Home
All industries
ISO27001:2005 A10 Communications & Ops Management, A11 Access Control & A12 Ecryption
ISO27001:2005 A10 Communications & Ops Management, A11 Access Control & A12 Ecryption
Anonymous

ISO27001:2005 A10 Communications & Ops Management, A11 Access Control & A12 Ecryption

Use this Template
Print as PDF
graphic of a hand making an okay sign ×

Free ISO27001:2005 A10 Communications & Ops Management, A11 Access Control & A12 Ecryption Checklist

Use this Template

Information

  • Audit Title

  • Document No.

  • Client / Site

  • Conducted on

  • Prepared by

  • Location

  • Personnel

A10 Communications and Operations Management

A10.1 Operational procedures and responsibilities

  • A10.1.1 Are the operating procedures documented, maintained and made available to all users who need them?

  • A10.1.2 Are changes to information processing facilities and systems controlled?

  • A10.1.3 Are duties and areas of responsibilities segregated in order to reduce opportunities for un-authorised modification or misuse of organisation assets?

  • A10.1.4 Are development, test and operational facilities separated to reduce risks of unauthorised access or changes to the operational system?

A10.2 Third Party Service Delivery Management

  • A10.2.1 Are the security control, service definitions and delivery levels included in the 3rd party delivery agreement implemented, operated and maintained by the 3rd party?

  • A10.2.2 Are the services, reports and records provided by the 3rd party regularly monitored and reviewed? Are audits carried out on the services, reports and records provided carried out regularly?

  • A10.2.3 Are changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls managed, taking into account of the critically of business systems and processes involved and re-assessment of risks?

A10.3 System Planning & Acceptance

  • A10.3.1 Is the use of resources monitored and projections of future capacity requirements made to ensure required system performance?

  • A10.3.2 Is acceptance criteria for new information systems, upgrades and new versions established and suitable system tests carried out during development and prior to acceptance?

A10.4 Protection Against Malicious & Mobile Code

  • A10.4.1 Are detection, prevention and recovery controls implemented to protect against malicious s/w?

  • A10.4.2 Where the use of mobile code is authorised, are un-authorised mobile code prevented from being executed? Are mobile codes operating to a clearly defined security policy?

A10.5 Information Back-up

  • A10.5.1 Are back up copies of information and s/w taken regularly in accordance with the agreed back up policy?

A10.6 Network Security Management

  • A10.6.1 Are the networks adequately managed and controlled in order to be protected from threats and to maintain security for the systems and applications using the network, including information in transit?

  • A10.6.2 Are security features, service levels and management requirements of all network service identified and included in any network service agreements, whether these services are provided in-house or out-sourced?

A10.7 Media Handling

  • A10.7.1 Are procedures for the management of removable computer media, such as tapes, disks, cassettes and printer reports established and implemented?

  • A10.7.2 Are media disposed of securely and safely when no longer required, using formal procedures?

  • A10.7.3 Are procedures for the handling and storage of information established to protect such information from unauthorised disclosure or misuse?

  • A10.7.4 Are system documentation protected against unauthorised access?

A10.8 Exchange of information

  • A10.8.1 Are formal exchange policies, procedures and controls in place to protect the exchange of information through the use of all types of communication facilities?

  • A10.8.2 Are agreements established for the electronic or manual exchange of information and s/w between the organisation and external parties?

  • A10.8.3 Is the media containing information being transported protected from unauthorised access, misuse or corruption?

  • A10.8.4 Is information in electronic messaging appropriately protected?

  • A10.8.5 Are policies and procedures developed and maintained to protect information associated with the inter-connection o business information systems?

A10.9 Electronic commerce Services

A10.10 Monitoring Information Processing Activities

  • A10.10.1 Are audit logs recording user activities, exceptions and information security events produced and kept for an agreed period to assist in future investigations and access control monitoring?

  • A10.10.2 Are procedures for the monitoring the use of information processing facilities established and the results of the monitoring activities reviewed regularly?

  • A10.10.3 Are he logging facilities and log information protected against tampering and unauthorised access?

  • A10.10.4 Are system administrator and system operator activities logged?

  • A10.10.5 Are faults logged, analysed and appropriate action taken?

  • A10.10.6 Are all clocks of all relevant processing systems within the organisation or security domain synchronised within an agreed accurate time source?

A11 Access Control

A11.1 Business requirements for access control

  • A11.1 Is an access control policy established, documented, reviewed and implemented based on business and security requirements for access?

A11.2 User access management

  • A11.2.1 Is there a formal user registration and de-registration procedure for granting and revoking access to all information systems and services?

  • A11.2.2 Is the allocation and use of privileges restricted and controlled?

  • A11.2.3 Is the allocation of passwords controlled through a formal management process?

  • A11.2.4 Do management review user's access rights at regular intervals using a formal process?

A11.3 User Responsibilities

  • A11.3.1 Are all users required to follow good security practices in the selection and use of passwords?

  • A11.3.2 Are users required to ensure that unattended equipment has appropriate protection?

  • A11.3.3 Is a clear desk policy for papers and removable storage media and a clear scree policy for information processing facilities adopted?

A11.4 Network access control

  • A11.4.1 Do users only have direct access to the services that they have been specifically authorised to use?

  • A11.4.2 Are appropriate authentication methods used to control access by remote users?

  • A11.4.3 Is automatic equipment identification considered as a means to authenticate connections from specific locations and equipment?

  • A11.4.4 Are physical and logical access to diagnostics and configuration ports controlled?

  • A11.4.5 Are groups of information services ,users and information systems segregated on networks?

  • A11.4.6 For shared networks, is the capability of users to connect to the network restricted in accordance with the access control policy and requirements of the business application?

  • A11.4.7 Are routing controls implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications?

A11.5 Operating system access control

  • A11.5.1 Is access to operating systems controlled by a secure log-on procedure?

  • A11.5.2 Do all users have a unique identifier (user id) for their personal use? Is a suitable authentication technique chosen to substantiate the claimed identity of the user?

  • A11.5.3 Is a password management system in place to provide an effective, interactive facility that ensures quality passwords?

  • A11.5.4 Is the use of system utility programmes that might be capable of overriding system and application controls restricted and tightly controlled?

  • A11.5.5 Are inactive sessions shut down after a defined period of inactivity?

  • A11.5.6 Are restrictions on connection times used to provide additional security for high-risk applications?

A11.6 Application & information access control

  • Is access to informtion and application system functions by users and support staff restricted in accordance with the access control policy?

  • Do sensitive systems have a dedicated (isolated) computing environment?

A11.7 Mobile computing and Tele-working

  • Is a formal policy in place and appropriate security measures adopted to protect against risks of using mobile computing and communication facilities?

  • Are policies, operational plans and procedures developed and implemented to authorise and control tele-working activities?

A12 Information system aquisition development and maintenance

A12.1 Security requirements of information systems

  • A12.1.1 Do statement of business requirements for new information systems or enhancements to existing information systems specify requirements for security controls?

A12.2 Correct processing in applications

  • A12.2.1 Is data input to applications validated to ensure that it is correct and appropriate?

  • A12.2.2 Are validation checks incorporated into applications to detect any corruption of information through processing error or deliberate acts?

  • A12.2.3 Are requirements for ensuring authenticity and protecting message integrity in applications identified, and appropriate control identified and implemented?

  • A12.2.4 Is data output from an application validated to ensure that the processing of stored information is correct and appropriate to the circumstances?

A12.3 Cryptographic controls

  • A12.3.1 Is a policy on the use of cryptographic controls for the protection of information developed and implemented?

  • A12.3.2 Is key management in place to support the organisations use of cryptographic techniques?

A12.4 Security of system files

  • A12.4.1 Are procedures in place to control the installation of s/w on operational systems?

  • A12.4.2 Are test data selected carefully, protected and controlled?

  • A12.4.3 Is access to program source code restricted?

A12.5 Security in development and support processes

  • A12.5.1 Is the implementation of changes controlled by the use of formal change control procedures?

  • A12.5.2 Are business critical applications reviewed and tested to ensure that there is no adverse impact on operations or security when OS changes occur?

  • A12.5.3 Are modifications to s/w packages discouraged and limited to necessary changes? Are the changes strictly controlled?

  • A12.5.4 Are opportunities for information leakage prevented?

  • A12.5.5 Are outsourced s/w development supervised and monitored by the organisation/

A12.6 Technical vulnerability management

  • 12.6.1 Is timely information about technical vulnerability of information systems being used obtained? is the organisations exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk?

Major non-conformances

  • List any MAJOR non-conformances

Minor non-Conformances

  • List all MINOR non-conformances

Observations and opportunities for improvemement

  • List any observations or opportunities for improvement

Audit sign off

  • Auditee name:

  • Auditee signature:

  • Auditor name:

  • Auditor signature:

ISO27001:2005 A10 Communications & Ops Management, A11 Access Control & A12 Ecryption
Anonymous

ISO27001:2005 A10 Communications & Ops Management, A11 Access Control & A12 Ecryption

Use this Template
The templates available in our Public Library have been created by our customers and employees to help get you started using SafetyCulture's solutions. The templates are intended to be used as hypothetical examples only and should not be used as a substitute for professional advice. You should seek your own professional advice to determine if the use of a template is permissible in your workplace or jurisdiction. You should independently determine whether the template is suitable for your circumstances.

Related checklists

Incident Report
Anonymous
Incident Report
26,814 Downloads
Daily Temperature Log
Anonymous
Daily Temperature Log
20,437 Downloads
Heavy Vehicle Inspection
Anonymous
Heavy Vehicle Inspection
19,778 Downloads
Employee File Checklist
Anonymous
Employee File Checklist
10,143 Downloads
Mine Site Safety Inspection
Anonymous
Mine Site Safety Inspection
9,529 Downloads
Food Safety & HACCP Audit
Anonymous
Food Safety & HACCP Audit
7,993 Downloads
Rig Inspection
Anonymous
Rig Inspection
6,824 Downloads
Residence Inn Guest room inspection
Anonymous
Residence Inn Guest room inspection
6,621 Downloads
equipment log
Anonymous
equipment log
6,492 Downloads
Injury, Accident, Incident Report
Anonymous
Injury, Accident, Incident Report
6,406 Downloads
back arrow for carousel
back arrow for carousel
iAuditor Logo Icon ©SafetyCulture 2022