
Are you ready for an ISMS audit based on ISO/IEC 27001?

Second edition

Edward (Ted) Humphreys and Bridget Kenyon

First published in the UK in 1999
Second edition 2002
Third edition 2005
Reprinted 2008
Fourth edition 2014

by
BSI Standards Limited
389 Chiswick High Road
London W4 4AL

© The British Standards Institution 2014

All rights reserved. Except as permitted under the Copyright, Designs and Patents Act 1988, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior permission in writing from the publisher.

Whilst every care has been taken in developing and compiling this publication, BSI accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents except to the extent that such liability may not be excluded in law.

BSI has made every reasonable effort to locate, contact and acknowledge copyright owners of material included in this book. Anyone who believes that they have a claim of copyright in any of the content of this book should contact BSI at the above address.

BSI has no responsibility for the persistence or accuracy of URLs for external or third-party internet websites referred to in this book, and does not guarantee that any content on such websites is, or will remain, accurate or appropriate.

The right of Bridget Kenyon and Edward Humphreys to be identified as the authors of this work has been asserted by them in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

Typeset in Great Britain by Letterpart Limited - letterpart.com

Printed in Great Britain by Berforts, www.berforts.co.uk

British Library Cataloguing in Publication Data

A catalogue record for this book is available from the British Library

ISBN 978 0 580 82913 0
Contents

Foreword vii

1 Introduction 1

1.1 Scope of this guide 1

1.2 Use of the standards 2

1.3 Companion guides 2

2 ISMS scope 3

3 How to use this guide 4

3.1 ISMS process requirements 4

3.2 Annex A Reference control objectives and controls 5

3.3 A sample of a completed questionnaire 7

4 ISMS processes workbook (assessment of ISMS process requirements) 8

5 Annex A Gap analysis workbook (assessment of ISMS controls) 44

Are you ready for an ISMS audit based on ISO/IEC 27001? v


Information security management systems guidance series

The Information Security Management Systems (ISMS) series of books is designed to provide users with assistance on establishing, implementing, maintaining, checking and auditing their ISMS in order to prepare for certification. Titles in this Information Security Management Systems Guidance series include:

• BIP 0071, Guidelines on requirements and preparation for ISMS certification based on ISO/IEC 27001;

• BIP 0072, Are you ready for an ISMS audit based on ISO/IEC 27001?;

• BIP 0073, Guide to the implementation and auditing of ISMS controls based on ISO/IEC 27001;

• BIP 0074, Measuring the effectiveness of your ISMS implementations based on ISO/IEC 27001;

• BIP 0076, Information security risk management — Handbook for ISO/IEC 27001.


Foreword

Information is one of your organization’s most valuable assets. The objectives of information security are to protect the confidentiality, integrity and availability of information. These basic elements of information security help to ensure that an organization can protect against:
• sensitive or confidential information being given away, leaked or disclosed, either accidentally or in an unauthorized way;
• personally identifiable information being compromised;
• critical information being accidentally or intentionally modified without your knowledge;
• any important business information being lost without trace or hope of recovery;
• any important business information being rendered unavailable when needed.
It should be the responsibility of all managers, information system owners or custodians, and users in general, to ensure that the information they are processing is properly managed and protected from the variety of risks and threats faced by every organization. The two standards ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements and ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls together provide a basis for organizations to develop an effective information security management framework for managing and protecting their important business assets whilst minimizing their risks, helping to maximize the organization’s investments and business opportunities and ensuring their information systems continue to be available and operational.
ISO/IEC 27001:2013 is the requirements standard that can be used for accredited third-party information security management system (ISMS) certifications. Organizations going through the accredited certification route to obtain an ISMS certificate need their ISMS to be audited and assessed by an accredited certification body to ensure that they have appropriate management processes and systems in place that conform to the requirements specified in the ISO/IEC 27001 ISMS standard.
The standard ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls provides a comprehensive set of best practice controls for information security together with implementation guidance. Organizations can adopt these controls as part of the risk treatment process specified in ISO/IEC 27001:2013 in order to manage the risks they face to their information assets.
This guide, BIP 0072, as with the other guides in the BIP 0070 series, is designed to provide users with assistance in checking the processes and controls in place in their ISMS against the requirements laid out in ISO/IEC 27001:2013 and ISO/IEC 27002:2013.
Note: The information provided in this document is provided with the best of intentions. It reflects common practice that is derived by consensus among those with a wide variety of skills, knowledge and experience in the subject. This guide makes no claim to be exhaustive or definitive, and users of this guide may need to seek further guidance more specific to the business context of the organization implementing the requirements of ISO/IEC 27001:2013. Furthermore, there will always be other aspects where additional guidance is required.

1 Introduction

This document is one of a set of five guides published by BSI to support the use and application of ISO/IEC 27001:2013 and ISO/IEC 27002:2013. Other guides include:
• BIP 0071, Guidelines on requirements and preparation for ISMS certification based on ISO/IEC 27001;
• BIP 0073, Guide to the implementation and auditing of ISMS controls based on ISO/IEC 27001;
• BIP 0074, Measuring the effectiveness of your ISMS implementation based on ISO/IEC 27001;
• BIP 0076, Information security risk management. Handbook for ISO/IEC 27001.
This guide is intended primarily for use by organizations wishing to carry out an internal assessment of their ISMS against the requirements in ISO/IEC 27001:2013, either as a precursor to an internal ISMS audit (see Clause 9 of ISO/IEC 27001:2013) or in preparation for a formal third-party ISMS certification audit (see BIP 0071). It is recommended that the assessments specified in this guide be carried out by those persons responsible for information security management in the organization or by internal audit staff. ISMS developers and implementers may also find this guide a useful reference document when considering the security aspects of new systems. This assessment guide is intended as an aid to satisfying the requirements for a formal compliance audit and is not a replacement for a compliance audit.

1.1 Scope of this guide

This guide provides a means to help organizations assess their ISMS with respect to the requirements specified in ISO/IEC 27001:2013 using the following workbooks.
• ISMS processes workbook – a gap analysis to check whether the organization has a set of systems and processes in place to satisfy the requirements specified in Clauses 4 to 10 of ISO/IEC 27001:2013.
• Annex A Gap analysis workbook – this workbook lists the controls that are defined in Annex A of ISO/IEC 27001:2013. This workbook can be used either as part of the risk treatment process as defined in ISO/IEC 27001:2013, 6.1.3 or as a stand-alone gap analysis tool to check the implementation of Annex A controls. After determining the controls needed (6.1.3 b)), organizations are directed to Annex A to do a comparison check to ensure that no necessary controls are overlooked (6.1.3 c)). This workbook can be used to check and document whether Annex A controls are implemented or not, and to record the justification for any exclusions. The reasons and justification why a particular control has or has not been implemented are subsequently used to satisfy the mandatory requirement for production of a Statement of Applicability (SoA) (6.1.3 d)).
Note: For accredited certification, this type of gap analysis has no formal status and should not be taken as a replacement for the SoA.

These workbooks can be useful to those organizations preparing for a formal third-party accredited certification, as well as for those preparing for post-certification activities such as surveillance audits and for recertification. They provide a means of checking how many activities have been carried out and what activities still need to be undertaken. Assessments using both these workbooks should not be taken as a definitive quality check on the completeness of these activities, or the correctness and effectiveness of the results and the implementation of these processes and activities. These workbooks only provide a high level ‘health check’ on the state of ISMS progress.
Please note that the use of these workbooks and this guide does not constitute a replacement for a formal compliance audit with ISO/IEC 27001:2013.


1.2 Use of the standards

This guide makes reference to the following standards:

• ISO/IEC 27001:2013 — Information technology — Security techniques — Information security management systems — Requirements. This standard is used as the basis for accredited certification.
• ISO/IEC 27002:2013 – Information technology – Security techniques – Code of practice for information security controls.

This guide will be updated following any changes to these standards. Organizations must therefore
ensure that the correct version is being used for compliance checks related to pre-certification,
certification and post-certification purposes.

1.3 Companion guides

Additional guides are available that provide a more detailed interpretation of ISO/IEC 27001:2013 and practical development advice, e.g. BIP 0071 on preparing for ISMS certification and BIP 0073 on the implementation and auditing of ISMS controls.



2 ISMS scope

It is important both for the organization whose ISMS is being assessed, and for the auditors’ understanding of the ISMS, that the scope of the ISMS is well defined and unambiguous. Given the complexity of many business applications and processes, as well as the growth of information systems, IT and networking, there are many possible ways to define the ISMS boundaries. Similarly, the size of the organization and its geographical spread will influence the view of what is a suitable scope. It is very rare that business systems and processes work in isolation or are self-contained, as they will have interfaces with other systems. Therefore, in defining the scope of the ISMS, any interfaces with other systems and processes outside the ISMS boundaries need to be taken into consideration.
Guidance on the identification and definition of the ISMS scope is given in BIP 0071, which expands on the requirement that the organization shall determine the boundaries and applicability of the ISMS to establish its scope as given in ISO/IEC 27001:2013. It is important that when determining this scope, the organization shall consider: a) the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its ISMS; b) the requirements of these interested parties relevant to information security; and c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.



3 How to use this guide

The aim of the guide is to allow organizations to assess the extent of their ISMS processes and controls in place against the requirements specified in ISO/IEC 27001:2013. This section tells you how to prepare for, and complete, these workbook assessments; the major component of the workbooks is carried out using questionnaires. The form and content of these questionnaires is described below and a sample of a completed questionnaire is shown in Section 3.3. The workbooks are contained in Sections 4 and 5 of this guide.

3.1 ISMS process requirements

Introduction

The ISMS process requirements workbook deals with the set of requirements defined in ISO/IEC 27001:2013. It covers an ongoing life cycle of activities aimed at establishing effective information security management, providing a programme of ISMS continual improvement.
The ISMS requirements defined in ISO/IEC 27001:2013 require the implementation of a systematic information security risk management process and the implementation of a set of processes used to establish, implement, monitor and maintain an ISMS (see the clauses of ISO/IEC 27001:2013 for details):
• Context of the organization (Clause 4);
• Leadership (Clause 5);
• Planning (Clause 6);
• Support (Clause 7);
• Operation (Clause 8);
• Performance evaluation (Clause 9);
• Improvement (Clause 10).
This includes having an appropriate system of documented information in place that is kept up to date, accurate and available for inspection and reference, with appropriate documented information in accordance with the requirements of ISO/IEC 27001:2013, 7.5.
The third-party certification or internal ISMS audit will need to check, based on appropriate evidence being provided, that the organization has a set of ISMS processes in place, as well as an ISMS system of controls (based on Annex A of ISO/IEC 27001:2013) to cover the requirements of Clauses 4 to 10 of ISO/IEC 27001:2013.




Workbook checklist

Section 4 of this guide considers the workbook checklists for the ISMS process requirements. The two basic questions, which may be addressed to each of the process requirements, are as follows.
Q1. Is a relevant process in place to satisfy the mandatory prescriptive ‘shall’ requirements specified in Clauses 4 to 10 of ISO/IEC 27001:2013?
Three answers are possible:
• YES – This indicates that there is a process in place that completely fulfils the requirement. Some explanation should be given justifying and providing evidence to support this answer.
• PARTIAL – This indicates that a process is in place but not sufficiently developed or implemented to allow an answer of ‘yes’ for this requirement. Further action is needed to meet the requirements specified in ISO/IEC 27001.
• NO – This indicates that there is no process in place to address the requirement and action is needed to meet the requirements specified in ISO/IEC 27001.
Q2. If the requirement has been either not implemented or only partially implemented, why is this the case?
It will be important to provide an explanation to understand the reasons and justification for partial implementation or non-implementation and to provide appropriate evidence to support this. Also, an indication needs to be given as to what action shall be taken to address this gap in meeting the requirements of ISO/IEC 27001. An explanation justifying and providing evidence for the answer that a requirement of ISO/IEC 27001 has been completely addressed is also helpful.

3.2 Annex A Reference control objectives and controls

3.2.1 Introduction

Annex A of ISO/IEC 27001:2013 contains the control objectives and controls that are to be used in context with the risk treatment process in 6.1.3. These are directly derived from and aligned with those listed in ISO/IEC 27002:2013 Clauses 5 to 18. This guide presents each of the control requirements in question form and should be used in conjunction with the ISMS processes workbook to support as appropriate the implementation of the risk treatment processes (see ISO/IEC 27001:2013, 6.1.3 and 8.3).
The risk treatment process defined in ISO/IEC 27001:2013, 6.1.3 states the following:

6.1.3 Information security risk treatment

The organization shall define and apply an information security risk treatment process to:

a) Select appropriate information security risk treatment options, taking account of the risk assessment results;

b) Determine all controls that are necessary to implement the information security risk treatment option(s) chosen;

NOTE: Organizations can design controls as required, or identify them from any source.

c) Compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;

NOTE: Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked.

NOTE: Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.

d) Produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A.


Section 5 of this guide enables organizations to indicate whether the control:

• has been implemented, and justification and evidence can be given to support this answer;
• has only been partially implemented, and the reason(s) and justification for this;
• has not been implemented at all, and the reason(s) and justification for this. For example, the control may not have been determined as necessary as part of the risk management process (see ISO/IEC 27001:2013, 6.1.3 and 8.3), or it may have been determined but has not yet been implemented.
It should be understood that external or internal auditors, whose task it is to assess the ISMS against the requirements of ISO/IEC 27001, may not regard the reasons given for non-implementation as sufficient justification and may require additional reasons to be given during the audit. Please note that any exclusion from the controls in Annex A of ISO/IEC 27001:2013 is to be justified, based on the results of the risk assessment and the risk treatment decisions made.
Organizations may wish to further refine the process defined in this guide with more detailed questions regarding the control requirements within each general category. This might be necessary to completely assess all details of a specific control implementation in place in an organization. Due to the number of controls, this might be an extensive task, but it will lead to more detailed information and a more accurate account of the status of the ISMS implementation.

Workbook checklist

The two basic questions that may be addressed to each of the control requirements are as follows.
Q1. Has this control requirement been implemented? Three answers are possible:
• YES – This indicates that there is a control in place that completely fulfils the control requirements. An explanation with reference to supporting evidence should be given justifying this answer – see ‘Comments’.
• PARTIAL – This indicates that some measures are in place that address the control requirements but not sufficiently to allow an answer of ‘yes’ to be given. An explanation with reference to supporting evidence should be given justifying this answer – see ‘Comments’.
• NO – This indicates that no measures have been taken to address the control requirements. This is also the correct answer if the control is not relevant to the system under review as determined by the risk assessment and risk treatment processes (see ISO/IEC 27001:2013, 6.1.2 to 6.1.3). A ‘no’ response may also be given if a control requirement is relevant but is not yet implemented, or the requirement has been satisfied by deploying another control.
Q2. If the control requirement has not been fully implemented, then why is this the case?
It will be important to understand the reasons and justification for either partial or non-implementation. Supporting evidence for an answer stating that the control requirement has been completely addressed would also be helpful.
The ISMS implementation is based on a risk management process. A third-party certification or internal ISMS audit will check and require evidence that the ISMS has been developed and implemented based on a risk management process. One important audit requirement is that any implemented ISMS system of controls can be traced back to the risk assessment and risk treatment processes. Consequently, if this workbook check is carried out just prior to the certification, e.g. as a pre-certification assessment, then the absence or non-applicability of controls should be documented and justified with supporting evidence based on the results of the risk assessment. One example of such a justification is that the implementation of a particular control could not be justified by the levels of risk exposure, or that the risk treatment decision was different from reducing the risk.


COMMENTS: In all cases some further comment should be given to expand on the particular control implementation, or the reasons for partial or non-implementation. Such comments could include:
• where there are controls deemed to be in place, it may be useful to describe evidence and justifications for their implementation, and the way in which they have been implemented. This in itself may lead to identification and recognition that further action and work still needs to be done in that area, or to support the activities described in the ‘Performance evaluation’ stage (Clause 9). Alternatively, setting out the implemented controls in this way may indicate that more is being done than necessary and that savings can be made by reducing some controls;
• where control requirements have not been met, or have only been partially met, an indication should be given of what steps are to be taken and over what time period to mitigate the (partial) absence of the control requirement, and justification for this status should be given;
• where a decision has been made to take no further action to implement controls in a given area, in effect a decision has been taken to accept this as a potential risk. Such a decision should be clearly documented and justified so that it is fully understood and explained.

3.3 A sample of a completed questionnaire

To help those completing this guide, an example page from one of the questionnaire sections follows.

ISO/IEC 27001, Information security management systems — Requirements

7. Support
7.2.c Competence

Requirement: The organization shall where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                                YES   PARTIAL   NO
7.2.c Is there a process in place and being used, where applicable, to take
      actions to acquire the necessary competence, and evaluate the
      effectiveness of the actions taken?                                          [ ]    [X]     [ ]

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reason in the following table.

Aspect   Reasons and justification (with reference to supporting evidence)   Action to be taken
A.6.2.1  There is a process in place but it is not fully operational.         Management needs to take action to ensure
         Although actions have been taken to acquire the necessary             that this evaluation activity gets done: by
         competence, the evaluation of the effectiveness of these actions      reassessing the resources needed, and to
         has yet to be carried out. The reason for this is that those          reassign the work if necessary, and to
         tasked with carrying out the work were employed on other tasks.       properly schedule and prioritise the work to
                                                                               ensure the resource is available to do the
                                                                               work within a given time frame.



4 ISMS processes workbook (assessment of ISMS process requirements)

It is important to lay a firm foundation for the ISMS process within which a system of controls is implemented. Clauses 4 to 10 of ISO/IEC 27001:2013 provide requirements for establishing, implementing, maintaining and continually improving an ISMS. The user guide BIP 0071 expands on the issues involved. By referring to these two documents as necessary, you should review and follow the compliance checks addressed in this section in the following tables.
Guidance on completing the questionnaires can be found in Section 3.1 of this guide.
Please note that the questions given in the tables below are based on requirements that are mandatory for any organization claiming compliance with ISO/IEC 27001:2013, and should be addressed by any organization that aims for accredited ISO/IEC 27001:2013 certification.

ISO/IEC 27001, Information security management systems — Requirements

4. Context of the organization

4.1 Understanding the organization and its context

Q1. Consider the following aspect relating to the organizational context of the ISMS. Tick one box.

Aspect                                                                                YES   PARTIAL   NO
4.1 Is there a process in place to enable the organization to determine external
    and internal issues that are relevant to its purpose and that affect its
    ability to achieve the intended outcome(s) of its information security
    management system?                                                                [ ]    [ ]     [ ]

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect   Reasons and justification (with reference to supporting evidence)   Action to be taken
4.1

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide detail on actions taken.


ISO/IEC 27001, Information security management systems — Requirements

4. Context of the organization

4.2 Understanding the needs and expectations of interested parties

Q1. Consider the following aspects relating to interested parties. Tick one box.

Aspect                                                                                YES   PARTIAL   NO
4.2.a Is there a process in place to enable the organization to determine
      interested parties that are relevant to the information security
      management system?                                                              [ ]    [ ]     [ ]
4.2.b Is there a process in place to enable the organization to determine the
      requirements of these interested parties that are relevant to information
      security?                                                                       [ ]    [ ]     [ ]

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect   Reasons and justification (with reference to supporting evidence)   Action to be taken
4.2.a
4.2.b

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


ISO/IEC 27001, Information security management systems — Requirements

4. Context of the organization

4.3 Determining the scope of the information security management system

Q1. Consider the following aspects relating to the scope of the ISMS. Tick one box.

Aspect                                                                                YES   PARTIAL   NO
4.3.a Has the organization determined the boundaries and applicability of the
      information security management system to establish its scope?                  [ ]    [ ]     [ ]
4.3.b When determining the scope of its ISMS has the organization considered the
      external and internal issues referred to in 4.1?                                [ ]    [ ]     [ ]
4.3.c When determining the scope of its ISMS has the organization considered the
      requirements referred to in 4.2?                                                [ ]    [ ]     [ ]
4.3.d When determining the scope of its ISMS has the organization considered the
      interfaces and dependencies between activities performed by the
      organization, and those that are performed by other organizations?              [ ]    [ ]     [ ]
4.3.e Has the organization made the scope available as documented information?       [ ]    [ ]     [ ]

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect   Reasons and justification (with reference to supporting evidence)   Action to be taken
4.3.a
4.3.b
4.3.c
4.3.d
4.3.e

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


ISO/IEC 27001, Information security management systems — Requirements

4. Context of the organization

4.4 Information security management system

Q1. Consider the following aspects relating to the status of the ISMS. Tick one box.

Aspect                                                                                YES   PARTIAL   NO
4.4.a Has the organization established an information security management
      system, in accordance with the requirements of ISO/IEC 27001:2013?              [ ]    [ ]     [ ]
4.4.b Has the organization implemented an information security management
      system, in accordance with the requirements of ISO/IEC 27001:2013?              [ ]    [ ]     [ ]
4.4.c Has the organization processes in place for maintaining its information
      security management system, in accordance with the requirements of
      ISO/IEC 27001:2013?                                                             [ ]    [ ]     [ ]
4.4.d Has the organization processes in place for continually improving an
      information security management system, in accordance with the
      requirements of ISO/IEC 27001:2013?                                             [ ]    [ ]     [ ]

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect   Reasons and justification (with reference to supporting evidence)   Action to be taken
4.4.a
4.4.b
4.4.c
4.4.d

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


5 Leadership

5.1 Leadership and commitment

Q1. Consider the following aspects relating to top management. Tick one box.

Aspect | YES | PARTIAL | NO

5.1.a Does top management demonstrate leadership and commitment with respect to the information security management system by ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization?

5.1.b Does top management demonstrate leadership and commitment with respect to the information security management system by ensuring the integration of the information security management system requirements into the organization’s processes?

5.1.c Does top management demonstrate leadership and commitment with respect to the information security management system by ensuring that the resources needed for the information security management system are available?

5.1.d Does top management demonstrate leadership and commitment with respect to the information security management system by communicating the importance of effective information security management and of conforming to the information security management system requirements?

5.1.e Does top management demonstrate leadership and commitment with respect to the information security management system by ensuring that the information security management system achieves its intended outcome(s)?

5.1.f Does top management demonstrate leadership and commitment with respect to the information security management system by directing and supporting persons to contribute to the effectiveness of the information security management system?

5.1.g Does top management demonstrate leadership and commitment with respect to the information security management system by promoting continual improvement?

5.1.h Does top management demonstrate leadership and commitment with respect to the information security management system by supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility?


Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken

5.1.a

5.1.b

5.1.c

5.1.d

5.1.e

5.1.f

5.1.g

5.1.h

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


5 Leadership

5.2 Policy

Q1. Consider the following aspects relating to the information security policy. Tick one box.

Aspect | YES | PARTIAL | NO

5.2.a Has top management established an information security policy that is appropriate to the purpose of the organization?

5.2.b Has top management established an information security policy that includes information security objectives (see 6.2) or provides the framework for setting information security objectives?

5.2.c Has top management established an information security policy that includes a commitment to satisfy applicable requirements related to information security?

5.2.d Has top management established an information security policy that includes a commitment to continual improvement of the information security management system?

5.2.e Is the information security policy made available as documented information?

5.2.f Is the information security policy communicated within the organization?

5.2.g Is the information security policy made available to interested parties, as appropriate?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken

5.2.a

5.2.b

5.2.c

5.2.d

5.2.e

5.2.f

5.2.g

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


5 Leadership

5.3 Organizational roles, responsibilities and authorities

Q1. Consider the following aspects relating to roles, responsibilities and authorities. Tick one box.

Aspect | YES | PARTIAL | NO

5.3.a Does top management ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated?

5.3.b Has top management assigned the responsibility and authority for ensuring that the information security management system conforms to the requirements of ISO/IEC 27001?

5.3.c Has top management assigned the responsibility and authority for reporting on the performance of the information security management system to top management?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken

5.3.a

5.3.b

5.3.c

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


6 Planning

6.1 Actions to address risks and opportunities

6.1.1 General

Q1. Consider the following aspects relating to risk/opportunity identification and related actions. Tick one box.

Aspect | YES | PARTIAL | NO

6.1.1.a When planning for the information security management system, does the organization consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to ensure the information security management system can achieve its intended outcome(s)?

6.1.1.b When planning for the information security management system, does the organization consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to prevent, or reduce, undesired effects?

6.1.1.c When planning for the information security management system, does the organization consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to achieve continual improvement?

6.1.1.d Does the organization plan actions to address these risks and opportunities?

6.1.1.e Does the organization plan how to 1) integrate and implement these actions into its information security management system processes; and 2) evaluate the effectiveness of these actions?


Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken

6.1.1.a

6.1.1.b

6.1.1.c

6.1.1.d

6.1.1.e

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


6 Planning

6.1 Actions to address risks and opportunities

6.1.2 Information security risk assessment

Q1. Consider the following aspects relating to the risk assessment process. Tick one box.

Aspect | YES | PARTIAL | NO

6.1.2.a Does the organization define and apply an information security risk assessment process that establishes and maintains information security risk criteria that include: 1) the risk acceptance criteria; and 2) criteria for performing information security risk assessments?

6.1.2.b Does the organization define and apply an information security risk assessment process that ensures that repeated information security risk assessments produce consistent, valid and comparable results?

6.1.2.c Does the organization define and apply an information security risk assessment process that: 1) identifies risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and 2) identifies the risk owners?

6.1.2.d Does the organization define and apply an information security risk assessment process that analyses the information security risks as follows: 1) assesses the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize; 2) assesses the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and 3) determines the levels of risk?

6.1.2.e Does the organization define and apply an information security risk assessment process that evaluates the information security risks as follows: 1) compares the results of risk analysis with the risk criteria established in 6.1.2 a); and 2) prioritizes the analysed risks for risk treatment?

6.1.2.f Does the organization retain documented information about the information security risk assessment process?


Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken

6.1.2.a

6.1.2.b

6.1.2.c

6.1.2.d

6.1.2.e

6.1.2.f

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


6 Planning

6.1 Actions to address risks and opportunities

6.1.3 Information security risk treatment

Q1. Consider the following aspects relating to the risk treatment process. Tick one box.

Aspect | YES | PARTIAL | NO

6.1.3.a Does the organization define and apply an information security risk treatment process to select appropriate information security risk treatment options, taking account of the risk assessment results?

6.1.3.b Does the organization define and apply an information security risk treatment process to determine all controls that are necessary to implement the information security risk treatment option(s) chosen?

6.1.3.c Does the organization define and apply an information security risk treatment process to compare the controls determined in 6.1.3.b above with those in Annex A and verify that no necessary controls have been omitted?

6.1.3.d Does the organization define and apply an information security risk treatment process to produce a Statement of Applicability that contains the necessary controls (see 6.1.3.b and c) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A?

6.1.3.e Does the organization define and apply an information security risk treatment process to formulate an information security risk treatment plan?

6.1.3.f Does the organization define and apply an information security risk treatment process to obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks?

6.1.3.h Does the organization retain documented information about the information security risk treatment process?


Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken

6.1.3.a

6.1.3.b

6.1.3.c

6.1.3.d

6.1.3.e

6.1.3.f

6.1.3.h

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


6 Planning

6.2 Information security objectives and plans to achieve them

Q1. Consider the following aspects relating to information security objectives. Tick one box.

Aspect | YES | PARTIAL | NO

6.2.a Does the organization establish information security objectives at relevant functions and levels?

6.2.b Are the information security objectives consistent with the information security policy?

6.2.c Are the information security objectives measurable (if practicable)?

6.2.d Do the information security objectives take into account applicable information security requirements, and risk assessment and risk treatment results?

6.2.e Are the information security objectives communicated?

6.2.f Are the information security objectives updated as appropriate?

6.2.g Does the organization retain documented information about the information security objectives?

6.2.h When planning how to achieve its information security objectives, does the organization determine what will be done?

6.2.i When planning how to achieve its information security objectives, does the organization determine what resources will be required?

6.2.j When planning how to achieve its information security objectives, does the organization determine who will be responsible?

6.2.k When planning how to achieve its information security objectives, does the organization determine when it will be completed?

6.2.l When planning how to achieve its information security objectives, does the organization determine how the results will be evaluated?


Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken

6.2.a

6.2.b

6.2.c

6.2.d

6.2.e

6.2.f

6.2.g

6.2.h

6.2.i

6.2.j

6.2.k

6.2.l

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


7 Support

7.1 Resources

Q1. Consider the following aspect relating to the resources required. Tick one box.

Aspect | YES | PARTIAL | NO

7.1 Is there a process in place and being used by the organization to determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system objectives determined in 6.2?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken

7.1

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


7 Support

7.2 Competence

Q1. Consider the following aspects relating to training and competence. Tick one box.

Aspect | YES | PARTIAL | NO

7.2.a Is there a process in place and being used by the organization to determine the necessary competence of person(s) doing work under its control that affects its information security performance?

7.2.b Is there a process in place and being used to ensure that these persons are competent on the basis of appropriate education, training, or experience?

7.2.c Is there a process in place and being used, where applicable, to take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken?

7.2.d Is appropriate documented information retained as evidence of competence?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken

7.2.a

7.2.b

7.2.c

7.2.d

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


7 Support

7.3 Awareness

Q1. Consider the following aspects relating to awareness. Tick one box.

Aspect | YES | PARTIAL | NO

7.3.a Is there a process in place and being used by the organization to ensure persons doing work under the organization’s control are aware of the information security policy?

7.3.b Is there a process in place and being used by the organization to ensure persons doing work under the organization’s control are aware of their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance?

7.3.c Is there a process in place and being used by the organization to ensure persons doing work under the organization’s control are aware of the implications of not conforming with the information security management system requirements?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken

7.3.a

7.3.b

7.3.c

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


7 Support

7.4 Communication

Q1. Consider the following aspects relating to communication. Tick one box.

Aspect | YES | PARTIAL | NO

7.4.a Is there a process in place and being used by the organization to determine the need for internal and external communications relevant to the information security management system?

7.4.b Has this process identified what to communicate?

7.4.c Has this process identified when to communicate?

7.4.d Has this process identified with whom to communicate?

7.4.e Has this process identified who shall communicate?

7.4.f Has this process identified the processes by which communication shall be effected?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken

7.4.a

7.4.b

7.4.c

7.4.d

7.4.e

7.4.f

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


7 Support

7.5 Documented information

7.5.1 General

Q1. Consider the following aspects relating to the existence of ISMS documentation. Tick one box.

Aspect | YES | PARTIAL | NO

7.5.1.a Does the organization’s information security management system include documented information required by ISO/IEC 27001:2013?

7.5.1.b Does the organization’s information security management system include documented information determined by the organization as being necessary for the effectiveness of the information security management system?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken

7.5.1.a

7.5.1.b

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


7 Support

7.5 Documented information

7.5.2 Creating and updating

Q1. Consider the following aspects relating to creating and updating ISMS documentation. Tick one box.

Aspect | YES | PARTIAL | NO

7.5.2.a When creating and updating documented information, does the organization have in place a process to ensure appropriate identification and description (e.g. a title, date, author, or reference number)?

7.5.2.b When creating and updating documented information, does the organization have in place a process to ensure appropriate format (e.g. language, software version, graphics) and media (e.g. paper, electronic)?

7.5.2.c When creating and updating documented information, does the organization have in place a process to ensure appropriate review and approval for suitability and adequacy?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken

7.5.2.a

7.5.2.b

7.5.2.c

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


7 Support

7.5 Documented information

7.5.3 Control of documented information

Q1. Consider the following aspects relating to control of documented information. Tick one box.

Aspect | YES | PARTIAL | NO

7.5.3.a Does the organization have in place a process to control the documented information required by the information security management system and by ISO/IEC 27001:2013 to ensure it is available and suitable for use, where and when it is needed?

7.5.3.b Does the organization have in place a process to control the documented information required by the information security management system and by ISO/IEC 27001:2013 to ensure it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity)?

7.5.3.c Does the organization have in place a process to control the documented information required by the information security management system and by ISO/IEC 27001:2013 to address, as applicable, its distribution, access, retrieval and use?

7.5.3.d Does the organization have in place a process to control the documented information required by the information security management system and by ISO/IEC 27001:2013 to address, as applicable, its storage and preservation, including the preservation of legibility?

7.5.3.e Does the organization have in place a process to control the documented information required by the information security management system and by ISO/IEC 27001:2013 to address, as applicable, the control of changes (e.g. version control)?

7.5.3.f Does the organization have in place a process to control the documented information required by the information security management system and by ISO/IEC 27001:2013 to address, as applicable, its retention and disposition?

7.5.3.g Does the organization have in place a process to identify as appropriate documented information of external origin that is determined by the organization to be necessary for the planning and operation of the information security management system?

7.5.3.h Does the organization have in place a process to control documented information of external origin that is determined by the organization to be necessary for the planning and operation of the information security management system?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect | Reasons and justification (with reference to supporting evidence) | Action to be taken

7.5.3.a

7.5.3.b

7.5.3.c

7.5.3.d

7.5.3.e

7.5.3.f

7.5.3.g

7.5.3.h

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.

Are you ready for an ISMS audit based on ISO/IEC 27001? 31


4 ISMS processes workbook (assessment of ISMS process requirements)

ISO/IEC 27001, Information security management systems — Requirements

8 Operations
8.1 Operational planning and control

Q1. Consider the following aspects relating to operational planning and control. Tick one box.

Aspect YES PARTIAL NO

8.1.a Is there a process in place and being used by the organization to plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1?

8.1.b Has the organization implemented plans to achieve its information security objectives as determined in 6.2?

8.1.c Does the organization keep documented information to the extent necessary to have confidence that the processes have been carried out as planned?

8.1.d Does the organization control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary?

8.1.e Does the organization ensure that outsourced processes are determined and controlled?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect    Reasons and justification (with reference to supporting evidence)    Action to be taken

8.1.a

8.1.b

8.1.c

8.1.d

8.1.e

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


8 Operations
8.2 Information security risk assessment

Q1. Consider the following aspects relating to risk assessments. Tick one box.

Aspect YES PARTIAL NO

8.2.a Is there a process in place and being used to perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a)?

8.2.b Does the organization retain documented information of the results of the information security risk assessments?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect    Reasons and justification (with reference to supporting evidence)    Action to be taken

8.2.a

8.2.b

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


8 Operations
8.3 Information security risk treatment

Q1. Consider the following aspects relating to risk treatment. Tick one box.

Aspect YES PARTIAL NO

8.3.a Is the organization implementing its information security risk treatment plan?

8.3.b Does the organization retain documented information of the results of the information security risk treatment?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect    Reasons and justification (with reference to supporting evidence)    Action to be taken

8.3.a

8.3.b

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

Q1. Consider the following aspects relating to measurement of performance of the ISMS. Tick one box.

Aspect YES PARTIAL NO

9.1.a Is there a process in place and being used to evaluate the information security performance and the effectiveness of the information security management system?

9.1.b Does the process determine what needs to be monitored and measured, including information security processes and controls?

9.1.c Does the process determine the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results?

9.1.d Does the process determine when the monitoring and measuring shall be performed?

9.1.e Does the process determine who shall monitor and measure?

9.1.f Does the process determine when the results from monitoring and measurement shall be analysed and evaluated?

9.1.g Does the process determine who shall analyse and evaluate these results?

9.1.h Does the organization retain appropriate documented information as evidence of the monitoring and measurement results?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect    Reasons and justification (with reference to supporting evidence)    Action to be taken

9.1.a

9.1.b

9.1.c

9.1.d

9.1.e

9.1.f

9.1.g

9.1.h

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


9 Performance evaluation
9.2 Internal audit

Q1. Consider the following aspects relating to an internal ISMS audit function. Tick one box.

Aspect YES PARTIAL NO

9.2.a Is there a process in place and being used to ensure that the organization conducts internal audits at planned intervals?

9.2.b Do the internal audits provide information on whether the information security management system conforms to the organization’s own requirements for its information security management system?

9.2.c Do the internal audits provide information on whether the information security management system conforms to the requirements of ISO/IEC 27001:2013?

9.2.d Do the internal audits provide information on whether the information security management system is effectively implemented and maintained?

9.2.e Does the organization plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting?

9.2.f Does the audit programme(s) take into consideration the importance of the processes concerned and the results of previous audits?

9.2.g Does the organization define the audit criteria and scope for each audit?

9.2.h Does the organization select auditors and conduct audits that ensure objectivity and the impartiality of the audit process?

9.2.i Does the organization ensure that the results of the audits are reported to relevant management?

9.2.j Does the organization retain documented information as evidence of the audit programme(s) and the audit results?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect    Reasons and justification (with reference to supporting evidence)    Action to be taken

9.2.a

9.2.b

9.2.c

9.2.d

9.2.e

9.2.f

9.2.g

9.2.h

9.2.i

9.2.j

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


9 Performance evaluation

9.3 Management review

Q1. Consider the following aspects relating to top management review of the ISMS. Tick one box.

Aspect YES PARTIAL NO

9.3.a Is there a process in place and being used by top management to review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness?

9.3.b Does the review include consideration of the status of actions from previous management reviews?

9.3.c Does the review include consideration of changes in external and internal issues that are relevant to the information security management system?

9.3.d Does the review include consideration of feedback on the information security performance, including trends in: 1) nonconformities and corrective actions; 2) monitoring and measurement results; 3) audit results; and 4) fulfilment of information security objectives?

9.3.e Does the review include consideration of feedback from interested parties?

9.3.f Does the review include consideration of results of risk assessment and status of risk treatment plan?

9.3.g Do these reviews include consideration of opportunities for continual improvement?

9.3.h Do the outputs of the management review include decisions related to continual improvement opportunities and any changes needed to the information security management system?

9.3.i Does the organization retain documented information as evidence of the results of management reviews?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect    Reasons and justification (with reference to supporting evidence)    Action to be taken

9.3.a

9.3.b

9.3.c

9.3.d

9.3.e

9.3.f

9.3.g

9.3.h

9.3.i

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


10 Improvement

10.1 Nonconformity and corrective action

Q1. Consider the following aspects relating to nonconformities and corrective action. Tick one box.

Aspect YES PARTIAL NO

10.1.a Is there a process in place and being used by the organization to react to any nonconformity, and as applicable: 1) take action to control and correct it; and 2) deal with the consequences?

10.1.b Is there a process in place and being used by the organization to evaluate the need for action to eliminate the causes of any nonconformity, in order that it does not recur or occur elsewhere, by: 1) reviewing the nonconformity; 2) determining the causes of the nonconformity; and 3) determining if similar nonconformities exist, or could potentially occur?

10.1.c Is there a process in place and being used by the organization to implement any action needed?

10.1.d Is there a process in place and being used by the organization to review the effectiveness of any corrective action taken?

10.1.e Is there a process in place and being used by the organization to make changes to the information security management system, if necessary?

10.1.f Is there a process in place and being used by the organization to ensure that corrective actions are appropriate to the effects of the nonconformities encountered?

10.1.g Does the organization retain documented information as evidence of the nature of the nonconformities and any subsequent actions taken?

10.1.h Does the organization retain documented information as evidence of the results of any corrective action?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect    Reasons and justification (with reference to supporting evidence)    Action to be taken

10.1.a

10.1.b

10.1.c

10.1.d

10.1.e

10.1.f

10.1.g

10.1.h

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above. Where aspects are already addressed it may be helpful to provide details on actions taken.


10 Improvement
10.2 Continual improvement

Q1. Consider the following aspect relating to continual improvement. Tick one box.

Aspect YES PARTIAL NO

10.2 Is there a process in place and being used to continually improve the suitability, adequacy and effectiveness of the information security management system?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Aspect    Reasons and justification (with reference to supporting evidence)    Action to be taken

10.2

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where aspects are already addressed it may be helpful to provide details on actions taken.


5 Annex A Gap analysis workbook (assessment of ISMS controls)

The following questionnaires should be addressed to determine the extent to which the control requirements from Annex A of ISO/IEC 27001:2013 have been implemented within the ISMS. Guidance on completing the questionnaires can be found in Section 3.2 of this guide.

Please note that exclusions to the following controls can only be made if these exclusions do not affect the organization’s ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable regulatory requirements. Any exclusions of controls found to be necessary to satisfy the risk acceptance criteria need to be justified, and evidence needs to be provided to show that the associated risks have been accepted by those with sufficient management seniority within the organization who are accountable to the board, owner and shareholders for corporate decisions.

BIP 0073 (and ISO/IEC 27002:2013) provides implementation guidance and further information regarding the control questions given in the tables below, e.g. the control question for A.16.1.7 talks about evidence, and BIP 0073 and ISO/IEC 27002 provide some examples of this evidence.

NOTE The control guidance given in ISO/IEC 27002 is not mandatory; it is purely helpful guidance and so does not play any part in an ISO/IEC 27001:2013 certification audit.


A.5 Information security policies


A.5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance
with business requirements and relevant laws and regulations.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement YES PARTIAL NO

A.5.1.1 Is the information security policy document set defined, approved by management, published and communicated to all employees and relevant external parties?

A.5.1.2 Are the information security policies reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Control    Reasons and justification (with reference to supporting evidence)    Action to be taken

A.5.1.1

A.5.1.2

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details. Use additional sheets if necessary.


A.6 Organization of information security


A.6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and
operation of information security within the organization.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement YES PARTIAL NO

A.6.1.1 Are all information security responsibilities defined and allocated?

A.6.1.2 Are areas of conflicting duties and areas of responsibility segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets?

A.6.1.3 Are appropriate contacts with relevant authorities maintained?

A.6.1.4 Are appropriate contacts with special interest groups or other specialist security forums and professional associations maintained?

A.6.1.5 Is information security addressed in project management, regardless of the type of the project?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Control    Reasons and justification (with reference to supporting evidence)    Action to be taken

A.6.1.1

A.6.1.2

A.6.1.3

A.6.1.4

A.6.1.5

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details. Use additional sheets if necessary.


A.6 Organization of information security


A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement YES PARTIAL NO

A.6.2.1 Have a policy and supporting security measures been adopted to manage the risks introduced by using mobile devices?

A.6.2.2 Have a policy and supporting security measures been implemented to protect information accessed, processed or stored at teleworking sites?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Control    Reasons and justification (with reference to supporting evidence)    Action to be taken

A.6.2.1

A.6.2.2

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details. Use additional sheets if necessary.


A.7 Human resource security


A.7.1 Prior to employment
Objective: To ensure that employees and contractors understand their responsibilities and are
suitable for the roles for which they are considered.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement YES PARTIAL NO

A.7.1.1 Have background verification checks on all candidates for employment been carried out in accordance with relevant laws, regulations and ethics, and are they proportional to the business requirements, the classification of the information to be accessed and the perceived risks?

A.7.1.2 Do the contractual agreements with employees and contractors state their and the organization’s responsibilities for information security?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Control    Reasons and justification (with reference to supporting evidence)    Action to be taken

A.7.1.1

A.7.1.2

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details. Use additional sheets if necessary.


A.7 Human resource security


A.7.2 During employment
Objective: To ensure that employees and contractors are aware of and fulfil their information
security responsibilities.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement YES PARTIAL NO

A.7.2.1 Does management require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization?

A.7.2.2 Do all employees of the organization and, where relevant, contractors receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function?

A.7.2.3 Is there a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Control    Reasons and justification (with reference to supporting evidence)    Action to be taken

A.7.2.1

A.7.2.2

A.7.2.3

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details. Use additional sheets if necessary.



A.7 Human resource security
A.7.3 Termination and change of employment
Objective: To protect the organization’s interests as part of the process of changing or terminating
employment.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement YES PARTIAL NO

A.7.3.1 Have information security responsibilities and duties that remain valid after termination or change of employment been defined, communicated to the employee or contractor and enforced?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Control    Reasons and justification (with reference to supporting evidence)    Action to be taken

A.7.3.1

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details. Use additional sheets if necessary.


A.8 Asset management


A.8.1 Responsibility for assets
Objective: To identify organizational assets and define appropriate protection responsibilities.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement YES PARTIAL NO

A.8.1.1 Have assets associated with information and information processing facilities been identified, has an inventory of these assets been drawn up, and is it being maintained?

A.8.1.2 Are all assets maintained in the inventory assigned owners?

A.8.1.3 Have rules for the acceptable use of information and of assets associated with information and information processing facilities been identified, documented and implemented?

A.8.1.4 Do all employees and external party users return all of the organizational assets in their possession upon termination of their employment, contract or agreement?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Control    Reasons and justification (with reference to supporting evidence)    Action to be taken

A.8.1.1

A.8.1.2

A.8.1.3

A.8.1.4

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details. Use additional sheets if necessary.


A.8 Asset management


A.8.2 Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance
with its importance to the organization.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement YES PARTIAL NO

A.8.2.1 Is information classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification?

A.8.2.2 Has an appropriate set of procedures for information labelling been developed and implemented in accordance with the information classification scheme adopted by the organization?

A.8.2.3 Are procedures for handling assets developed and implemented in accordance with the information classification scheme adopted by the organization?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Control    Reasons and justification (with reference to supporting evidence)    Action to be taken

A.8.2.1

A.8.2.2

A.8.2.3

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details. Use additional sheets if necessary.


A.8 Asset management


A.8.3 Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement YES PARTIAL NO

A.8.3.1 Have procedures been implemented for the management of removable media in accordance with the classification scheme adopted by the organization?

A.8.3.2 Is media disposed of securely when no longer required, using formal procedures?

A.8.3.3 Is media containing information protected against unauthorized access, misuse or corruption during transportation?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and justification in the following boxes.

Control    Reasons and justification (with reference to supporting evidence)    Action to be taken

A.8.3.1

A.8.3.2

A.8.3.3

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details. Use additional sheets if necessary.


A.9 Access control


A.9.1 Business requirements of access control
Objective: To limit access to information and information processing facilities.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                          YES   PARTIAL   NO

A.9.1.1 Has an access control policy been established, documented and reviewed based on
business and information security requirements?

A.9.1.2 Have users only been provided with access to the network and network services that
they have been specifically authorized to use?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control     Reasons and justification (with reference to supporting evidence)     Action to be taken

A.9.1.1

A.9.1.2

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.



A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and
services.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                          YES   PARTIAL   NO

A.9.2.1 Has a formal user registration and de-registration process been implemented to
enable assignment of access rights?

A.9.2.2 Has a formal user access provisioning process been implemented to assign or revoke
access rights for all user types to all systems and services?

A.9.2.3 Is the allocation and use of privileged access rights being restricted and controlled?

A.9.2.4 Is the allocation of secret authentication information being controlled through a
formal management process?

A.9.2.5 Do asset owners review users' access rights at regular intervals?

A.9.2.6 Are the access rights of all employees and external party users to information and
information processing facilities being removed upon termination of their employment,
contract or agreement, or adjusted upon change?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control     Reasons and justification (with reference to supporting evidence)     Action to be taken

A.9.2.1

A.9.2.2

A.9.2.3

A.9.2.4

A.9.2.5

A.9.2.6

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.
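Three of the questions on this sheet (A.9.2.3, A.9.2.5 and A.9.2.6) are the ones an auditor most often tests by sampling: pick a leaver and show the account is disabled; pick a privileged group and show each member is on the approved register; pick an account and show when its rights were last reviewed. The script below, added here as an example and not part of the BSI workbook or of ISO/IEC 27001, performs that reconciliation over a directory export and produces one line per discrepancy. Every input in it is constructed sample data: the usernames, the group names domain-admins and backup-operators, the HR leaver feed, the 180-day review interval and the run date are assumptions; in practice they would come from the directory, the HR system and the privileged-access register.

```python
"""Leaver, privilege and review-date reconciliation for A.9.2.3, A.9.2.5 and A.9.2.6.

Illustrative example added to this workbook; it is not BSI or ISO/IEC 27001 code.
All inputs below are constructed sample data (hypothetical usernames, group
names, HR feed and review interval).
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    groups: frozenset
    last_reviewed: date


# Constructed directory export: who exists, whether enabled, group membership,
# and when the asset owner last confirmed the access rights were still needed.
ACCOUNTS = [
    Account("asmith", True, frozenset({"staff"}), date(2014, 3, 1)),
    Account("bjones", True, frozenset({"staff", "domain-admins"}), date(2013, 9, 15)),
    Account("cwong", True, frozenset({"staff"}), date(2014, 2, 20)),
    Account("dlee", False, frozenset({"staff"}), date(2014, 1, 10)),
    Account("svc-backup", True, frozenset({"backup-operators"}), date(2013, 6, 1)),
]

# Constructed HR feed: username -> last day of employment or contract.
LEAVERS = {"cwong": date(2014, 4, 30), "dlee": date(2013, 12, 31)}

# Constructed privileged-access register: group -> usernames approved to hold it.
PRIVILEGED_GROUPS = {"domain-admins", "backup-operators"}
APPROVED_PRIVILEGED = {"domain-admins": {"bjones"}, "backup-operators": set()}

REVIEW_INTERVAL_DAYS = 180          # assumed policy value
AS_OF = date(2014, 6, 1)            # assumed date on which the check is run


def review_access(accounts, leavers, approved, as_of):
    """Return (control, username, reason) tuples for every discrepancy found."""
    findings = []
    for acct in accounts:
        # A.9.2.6: an account whose owner has left must no longer be enabled.
        left_on = leavers.get(acct.username)
        if acct.enabled and left_on is not None and left_on <= as_of:
            findings.append(("A.9.2.6", acct.username,
                             f"enabled account of a leaver (left {left_on})"))
        # A.9.2.3: privileged membership is allowed only if it is on the register.
        for group in sorted(acct.groups & PRIVILEGED_GROUPS):
            if acct.username not in approved.get(group, set()):
                findings.append(("A.9.2.3", acct.username,
                                 f"member of {group} without an approval record"))
        # A.9.2.5: every enabled account needs a review inside the interval.
        if acct.enabled and (as_of - acct.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append(("A.9.2.5", acct.username,
                             f"last reviewed {acct.last_reviewed}, interval exceeded"))
    return findings


if __name__ == "__main__":
    for control, user, reason in review_access(ACCOUNTS, LEAVERS, APPROVED_PRIVILEGED, AS_OF):
        print(f"{control}  {user:<12} {reason}")
```

Each finding is a ready-made entry for the Q2 table: the control it relates to, the account concerned and what the evidence shows. Note that disabled accounts of leavers are deliberately not reported; the control asks that rights be removed, not that the record be deleted, and a disabled account with its history intact is usually the better audit trail.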



A.9.3 User responsibilities
Objective: To make users accountable for safeguarding their authentication information.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                          YES   PARTIAL   NO

A.9.3.1 Are users required to follow the organization's practices in the use of secret
authentication information?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control     Reasons and justification (with reference to supporting evidence)     Action to be taken

A.9.3.1

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.



A.9.4 System and application access control
Objective: To prevent unauthorized access to systems and applications.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                          YES   PARTIAL   NO

A.9.4.1 Is access to information and application system functions restricted in accordance
with the access control policy?

A.9.4.2 Where required by the access control policy, is access to systems and applications
being controlled by a secure log-on procedure?

A.9.4.3 Are password management systems interactive and do they ensure quality passwords?

A.9.4.4 Is the use of utility programs that might be capable of overriding system and
application controls restricted and tightly controlled?

A.9.4.5 Is access to program source code restricted?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control     Reasons and justification (with reference to supporting evidence)     Action to be taken

A.9.4.1

A.9.4.2

A.9.4.3

A.9.4.4

A.9.4.5

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.


A.10 Cryptography

A.10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality,
authenticity and/or integrity of information.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                          YES   PARTIAL   NO

A.10.1.1 Has a policy on the use of cryptographic controls for protection of information been
developed and implemented?

A.10.1.2 Has a policy on the use, protection and lifetime of cryptographic keys been developed
and is it implemented through their whole life cycle?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control     Reasons and justification (with reference to supporting evidence)     Action to be taken

A.10.1.1

A.10.1.2

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.


A.11 Physical and environmental security

A.11.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's
information and information processing facilities.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                          YES   PARTIAL   NO

A.11.1.1 Are security perimeters defined and used to protect areas that contain either sensitive
or critical information and information processing facilities?

A.11.1.2 Are secure areas protected by appropriate entry controls to ensure that only authorized
personnel are allowed access?

A.11.1.3 Has physical security for offices, rooms and facilities been designed and is it being
applied?

A.11.1.4 Has physical protection against natural disasters, malicious attack or accidents been
designed and is it being applied?

A.11.1.5 Have procedures for working in secure areas been designed and are they being applied?

A.11.1.6 Are access points such as delivery and loading areas and other points where
unauthorized persons could enter the premises controlled and, if possible, isolated from
information processing facilities to avoid unauthorized access?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control     Reasons and justification (with reference to supporting evidence)     Action to be taken

A.11.1.1

A.11.1.2

A.11.1.3

A.11.1.4

A.11.1.5

A.11.1.6

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.


A.11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the
organization's operations.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                          YES   PARTIAL   NO

A.11.2.1 Is equipment sited and protected to reduce the risks from environmental threats and
hazards, and opportunities for unauthorized access?

A.11.2.2 Is equipment being protected from power failures and other disruptions caused by
failures in supporting utilities?

A.11.2.3 Are power and telecommunications cabling carrying data or supporting information
services being protected from interception, interference or damage?

A.11.2.4 Is equipment being correctly maintained to ensure its continued availability and
integrity?

A.11.2.5 Is equipment, information or software not being taken off-site without prior
authorization?

A.11.2.6 Is security applied to off-site assets, taking into account the different risks of working
outside the organization's premises?

A.11.2.7 Are all items of equipment containing storage media being verified to ensure that any
sensitive data and licensed software has been removed or securely overwritten prior to
disposal or re-use?

A.11.2.8 Do users ensure that unattended equipment has appropriate protection?

A.11.2.9 Has a clear desk policy for papers and removable storage media and a clear screen
policy for information processing facilities been adopted?


Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control     Reasons and justification (with reference to supporting evidence)     Action to be taken

A.11.2.1

A.11.2.2

A.11.2.3

A.11.2.4

A.11.2.5

A.11.2.6

A.11.2.7

A.11.2.8

A.11.2.9

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.


A.12 Operations security

A.12.1 Operational procedures and responsibilities
Objective: To ensure correct and secure operations of information processing facilities.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                          YES   PARTIAL   NO

A.12.1.1 Are operating procedures documented and made available to all users who need them?

A.12.1.2 Are changes to the organization, business processes, information processing facilities
and systems that affect information security being controlled?

A.12.1.3 Is the use of resources being monitored and tuned, and are projections made of future
capacity requirements to ensure the required system performance?

A.12.1.4 Are development, testing and operational environments separated to reduce the risks
of unauthorized access or changes to the operational environment?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control     Reasons and justification (with reference to supporting evidence)     Action to be taken

A.12.1.1

A.12.1.2

A.12.1.3

A.12.1.4

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.



A.12.2 Protection from malware
Objective: To ensure that information and information processing facilities are protected against
malware.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                          YES   PARTIAL   NO

A.12.2.1 Are detection, prevention and recovery controls to protect against malware
implemented, combined with appropriate user awareness?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control     Reasons and justification (with reference to supporting evidence)     Action to be taken

A.12.2.1

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.



A.12.3 Backup
Objective: To protect against loss of data.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                          YES   PARTIAL   NO

A.12.3.1 Are backup copies of information, software and system images being taken and tested
regularly in accordance with an agreed backup policy?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control     Reasons and justification (with reference to supporting evidence)     Action to be taken

A.12.3.1

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.



A.12.4 Logging and monitoring
Objective: To record events and generate evidence.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                          YES   PARTIAL   NO

A.12.4.1 Are event logs recording user activities, exceptions, faults and information security
events being produced, kept and regularly reviewed?

A.12.4.2 Are logging facilities and log information being protected against tampering and
unauthorized access?

A.12.4.3 Are system administrator and system operator activities being logged and the logs
protected and regularly reviewed?

A.12.4.4 Are the clocks of all relevant information processing systems within an organization
or security domain being synchronized to a single reference time source?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control     Reasons and justification (with reference to supporting evidence)     Action to be taken

A.12.4.1

A.12.4.2

A.12.4.3

A.12.4.4

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.
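A.12.4.2 and A.12.4.3 ask for logs that an administrator cannot quietly edit, and A.12.4.4 asks for clocks that let events from different systems be ordered. One way to give an auditor evidence for both is a keyed hash chain over the log: each entry's authentication code covers the previous entry's code, so deleting, inserting, reordering or altering any record breaks every later link. The code below is an example added here, not code from the BSI workbook or from ISO/IEC 27001. The key, host names, users and log entries are constructed, and the deployment it assumes is that the key is held by a central log collector rather than on the logged hosts, with the latest chain head copied to a separate system; without that separation a key holder could simply re-sign a rewritten chain.

```python
"""Keyed hash chain giving tamper evidence for event logs (A.12.4.1 to A.12.4.4).

Illustrative example added to this workbook; not BSI or ISO/IEC 27001 code.
Key and log entries are constructed. Assumed deployment: the key lives on the
log collector, not the logged hosts, and the chain head is copied off-box.
"""
import hashlib
import hmac
import json
from datetime import datetime

GENESIS = "0" * 64                              # link value before the first entry
KEY = b"constructed-demo-key-not-for-real-use"  # assumption: held by the collector


def _canonical(record):
    # Stable serialisation so the same record always produces the same MAC.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _link(key, prev_mac, record):
    # Each link covers the previous link, so every later entry depends on this one.
    return hmac.new(key, prev_mac.encode() + _canonical(record), hashlib.sha256).hexdigest()


def append(chain, key, record):
    """Append a record to the chain (a list of {'record', 'mac'} dicts) in place."""
    prev_mac = chain[-1]["mac"] if chain else GENESIS
    chain.append({"record": record, "mac": _link(key, prev_mac, record)})
    return chain


def verify(chain, key):
    """Return (ok, first_bad_index, clock_notes).

    ok is False at the first entry whose link does not recompute; clock_notes
    lists entries whose timestamp precedes the previous entry, which on
    synchronized systems (A.12.4.4) indicates a clock or collection problem.
    """
    prev_mac, last_ts, notes = GENESIS, None, []
    for i, entry in enumerate(chain):
        expected = _link(key, prev_mac, entry["record"])
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i, notes
        ts = datetime.fromisoformat(entry["record"]["ts"])
        if last_ts is not None and ts < last_ts:
            notes.append(f"entry {i}: timestamp earlier than entry {i - 1}")
        last_ts, prev_mac = ts, entry["mac"]
    return True, None, notes


# Constructed sample events (hypothetical hosts and users).
SAMPLE_EVENTS = [
    {"ts": "2014-06-01T08:00:00+00:00", "host": "db01", "user": "bjones", "event": "login ok"},
    {"ts": "2014-06-01T08:05:12+00:00", "host": "db01", "user": "bjones", "event": "sudo useradd tmp1"},
    {"ts": "2014-06-01T08:04:50+00:00", "host": "web02", "user": "svc-backup", "event": "login failed"},
]


def build_sample_chain():
    chain = []
    for event in SAMPLE_EVENTS:
        append(chain, KEY, dict(event))
    return chain


def tampered_chain():
    # An administrator edits the record of the account they created (A.12.4.3).
    chain = build_sample_chain()
    chain[1]["record"]["event"] = "sudo ls"
    return chain


if __name__ == "__main__":
    print(verify(build_sample_chain(), KEY))
    print(verify(tampered_chain(), KEY))
```

verify() reports the index of the first broken link separately from timestamp anomalies: a broken link is evidence of tampering or of a wrong key, while a timestamp that runs backwards on an otherwise intact chain points at clock synchronization or the collection path, which is the A.12.4.4 question rather than the A.12.4.2 one.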



A.12.5 Control of operational software
Objective: To ensure the integrity of operational systems.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                          YES   PARTIAL   NO

A.12.5.1 Are procedures implemented to control the installation of software on operational
systems?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control     Reasons and justification (with reference to supporting evidence)     Action to be taken

A.12.5.1

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.



A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                          YES   PARTIAL   NO

A.12.6.1 Is information about technical vulnerabilities of the information systems in use being
obtained in a timely fashion, is the organization's exposure to such vulnerabilities evaluated
and are appropriate measures taken to address the associated risk?

A.12.6.2 Are rules governing the installation of software by users established and implemented?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control     Reasons and justification (with reference to supporting evidence)     Action to be taken

A.12.6.1

A.12.6.2

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.



A.12.7 Information systems audit considerations
Objective: To minimize the impact of audit activities on operational systems.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                          YES   PARTIAL   NO

A.12.7.1 Are audit requirements and activities involving verification of operational systems
being carefully planned and agreed to minimize disruptions to business processes?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control     Reasons and justification (with reference to supporting evidence)     Action to be taken

A.12.7.1

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.


A.13 Communications security

A.13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information
processing facilities.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                          YES   PARTIAL   NO

A.13.1.1 Are networks being managed and controlled to protect information in systems and
applications?

A.13.1.2 Are security mechanisms, service levels and management requirements of all network
services identified and included in network services agreements, whether these services are
provided in-house or outsourced?

A.13.1.3 Are groups of information services, users and information systems segregated on
networks?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control     Reasons and justification (with reference to supporting evidence)     Action to be taken

A.13.1.1

A.13.1.2

A.13.1.3

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.



A.13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any
external entity.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                          YES   PARTIAL   NO

A.13.2.1 Are formal transfer policies, procedures and controls in place to protect the transfer
of information through the use of all types of communication facilities?

A.13.2.2 Are agreements in place to address the secure transfer of business information
between the organization and external parties?

A.13.2.3 Is information involved in electronic messaging being appropriately protected?

A.13.2.4 Are requirements for confidentiality or non-disclosure agreements reflecting the
organization's needs for the protection of information being identified, regularly reviewed
and documented?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control     Reasons and justification (with reference to supporting evidence)     Action to be taken

A.13.2.1

A.13.2.2

A.13.2.3

A.13.2.4

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.


A.14 System acquisition, development and maintenance

A.14.1 Security requirements of information systems
Objective: To ensure that information security is an integral part of information systems across the
entire life cycle. This also includes the requirements for information systems which provide services
over public networks.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                          YES   PARTIAL   NO

A.14.1.1 Are information security related requirements included in the requirements for new
information systems or enhancements to existing information systems?

A.14.1.2 Is information involved in application services passing over public networks being
protected from fraudulent activity, contract dispute and unauthorized disclosure and
modification?

A.14.1.3 Is information involved in application service transactions being protected to prevent
incomplete transmission, mis-routing, unauthorized message alteration, unauthorized
disclosure, unauthorized message duplication or replay?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control     Reasons and justification (with reference to supporting evidence)     Action to be taken

A.14.1.1

A.14.1.2

A.14.1.3

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.
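A.14.1.2 and A.14.1.3 are the two questions on this sheet that map directly onto a protocol design: a transaction message has to be bound to its origin, protected against alteration, and rejected when it is duplicated or replayed. Confidentiality on the wire (the unauthorized disclosure part of A.14.1.3) is normally left to the transport, for example TLS, so the example below covers only the origin, integrity and replay half. It is an example added here, not code from the BSI workbook or from ISO/IEC 27001: the sender attaches a random nonce, a timestamp and an HMAC over the whole message, and the receiver verifies the MAC, enforces a freshness window and remembers the nonces seen inside that window. The shared key, client name, order payload and 300-second window are assumptions.

```python
"""Authenticated, replay-resistant transaction envelope (A.14.1.2, A.14.1.3).

Illustrative example added to this workbook; not BSI or ISO/IEC 27001 code.
Covers origin authentication, alteration and replay/duplication; confidentiality
is assumed to come from the transport (e.g. TLS). Key, client id, payload and
window size are constructed assumptions.
"""
import copy
import hashlib
import hmac
import json
import os

KEY = b"constructed-shared-key-not-for-real-use"   # assumption: pre-shared per client


def _canonical(body):
    # Stable serialisation so sender and receiver MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(key, client_id, payload, now):
    """Sender side: wrap payload with client id, fresh nonce, timestamp and MAC."""
    body = {"client": client_id, "nonce": os.urandom(16).hex(), "ts": now, "payload": payload}
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


class Receiver:
    """Receiver side: rejects altered, stale and duplicated envelopes."""

    def __init__(self, key, window_seconds=300):
        self.key = key
        self.window = window_seconds
        self.seen = {}              # nonce -> timestamp, for replay detection

    def accept(self, envelope, now):
        body = envelope["body"]
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # 1. Integrity and origin: any change to body, or a wrong key, fails here.
        if not hmac.compare_digest(expected, envelope["mac"]):
            return False, "rejected: MAC mismatch (altered or wrong key)"
        # 2. Freshness: outside the window a message is stale even if never seen.
        if abs(now - body["ts"]) > self.window:
            return False, "rejected: timestamp outside freshness window"
        # 3. Duplication/replay: nonces are kept only for the window, which is
        #    enough because anything older already fails the freshness check.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if body["nonce"] in self.seen:
            return False, "rejected: duplicate nonce (replay)"
        self.seen[body["nonce"]] = body["ts"]
        return True, "accepted"


def altered_copy(envelope, new_amount):
    """Simulate in-transit modification of the payload without updating the MAC."""
    changed = copy.deepcopy(envelope)
    changed["body"]["payload"]["amount"] = new_amount
    return changed


if __name__ == "__main__":
    rx = Receiver(KEY)
    env = seal(KEY, "shop-web", {"order": 42, "amount": "19.99"}, now=1000)
    print(rx.accept(env, now=1001))                        # accepted
    print(rx.accept(env, now=1002))                        # duplicate
    print(rx.accept(altered_copy(env, "1.99"), now=1003))  # altered
```

The order of the three checks matters: the MAC is verified first so that an attacker cannot learn anything from the freshness or nonce checks about a message they forged, and the nonce cache is bounded by the same window the timestamp check enforces, so memory stays proportional to traffic in the window rather than growing forever. Incomplete transmission and mis-routing, the remaining items in A.14.1.3, are not addressed by this envelope; they need sequence numbers or transaction identifiers checked at the application level and addressing information inside the signed body.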


A.14.2 Security in development and support processes
Objective: To ensure that information security is designed and implemented within the
development life cycle of information systems.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                          YES   PARTIAL   NO

A.14.2.1 Are rules for the development of software and systems established and are they being
applied to developments within the organization?

A.14.2.2 Are changes to systems within the development life cycle being controlled by the use
of formal change control procedures?

A.14.2.3 When operating platforms are changed, are business critical applications reviewed and
tested to ensure there is no adverse impact on organizational operations or security?

A.14.2.4 Are modifications to software packages discouraged, limited to necessary changes and
are all changes strictly controlled?

A.14.2.5 Are principles for engineering secure systems being established, documented,
maintained and applied to any information system implementation efforts?

A.14.2.6 Does the organization establish and appropriately protect secure development
environments for system development and integration efforts? Do these secure development
environments cover the entire system development life cycle?

A.14.2.7 Does the organization supervise and monitor the activity of outsourced system
development?

A.14.2.8 Is testing of security functionality being carried out during development?

A.14.2.9 Are acceptance testing programs and related criteria being established for new
information systems, upgrades and new versions?


Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control     Reasons and justification (with reference to supporting evidence)     Action to be taken

A.14.2.1

A.14.2.2

A.14.2.3

A.14.2.4

A.14.2.5

A.14.2.6

A.14.2.7

A.14.2.8

A.14.2.9

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.



A.14.3 Test data
Objective: To ensure the protection of data used for testing.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                          YES   PARTIAL   NO

A.14.3.1 Is test data being selected carefully, protected and controlled?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control     Reasons and justification (with reference to supporting evidence)     Action to be taken

A.14.3.1

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.


A.15 Supplier relationships

A.15.1 Information security in supplier relationships
Objective: To ensure protection of the organization's assets that are accessible by suppliers.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                          YES   PARTIAL   NO

A.15.1.1 Have information security requirements for mitigating the risks associated with each
supplier's access to the organization's assets been agreed with the supplier and documented?

A.15.1.2 Have all relevant information security requirements been established and agreed with
each supplier that may access, process, store, communicate, or provide IT infrastructure
components for, the organization's information?

A.15.1.3 Do agreements with suppliers include requirements to address the information security
risks associated with information and communications technology services and product supply
chain?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control     Reasons and justification (with reference to supporting evidence)     Action to be taken

A.15.1.1

A.15.1.2

A.15.1.3

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.



A.15.2 Supplier service delivery management
Objective: To maintain an agreed level of information security and service delivery in line with
supplier agreements.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                                        YES   PARTIAL   NO

A.15.2.1 Does the organization regularly monitor, review and audit supplier service delivery?

A.15.2.2 Are changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, being managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control    Reasons and justification (with reference to supporting evidence)    Action to be taken

A.15.2.1

A.15.2.2

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.


A.16 Information security incident management

A.16.1 Management of information security incidents and improvements

Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                                        YES   PARTIAL   NO

A.16.1.1 Have management responsibilities and procedures been established to ensure a quick, effective and orderly response to information security incidents?

A.16.1.2 Are information security events being reported through appropriate management channels as quickly as possible?

A.16.1.3 Are employees and contractors using the organization’s information systems and services required to note and report any observed or suspected information security weaknesses in systems or services?

A.16.1.4 Are information security events being assessed and is it being decided if they are to be classified as information security incidents?

A.16.1.5 Are information security incidents being responded to in accordance with the documented procedures?

A.16.1.6 Is the knowledge gained from analysing and resolving information security incidents being used to reduce the likelihood or impact of future incidents?

A.16.1.7 Does the organization define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence?


Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control    Reasons and justification (with reference to supporting evidence)    Action to be taken

A.16.1.1

A.16.1.2

A.16.1.3

A.16.1.4

A.16.1.5

A.16.1.6

A.16.1.7

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above. Where control
measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details.
Use additional sheets if necessary.


A.17 Information security aspects of business continuity management


A.17.1 Information security continuity
Objective: Information security continuity shall be embedded in the organization’s business
continuity management systems.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                                        YES   PARTIAL   NO

A.17.1.1 Has the organization determined its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster?

A.17.1.2 Has the organization established, documented and implemented, and does it maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation?

A.17.1.3 Does the organization verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control    Reasons and justification (with reference to supporting evidence)    Action to be taken

A.17.1.1

A.17.1.2

A.17.1.3

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.



A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                                        YES   PARTIAL   NO

A.17.2.1 Have information processing facilities been implemented with redundancy sufficient to meet availability requirements?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control    Reasons and justification (with reference to supporting evidence)    Action to be taken

A.17.2.1

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.


A.18 Compliance
A.18.1 Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to
information security and of any security requirements.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                                        YES   PARTIAL   NO

A.18.1.1 Are all relevant legislative, statutory, regulatory and contractual requirements and the organization’s approach to meet these requirements, explicitly identified, documented and kept up to date for each information system and the organization?

A.18.1.2 Are appropriate procedures implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products?

A.18.1.3 Are records protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements?

A.18.1.4 Is the privacy and protection of personally identifiable information ensured as required in relevant legislation and regulation where applicable?

A.18.1.5 Are cryptographic controls used in compliance with all relevant agreements, legislation and regulations?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control    Reasons and justification (with reference to supporting evidence)    Action to be taken

A.18.1.1

A.18.1.2

A.18.1.3

A.18.1.4

A.18.1.5

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.

A.18.2 Information security reviews
Objective: To ensure that information security is implemented and operated in accordance with the
organizational policies and procedures.

Q1. Implementation status. Tick one box for each control requirement.

Control requirement                                                                        YES   PARTIAL   NO

A.18.2.1 Is the organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) reviewed independently at planned intervals or when significant changes occur?

A.18.2.2 Do managers regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements?

A.18.2.3 Are information systems regularly reviewed for compliance with the organization’s information security policies and standards?

Q2. If you have ticked either of the boxes marked PARTIAL or NO you should indicate the reasons and
justification in the following boxes.

Control    Reasons and justification (with reference to supporting evidence)    Action to be taken

A.18.2.1

A.18.2.2

A.18.2.3

COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where
control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for
details. Use additional sheets if necessary.
