Information

  • Document No.

  • Audit Title

  • Client / Site

  • Conducted on

  • Prepared by

  • Location

  • Personnel

4. CONTEXT OF THE ORGANIZATION

4.1 Understanding the organization and its context

  • Has the organization determined the external issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system?
    (for guidance see Clause 5.3 of ISO 31000:2009)

  • Has the organization determined the internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system?
    (for guidance see Clause 5.3 of ISO 31000:2009)

4.2 Understanding the needs and expectations of interested parties

  • Has the organization:
    a) determined the interested parties that are relevant to the information security management system?
    b) determined the requirements of these interested parties relevant to information security?

4.3 Determining the scope of the information security management system

  • Has the organization determined the boundaries and applicability of the information security management system to establish its scope?

  • Has the organization considered:
    a) the external and internal issues referred to in 4.1?
    b) the requirements referred to in 4.2?
    c) the interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations?

4.4 Information security management system

  • Has the organization established an information security management system?

  • Has the organization implemented an information security management system?

  • Has the organization maintained an information security management system?

  • Has the organization continually improved an information security management system?

5. LEADERSHIP

5.1 Leadership Commitment

  • Has top management provided evidence of its leadership and commitment to the development and implementation of the information security management system?

  • Has top management provided evidence of its leadership and commitment to the development and implementation of the information security management system by:
    a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization?
    b) ensuring the integration of the information security management system requirements into the organization’s processes?
    c) ensuring that the resources needed for the information security management system are available?
    d) communicating the importance of effective information security management and of conforming to the information security management system requirements?
    e) ensuring that the information security management system achieves its intended outcome(s)?
    f) directing and supporting persons to contribute to the effectiveness of the information security management system?
    g) promoting continual improvement?
    h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility?

5.2 Policy

  • Has top management established an information security policy that:
    a) is appropriate to the purpose of the organization?
    b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives?
    c) includes a commitment to satisfy applicable requirements related to information security?
    d) includes a commitment to continual improvement of the information security management system?

  • Has top management ensured that the information security policy:
    e) is available as documented information?
    f) is communicated within the organization?
    g) is available to interested parties, as appropriate?

5.3 Organizational roles, responsibilities and authorities

  • Has top management ensured the responsibilities and authorities for roles relevant to information security are assigned?

  • Has top management ensured the responsibilities and authorities for roles relevant to information security are communicated?

  • Has top management assigned responsibility and authority for:
    a) ensuring that the information security management system conforms to the requirements of this International Standard?
    b) reporting on the performance of the information security management system to top management?

6. PLANNING

6.1 Actions to address risk and opportunities

6.1.1 General

  • Has the organization considered the issues referred to in 4.1 and the requirements referred to in 4.2 and determined the risks and opportunities that need to be addressed?

  • Has the organization determined the risks and opportunities that need to be addressed to:
    a) ensure the information security management system can achieve its intended outcome(s)?
    b) prevent, or reduce, undesired effects?
    c) achieve continual improvement?

  • Has the organization planned:
    d) actions to address these risks and opportunities?
    e) how to:
       1) integrate and implement the actions into its information security management system processes?
       2) evaluate the effectiveness of these actions?

6.1.2 Information security risk assessment

  • Has the organization defined and applied an information security risk assessment process?

  • Does the process:
    a) establish and maintain information security risk criteria that include:
       1) the risk acceptance criteria?
       2) criteria for performing information security risk assessments?
    b) ensure that repeated information security risk assessments produce consistent, valid and comparable results?
    c) identify the information security risks, i.e.:
       1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system?
       2) identify the risk owners?
    d) analyse the information security risks, i.e.:
       1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize?
       2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1)?
       3) determine the levels of risk?
    e) evaluate the information security risks, i.e.:
       1) compare the results of risk analysis with the risk criteria established in 6.1.2 a)?
       2) prioritize the analysed risks for risk treatment?

6.1.3 Information security risk treatment

  • Has the organization defined an information security risk treatment process?

  • Has the organization applied an information security risk treatment process that:
    a) selects appropriate information security risk treatment options, taking account of the risk assessment results?
    b) determines all controls that are necessary to implement the information security risk treatment option(s) chosen?
    c) compares the controls determined in 6.1.3 b) above with those in Annex A and verifies that no necessary controls have been omitted?
    d) produces a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A?
    e) formulates an information security risk treatment plan?
    f) obtains risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks?

  • NOTE 1: Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked.

    NOTE 2: Control objectives are implicitly included in the controls chosen. The control objectives and
    controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.

6.2 Information security objectives and planning to achieve them

  • Has the organization established information security objectives at relevant functions and levels?

  • Has the organization ensured that the information security objectives:
    a) are consistent with the information security policy?
    b) are measurable (if practicable)?
    c) take into account applicable information security requirements, and results from risk assessment and risk treatment?
    d) are communicated?
    e) are updated, as appropriate?

  • For each of its information security objectives, has the organization determined:
    a) what will be done?
    b) what resources will be required?
    c) who will be responsible?
    d) when it will be completed?
    e) how the results will be evaluated?

7. SUPPORT

7.1 Resources

  • Has the organization determined and provided the resources needed for the establishment of the information security management system?

  • Has the organization determined and provided the resources needed for the implementation of the information security management system?

  • Has the organization determined and provided the resources needed for the maintenance of the information security management system?

  • Has the organization determined and provided the resources needed for the continual improvement of the information security management system?

7.2 Competence

  • Has the organization:
    a) determined the necessary competence of person(s) doing work under its control that affects its information security performance?
    b) ensured that these persons are competent on the basis of appropriate education, training, or experience?
    c) where applicable, taken actions to acquire the necessary competence, and evaluated the effectiveness of the actions taken?
    d) retained appropriate documented information as evidence of competence?

7.3 Awareness

  • Are persons doing work under the organization’s control aware of:
    a) the information security policy?
    b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance?
    c) the implications of not conforming with the information security management system requirements?

7.4 Communication

  • Has the organization determined the need for internal and external communications relevant to the information security management system, including:
    a) on what to communicate?
    b) when to communicate?
    c) with whom to communicate?
    d) who shall communicate?
    e) the processes by which communication shall be effected?

7.5 Documented Information

7.5.1 General

  • Does the organization’s information security management system include:
    a) documented information required by this International Standard?
    b) documented information determined by the organization as being necessary for the effectiveness of the information security management system?

  • NOTE: The extent of documented information for an information security management system can differ from one organization to another due to:

    1) the size of organization and its type of activities, processes, products and services;

    2) the complexity of processes and their interactions; and

    3) the competence of persons.

7.5.2 Creating and updating

  • When creating and updating documented information, has the organization ensured appropriate:
    a) identification and description (e.g. a title, date, author, or reference number)?
    b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic)?
    c) review and approval for suitability and adequacy?

7.5.3 Control of documented information

  • Is documented information required by the information security management system and by this International Standard controlled to ensure:
    a) it is available and suitable for use, where and when it is needed?
    b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity)?

  • For the control of documented information, has the organization addressed the following activities, as applicable:
    a) distribution, access, retrieval and use?
    b) storage and preservation, including the preservation of legibility?
    c) control of changes (e.g. version control)?
    d) retention and disposition?

  • Has documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, been identified as appropriate, and controlled?

  • NOTE: Access implies a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc.

8. OPERATION

8.1 Operational planning and control

  • Does the organization plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1?

  • Has the organization implemented plans to achieve information security objectives determined in 6.2?

  • Does the organization keep documented information to the extent necessary to have confidence that the processes have been carried out as planned?

  • Does the organization control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary?

  • Has the organization ensured that outsourced processes are determined and controlled?

8.2 Information security risk assessment

  • Has the organization performed information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a)?

  • Has the organization retained documented information of the results of the information security risk assessments?

8.3 Information security risk treatment

  • Has the organization implemented the information security risk treatment plan?

  • Has the organization retained documented information of the results of the information security risk treatment?

9. PERFORMANCE EVALUATION

9.1 Monitoring, measurement, analysis and evaluation

  • Does the organization evaluate the information security performance and the effectiveness of the information security management system?

  • Does the organization determine:
    a) what needs to be monitored and measured, including information security processes and controls?
    b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results?
    c) when the monitoring and measuring shall be performed?
    d) who shall monitor and measure?
    e) when the results from monitoring and measurement shall be analysed and evaluated?
    f) who shall analyse and evaluate these results?

9.2 Internal Audit

  • Does the organization conduct internal audits at planned intervals to provide information on whether the information security management system:
    a) conforms to:
       1) the organization’s own requirements for its information security management system?
       2) the requirements of this International Standard?
    b) is effectively implemented and maintained?

  • Has the organization, taking into consideration the importance of the processes concerned and the results of previous audits:
    c) planned, established, implemented and maintained an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting?
    d) defined the audit criteria and scope for each audit?
    e) selected auditors and conducted audits that ensure objectivity and the impartiality of the audit process?
    f) ensured that the results of the audits are reported to relevant management?
    g) retained documented information as evidence of the audit programme(s) and the audit results?

9.3 Management Review

  • Does top management review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness?

  • Does the management review consider:
    a) the status of actions from previous management reviews?
    b) changes in external and internal issues that are relevant to the information security management system?
    c) feedback on the information security performance, including trends in:
       1) nonconformities and corrective actions?
       2) monitoring and measurement results?
       3) audit results?
       4) fulfillment of information security objectives?
    d) feedback from interested parties?
    e) results of risk assessment and status of risk treatment plan?
    f) opportunities for continual improvement?

  • Does the output of the management review include decisions related to continual improvement opportunities and any needs for changes to the information security management system?

10. IMPROVEMENT

10.1 Nonconformity and corrective action

  • When a nonconformity occurs, does the organization:
    a) react to the nonconformity, and as applicable:
       1) take action to control and correct it?
       2) deal with the consequences?
    b) evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by:
       1) reviewing the nonconformity?
       2) determining the causes of the nonconformity?
       3) determining if similar nonconformities exist, or could potentially occur?
    c) implement any action needed?
    d) review the effectiveness of any corrective action taken?
    e) make changes to the information security management system, if necessary?

  • Does the organization retain documented information as evidence of:
    f) the nature of the nonconformities and any subsequent actions taken?
    g) the results of any corrective action?

10.2 Continual improvement

  • Does the organization continually improve the suitability, adequacy and effectiveness of the information security management system?

A5. INFORMATION SECURITY POLICIES

A.5.1 Management direction for information security

  • Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

A.5.1.1 Policies for information security

  • Does the organization have a set of policies for information security that is defined, approved by management, published and communicated to employees and relevant external parties?

A.5.1.2 Review of the policies for information security

  • Does the organization review the policies for information security at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness?

A6. ORGANIZATION OF INFORMATION SECURITY

A.6.1 Internal organization

  • Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

A.6.1.1 Information security roles and responsibilities

  • Are all information security responsibilities defined and allocated?

A.6.1.2 Segregation of duties

  • Has the organization segregated conflicting duties and areas of responsibility to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets?

A.6.1.3 Contact with authorities

  • Have appropriate contacts with relevant authorities been maintained?

A.6.1.4 Contact with special interest groups

  • Have appropriate contacts with special interest groups or other specialist security forums and professional associations been maintained?

A.6.1.5 Information security in project management

  • Has information security been addressed in project management, regardless of the type of the project?

A.6.2 Mobile devices and teleworking

  • Objective: To ensure the security of teleworking and use of mobile devices.

A.6.2.1 Mobile device policy

  • Has the organization adopted a policy and supporting security measures to manage the risks introduced by using mobile devices?

A.6.2.2 Teleworking

  • Have a policy and supporting security measures been implemented to protect information accessed, processed or stored at teleworking sites?

A7. HUMAN RESOURCE SECURITY

A.7.1 Prior to employment

  • Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

A.7.1.1 Screening

  • Have background verification checks on all candidates for employment been carried out in accordance with relevant laws, regulations and ethics?

  • Are the checks proportional to the business requirements, the classification of the information to be accessed and the perceived risks?

A.7.1.2 Terms and conditions of employment

  • Do the contractual agreements with employees and contractors state their and the organization’s responsibilities for information security?

A.7.2 During employment

  • Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

A.7.2.1 Management responsibilities

  • Has management required all employees and contractors to apply information security in accordance with the established policies and procedures of the organization?

A.7.2.2 Information security awareness, education and training

  • Have all employees of the organization and, where relevant, contractors received appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function?

A.7.2.3 Disciplinary process

  • Does the organization have a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach?

A.7.3 Termination and change of employment

  • Objective: To protect the organization’s interests as part of the process of changing or terminating employment.

A.7.3.1 Termination or change of employment responsibilities

  • Have the information security responsibilities and duties that remain valid after termination or change of employment been defined, communicated to the employee or contractor and enforced?

A8. ASSET MANAGEMENT

A.8.1 Responsibility for assets

  • Objective: To identify organizational assets and define appropriate protection responsibilities.

A.8.1.1 Inventory of assets

  • Have the assets associated with information and information processing facilities been identified?

  • Has an inventory of these assets been drawn up and maintained?

A.8.1.2 Ownership of assets

  • Are the assets maintained in the inventory owned?

A.8.1.3 Acceptable use of assets

  • Have rules for the acceptable use of information and of assets associated with information and information processing facilities been identified?

  • Documented?

  • Implemented?

A.8.1.4 Return of assets

  • Does the organization require all employees and external party users to return all of the organizational assets in their possession upon termination of their employment, contract or agreement?

A.8.2 Information classification

  • Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

A.8.2.1 Classification of information

  • Has information been classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification?

A.8.2.2 Labelling of information

  • Has an appropriate set of procedures for information labelling been developed and implemented in accordance with the information classification scheme adopted by the organization?

A.8.2.3 Handling of assets

  • Have procedures for handling assets been developed and implemented in accordance with the information classification scheme adopted by the organization?

A.8.3 Media handling

  • Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

A.8.3.1 Management of removable media

  • Have procedures been implemented for the management of removable media in accordance with the classification scheme adopted by the organization?

A.8.3.2 Disposal of media

  • Have formal procedures been developed to ensure media is disposed of securely when no longer required?

A.8.3.3 Physical media transfer

  • Is media containing information protected against unauthorized access, misuse or corruption during transportation?

A9. ACCESS CONTROL

A.9.1 Business requirements of access control

  • Objective: To limit access to information and information processing facilities.

A.9.1.1 Access control policy

  • Has an access control policy been established, documented and reviewed based on business and information security requirements?

A.9.1.2 Access to networks and network services

  • Are users only provided with access to the network and network services that they have been specifically authorized to use?

A.9.2 User access management

  • Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.2.1 User registration and deregistration

  • Has a formal user registration and de-registration process been implemented to enable assignment of access rights?

A.9.2.2 User access provisioning

  • Has a formal user access provisioning process been implemented to assign or revoke access rights for all user types to all systems and services?

A.9.2.3 Management of privileged access rights

  • Has the allocation and use of privileged access rights been restricted and controlled?

A.9.2.4 Management of secret authentication information of users

  • Is the allocation of secret authentication information being controlled through a formal management process?

A.9.2.5 Review of user access rights

  • Do asset owners review users’ access rights at regular intervals?

A.9.2.6 Removal or adjustment of access rights

  • Are the access rights of all employees and external party users to information and information processing facilities removed upon termination of their employment, contract or agreement, or adjusted upon change?

A.9.3 User responsibilities

  • Objective: To make users accountable for safeguarding their authentication information.

A.9.3.1 Use of secret authentication information

  • Are users required to follow the organization’s practices in the use of secret authentication information?

A.9.4 System and application access control

  • Objective: To prevent unauthorized access to systems and applications.

A.9.4.1 Information access restriction

  • Is access to information and application system functions restricted in accordance with the access control policy?

A.9.4.2 Secure log-on procedures

  • Where required by the access control policy, is access to systems and applications controlled by a secure log-on procedure?

A.9.4.3 Password management system

  • Are password management systems interactive, and do they ensure quality passwords?

A.9.4.4 Use of privileged utility programs

  • Is the use of utility programs that might be capable of overriding system and application controls restricted and tightly controlled?

A.9.4.5 Access control to program source code

  • Is access to program source code restricted?

A10. CRYPTOGRAPHY

A.10.1 Cryptographic controls

  • Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

A.10.1.1 Policy on the use of cryptographic controls

  • Has a policy on the use of cryptographic controls for protection of information been developed and implemented?

A.10.1.2 Key management

  • Has a policy on the use, protection and lifetime of cryptographic keys been developed and implemented through their whole lifecycle?

A11. PHYSICAL AND ENVIRONMENTAL SECURITY

A.11.1 Secure areas

  • Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.

A.11.1.1 Physical security perimeter

  • Have security perimeters been defined and used to protect areas that contain either sensitive or critical information and information processing facilities?

A.11.1.2 Physical entry controls

  • Have all secure areas been protected by appropriate entry controls to ensure that only authorized personnel are allowed access?

A.11.1.3 Securing offices, rooms and facilities

  • Has physical security for offices, rooms and facilities been designed and applied?

A.11.1.4 Protecting against external and environmental threats

  • Has physical protection against natural disasters, malicious attack or accidents been designed and applied?

A.11.1.5 Working in secure areas

  • Have procedures for working in secure areas been designed and applied?

A.11.1.6 Delivery and loading areas

  • Have all access points such as delivery and loading areas and other points where unauthorized persons could enter the premises been controlled and, if possible, isolated from information processing facilities to avoid unauthorized access?

A.11.2 Equipment

  • Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations.

A.11.2.1 Equipment siting and protection

  • Has equipment been sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access?

A.11.2.2 Supporting utilities

  • Is equipment protected from power failures and other disruptions caused by failures in supporting utilities?

A.11.2.3 Cabling security

  • Has power and telecommunications cabling carrying data or supporting information services been protected from interception, interference or damage?

A.11.2.4 Equipment maintenance

  • Has equipment been correctly maintained to ensure its continued availability and integrity?

A.11.2.5 Removal of assets

  • Is it ensured that equipment, information or software is not taken off-site without prior authorization?

A.11.2.6 Security of equipment and assets off-premises

  • Has security been applied to off-site assets taking into account the different risks of working outside the organization’s premises?

A.11.2.7 Secure disposal or re-use of equipment

  • Have all items of equipment containing storage media been verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use?

A.11.2.8 Unattended user equipment

  • Do users ensure that unattended equipment has appropriate protection?

A.11.2.9 Clear desk and clear screen policy

  • Has a clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities been adopted?

A12. OPERATIONS SECURITY

A.12.1 Operational procedures and responsibilities

  • Objective: To ensure correct and secure operations of information processing facilities.

A.12.1.1 Documented operating procedures

  • Have operating procedures been documented and made available to all users who need them?

A.12.1.2 Change management

  • Have changes to the organization, business processes, information processing facilities and systems that affect information security been controlled?

A.12.1.3 Capacity management

  • Has the use of resources been monitored, tuned and projections made of future capacity requirements to ensure the required system performance?

A.12.1.4 Separation of development, testing and operational environments

  • Have the development, testing, and operational environments been separated to reduce the risks of unauthorized access or changes to the operational environment?

A.12.2 Protection from malware

  • Objective: To ensure that information and information processing facilities are protected against malware.

A.12.2.1 Controls against malware

  • Have detection, prevention and recovery controls to protect against malware been implemented, combined with appropriate user awareness?

A.12.3 Backup

  • Objective: To protect against loss of data.

A.12.3.1 Information backup

  • Have backup copies of information, software and system images been taken and tested regularly in accordance with an agreed backup policy?

A.12.4 Logging and monitoring

  • Objective: To record events and generate evidence.

A.12.4.1 Event logging

  • Have event logs recording user activities, exceptions, faults and information security events been produced, kept and regularly reviewed?

A.12.4.2 Protection of log information

  • Are logging facilities and log information protected against tampering and unauthorized access?

A.12.4.3 Administrator and operator logs

  • Are system administrator and system operator activities logged and the logs protected and regularly reviewed?

A.12.4.4 Clock synchronization

  • Are the clocks of all relevant information processing systems within an organization or security domain synchronized to a single reference time source?

A.12.5 Control of operational software

  • Objective: To ensure the integrity of operational systems.

A.12.5.1 Installation of software on operational systems

  • Have procedures been implemented to control the installation of software on operational systems?

A.12.6 Technical vulnerability management

  • Objective: To prevent exploitation of technical vulnerabilities.

A.12.6.1 Management of technical vulnerabilities

  • Has information about technical vulnerabilities of information systems being used been obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk?

A.12.6.2 Restrictions on software installation

  • Have the rules governing the installation of software by users been established and implemented?

A.12.7 Information systems audit considerations

  • Objective: To minimise the impact of audit activities on operational systems.

A.12.7.1 Information systems audit controls

  • Are audit requirements and activities involving verification of operational systems carefully planned and agreed to minimise disruptions to business processes?

A13. COMMUNICATIONS SECURITY

A.13.1 Network controls

  • Objective: To ensure the protection of information in networks and its supporting information processing facilities.

A.13.1.1 Network controls

  • Are networks managed and controlled to protect information in systems and applications?

A.13.1.2 Security of network services

  • Have security mechanisms, service levels and management requirements of all network services been identified and included in network services agreements, whether these services are provided in-house or outsourced?

A.13.1.3 Segregation in networks

  • Are groups of information services, users and information systems segregated on networks?

A.13.2 Information transfer

  • Objective: To maintain the security of information transferred within an organization and with any external entity.

A.13.2.1 Information transfer policies and procedures

  • Are formal transfer policies, procedures and controls in place to protect the transfer of information through the use of all types of communication facilities?

A.13.2.2 Agreements on information transfer

  • Do agreements address the secure transfer of business information between the organization and external parties?

A.13.2.3 Electronic messaging

  • Has information involved in electronic messaging been appropriately protected?

A.13.2.4 Confidentiality or non-disclosure agreements

  • Have requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information been identified, regularly reviewed and documented?

A14. SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE

A.14.1 Security requirements of information systems

  • Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

A.14.1.1 Information security requirements analysis and specification

  • Have the information security related requirements been included in the requirements for new information systems or enhancements to existing information systems?

A.14.1.2 Securing application services on public networks

  • Has information involved in application services passing over public networks been protected from fraudulent activity, contract dispute and unauthorized disclosure and modification?

A.14.1.3 Protecting application services transactions

  • Has information involved in application service transactions been protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay?

A.14.2 Security in development and support processes

  • Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.2.1 Secure development policy

  • Have rules for the development of software and systems been established and applied to developments within the organization?

A.14.2.2 System change control procedures

  • Are changes to systems within the development lifecycle controlled by the use of formal change control procedures?

A.14.2.3 Technical review of applications after operating platform changes

  • When operating platforms are changed, are business critical applications reviewed and tested to ensure there is no adverse impact on organizational operations or security?

A.14.2.4 Restrictions on changes to software packages

  • Are modifications to software packages discouraged and limited to necessary changes, and are all changes strictly controlled?

A.14.2.5 Secure system engineering principles

  • Have principles for engineering secure systems been established, documented, maintained and applied to any information system implementation efforts?

A.14.2.6 Secure development environment

  • Has the organization established and appropriately protected secure development environments for system development and integration efforts that cover the entire system development lifecycle?

A.14.2.7 Outsourced development

  • Does the organization supervise and monitor the activity of out-sourced system development?

A.14.2.8 System security testing

  • Is testing of security functionality carried out during development?

A.14.2.9 System acceptance testing

  • Are acceptance testing programs and related criteria established for new information systems, upgrades and new versions?

A.14.3 Test data

  • Objective: To ensure the protection of data used for testing.

A.14.3.1 Protection of test data

  • Is test data selected carefully, protected and controlled?

A15. SUPPLIER RELATIONSHIPS

A.15.1 Information security in supplier relationships

  • Objective: To ensure protection of the organization’s assets that are accessible by suppliers.

A.15.1.1 Information security policy for supplier relationships

  • Are information security requirements for mitigating the risks associated with suppliers’ access to the organization’s assets agreed with the supplier and documented?

A.15.1.2 Addressing security within supplier agreements

  • Are all relevant information security requirements established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information?

A.15.1.3 Information and communication technology supply chain

  • Do agreements with suppliers include requirements to address the information security risks associated with information and communications technology services and product supply chain?

A.15.2 Supplier service delivery management

  • Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

A.15.2.1 Supplier service delivery management

  • Does the organization regularly monitor, review and audit supplier service delivery?

A.15.2.2 Managing changes to supplier services

  • Are changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks?

A16. INFORMATION SECURITY INCIDENT MANAGEMENT

A.16.1 Management of information security incidents and improvements

  • Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.16.1.1 Responsibilities and procedures

  • Have management responsibilities and procedures been established to ensure a quick, effective and orderly response to information security incidents?

A.16.1.2 Reporting information security events

  • Are information security events reported through appropriate management channels as quickly as possible?

A.16.1.3 Reporting information security weaknesses

  • Are employees and contractors using the organization’s information systems and services required to note and report any observed or suspected information security weaknesses in systems or services?

A.16.1.4 Assessment of and decision on information security events

  • Have information security events been assessed, and has it been determined whether they are to be classified as information security incidents?

A.16.1.5 Response to information security incidents

  • Have information security incidents been responded to in accordance with the documented procedures?

A.16.1.6 Learning from information security incidents

  • Is knowledge gained from analysing and resolving information security incidents used to reduce the likelihood or impact of future incidents?

A.16.1.7 Collection of evidence

  • Has the organization defined and applied procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence?

A17. INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT

A.17.1 Information security continuity

  • Objective: Information security continuity shall be embedded in the organization’s business continuity management systems.

A.17.1.1 Planning information security continuity

  • Has the organization determined its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster?

A.17.1.2 Implementing information security continuity

  • Has the organization established, documented, implemented and maintained processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation?

A.17.1.3 Verify, review and evaluate information security continuity

  • Has the organization verified the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations?

A.17.2 Redundancies

  • Objective: To ensure availability of information processing facilities.

A.17.2.1 Availability of information processing facilities

  • Have information processing facilities been implemented with redundancy sufficient to meet availability requirements?

A18. COMPLIANCE

A.18.1 Compliance with legal and contractual requirements

  • Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

A.18.1.1 Identification of applicable legislation and contractual requirements

  • Are all relevant legislative, statutory, regulatory and contractual requirements, and the organization’s approach to meeting these requirements, explicitly identified, documented and kept up to date for each information system and the organization?

A.18.1.2 Intellectual property rights

  • Have appropriate procedures been implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products?

A.18.1.3 Protection of records

  • Are all records protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements?

A.18.1.4 Privacy and protection of personally identifiable information

  • Have privacy and protection of personally identifiable information been ensured as required in relevant legislation and regulations where applicable?

A.18.1.5 Regulation of cryptographic controls

  • Have cryptographic controls been used in compliance with all relevant agreements, legislation and regulations?

A.18.2 Information security reviews

  • Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

A.18.2.1 Independent review of information security

  • Has the organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) been reviewed independently at planned intervals or when significant changes occur?

A.18.2.2 Compliance with security policies and standards

  • Have managers regularly reviewed the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements?

A.18.2.3 Technical compliance review

  • Have information systems been regularly reviewed for compliance with the organization’s information security policies and standards?
