ISO 27001 Compliance Checklist

Kayzed Consultants Page 1 05/03/2014


Reference                      Audit area, objective and question                                   Results
Checklist   Standard section   Audit question                                                       Findings

Security Policy

1.1    5.1    Information Security Policy

1.1.1  5.1.1  Information security policy document
    Whether there exists an information security policy, approved by management, published and communicated as appropriate to all employees.
    Whether the policy states management commitment and sets out the organizational approach to managing information security.

1.1.2  5.1.2  Review of the information security policy
    Whether the information security policy is reviewed at planned intervals, or when significant changes occur, to ensure its continuing suitability, adequacy and effectiveness.
    Whether the information security policy has an owner who has approved management responsibility for the development, review and evaluation of the policy.
    Whether defined policy review procedures exist, and whether they include requirements for the management review.
    Whether the results of the management review are taken into account.
    Whether management approval is obtained for the revised policy.

Organization of Information Security

2.1    6.1    Internal Organization

2.1.1  6.1.1  Management commitment to information security
    Whether management demonstrates active support for security measures within the organization, for example through clear direction, demonstrated commitment, and explicit assignment and acknowledgement of information security responsibilities.

2.1.2  6.1.2  Information security coordination
    Whether information security activities are coordinated by representatives from diverse parts of the organization, with pertinent roles and responsibilities.
2.1.3  6.1.3  Allocation of information security responsibilities
    Whether responsibilities for the protection of individual assets, and for carrying out specific security processes, are clearly identified and defined.

2.1.4  6.1.4  Authorization process for information processing facilities
    Whether a management authorization process is defined and implemented for any new information processing facility within the organization.

2.1.5  6.1.5  Confidentiality agreements
    Whether the organization's need for confidentiality or non-disclosure agreements (NDAs) for the protection of information is clearly defined and regularly reviewed.
    Whether this addresses the requirement to protect confidential information using legally enforceable terms.

2.1.6  6.1.6  Contact with authorities
    Whether there exists a procedure that describes when, and by whom, relevant authorities such as law enforcement, the fire department etc. should be contacted, and how the incident should be reported.

2.1.7  6.1.7  Contact with special interest groups
    Whether appropriate contacts with special interest groups, other specialist security forums and professional associations are maintained.

2.1.8  6.1.8  Independent review of information security
    Whether the organization's approach to managing information security, and its implementation, is reviewed independently at planned intervals, or when major changes to the security implementation occur.

2.2    6.2    External Parties

2.2.1  6.2.1  Identification of risks related to external parties
    Whether risks to the organization's information and information processing facilities from processes involving external party access are identified, and appropriate control measures implemented, before granting access.

2.2.2  6.2.2  Addressing security when dealing with customers
    Whether all identified security requirements are fulfilled before granting customers access to the organization's information or assets.

2.2.3  6.2.3  Addressing security in third party agreements
    Whether agreements with third parties involving accessing, processing, communicating or managing the organization's information or information processing facilities, or introducing products or services to information processing facilities, comply with all appropriate security requirements.

Asset Management
3.1    7.1    Responsibility for assets

3.1.1  7.1.1  Inventory of assets
    Whether all assets are identified and an inventory or register of all important assets is maintained.

3.1.2  7.1.2  Ownership of assets
    Whether each identified asset has an owner, a defined and agreed-upon security classification, and access restrictions that are periodically reviewed.

3.1.3  7.1.3  Acceptable use of assets
    Whether rules for the acceptable use of information and of assets associated with information processing facilities are identified, documented and implemented.

3.2    7.2    Information Classification

3.2.1  7.2.1  Classification guidelines
    Whether information is classified in terms of its value, legal requirements, sensitivity and criticality to the organization.

3.2.2  7.2.2  Information labelling and handling
    Whether an appropriate set of procedures is defined for information labelling and handling, in accordance with the classification scheme adopted by the organization.

Human Resources Security

4.1    8.1    Prior to employment

4.1.1  8.1.1  Roles and responsibilities
    Whether the security roles and responsibilities of employees, contractors and third party users are defined and documented in accordance with the organization's information security policy.
    Whether the roles and responsibilities are defined and clearly communicated to job candidates during the pre-employment process.

4.1.2  8.1.2  Screening
    Whether background verification checks on all candidates for employment, contractors and third party users are carried out in accordance with the relevant regulations.
    Whether the checks include character references, confirmation of claimed academic and professional qualifications, and independent identity checks.

4.1.3  8.1.3  Terms and conditions of employment
    Whether employees, contractors and third party users are asked to sign a confidentiality or non-disclosure agreement as part of the initial terms and conditions of their employment contract.
4.1.3  8.1.3  Terms and conditions of employment (continued)
    Whether this agreement covers the information security responsibilities of the organization and of the employees, third party users and contractors.

4.2    8.2    During Employment

4.2.1  8.2.1  Management responsibilities
    Whether management requires employees, contractors and third party users to apply security in accordance with the established policies and procedures of the organization.

4.2.2  8.2.2  Information security awareness, education and training
    Whether all employees in the organization and, where relevant, contractors and third party users receive appropriate security awareness training and regular updates on organizational policies and procedures as they pertain to their job function.

4.2.3  8.2.3  Disciplinary process
    Whether there is a formal disciplinary process for employees who have committed a security breach.

4.3    8.3    Termination or change of employment

4.3.1  8.3.1  Termination responsibilities
    Whether responsibilities for performing employment termination, or change of employment, are clearly defined and assigned.

4.3.2  8.3.2  Return of assets
    Whether there is a process in place that ensures all employees, contractors and third party users surrender all of the organization's assets in their possession upon termination of their employment, contract or agreement.

4.3.3  8.3.3  Removal of access rights
    Whether the access rights of all employees, contractors and third party users to information and information processing facilities are removed upon termination of their employment, contract or agreement, or adjusted upon change.

Physical and Environmental Security

5.1    9.1    Secure Areas

5.1.1  9.1.1  Physical security perimeter
    Whether a physical security perimeter has been implemented to protect the information processing service. Examples of such security facilities are card-controlled entry gates, walls, a manned reception, etc.

5.1.2  9.1.2  Physical entry controls
    Whether entry controls are in place to allow only authorized personnel into the various areas within the organization.
5.1.3  9.1.3  Securing offices, rooms and facilities
    Whether the rooms housing the information processing service are locked, or have lockable cabinets or safes.

5.1.4  9.1.4  Protecting against external and environmental threats
    Whether physical protection against damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster is designed and applied.
    Whether there is any potential threat from neighbouring premises.

5.1.5  9.1.5  Working in secure areas
    Whether physical protection and guidelines for working in secure areas are designed and implemented.

5.1.6  9.1.6  Public access, delivery and loading areas
    Whether the delivery, loading and other areas where unauthorized persons may enter the premises are controlled, and information processing facilities are isolated from them, to avoid unauthorized access.

5.2    9.2    Equipment Security

5.2.1  9.2.1  Equipment siting and protection
    Whether equipment is protected to reduce the risks from environmental threats and hazards, and the opportunities for unauthorized access.

5.2.2  9.2.2  Supporting utilities
    Whether equipment is protected from power failures and other disruptions caused by failures in supporting utilities.
    Whether continuity of power supply is provided, such as multiple feeds, an uninterruptible power supply (UPS), a backup generator, etc.

5.2.3  9.2.3  Cabling security
    Whether power and telecommunications cabling carrying data or supporting information services is protected from interception or damage.
    Whether any additional security controls are in place for sensitive or critical information.

5.2.4  9.2.4  Equipment maintenance
    Whether equipment is correctly maintained to ensure its continued availability and integrity.
    Whether equipment is maintained as per the supplier's recommended service intervals and specifications.
    Whether maintenance is carried out only by authorized personnel.
5.2.4  9.2.4  Equipment maintenance (continued)
    Whether logs are maintained of all suspected or actual faults and of all preventive and corrective measures.

5.2.5  9.2.5  Security of equipment off-premises
    Whether appropriate controls are implemented when sending equipment off premises.
    Whether the equipment is covered by insurance and the insurance requirements are satisfied.
    Whether the risks of any equipment usage outside the organization's premises were assessed, and mitigating controls implemented.
    Whether the usage of an information processing facility outside the organization has been authorized by management.

5.2.6  9.2.6  Secure disposal or re-use of equipment
    Whether all equipment containing storage media is checked to ensure that any sensitive information or licensed software is physically destroyed, or securely overwritten, prior to disposal or re-use.

5.2.7  9.2.7  Removal of property
    Whether controls are in place so that equipment, information and software are not taken off-site without prior authorization.

Communications and Operations Management

6.1    10.1   Operational procedures and responsibilities

6.1.1  10.1.1 Documented operating procedures
    Whether the operating procedures are documented, maintained and available to all users who need them.
    Whether such procedures are treated as formal documents, so that any changes made require management authorization.

6.1.2  10.1.2 Change management
    Whether all changes to information processing facilities and systems are controlled.

6.1.3  10.1.3 Segregation of duties
    Whether duties and areas of responsibility are separated, in order to reduce opportunities for unauthorized modification or misuse of information or services.
6.1.4  10.1.4 Separation of development, test and operational facilities
    Whether the development and testing facilities are isolated from operational facilities. For example, development and production software should run on different computers and, where necessary, development and production networks should be kept separate from each other.

6.2    10.2   Third party service delivery management

6.2.1  10.2.1 Service delivery
    Whether measures are taken to ensure that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated and maintained by the third party.

6.2.2  10.2.2 Monitoring and review of third party services
    Whether the services, reports and records provided by the third party are regularly monitored and reviewed.
    Whether audits of the above third party services, reports and records are conducted at regular intervals.

6.2.3  10.2.3 Managing changes to third party services
    Whether changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, are managed.
    Whether this takes into account the criticality of the business systems and processes involved, and the re-assessment of risks.

6.3    10.3   System planning and acceptance

6.3.1  10.3.1 Capacity management
    Whether capacity demands are monitored and projections of future capacity requirements are made, to ensure that adequate processing power and storage are available. Example: monitoring hard disk space, RAM and CPU on critical servers.

6.3.2  10.3.2 System acceptance
    Whether system acceptance criteria are established for new information systems, upgrades and new versions.
    Whether suitable tests were carried out prior to acceptance.

6.4    10.4   Protection against malicious and mobile code
6.4.1  10.4.1 Controls against malicious code
    Whether detection, prevention and recovery controls to protect against malicious code, and appropriate user awareness procedures, were developed and implemented.

6.4.2  10.4.2 Controls against mobile code
    Whether only authorized mobile code is used.
    Whether the configuration ensures that authorized mobile code operates according to the security policy.
    Whether execution of unauthorized mobile code is prevented.
    (Mobile code is software code that transfers from one computer to another and then executes automatically. It performs a specific function with little or no user intervention. Mobile code is associated with a number of middleware services.)

6.5    10.5   Backup

6.5.1  10.5.1 Information backup
    Whether backups of information and software are taken and tested regularly in accordance with the agreed backup policy.
    Whether all essential information and software can be recovered following a disaster or media failure.

6.6    10.6   Network Security Management

6.6.1  10.6.1 Network controls
    Whether the network is adequately managed and controlled to protect it from threats and to maintain security for the systems and applications using the network, including information in transit.
    Whether controls were implemented to ensure the security of information in networks, and the protection of the connected services from threats such as unauthorized access.

6.6.2  10.6.2 Security of network services
    Whether the security features, service levels and management requirements of all network services are identified and included in any network services agreement.
    Whether the ability of the network service provider to manage the agreed services in a secure way is determined and regularly monitored, and the right to audit is agreed upon.

6.7    10.7   Media handling
6.7.1  10.7.1 Management of removable media
    Whether procedures exist for the management of removable media such as tapes, disks, cassettes, memory cards and reports.
    Whether all procedures and authorization levels are clearly defined and documented.

6.7.2  10.7.2 Disposal of media
    Whether media that are no longer required are disposed of securely and safely, as per formal procedures.

6.7.3  10.7.3 Information handling procedures
    Whether a procedure exists for the handling and storage of information.
    Whether this procedure addresses issues such as the protection of information from unauthorized disclosure or misuse.

6.7.4  10.7.4 Security of system documentation
    Whether system documentation is protected against unauthorized access.

6.8    10.8   Exchange of information

6.8.1  10.8.1 Information exchange policies and procedures
    Whether a formal exchange policy, procedures and controls are in place to ensure the protection of information.
    Whether the procedures and controls cover the use of electronic communication facilities for information exchange.

6.8.2  10.8.2 Exchange agreements
    Whether agreements are established concerning the exchange of information and software between the organization and external parties.
    Whether the security content of the agreement reflects the sensitivity of the business information involved.

6.8.3  10.8.3 Physical media in transit
    Whether media containing information are protected against unauthorized access, misuse or corruption during transportation beyond the organization's physical boundary.

6.8.4  10.8.4 Electronic messaging
    Whether the information involved in electronic messaging is well protected.
    (Electronic messaging includes, but is not restricted to, email, Electronic Data Interchange and instant messaging.)

6.8.5  10.8.5 Business information systems
    Whether policies and procedures are developed and enforced to protect information associated with the interconnection of business information systems.
6.9    10.9   Electronic commerce services

6.9.1  10.9.1 Electronic commerce
    Whether information involved in electronic commerce passing over public networks is protected from fraudulent activity, contract dispute, and any unauthorized access or modification.
    Whether security controls such as the application of cryptographic controls are taken into consideration.
    Whether electronic commerce arrangements between trading partners include a documented agreement which commits both parties to the agreed terms of trading, including details of security issues.

6.9.2  10.9.2 On-line transactions
    Whether information involved in on-line transactions is protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication or replay.

6.9.3  10.9.3 Publicly available information
    Whether the integrity of publicly available information is protected against unauthorized modification.

6.10   10.10  Monitoring

6.10.1 10.10.1 Audit logging
    Whether audit logs recording user activities, exceptions and information security events are produced and kept for an agreed period to assist future investigations and access control monitoring.
    Whether appropriate privacy protection measures are considered in audit log maintenance.

6.10.2 10.10.2 Monitoring system use
    Whether procedures are developed and enforced for monitoring the use of information processing facilities.
    Whether the results of the monitoring activity are reviewed regularly.
    Whether the level of monitoring required for an individual information processing facility is determined by a risk assessment.

6.10.3 10.10.3 Protection of log information
    Whether logging facilities and log information are well protected against tampering and unauthorized access.

6.10.4 10.10.4 Administrator and operator logs
    Whether system administrator and system operator activities are logged.
6.10.4 10.10.4 Administrator and operator logs (continued)
    Whether the logged activities are reviewed on a regular basis.

6.10.5 10.10.5 Fault logging
    Whether faults are logged, analysed and appropriate action taken.
    Whether the level of logging required for individual systems is determined by a risk assessment, taking performance degradation into account.

6.10.6 10.10.6 Clock synchronisation
    Whether the system clocks of all information processing systems within the organization or security domain are synchronised with an agreed accurate time source.
    (The correct setting of computer clocks is important to ensure the accuracy of audit logs.)

Access Control

7.1    11.1   Business requirement for access control

7.1.1  11.1.1 Access control policy
    Whether an access control policy is developed and reviewed based on the business and security requirements.
    Whether both logical and physical access controls are taken into consideration in the policy.
    Whether users and service providers were given a clear statement of the business requirements to be met by access controls.

7.2    11.2   User Access Management

7.2.1  11.2.1 User registration
    Whether there is a formal user registration and de-registration procedure for granting access to all information systems and services.

7.2.2  11.2.2 Privilege management
    Whether the allocation and use of any privileges in the information system environment is restricted and controlled, i.e. privileges are allocated on a need-to-use basis and only after a formal authorization process.

7.2.3  11.2.3 User password management
    Whether the allocation and reallocation of passwords is controlled through a formal management process.
    Whether users are asked to sign a statement to keep their password confidential.
7.2.4  11.2.4 Review of user access rights
    Whether there exists a process to review user access rights at regular intervals. Example: special privileges reviewed every 3 months, normal privileges every 6 months.

7.3    11.3   User Responsibilities

7.3.1  11.3.1 Password use
    Whether there are security practices in place to guide users in selecting and maintaining secure passwords.

7.3.2  11.3.2 Unattended user equipment
    Whether users and contractors are made aware of the security requirements and procedures for protecting unattended equipment. Example: log off when a session is finished or set up automatic log-off, terminate sessions when finished, etc.

7.3.3  11.3.3 Clear desk and clear screen policy
    Whether the organisation has adopted a clear desk policy with regard to papers and removable storage media.
    Whether the organisation has adopted a clear screen policy with regard to information processing facilities.

7.4    11.4   Network Access Control

7.4.1  11.4.1 Policy on use of network services
    Whether users are provided with access only to the services that they have been specifically authorized to use.
    Whether there exists a policy that addresses concerns relating to networks and network services.

7.4.2  11.4.2 User authentication for external connections
    Whether appropriate authentication mechanisms are used to control access by remote users.

7.4.3  11.4.3 Equipment identification in networks
    Whether automatic equipment identification is considered as a means to authenticate connections from specific locations and equipment.

7.4.4  11.4.4 Remote diagnostic and configuration port protection
    Whether physical and logical access to diagnostic and configuration ports is securely controlled, i.e. protected by a security mechanism.

7.4.5  11.4.5 Segregation in networks
    Whether groups of information services, users and information systems are segregated on networks.
    Whether the network (where business partners and/or third parties need access to information systems) is segregated using perimeter security mechanisms such as firewalls.
7.4.5  11.4.5 Segregation in networks (continued)
    Whether consideration is given to segregating wireless networks from internal and private networks.

7.4.6  11.4.6 Network connection control
    Whether there exists an access control policy which specifies network connection controls for shared networks, especially those that extend across the organization's boundaries.

7.4.7  11.4.7 Network routing control
    Whether the access control policy states that routing controls are to be implemented for networks.
    Whether the routing controls are based on positive source and destination identification mechanisms.

7.5    11.5   Operating system access control

7.5.1  11.5.1 Secure log-on procedures
    Whether access to operating systems is controlled by a secure log-on procedure.

7.5.2  11.5.2 User identification and authentication
    Whether a unique identifier (user ID) is provided to every user, including operators, system administrators and all other staff, technical staff included.
    Whether a suitable authentication technique is chosen to substantiate the claimed identity of the user.
    Whether generic user accounts are supplied only under exceptional circumstances where there is a clear business benefit; additional controls may be necessary to maintain accountability.

7.5.3  11.5.3 Password management system
    Whether there exists a password management system that enforces password controls such as: individual passwords for accountability, enforced password changes, storage of passwords in encrypted form, not displaying passwords on screen, etc.

7.5.4  11.5.4 Use of system utilities
    Whether utility programs that might be capable of overriding system and application controls are restricted and tightly controlled.

7.5.5  11.5.5 Session time-out
    Whether inactive sessions are shut down after a defined period of inactivity.
    (A limited form of time-out can be provided for some systems, which clears the screen and prevents unauthorized access but does not close down the application or network sessions.)
7.5.6  11.5.6 Limitation of connection time
    Whether there are restrictions on connection time for high-risk applications. This type of set-up should be considered for sensitive applications whose terminals are installed in high-risk locations.

7.6    11.6   Application and Information access control

7.6.1  11.6.1 Information access restriction
    Whether access to information and application system functions by users and support personnel is restricted in accordance with the defined access control policy.

7.6.2  11.6.2 Sensitive system isolation
    Whether sensitive systems are provided with a dedicated (isolated) computing environment, such as running on a dedicated computer, sharing resources only with trusted application systems, etc.

7.7    11.7   Mobile computing and teleworking

7.7.1  11.7.1 Mobile computing and communications
    Whether a formal policy is in place, and appropriate security measures are adopted, to protect against the risks of using mobile computing and communication facilities. Examples of mobile computing and communications facilities include notebooks, palmtops, laptops, smart cards and mobile phones.
    Whether risks such as working in unprotected environments are taken into account by the mobile computing policy.

7.7.2  11.7.2 Teleworking
    Whether a policy, operational plan and procedures are developed and implemented for teleworking activities.
    Whether teleworking activity is authorized and controlled by management, and whether suitable arrangements are in place for this way of working.

Information Systems Acquisition, Development and Maintenance

8.1    12.1   Security requirements of information systems

8.1.1  12.1.1 Security requirements analysis and specification
    Whether the security requirements for new information systems and enhancements to existing information systems specify the requirements for security controls.
8.1.1  12.1.1 Security requirements analysis and specification (continued)
    Whether the security requirements and controls identified reflect the business value of the information assets involved and the consequences of a failure of security.
    Whether system requirements for information security, and processes for implementing security, are integrated in the early stages of information system projects.

8.2    12.2   Correct processing in applications

8.2.1  12.2.1 Input data validation
    Whether data input to application systems is validated to ensure that it is correct and appropriate.
    Whether controls such as checking different types of input for error messages, procedures for responding to validation errors, and defining the responsibilities of all personnel involved in the data input process are considered.

8.2.2  12.2.2 Control of internal processing
    Whether validation checks are incorporated into applications to detect any corruption of information through processing errors or deliberate acts.
    Whether the design and implementation of applications ensure that the risks of processing failures leading to a loss of integrity are minimised.

8.2.3  12.2.3 Message integrity
    Whether requirements for ensuring and protecting message integrity in applications are identified, and appropriate controls identified and implemented.
    Whether a security risk assessment was carried out to determine whether message integrity is required, and to identify the most appropriate method of implementation.

8.2.4  12.2.4 Output data validation
    Whether the data output from application systems is validated to ensure that the processing of stored information is correct and appropriate to the circumstances.

8.3    12.3   Cryptographic controls

8.3.1  12.3.1 Policy on use of cryptographic controls
    Whether the organization has a policy on the use of cryptographic controls for the protection of information.
    Whether the policy is successfully implemented.
8.3.1  12.3.1 Policy on use of cryptographic controls (continued)
    Whether the cryptographic policy considers the management approach towards the use of cryptographic controls, risk assessment results identifying the required level of protection, key management methods, and the various standards for effective implementation.

8.3.2  12.3.2 Key management
    Whether key management is in place to support the organization's use of cryptographic techniques.
    Whether cryptographic keys are protected against modification, loss and destruction.
    Whether secret keys and private keys are protected against unauthorized disclosure.
    Whether the equipment used to generate and store keys is physically protected.
    Whether the key management system is based on an agreed set of standards, procedures and secure methods.

8.4    12.4   Security of system files

8.4.1  12.4.1 Control of operational software
    Whether there are procedures in place to control the installation of software on operational systems. (This is to minimise the risk of corruption of operational systems.)

8.4.2  12.4.2 Protection of system test data
    Whether system test data is protected and controlled.
    Whether the use of personal information or any other sensitive information from operational databases for testing is avoided.

8.4.3  12.4.3 Access control to program source code
    Whether strict controls are in place to restrict access to program source libraries. (This is to avoid the potential for unauthorized or unintentional changes.)

8.5    12.5   Security in development and support services

8.5.1  12.5.1 Change control procedures
    Whether strict control procedures are in place over the implementation of changes to information systems. (This is to minimise the corruption of information systems.)
    Whether this procedure addresses the need for risk assessment, analysis of the impacts of changes,
8.5.2  12.5.2 Technical review of applications after operating system changes
    Whether there is a process or procedure in place to review and test business-critical applications for adverse impact on organizational operations or security after changes to operating systems. Periodically it is necessary to upgrade the operating system, i.e. to install service packs, patches, hot fixes, etc.

8.5.3  12.5.3 Restrictions on changes to software packages
    Whether modifications to software packages are discouraged and/or limited to necessary changes.
    Whether all changes are strictly controlled.

8.5.4  12.5.4 Information leakage
    Whether controls are in place to prevent information leakage.
    Whether controls such as scanning of outbound media, regular monitoring of personnel and system activities where permitted under local legislation, and monitoring of resource usage are considered.

8.5.5  12.5.5 Outsourced software development
    Whether outsourced software development is supervised and monitored by the organization.
    Whether points such as licensing arrangements, escrow arrangements, contractual requirements for quality assurance, and testing before installation to detect Trojan code are considered.

8.6    12.6   Technical vulnerability management

8.6.1  12.6.1 Control of technical vulnerabilities
    Whether timely information about the technical vulnerabilities of the information systems in use is obtained.
    Whether the organization's exposure to such vulnerabilities is evaluated and appropriate measures taken to mitigate the associated risk.

Information Security Incident Management

9.1    13.1   Reporting information security events and weaknesses

9.1.1  13.1.1 Reporting information security events
    Whether information security events are reported through appropriate management channels as quickly as possible.
    Whether a formal information security event reporting procedure, and incident response and escalation procedures, are developed and implemented.
9.1.2 13.1.2 Reporting security weaknesses
Whether there exists a procedure that ensures all employees using information systems and services are required to note and report any observed or suspected security weakness in the systems or services.

9.2 13.2 Management of information security incidents and improvements
9.2.1 13.2.1 Responsibilities and procedures
Whether management responsibilities and procedures were established to ensure a quick, effective and orderly response to information security incidents. Whether monitoring of systems, alerts and vulnerabilities is used to detect information security incidents. Whether the objective of information security incident management is agreed with the management.

9.2.2 13.2.2 Learning from information security incidents
Whether there is a mechanism in place to identify and quantify the type, volume and costs of information security incidents. Whether the information gained from the evaluation of past information security incidents is used to identify recurring or high impact incidents.

9.2.3 13.2.3 Collection of evidence
Whether, where follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence relating to the incident is collected, retained and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s). Whether internal procedures are developed and followed when collecting and presenting evidence for the purpose of disciplinary action within the organization.

Business Continuity Management
10.1 14.1 Information security aspects of business continuity management
10.1.1 14.1.1 Including information security in the business continuity management process
Whether there is a managed process in place that addresses the information security requirements for developing and maintaining business continuity throughout the organization.
10.1.1 14.1.1 Including information security in the business continuity management process (continued)
Whether this process understands the risks the organization is facing, identifies business critical assets, identifies incident impacts, considers the implementation of additional preventative controls and documents the business continuity plans addressing the security requirements.

10.1.2 14.1.2 Business continuity and risk assessment
Whether events that cause interruption to business processes are identified, along with the probability and impact of such interruptions and their consequences for information security.

10.1.3 14.1.3 Developing and implementing continuity plans including information security
Whether plans were developed to maintain and restore business operations and ensure availability of information at the required level in the required time frame following an interruption or failure of business processes. Whether the plan considers identification and agreement of responsibilities, identification of acceptable loss, implementation of recovery and restoration procedures, documentation of procedures and regular testing.

10.1.4 14.1.4 Business continuity planning framework
Whether there is a single framework of business continuity plans. Whether this framework is maintained to ensure that all plans are consistent and identify priorities for testing and maintenance. Whether the business continuity plans address the identified information security requirements.

10.1.5 14.1.5 Testing, maintaining and re-assessing business continuity plans
Whether business continuity plans are tested regularly to ensure that they are up to date and effective. Whether business continuity plan tests ensure that all members of the recovery team and other relevant staff are aware of the plans and their responsibility for business continuity and information security, and know their role when the plan is invoked.

Compliance
11.1 15.1 Compliance with legal requirements
11.1.1 15.1.1 Identification of applicable legislation
Whether all relevant statutory, regulatory and contractual requirements, and the organizational approach to meeting these requirements, were explicitly defined and documented for each information system and for the organization. Whether specific controls and individual responsibilities to meet these requirements were defined and documented.

11.1.2 15.1.2 Intellectual property rights (IPR)
Whether there are procedures to ensure compliance with legislative, regulatory and contractual requirements on the use of material in respect of which there may be intellectual property rights, and on the use of proprietary software products. Whether the procedures are well implemented. Whether controls such as: publishing an intellectual property rights compliance policy, procedures for acquiring software, policy awareness, maintaining proof of ownership, and complying with software terms and conditions are considered.

11.1.3 15.1.3 Protection of organizational records
Whether important records of the organization are protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual and business requirements. Whether consideration is given to the possibility of deterioration of the media used for storage of records. Whether data storage systems were chosen so that required data can be retrieved in an acceptable timeframe and format, depending on the requirements to be fulfilled.

11.1.4 15.1.4 Data protection and privacy of personal information
Whether data protection and privacy is ensured as per relevant legislation and regulations and, if applicable, as per the contractual clauses.

11.1.5 15.1.5 Prevention of misuse of information processing facilities
Whether use of information processing facilities for any non-business or unauthorized purpose, without management approval, is treated as improper use of the facility.
11.1.5 15.1.5 Prevention of misuse of information processing facilities (continued)
Whether a log-on warning message is presented on the computer screen prior to log-on. Whether the user has to acknowledge the warning and react appropriately to the message on the screen to continue with the log-on process. Whether legal advice is taken before implementing any monitoring procedures.

11.1.6 15.1.6 Regulation of cryptographic controls
Whether the cryptographic controls are used in compliance with all relevant agreements, laws and regulations.

11.2 15.2 Compliance with security policies and standards, and technical compliance
11.2.1 15.2.1 Compliance with security policies and standards
Whether managers ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards. Whether managers regularly review the information processing facilities within their area of responsibility for compliance with the appropriate security policies and procedures.

11.2.2 15.2.2 Technical compliance checking
Whether information systems are regularly checked for compliance with security implementation standards. Whether the technical compliance check is carried out by, or under the supervision of, competent, authorized personnel.

11.3 15.3 Information systems audit considerations
11.3.1 15.3.1 Information systems audit controls
Whether audit requirements and activities involving checks on operational systems are carefully planned and agreed to minimise the risk of disruption to business processes. Whether the audit requirements and scope are agreed with appropriate management.

11.3.2 15.3.2 Protection of information systems audit tools
Whether access to information systems audit tools, such as software or data files, is protected to prevent any possible misuse or compromise. Whether information systems audit tools are separated from development and operational systems, unless given an appropriate level of additional protection.
Compliance per Control

Domain / Objectives / Status (%)

Security Policy
  Information Security Policy  0%
Organization of Information Security
  Internal Organization  0%
  External Parties  0%
Asset Management
  Responsibilities for assets  0%
  Information Classification  0%
Human resources security
  Prior to Employment  0%
  During Employment  0%
  Termination or change of employment  0%
Physical and Environmental security
  Secure Areas  0%
  Equipment Security  0%
Communication and Operations Management
  Operational procedures and responsibilities  0%
  Third party service delivery management  0%
  System planning and acceptance  0%
  Protection against malicious and mobile code  0%
  Backup  0%
  Network Security Management  0%
  Media handling  0%
  Exchange of information  0%
  Electronic commerce services  0%
  Monitoring  0%
Access Control
  Business requirement for access control  0%
  User Access Management  0%
  User Responsibilities  0%
  Network Access control  0%
  Operating system access control  0%
  Application and information access control  0%
  Mobile computing and teleworking  0%
Information system acquisition, development and maintenance
  Security requirements of information systems  0%
  Correct processing in applications  0%
  Cryptographic controls  0%
  Security of system files  0%
  Security in development and support services  0%
  Technical vulnerability management  0%
Information security incident management
  Reporting information security events and weaknesses  0%
  Management of information security incidents and improvements  0%
Business Continuity Management
  Information security aspects of business continuity management  0%
Compliance
  Compliance with legal requirements  0%
  Compliance with security policies and standards, and technical compliance  0%
  Information systems audit considerations  0%
Compliance per Domain

Domain / Status (%)

Security Policy  0%
Organization of Information Security  0%
Asset Management  0%
Human resources security  0%
Physical and Environmental security  0%
Communication and Operations Management  0%
Access Control  0%
Information system acquisition, development and maintenance  0%
Information security incident management  0%
Business Continuity Management  0%
Compliance  0%
Graphical Representation

[Chart: Compliance per Domain. X axis: Domain (Security Policy; Organization of Information Security; Asset Management; Human resources security; Physical and Environmental security; Communication and Operations Management; Access Control; Information system acquisition, development and maintenance; Information security incident management; Business Continuity Management; Compliance). Y axis: Status (%), 0% to 100% in steps of 20%. All eleven bars read 0%.]
Instructions

Compliance Checklist
In the field "Findings" fill in the evidence that you saw and your assessment of the implementation.
In the field "Status (%)" fill in the compliance level on the scale below.
Conditional formatting has been provided on the "Compliance Checklist" sheet under the "Status (%)" field, with three bands: 1 to 25, 26 to 75, and 76 to 100.
If any of the controls is not applicable, enter "NA" or anything else that denotes that the particular control is not applicable to the organization.

Compliance Per Control
Kindly note: this sheet has been automated and will show the status pertaining to each control objective, as per your status in the "Compliance Checklist" sheet.

Compliance Per Domain
Kindly note: this sheet has been automated and will show the status pertaining to each domain, as per your status in the "Compliance Checklist" sheet.

Graphical Representation
This gives a graphical representation of the status per domain, which can be incorporated into your presentation to management.
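The roll-up that the automated sheets perform, written out as an added example so an auditor can reproduce the figures outside the workbook. This is not the workbook's own formula, which the page does not show; it assumes that an objective's or domain's status is the arithmetic mean of its applicable controls, rounded to a whole percent, that controls marked "NA" are excluded rather than counted as 0, and that the bands are the three the instruction sheet names (1 to 25, 26 to 75, 76 to 100). The sample rows are constructed, not real audit findings.

```python
"""Roll up per-control "Status (%)" entries into per-objective and per-domain
figures, as an added example of what the automated sheets do.

Assumptions (this is not the workbook's own formula, which the page does not show):
- a roll-up is the arithmetic mean of the applicable controls' statuses, rounded
  to the nearest whole percent; controls marked "NA" are excluded;
- an objective or domain whose controls are all "NA" reports None rather than 0;
- the bands are the ones the instruction sheet names: 1 to 25, 26 to 75, 76 to 100.
"""
from collections import defaultdict

# Constructed sample rows (domain, control objective, ISO 27001:2005 control,
# status); not real audit findings.
SAMPLE_ROWS = [
    ("Compliance", "Compliance with legal requirements", "15.1.1", 80),
    ("Compliance", "Compliance with legal requirements", "15.1.2", 40),
    ("Compliance", "Compliance with legal requirements", "15.1.6", "NA"),
    ("Compliance", "Information systems audit considerations", "15.3.1", 100),
    ("Compliance", "Information systems audit considerations", "15.3.2", "60%"),
    ("Access Control", "User Access Management", "11.2.1", 10),
    ("Access Control", "User Access Management", "11.2.2", 20),
    ("Business Continuity Management",
     "Information security aspects of business continuity management", "14.1.1", 0),
    ("Asset Management", "Information Classification", "7.2.1", "NA"),
]


def parse_status(value):
    """Normalise one Status (%) cell: int 0-100 -> int, "NA"/"N/A" -> None.

    Accepts "60" and "60%" as well as plain ints; anything else is rejected so a
    typo in the sheet surfaces instead of silently becoming a score.
    """
    if isinstance(value, bool):            # bool is an int subclass; never a score
        raise ValueError(f"invalid status {value!r}")
    if isinstance(value, int):
        number = value
    elif isinstance(value, str):
        text = value.strip().upper()
        if text in ("NA", "N/A"):
            return None
        try:
            number = int(text.rstrip("%").strip())
        except ValueError:
            raise ValueError(f"invalid status {value!r}") from None
    else:
        raise ValueError(f"invalid status {value!r}")
    if not 0 <= number <= 100:
        raise ValueError(f"status out of range: {value!r}")
    return number


def _mean(values):
    """Mean of applicable statuses, rounded; None when nothing was applicable."""
    if not values:
        return None
    return round(sum(values) / len(values))


def rollup(rows):
    """Return ({(domain, objective): status}, {domain: status}) with NA excluded."""
    per_objective = defaultdict(list)
    per_domain = defaultdict(list)
    for domain, objective, _control, raw in rows:
        # Register the keys first so an all-NA group still appears (as None).
        per_objective.setdefault((domain, objective), [])
        per_domain.setdefault(domain, [])
        status = parse_status(raw)
        if status is None:
            continue
        per_objective[(domain, objective)].append(status)
        per_domain[domain].append(status)
    return (
        {key: _mean(vals) for key, vals in per_objective.items()},
        {key: _mean(vals) for key, vals in per_domain.items()},
    )


def band(status):
    """Map a rolled-up status to the instruction sheet's three bands.

    0 lies outside the listed ranges (they start at 1) and is reported as "0";
    None (all controls NA) is reported as "NA".
    """
    if status is None:
        return "NA"
    if status == 0:
        return "0"
    if status <= 25:
        return "1-25"
    if status <= 75:
        return "26-75"
    return "76-100"


if __name__ == "__main__":
    objectives, domains = rollup(SAMPLE_ROWS)
    for (domain, objective), status in sorted(objectives.items()):
        print(f"{domain} / {objective}: {status} ({band(status)})")
    for domain, status in sorted(domains.items()):
        print(f"{domain}: {status} ({band(status)})")
```

Excluding "NA" rather than treating it as 0 matters: with the sample rows, the legal-requirements objective scores 60 (the mean of 80 and 40), not 40, and an objective whose controls are all "NA" is reported as not applicable instead of dragging its domain to 0.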