ISO 27001

Clause | Mandatory requirement for the ISMS | Status
4 | Information Security Management System |
4.1 | General requirements: The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS | D
4.2 | Establishing and managing the ISMS |
4.2.1 | Establish the ISMS |
4.2.1 (a) | Define the scope and boundaries of the ISMS | D
4.2.1 (b) | Define an ISMS policy | D
4.2.1 (c) | Define the risk assessment approach | D
4.2.1 (d) | Identify the risks | RD
4.2.1 (e) | Analyse and evaluate the risks | RD
4.2.1 (f) | Identify and evaluate options for the treatment of risks | RD
4.2.1 (g) | Select control objectives and controls for the treatment of risks | D
4.2.1 (h) | Obtain management approval of the proposed residual risks | RD
4.2.1 (i) | Obtain management authorization to implement and operate the ISMS | RD
4.2.1 (j) | Prepare a Statement of Applicability [see the SoA spreadsheet] | D
4.2.2 | Implement the ISMS |
4.2.2 (a) | Formulate a risk treatment plan | RD
4.2.2 (b) | Implement the risk treatment plan in order to achieve the identified control objectives | RD
4.2.2 (c) | Implement controls selected in 4.2.1g to meet the control objectives | RD
Annexure-A controls (extract)

Control | Control name | Requirement | Owner | Status
A.6.2.2 | Addressing security when dealing with customers | All identified security requirements shall be addressed before giving customers access to the organization's information or assets. | IT | D
A.8.3 | Termination or change of employment | To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner. | |
A10.2.2 | Monitoring and review of third party services | The services, reports and records provided by the third party shall be regularly monitored and reviewed, and audits shall be carried out regularly. | CISO | D
A10.7.1 | Management of removable media | There shall be procedures in place for the management of removable media. | Administration | D
A10.7.2 | Disposal of media | Media shall be disposed of securely and safely when no longer required, using formal procedures. | Administration | D
A10.7.3 | Information handling procedures | Procedures for the handling and storage of information shall be established to protect this information from unauthorized disclosure or misuse. | Administration | D
A10.7.4 | Security of system documentation | System documentation shall be protected against unauthorized access. | IT | D
A11.2.2 | Privilege management | The allocation and use of privileges shall be restricted and controlled. | IT | D
A11.2.3 | User password management | The allocation of passwords shall be controlled through a formal management process. | IT | D
A11.2.4 | Review of user access rights | Management shall review users' access rights at regular intervals using a formal process. | IT | D
A11.3 | User responsibilities | To prevent unauthorized user access, and compromise or theft of information and information processing facilities. | |
A11.3.1 | Password use | Users shall be required to follow good security practices in the selection and use of passwords. | IT | D
A11.3.2 | Unattended user equipment | Users shall ensure that unattended equipment has appropriate protection. | IT | D
A11.3.3 | Clear desk and clear screen policy | A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. | IT | D
A11.4.4 | Remote diagnostic and configuration port protection | Physical and logical access to diagnostic and configuration ports shall be controlled. | IT | D
A11.4.5 | Segregation in networks | Groups of information services, users and information systems shall be segregated on networks. | IT | D
A11.4.6 | Network connection control | For shared networks, especially those extending across the organization's boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications (see 11.1). | IT | D
A11.4.7 | Network routing control | Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications. | IT | D
A11.5 | Operating system access control | To prevent unauthorized access to operating systems. | |
A11.5.1 | Secure log-on procedures | Access to operating systems shall be controlled by a secure log-on procedure. | IT | D
A11.5.2 | User identification and authentication | All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user. | IT | D
A11.5.3 | Password management system | Systems for managing passwords shall be interactive and shall ensure quality passwords. | IT | D
A11.5.5 | Session time-out | Inactive sessions shall be shut down after a defined period of inactivity. | IT | D
A11.5.6 | Limitation of connection time | Restrictions on connection times shall be used to provide additional security for high-risk applications. | IT | D
A11.6 | Application and information access control | To prevent unauthorized access to information held in application systems. | |
A13.2 | Management of information security incidents and improvements | To ensure a consistent and effective approach is applied to the management of information security incidents. | |
A13.2.2 | Learning from information security incidents | There shall be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored. | CISO | D
A15.1.4 | Data protection and privacy of personal information | Data protection and privacy shall be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses. | Finance | D
A15.1.5 | Prevention of misuse of information processing facilities | Users shall be deterred from using information processing facilities for unauthorized purposes. | Administration | D
A15.1.6 | Regulation of cryptographic controls | Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations. | IT | D
A15.2 | Compliance with security policies and standards, and technical compliance | To ensure compliance of systems with organizational security policies and standards. | |
A15.2.1 | Compliance with security policies and standards | Managers shall ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards. | Top Management | D
A15.2.2 | Technical compliance checking | Information systems shall be regularly checked for compliance with security implementation standards. | IT | D
A15.3 | Information system audit considerations | To maximize the effectiveness of and to minimize interference to/from the information systems audit process. | | D
A15.3.1 | Information systems audit controls | Audit requirements and activities involving checks on operational systems shall be planned carefully and agreed to minimize the risk of disruptions to business processes. | IT | D
A15.3.2 | Protection of information systems audit tools | Access to information systems audit tools shall be protected to prevent any possible misuse or compromise. | IT | D
Legend (ISO 27001:2005 clauses, implementation status)

Meaning | Count | Contribution %
Process complies with standard and is documented | 65 | 55%
Process is implemented and must be documented | 16 | 14%
Process does not comply with standard and must be redesigned | 35 | 30%
Process is not in place / not implemented | 1 | 1%
Process is not applicable | 1 | 1%
[Chart: Status - process implementation complies with ISO 27001:2005 standard and is documented, in percent (0% to 100%), by ISMS clause: 4.1/4.2 Establishing the ISMS, 4.3 Documentation requirement, 5.1 Management commitment, 5.2 Resource management, 6 Internal ISMS audit, 7.1 Management review - General, 7.2 Review input, 7.3 Review output, 8.1 Continual improvement, 8.2 Corrective action, 8.3 Preventive action]
[Pie chart: ISO 27001:2005 Annexure-A Controls Implementation Status by Classification in number and percentage: 128; 96% / 2; 2% / 1; 1% / 1; 1% / 1; 1%]

[Bar chart: ISO 27001:2005 clauses by status, count on the y-axis (0 to 80) with a compliance percentage series: Process complies with standard and is documented (65); Process is implemented and must be documented (16); Process does not comply with standard and must be redesigned (35); Process is not in place / not implemented (1); Process is not applicable (1)]
[Chart: Status - process implementation complies with ISO 27001:2005 standard and is documented; series: Compliance % and Goal (0% to 100%), by owner: Administration, CISO, Finance, HR, IT, Top Management, Training]
[Chart: Annexure - A Controls Implementation Status by Domain; series: Compliance % and Goal (0% to 120%); domains: Security Policy; Organization of information security; Human resources security; Physical and environmental security; Communications and operations management; Access Control; Information systems acquisition, development and maintenance; Information security incident management; Business continuity management; Compliance]
Legend

Implementation Status by ISO 27001:2005 - Clauses

Reference | Process complies with standard and is documented | Process is implemented and must be documented | Process does not comply with standard and must be redesigned | Process is not in place / not implemented | Process is not applicable | Total
ISO Clauses | 65 | 16 | 35 | 1 | 1 | 118

Implementation Status by ISO 27001:2005 - Annexure-A Controls

Reference | Controls implemented and documented | Controls implemented, must be documented | Controls not implemented, must comply with standards, needs to redesign | Control not implemented & documented | Controls not applicable | Total
Controls | 128 | 1 | 2 | 1 | 1 | 133

Goal: 100% for every clause and every Annexure-A domain.