This digitized checklist is used by information security managers to assess an organization's readiness for ISO 27001 certification. It helps identify process gaps and review the current ISMS. It also serves as a guide for reviewing the following clauses of the ISO 27001:2013 standard:
- Context of the organization
- Leadership
- Planning
- Support
- Operation
- Performance evaluation
- Improvement
4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.
4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
a) interested parties that are relevant to the information security management system;
b) the requirements of these interested parties relevant to information security.
4.3 Determining the scope of the information security management system
The organization shall determine the boundaries and applicability of the information security management system to establish its scope.
4.4 Information security management system
The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.
5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the information security management system by:
5.1 (a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
5.1 (b) ensuring the integration of the information security management system requirements into the organization's processes;
5.1 (c) ensuring that the resources needed for the information security management system are available;
5.1 (d) communicating the importance of effective information security management and of conforming to the information security management system requirements;
5.1 (e) ensuring that the information security management system achieves its intended outcome(s);
5.1 (f) directing and supporting persons to contribute to the effectiveness of the information security management system;
5.1 (g) promoting continual improvement;
5.1 (h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
5.2 Policy
Top management shall establish an information security policy that:
a) is appropriate to the purpose of the organization;
b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives;
c) includes a commitment to satisfy applicable requirements related to information security;
d) includes a commitment to continual improvement of the information security management system.
The information security policy shall:
e) be available as documented information;
f) be communicated within the organization;
g) be available to interested parties, as appropriate.
5.3 Organizational roles, responsibilities and authorities
Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.
6.1 Actions to address risks and opportunities
6.1.1 General
When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) ensure the information security management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects;
c) achieve continual improvement.
6.1.1 (d) The organization shall plan actions to address these risks and opportunities;
6.1.1 (e) The organization shall plan how to:
1) integrate and implement these actions into its information security management system processes;
2) evaluate the effectiveness of these actions.
6.1.2 Information security risk assessment
The organization shall define and apply an information security risk assessment process that:
6.1.2 (a) establishes and maintains information security risk criteria that include:
1) the risk acceptance criteria;
2) criteria for performing information security risk assessments;
6.1.2 (b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;
6.1.2 (c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
2) identify the risk owners;
6.1.2 (d) analyses the information security risks:
1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;
2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and
3) determine the levels of risk;
6.1.2 (e) evaluates the information security risks:
1) compare the results of risk analysis with the risk criteria established in 6.1.2 a);
2) prioritize the analysed risks for risk treatment.
6.1.3 Information security risk treatment
The organization shall define and apply an information security risk treatment process to:
6.1.3 (a) select appropriate information security risk treatment options, taking account of the risk assessment results;
6.1.3 (b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
6.1.3 (c) compare the controls determined in 6.1.3 (b) above with those in Annex A and verify that no necessary controls have been omitted;
6.1.3 (d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b and c) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;
6.1.3 (e) formulate an information security risk treatment plan;
6.1.3 (f) obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks.
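The two clauses above (6.1.2 and 6.1.3) describe a procedure rather than a document: fix the criteria first, identify risks per security property with an owner, analyse them into a level, evaluate against the acceptance criteria, then treat and record a Statement of Applicability. The following is an added worked example of such a register, not text from the standard and not any vendor's tool; the ordinal scales, the acceptance threshold, the Annex A identifiers and the three sample risks are constructed assumptions, chosen only to show how the clauses hang together and what an internal audit (9.2) would flag.

```python
"""Worked risk assessment and treatment record in the shape clauses 6.1.2 and
6.1.3 describe. Added illustration: scales, threshold, control identifiers and
sample risks are constructed assumptions, not the standard's text."""
from dataclasses import dataclass, field

# 6.1.2 a): criteria fixed before any assessment so that repeated assessments
# produce comparable levels (6.1.2 b)). The 1-5 ordinal scales are an assumption.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 8          # assumption: level <= 8 may be retained by its owner
SECURITY_PROPERTIES = ("confidentiality", "integrity", "availability")
TREATMENT_OPTIONS = ("modify", "retain", "avoid", "share")


@dataclass
class Risk:
    ident: str
    asset: str
    property_lost: str             # which of C/I/A the scenario compromises (6.1.2 c) 1))
    owner: str                     # risk owner (6.1.2 c) 2))
    likelihood: str
    consequence: str
    treatment: str = "retain"      # treatment option chosen (6.1.3 a))
    controls: list = field(default_factory=list)   # Annex A references (6.1.3 b))
    residual_accepted: bool = False                # owner acceptance (6.1.3 f))

    def level(self) -> int:
        """6.1.2 d): analyse likelihood x consequence into a risk level."""
        if self.property_lost not in SECURITY_PROPERTIES:
            raise ValueError(f"{self.ident}: unknown security property {self.property_lost!r}")
        if self.treatment not in TREATMENT_OPTIONS:
            raise ValueError(f"{self.ident}: unknown treatment option {self.treatment!r}")
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]


def evaluate(risks):
    """6.1.2 e): compare each level with the acceptance criterion and order the
    register so the highest risks are treated first. Returns (id, level, needs_treatment)."""
    ranked = sorted(risks, key=lambda r: r.level(), reverse=True)
    return [(r.ident, r.level(), r.level() > ACCEPTANCE_THRESHOLD) for r in ranked]


def treatment_gaps(risks):
    """6.1.3: a risk above the threshold must have a treatment other than 'retain',
    controls if it is being modified, and the owner's acceptance of the residual risk.
    Returns the findings an internal audit would raise as nonconformities."""
    gaps = []
    for r in risks:
        if r.level() <= ACCEPTANCE_THRESHOLD:
            continue
        if r.treatment == "retain":
            gaps.append((r.ident, "above threshold but retained"))
        if r.treatment == "modify" and not r.controls:
            gaps.append((r.ident, "modify chosen but no controls selected"))
        if not r.residual_accepted:
            gaps.append((r.ident, "residual risk not accepted by owner"))
    return gaps


def statement_of_applicability(risks, annex_a_controls):
    """6.1.3 c)/d): for every Annex A control considered, record whether it is
    applicable and why; an exclusion needs a justification as well."""
    soa = {}
    for ctrl in annex_a_controls:
        treats = [r.ident for r in risks if ctrl in r.controls]
        soa[ctrl] = {
            "applicable": bool(treats),
            "justification": ("treats " + ", ".join(treats)) if treats
                             else "no identified risk requires this control",
        }
    return soa


# Constructed sample register (not real data). Control identifiers are
# illustrative Annex A references only.
SAMPLE_RISKS = [
    Risk("R-01", "customer database", "confidentiality", "Head of Engineering",
         "likely", "major", treatment="modify",
         controls=["A.9.2.3", "A.10.1.1"], residual_accepted=True),
    Risk("R-02", "internal wiki", "availability", "IT Operations",
         "unlikely", "minor", treatment="retain", residual_accepted=True),
    Risk("R-03", "build server", "integrity", "Platform Lead",
         "possible", "major"),   # never treated: surfaces as gaps below
]
ANNEX_A_CONSIDERED = ["A.9.2.3", "A.10.1.1", "A.12.6.1"]

if __name__ == "__main__":
    for ident, level, above in evaluate(SAMPLE_RISKS):
        print(f"{ident}: level {level} {'TREAT' if above else 'may accept'}")
    for ident, finding in treatment_gaps(SAMPLE_RISKS):
        print(f"gap {ident}: {finding}")
    for ctrl, row in statement_of_applicability(SAMPLE_RISKS, ANNEX_A_CONSIDERED).items():
        print(f"{ctrl}: {'included' if row['applicable'] else 'excluded'} - {row['justification']}")
```

The point of keeping the criteria as constants outside the register is 6.1.2 b): two assessors scoring the same scenario next year must land on the same level, so the scales and threshold are versioned with the register rather than chosen per assessment. R-03 is deliberately left untreated to show what the gap check and the owner-acceptance requirement catch.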
6.2 Information security objectives and planning to achieve them
The organization shall establish information security objectives at relevant functions and levels.
The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and risk assessment and risk treatment results;
d) be communicated;
e) be updated as appropriate.
When planning how to achieve its information security objectives, the organization shall determine:
f) what will be done;
g) what resources will be needed;
h) who will be responsible;
i) when it will be completed;
j) how the results will be evaluated.
7.1 Resources
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.
7.2 Competence
The organization shall:
7.2 (a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
7.2 (b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
7.2 (c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken;
7.2 (d) retain appropriate documented information as evidence of competence.
7.3 Awareness
Persons doing work under the organization's control shall be aware of:
7.3 (a) the information security policy;
7.3 (b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance;
7.3 (c) the implications of not conforming with the information security management system requirements.
7.4 Communication
The organization shall determine the need for internal and external communications relevant to the information security management system including:
7.4 (a) on what to communicate;
7.4 (b) when to communicate;
7.4 (c) with whom to communicate;
7.4 (d) who shall communicate;
7.4 (e) the processes by which communication shall be effected.
7.5 Documented information
7.5.1 General
The organization's information security management system shall include:
7.5.1 (a) documented information required by this International Standard;
7.5.1 (b) documented information determined by the organization as being necessary for the effectiveness of the information security management system.
7.5.2 Creating and updating
When creating and updating documented information the organization shall ensure appropriate:
7.5.2 (a) identification and description (e.g. a title, date, author, or reference number);
7.5.2 (b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
7.5.2 (c) review and approval for suitability and adequacy.
7.5.3 Control of documented information
Documented information required by the information security management system and by this International Standard shall be controlled to ensure:
7.5.3 (a) it is available and suitable for use, where and when it is needed;
7.5.3 (b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
For the control of documented information, the organization shall address the following activities, as applicable:
7.5.3 (c) distribution, access, retrieval and use;
7.5.3 (d) storage and preservation, including preservation of legibility;
7.5.3 (e) control of changes (e.g. version control);
7.5.3 (f) retention and disposition.
Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate and controlled.
8.1 Operational planning and control
The organization shall plan, implement and control the processes needed to meet information security requirements and to implement the actions determined in 6.1. The organization shall also implement plans to achieve the information security objectives determined in 6.2.
The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
The organization shall ensure that outsourced processes are determined and controlled.
8.2 Information security risk assessment
The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).
The organization shall retain documented information of the results of the information security risk assessments.
8.3 Information security risk treatment
The organization shall implement the information security risk treatment plan.
The organization shall retain documented information of the results of the information security risk treatment.
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
The organization shall evaluate the information security performance and the effectiveness of the information security management system.
The organization shall determine:
9.1 (a) what needs to be monitored and measured, including information security processes and controls;
9.1 (b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
9.1 (c) when the monitoring and measuring shall be performed;
9.1 (d) who shall monitor and measure;
9.1 (e) when the results from monitoring and measurement shall be analysed and evaluated;
9.1 (f) who shall analyse and evaluate these results.
9.2 Internal audit
The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:
9.2 (a) conforms to
1) the organization's own requirements for its information security management system;
2) the requirements of this International Standard;
9.2 (b) is effectively implemented and maintained.
The organization shall:
9.2 (c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;
9.2 (d) define the audit criteria and scope for each audit;
9.2 (e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
9.2 (f) ensure that the results of the audits are reported to relevant management;
9.2 (g) retain documented information as evidence of the audit programme(s) and the audit results.
9.3 Management review
Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
9.3 (a) the status of actions from previous management reviews;
9.3 (b) changes in external and internal issues that are relevant to the information security management system;
9.3 (c) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results;
4) fulfilment of information security objectives;
9.3 (d) feedback from interested parties;
9.3 (e) results of risk assessment and status of the risk treatment plan;
9.3 (f) opportunities for continual improvement.
The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews.
10.1 Nonconformity and corrective action
When a nonconformity occurs, the organization shall:
10.1 (a) react to the nonconformity, and as applicable:
1) take action to control and correct it;
2) deal with the consequences;
10.1 (b) evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity;
3) determining if similar nonconformities exist, or could potentially occur;
10.1 (c) implement any action needed;
10.1 (d) review the effectiveness of any corrective action taken;
10.1 (e) make changes to the information security management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
The organization shall retain documented information as evidence of:
10.1 (f) the nature of the nonconformities and any subsequent actions taken, and
10.1 (g) the results of any corrective action.
10.2 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.
Please note that this checklist template is a hypothetical appuses-hero example and provides only general information. The template is not intended to replace, among other things, workplace, health and safety advice, medical advice, diagnosis or treatment, or any other applicable law. You should seek your own professional advice to determine whether the use of such a checklist is appropriate in your workplace or jurisdiction.