external communications relevant to the information security management system, including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;

d) who shall communicate; and
e) the processes by which communication shall be effected?

7.5 DOCUMENTED INFORMATION
Have we implemented the documented information required by the standard and determined necessary for the effectiveness of the information security management system?
When creating and updating documented information, have we ensured appropriate:
a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
c) review and approval for suitability and adequacy?
Do we have processes to control documented information to ensure it:
a) is available and suitable for use, where and when it is needed; and
b) is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity)?
Do these processes address the following activities (as applicable):
c) distribution, access, retrieval and use;
d) storage and preservation, including the preservation of legibility;
e) control of changes (e.g. version control); and retention and disposition?
Do we identify and control documented information of external origin, determined as necessary for the planning and operation of the information security management system?

8. OPERATION

8.1 OPERATIONAL PLANNING AND CONTROL
Have we planned, implemented and controlled the processes needed to meet information security requirements and implemented the actions determined in 6.1, and to achieve the information security objectives determined in 6.2?

Have we kept documented information to have confidence that the processes have been carried out as planned?
Have we controlled planned changes and reviewed the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary?
Have we ensured that outsourced processes are determined and controlled?

8.2 & 8.3 INFORMATION SECURITY RISK ASSESSMENT & TREATMENT
Do we perform information security risk assessments at planned intervals or when significant changes are proposed or occur?
Do we retain documented information of the results of the information security risk assessments?
Have we implemented an information security risk treatment plan?
Do we retain documented information of the results of the information security risk treatment?

9. PERFORMANCE EVALUATION

9.1 MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION
Have we determined:
a) what needs to be monitored and measured, including information security processes and controls;
b) the methods for monitoring, measurement, analysis and evaluation to ensure valid results (methods selected should produce comparable and reproducible results to be considered valid);
c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
e) when the results from monitoring and measurement shall be analysed and evaluated; and
f) who shall analyse and evaluate these results?
Do we retain appropriate documented information as evidence of the monitoring and measurement results?

9.2 INTERNAL AUDIT
Do we conduct internal audits at planned intervals to provide information on whether the information security management system is effectively implemented and maintained and conforms to:
1. the organization’s own requirements for its information security management system; and
2. the requirements of this International Standard?
Have we:
a) planned, implemented and maintained an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting;
1. Does the audit programme(s) take into consideration the importance of the processes concerned and the results of previous audits?
b) defined the audit criteria and scope for each audit;
c) selected auditors and conducted audits that ensure objectivity and the impartiality of the audit process;
d) ensured that the results of the audits are reported to relevant management; and
e) retained documented information as evidence of the audit programme(s) and the audit results?

9.3 MANAGEMENT REVIEW
Does the management review include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information securit
