Information

  • Audit Title

  • Document No.

  • Client / Site

  • Conducted on

  • Prepared by

  • Location

  • Personnel

4.2.1 Establish the ISMS.

  • 4.2.1(a) Are the scope and the boundaries of the ISMS defined in terms of the characteristics of the business, the organisation, its location, assets and technology?

  • 4.2.1(a) Are exclusions from the standard identified, documented and justified?

4.2.1(b) ISMS Policy.

  • 4.2.1(b) (1) Does the ISMS policy provide a framework for setting objectives, and establish an overall sense of direction and principles for action with regard to IS?

  • 4.2.1(b) (2) Does the ISMS policy take into account business, legal, regulatory, contractual security requirements?

  • 4.2.1(b) (3) Does the policy align with the organisation's strategic risk management context in which the establishment and maintenance of the ISMS will take place?

  • 4.2.1(b) (4) Does the ISMS policy establish the criteria against which risk will be evaluated?

  • 4.2.1(b) (5) Is the ISMS policy defined and approved by management?

  • Record the date the ISMS policy was last updated

4.2.1 (c) Risk Assessment.

  • 4.2.1 (c) (1) Is the risk assessment approach defined and suited to the ISMS and the identified business IS, legal and regulatory requirements?

  • 4.2.1 (c) (2) Describe how risks are identified, analysed, evaluated and treated, and what the acceptable level of risk is.

4.2.1 (d) Identify the risks.

  • 4.2.1 (d) (1) Have the assets and the owners of these assets, within the scope of the ISMS, been identified?

  • 4.2.1 (d) (2) Have the threats to these assets been identified?

  • 4.2.1 (d) (3) Have the vulnerabilities that might be exploited by these threats been identified?

  • 4.2.1 (d) (4) Have the impacts that losses of confidentiality, integrity and availability may have on assets been identified?

  • Record the date the Risk Assessment was last updated

4.2.1 (e) Analyse and evaluate the risks.

  • 4.2.1 (e) (1) Are the risks analysed and evaluated in terms of the business impacts on the organisation that might result from security failures?

  • 4.2.1 (e) (2) Are the risks analysed and evaluated in terms of the realistic likelihood of security failures occurring in the light of prevailing threats and vulnerabilities?

  • 4.2.1 (e) (3) Are the risks analysed and evaluated in terms of the level of estimated risk?

  • 4.2.1 (e) (4) Are the risks analysed and evaluated in terms of whether the risks are acceptable or require treatment, using the criteria for accepting risks identified in 4.2.1 (c)?

4.2.1 (f) Identify and evaluate options for the treatment of risks.

  • 4.2.1(f) Are the options for the treatment of risks identified and evaluated?

  • 4.2.1(f) (1) Have appropriate controls been applied?

  • 4.2.1(f) (2) Has the organisation knowingly and objectively accepted risk, provided they clearly satisfy the organisation's policies and the criteria for accepting risk (see 4.2.1(c) (2))?

  • 4.2.1(f) (3) Has the organisation avoided any risks?

  • 4.2.1(f) (4) Have any risks been transferred to other parties e.g. insurers, suppliers?

4.2.1(g) Select control objectives and controls for the treatment of risk.

  • 4.2.1(g) Have control objectives and controls for the treatment of risk been selected?

  • 4.2.1(g) Have the control objectives and controls from Annex A of 17025:2005 been selected as part of this process suitable to cover the identified requirements?

4.2.1(h) Management approval of proposed residual risks

  • 4.2.1(h) Has management approval of proposed residual risks been obtained?

4.2.1(i) Management approval to implement and operate the ISMS.

  • 4.2.1(i) Has management approval been obtained to implement and operate the ISMS?

4.2.1 (j) Statement of Applicability

  • 4.2.1(j) (1) Does the SoA include the control objectives and controls selected in 4.2.1(g) and the reasons for their selection?

  • 4.2.1(j) (2) Does the SoA include the control objectives and controls currently implemented? (reference 4.2.1(e) (2))

  • 4.2.1(j) (3) Does the SoA include the exclusions of any control objective and controls in Annex A and the justification for their exclusion?

  • Record the date the SoA was last updated

4.2.2 Implement and Operate the ISMS

  • 4.2.2(a) Is the risk treatment plan formulated to identify the appropriate management action, resources, responsibilities and priorities for managing information security risks?

  • 4.2.2(b) Is the risk treatment plan implemented in order to achieve the identified control objectives, including consideration of funding and allocation of roles and responsibilities?

  • 4.2.2(c) Are selected security controls in 4.2.1(g) implemented to meet the control objectives?

  • 4.2.2(d) Is the measurement of the effectiveness of the selected security controls or groups of controls defined?

  • 4.2.2(d) Does this measurement produce comparable and reproducible results? Is the specification of how this is done recorded?

  • 4.2.2(e) Are the ISMS training and awareness programmes implemented?

  • 4.2.2(f) Is the operation of the ISMS managed?

  • 4.2.2(g) Are the resources for the ISMS managed?

  • 4.2.2(h) Are the procedures and other controls capable of enabling prompt detection of security events and response to security incidents implemented?

Major non-conformances

  • List any MAJOR non-conformances

Minor non-Conformances

  • List all MINOR non-conformances

Observations and opportunities for improvement

  • List any observations or opportunities for improvement

  • Sign off the audit

The templates available in our Public Library have been created by our customers and employees to help get you started using SafetyCulture's solutions. The templates are intended to be used as hypothetical examples only and should not be used as a substitute for professional advice. You should seek your own professional advice to determine if the use of a template is permissible in your workplace or jurisdiction. You should independently determine whether the template is suitable for your circumstances.