Title Page
-
Client Name
-
Client Logo
-
Site conducted
-
Conducted on
-
Prepared by
ISO 27001 Checklist
Clause 4: Context of the Organisation
-
4.1 Have external and internal issues that affect the ISMS been identified and documented?
-
4.2 Are the needs and expectations of interested parties identified and documented?
-
4.3 Is the scope of the ISMS clearly defined, including boundaries and applicability?
-
4.4 Is the ISMS established, implemented, maintained and continually improved?
Clause 5: Leadership
-
5.1 Does top management demonstrate leadership and commitment to the ISMS?
-
5.2 Is there an information security policy that is appropriate, communicated, and regularly reviewed?
-
5.3 Are roles, responsibilities and authorities for ISMS clearly assigned and communicated?
Clause 6: Planning
-
6.1 Are risks and opportunities that could impact ISMS objectives identified and addressed?
-
6.1.1 Is there a documented risk assessment process in place?
-
6.1.2 Is there a risk treatment plan with selected controls based on Annex A?
-
6.2 Are information security objectives established, measurable and consistent with the ISMS policy?
-
6.3 Are planned changes to the ISMS documented and effectively controlled?
Clause 7: Support
-
7.1 Are adequate resources allocated for the ISMS?
-
7.2 Is staff competence verified and maintained through training and qualifications?
-
7.3 Are employees aware of their roles in maintaining information security?
-
7.4 Are internal and external communication processes for ISMS defined and documented?
-
7.5 Is all required ISMS documentation created, controlled and accessible?
Clause 8: Operation
-
8.1 Are ISMS processes planned, implemented and controlled effectively?
-
8.2 Is a formal and documented information security risk assessment conducted regularly?
-
8.3 Are risk treatment plans implemented and controls applied effectively?
Clause 9: Performance Evaluation
-
9.1 Are ISMS performance metrics defined, monitored and analyzed?
-
9.2 Are internal audits conducted regularly, with findings documented and reviewed?
-
9.3 Does top management conduct periodic management reviews of the ISMS?
Clause 10: Improvement
-
10.1 Are nonconformities addressed with root cause analysis and corrective actions?
-
10.2 Is the ISMS continually improved to enhance its effectiveness and adapt to changes?
Annex A: Information Security Controls
-
A.5: Information Security Policies
Objective: Ensure that information security policies are in place and aligned with the organization's strategic direction.

Controls:
A.5.1.1: Policies for information security are defined, approved, communicated, and reviewed.
Evidence Required:
Approved and signed information security policy.
Evidence of policy communication and periodic reviews.
-
A.6: Organization of Information Security
Objective: Establish a framework to manage information security responsibilities.

Controls:
A.6.1.1: Allocation of information security roles and responsibilities.
A.6.1.2: Segregation of conflicting duties to reduce risk.
A.6.1.3: Contact with authorities regarding information security matters.
A.6.1.4: Contact with special interest groups for information sharing.
A.6.2.1: Mobile device and teleworking policies.
Evidence Required:
Organizational charts, roles, and responsibilities.
Policies for mobile devices, teleworking, and segregation of duties.
-
A.7: Human Resource Security
Objective: Ensure employees and contractors understand their responsibilities and are suitable for their roles.

Controls:
A.7.1.1: Screening processes for employees.
A.7.2.1: Information security awareness and training.
A.7.3.1: Disciplinary processes for security breaches.
Evidence Required:
Pre-employment screening records.
Training attendance logs and materials.
Disciplinary policy and records of actions taken.
-
A.8: Asset Management
Objective: Identify and protect organizational assets.

Controls:
A.8.1.1: Asset inventory management.
A.8.1.2: Ownership of assets.
A.8.2.1: Classification of information.
A.8.3.1: Secure disposal of assets.
Evidence Required:
Asset registers.
Information classification policies.
Records of secure data and asset disposal.
-
A.9: Access Control
Objective: Ensure access to information is restricted to authorized users.

Controls:
A.9.1.1: Access control policy.
A.9.2.1: User access management processes.
A.9.3.1: Secure user authentication techniques.
A.9.4.1: Secure system and application access.
Evidence Required:
Access control policy.
User access logs, approvals, and reviews.
Evidence of secure authentication (e.g., MFA logs).
-
A.10: Cryptography
Objective: Ensure the confidentiality, integrity, and availability of information through cryptographic techniques.

Controls:
A.10.1.1: Cryptographic controls policy.
A.10.1.2: Key management practices.
Evidence Required:
Cryptographic policies and procedures.
Encryption implementation records and key management logs.
-
A.11: Physical and Environmental Security
Objective: Prevent unauthorized physical access, damage, and interference to information.

Controls:
A.11.1.1: Secure areas (e.g., locked server rooms).
A.11.2.1: Equipment security.
A.11.2.7: Secure disposal of equipment.
Evidence Required:
Physical access control logs.
Equipment maintenance and secure disposal records.
-
A.12: Operations Security
Objective: Ensure information processing facilities operate securely.

Controls:
A.12.1.1: Operational procedures and responsibilities.
A.12.3.1: Backup policy and implementation.
A.12.4.1: Event logging and monitoring.
A.12.5.1: Installation of software on operational systems.
Evidence Required:
Operational procedure documents.
Backup logs and recovery test records.
Event and activity logs.
-
A.13: Communications Security
Objective: Ensure the security of information in networks and its transfer.

Controls:
A.13.1.1: Network controls to protect data in transit.
A.13.2.1: Secure transfer of information.
Evidence Required:
Network architecture diagrams.
Evidence of encryption for data in transit.
-
A.14: System Acquisition, Development, and Maintenance
Objective: Ensure security is integrated into the development lifecycle.

Controls:
A.14.1.1: Secure development policies.
A.14.2.1: Secure testing of systems.
Evidence Required:
Development and testing policies.
Security test results for new systems.
-
A.15: Supplier Relationships
Objective: Ensure suppliers protect organizational information.

Controls:
A.15.1.1: Information security in supplier agreements.
A.15.2.1: Monitoring supplier service delivery.
Evidence Required:
Supplier contracts with security clauses.
Supplier performance and audit reports.
-
A.16: Information Security Incident Management
Objective: Ensure a consistent response to security incidents.

Controls:
A.16.1.1: Incident management responsibilities and procedures.
A.16.1.2: Incident reporting and escalation.
A.16.1.3: Learning from incidents.
Evidence Required:
Incident response plan and records.
Incident logs and root cause analysis reports.
-
A.17: Information Security Aspects of Business Continuity Management
Objective: Ensure business continuity in the event of a security incident.

Controls:
A.17.1.1: Information security continuity planning.
A.17.2.1: Testing and reviewing continuity plans.
Evidence Required:
Business continuity plans.
Records of continuity plan tests and updates.
Declaration
-
Auditor Sign off
-
Client Sign off