Compliance Checklist ISO 27001 v1.1 20220208


How to use the Digital Octopii Compliance Checklist …

The Standard tab contains the requirements from Clause 4 to 10 in the main body of IEC/ISO 27001:2013.

Column D: Make your way through each row and identify in column D - "Documented or evidenced where?" how you can evidence that you meet the requirements. In most cases you should enter in this column the title of the relevant policy, procedure, log or register as well as the specific section in the document where the requirement is mentioned.

Column E: This column has colour formatting applied and entering Y, P or N will turn the cell green, amber or red. If you fully meet the requirement, enter Y; if you have no way of evidencing that you meet the requirement, enter N; if you need to amend your documentation, enter P (for partly).

Column F & G: These are free text fields for you to enter comments/questions, assign responsibility and manage the implementation project.

The Annex A tab contains the requirements for the 114 controls listed in Annex A of IEC/ISO 27001:2013.

Column D: This column will eventually help you complete your Statement of Applicability (see clause 6.1.3 d)). Indicate in this column if the control applies to your organisation. For example, if your organisation doesn't have any premises, control 11.1 Secure Areas would not apply. This column has colour formatting applied and entering Y or N will turn the cell green or grey.

Column E: Make your way through each row and identify in column E - "Documented or evidenced where?" how you can evidence that you meet the requirements. In most cases you should enter in this column the title of the relevant policy, procedure, log or register as well as the specific section in the document where the requirement is mentioned.

Column F: This column has colour formatting applied and entering Y, P or N will turn the cell green, amber or red. If you fully meet the requirement, enter Y; if you have no way of evidencing that you meet the requirement, enter N; if you need to amend your documentation, enter P (for partly).

Column G & H: These are free text fields for you to enter comments/questions, assign responsibility and manage the implementation project.

If at any point you're struggling, don't understand the process or have specific questions, you can contact us on support@digitaloctopii.com or subscribe to our ISO 27001 Toolkits where you'll find step-by-step guides and templates to generate your documentation set and build your ISMS.
BS 25999-2:2007 Gap Analysis

ISO 27001:2013 ISMS Compliance Checklist
Need help? Subscribe to the full ISO 27001 Toolkit for a step-by-step guide

Columns: Clause | Title | Requirement | Documented or evidenced where? | Requirement met? (Yes/No/P (partly)) | Comments/questions

4 Context of the organisation

4.1 Understanding the organisation and its context
Have you determined internal and external issues relevant to the organisation's purpose and that affect its ability to achieve the intended outcomes of the ISMS?

4.2 Understanding the needs and expectations of interested parties
Have you determined:
a) Interested parties relevant to the ISMS
b) Requirements of interested parties relevant to the ISMS

4.3 Determining the scope of the ISMS
Have you determined the boundaries and applicability of the information security management system to establish its scope?
a) Scope will take 4.1 into account
b) Scope will take 4.2 into account
c) Scope will consider the interfaces and dependencies between activities handled by the organisation and those handled by external parties

4.4 ISMS
Is your ISMS established, implemented, maintained and continually improved, in accordance with the requirements in this standard?

5 Leadership

5.1 Leadership and commitment
Top management demonstrates leadership and commitment to the ISMS by doing the following:
a.1) Ensuring an information security policy is established and aligns with the organisation's strategic direction
a.2) Ensuring information security objectives are established and align with the organisation's strategic direction
b) Ensuring ISMS processes are integrated into the organisation's business processes
c) Ensuring resources for the ISMS are available
© IT Governance Ltd 2008 v1.0 www.itgovernance.co.uk

d) Communicating the importance of effective information security management and of conforming to ISMS requirements
e) Ensuring the ISMS achieves its intended outcomes (i.e. achieves its objectives)
f) Directing and supporting the people involved in the ISMS
g) Promoting continual improvement
h) Supporting managers across the organisation with their leadership in the ISMS as it applies to their areas of responsibility

5.2 Policy
Have you established an information security policy that covers the following:
a) The policy is appropriate to the purpose of the organisation
b) The policy includes information security objectives or a framework for setting information security objectives
c) The policy includes a commitment to satisfy applicable requirements for information security
d) The policy includes a commitment to continual improvement of the ISMS
e) The policy is documented
f) The policy is communicated within the organisation
g) The policy is available to interested parties as appropriate

5.3 Organisational roles, responsibilities and authorities
Top management assigns responsibilities and authorities for roles relevant to information security, and makes sure people are aware of those responsibilities.
a) Top management has assigned responsibility and authority for ensuring the ISMS conforms to ISO 27001
b) Top management has assigned responsibility and authority for reporting ISMS performance to top management

6.1 Actions to address risks and opportunities

6.1.1 General
When planning for the ISMS, the organisation will:
consider the issues referred to in 4.1 and the requirements in 4.2
determine risks and opportunities that need to be addressed to:
a) Ensure the ISMS can achieve its intended outcomes
b) Prevent or reduce undesired effects
c) Achieve continual improvement
d) The organisation will plan actions to address the identified risks and opportunities
e.1) The organisation will plan how to integrate the actions into its ISMS processes
e.2) The organisation will plan how to evaluate the effectiveness of these actions

6.1.2 Information security risk assessment
Have you defined and applied a risk assessment process that includes:
a) The establishment and maintenance of information security risk criteria, including:
a.1) risk acceptance criteria
a.2) criteria for performing information security risk assessments
b) Risk assessments that produce consistent, valid and comparable results
c) Risk assessments that identify security risks:
c.1) risks associated with loss of confidentiality, integrity and availability
c.2) identify risk owners
d) Analysis of information security risks to:
d.1) assess the consequences of the risks identified if they materialise
d.2) assess the likelihood of occurrence of the risks identified
d.3) determine levels of risk
e) Evaluation of information security risks that:
e.1) compares the risk analysis with the risk criteria (6.1.2.a)
e.2) prioritises risks for risk treatment
Retain documented information about the risk assessment process

6.1.3 Information security risk treatment
Have you defined and applied a risk treatment process for information security risks that ensures:
a) Selection of appropriate risk treatment options
b) Determination of the controls necessary (from any source)
c) Comparison of the controls in 6.1.3.b with those in Annex A
d) Production of a Statement of Applicability that contains:
d.1) a list of the controls required
d.2) a justification for their inclusion
d.3) an indication of whether the controls are implemented or not
d.4) a justification for their exclusion
e) An information security risk treatment plan is in place
f) The risk owner's approval for the treatment plan and the residual risk is obtained
Retain documented information about the information security risk treatment process

6.2 Information security objectives and planning to achieve them
Do you have information security objectives at relevant functions and levels? The objectives must:
a) be consistent with the information security policy
b) be measurable if possible
c) take account of information security requirements, and results from risk assessment and risk treatment
d) be communicated
e) be updated as appropriate
When planning how to achieve the objectives, determine:
f) what will be done
g) what resources are required
h) who is responsible
i) when it will be completed
j) how the results will be evaluated
Retain documented information on the information security objectives

7 Support

7.1 Resources
Have you determined and provided the resources necessary to establish, implement, maintain and continually improve the ISMS?

7.2 Competence
a) Have you determined the necessary competence for people doing work affecting information security performance?
b) Have you ensured these people are competent by providing education, training or experience?
c) Where required, have you taken action to make sure people have acquired the necessary competence, and have you evaluated the effectiveness of those actions?
d) Do you retain documentation as evidence of competence?

7.3 Awareness
Persons doing work under the organisation's control are aware of:
a) the information security policy
b) their contribution to the effectiveness of the ISMS, including the benefits of improved information security performance
c) the implications of not conforming with your ISMS requirements

7.4 Communication
Have you determined the need for internal and external communications regarding the ISMS, including:
a) what to communicate
b) when to communicate
c) with whom to communicate
d) who will communicate
e) the process/method for communicating

7.5 Documented information

7.5.1 General
Your ISMS must include:
a) documents required by ISO 27001:2013 (i.e. wherever "documented information" is mentioned in the standard)
b) documents you deem required for the effectiveness of the ISMS

7.5.2 Creating and updating
When creating and updating documents, ensure appropriate:
a) identification and description (e.g. title, date, author, reference number)
b) format and media
c) review and approval for suitability and adequacy

7.5.3 Control of documented information
Your documented information must be controlled to ensure:
a) it is available and suitable for use, where and when necessary
b) it is adequately protected
Do your document controls address the following activities:
c) distribution, access, retrieval and use of documented information
d) storage and preservation of documented information

ISO/IEC 27001:2013 ISMS Annex A Gap Analysis

Clause Section Title

Management
Management direction direction for
5.1 for information security information
security

Management direction Policies for


5.1.1 for information security information
security

Review of the
Management direction policies for
5.1.2 for information security information
security
Internal
6.1 Internal organisation organisation

Information
6.1.1 Internal organisation security roles and
responsibilities

6.1.2 Internal organisation Segregation of


duties

Contact with
6.1.3 Internal organisation authorities

Contact with
6.1.4 Internal organisation special interest
groups
Information
6.1.5 Internal organisation security in project
management

6.2 Mobile devices and Mobile devices


teleworking and teleworking

6.2.1 Mobile devices and Mobile device


teleworking policy

Mobile devices and


6.2.2 Teleworking
teleworking
Prior to
7.1 Prior to employment employment

7.1.1 Prior to employment Screening

Terms and
7.1.2 Prior to employment conditions of
employment

During
7.2 During employment
employment
7.2.1 During employment Management
responsibilities

Information
security
7.2.2 During employment awareness,
education and
training

7.2.3 During employment Disciplinary


process

Termination and
7.3 Termination and changechange of
employment

Termination or
7.3.1 Termination and changechange of
employment
responsibilities

Responsibility for
8.1 Responsibility for assets assets

8.1.1 Responsibility for assets Inventory of assets

8.1.2 Responsibility for assets Ownership of


assets

8.1.3 Responsibility for assets Acceptable use of


assets

8.1.4 Responsibility for assets Return of assets

8.2 Information classificatio Information


classification
8.2.1 Information classificatio Classification of
information

8.2.2 Information classificatio Labelling of


information

8.2.3 Information classificatio Handling of assets

8.3 Media handling Media handling

Management of
8.3.1 Media handling removable media

8.3.2 Media handling Disposal of media

Physical media
8.3.3 Media handling
transfer
Business
9.1 Business requirements ofrequirements of
access control

9.1.1 Business requirements ofAccess control


policy
Access to networks
9.1.2 Business requirements ofand network
services

9.2 User access managemenUser access


management

User registration
9.2.1 User access managemenand de-registration

User access
9.2.2 User access managemenprovisioning

Management of
9.2.3 User access managemenprivileged access
rights

Management of
secret
9.2.4 User access managemenauthentication
information of
users

Review of user
9.2.5 User access managemen
access rights
Removal or
9.2.6 User access managemenadjustment of
access rights
User
9.3 User responsibilities
responsibilities
Use of secret
9.3.1 User responsibilities authentication
information

System and
9.4 System and application aapplication access
control

9.4.1 System and application aInformation access


restriction
Secure log-on
9.4.2 System and application a
procedures
Password
9.4.3 System and application amanagement
system

9.4.4 System and application aUse of privileged


utility programs

Access control to
9.4.5 System and application aprogram source
code
Cryptographic
10.1 Cryptographic controls controls

Policy on the use


10.1.1 Cryptographic controls of cryptographic
controls

10.1.2 Cryptographic controls Key management

11.1 Secure areas Secure areas

Physical security
11.1.1 Secure areas perimeter

11.1.2 Secure areas Physical entry


controls
Securing offices,
11.1.3 Secure areas rooms and
facilities

Protecting against
11.1.4 Secure areas external and
environmental
threats

Working in secure
11.1.5 Secure areas
areas

11.1.6 Secure areas Delivery and


loading areas

11.2 Equipment Equipment


Equipment siting
11.2.1 Equipment
and protection

11.2.2 Equipment Supporting utilities

11.2.3 Equipment Cabling security

Equipment
11.2.4 Equipment maintenance

11.2.5 Equipment Removal of assets

Security of
equipment and
11.2.6 Equipment assets off-
premises

Secure disposal or
11.2.7 Equipment re-use of
equipment
Unattended user
11.2.8 Equipment
equipment

11.2.9 Equipment Clear desk and


clear screen policy

Operational
12.1 Operational procedures aprocedures and
responsibilities

Documented
12.1.1 Operational procedures aoperating
procedures

12.1.2 Operational procedures aChange


management

Capacity
12.1.3 Operational procedures a
management

Separation of
development,
12.1.4 Operational procedures atesting and
operational
environments

Protection from
12.2 Protection from malwar
malware

12.2.1 Protection from malwar Controls against


malware
12.3 Backup Backup
12.3.1 Backup Information
backup

Logging and
12.4 Logging and monitoring
monitoring

12.4.1 Logging and monitoring Event logging

12.4.2 Logging and monitoring Protection of log


information

Administrator and
12.4.3 Logging and monitoring
operator logs

Clock
12.4.4 Logging and monitoring
synchronisation

Control of
12.5 Control of operational s operational
software

Installation of
software on
12.5.1 Control of operational s operational
systems

Technical
12.6 Technical vulnerability vulnerability
management
Management of
12.6.1 Technical vulnerability technical
vulnerabilities
Restrictions on
12.6.2 Technical vulnerability software
installation
Information
12.7 Information systems audisystems audit
considerations
Information
12.7.1 Information systems audisystems audit
controls
Network security
13.1 Network security mana management

13.1.1 Network security mana Network controls

Security of
13.1.2 Network security mana network services

13.1.3 Network security mana Segregation in


networks
Information
13.2 Information transfer
transfer
Information
13.2.1 Information transfer transfer policies
and procedures
Agreements on
13.2.2 Information transfer information
transfer
Electronic
13.2.3 Information transfer
messaging
Confidentiality or
13.2.4 Information transfer non-disclosure
agreements

Security
requirements of
14.1 Security requirements o
information
systems

Information
security
14.1.1 Security requirements o requirements
analysis and
specification

Securing
application
14.1.2 Security requirements o
services on public
networks

Protecting
application
14.1.3 Security requirements o services
transactions

Security in
14.2 Security in developmentdevelopment and
support processes

Secure
14.2.1 Security in developmentdevelopment
policy

System change
14.2.2 Security in developmentcontrol procedures

Technical review
of applications
14.2.3 Security in development
after operating
platform changes

Restrictions on
14.2.4 Security in developmentchanges to
software packages

Secure system
14.2.5 Security in developmentengineering
principles
Secure
14.2.6 Security in developmentdevelopment
environment

Outsourced
14.2.7 Security in development
development

14.2.8 Security in developmentSystem security


testing

System acceptance
14.2.9 Security in development
criteria

14.3 Test data Test data


Protection of test
14.3.1 Test data data
Information
security in
15.1 Information security in s supplier
relationships

Information
security policy for
15.1.1 Information security in s supplier
relationships

Addressing
security within
15.1.2 Information security in s supplier
agreements

Information and
communication
15.1.3 Information security in s technology supply
chain

Supplier service
15.2 Supplier service delive delivery
management
Monitoring and
15.2.1 Supplier service delive review of supplier
services

Managing changes
15.2.2 Supplier service delive to supplier
services

Management of
information
16.1 Management of informati
security incidents
and
improvements

16.1.1 Responsibilities
Management of informati
and procedures
Reporting
16.1.2 Management of informati
information
security events
Reporting
16.1.3 information
Management of informati
security
weaknesses

Assessment of and
16.1.4 decision on
Management of informati
information
security events

Response to
16.1.5 Management of informati
information
security incidents
Learning from
16.1.6 Management of informati
information
security incidents

16.1.7 Collection of
Management of informati
evidence

17.1 Information security conInformation


security continuity

Planning
17.1.1 Information security coninformation
security continuity

Implementing
17.1.2 Information security coninformation
security continuity

Verify, review and


17.1.3 Information security conevaluate
information
security continuity

17.2 Redundancies Redundancies


Availability of
information
17.2.1 Redundancies processing
facilities

Compliance with
legal and
18.1 Compliance with legal a contractual
requirements

Identification of
applicable
18.1.1 Compliance with legal a legislation and
contractual
requirements

Intellectual
18.1.2 Compliance with legal a property rights
(IPR)

18.1.3 Compliance with legal a Protection of


records

Privacy and
protection of
18.1.4 Compliance with legal a personally
identifiable
information
Regulation of
18.1.5 Compliance with legal a cryptographic
controls
Information
18.2 Information security rev
security reviews
Independent
review of
18.2.1 Information security rev
information
security

Compliance with
18.2.2 Information security rev security policies
and standards

18.2.3 Information security rev Technical


compliance review
013 ISMS Annex A Gap Analysis

Does this
control apply in
Control objective/question & 27002 guidelines your
organisation?
Does management provide direction and support for information security in
accordance with business requirements and relevant laws and regulations?

Is there an information security policy document, or set of policies, that has been
defined, approved by management, and has it been published and communicated to all
employees and relevant external parties?

Does it contain objectives, define infosec, assign roles and point to a "process for
handling deviations and exceptions"?

Is there a procedure for the information security policy, or policies, to be reviewed at


planned intervals or if significant changes occur, and does this process ensure its
continuing suitability, adequacy, and effectiveness, and is there evidence that the policy
(or policies) is applied?

Is there a management framework to initiate and control the implementation and


operation of information security within the organisation?
Have all information security responsibilities been defined and allocated?
E.g. assets and info sec processes identified
asset owners responsibilities defined
authorisation levels defined and documented
maintaining/acquiring competencies
info sec aspects of supplier relationships

Have conflicting duties and areas of responsibility been segregated to reduce


opportunities for unauthorised or unintentional modification or misuse of the
organisation's assets?

If SME and can't segregate, are other controls in place like monitoring of activities, audit
trails and mgt supervision?

Does the organisation maintain appropriate contacts with relevant authorities?

Organizations should have procedures in place that specify when and by whom
authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) should be
contacted and how identified information security incidents should be reported in a
timely manner (e.g. if it is suspected that laws may have been broken).

Does the organisation maintain appropriate contact with special interest groups or other
specialist security forums and professional associations?

E.g. to keep up with best practice knowledge, receive warnings of alerts, advisories,
patches, vulnerabilities
have access with specialist information security advice
share inf about new technology, products, threats or vulnerabilities
provide liaison points when dealing with incidents
Does the organisation address information security in project management, regardless
of the type of project?

a) information security objectives are included in project objectives;


b) an information security risk assessment is conducted at an early stage of the
project to identify necessary controls;
c) information security is part of all phases of the applied project methodology.

Does the organisation ensure the security of teleworking and use of mobile devices?

Does the organisation have a policy and supporting security measures to manage the
risks introduced by the use of mobile devices?

The mobile device policy should cover:


a) registration of mobile devices;
b) requirements for physical protection;
c) restriction of software installation;
d) requirements for mobile device software versions and for applying patches;
e) restriction of connection to information services;
f) access controls;
g) cryptographic techniques;
h) malware protection;
i) remote disabling, erasure or lockout;
j) backups;
k) usage of web services and web apps.

Does the organisation have a policy and supporting security measures to protect
information accessed, processed or stored at teleworking sites?
Does the organisation ensure that employees and contractors understand their
responsibilities and are suitable for the roles for which they are considered?
Does the organisation conduct background verification checks on all candidates for
employment, in accordance with relevant laws, regulations and ethics, and are these
checks sufficient considering the business requirements, the classification of the
information to be accessed and the related risks?

Do contractual agreements with employees and contractors state their and the
organisation's responsibilities for information security? e.g. confidentiality agreement,
respecting information classification requirements, responsibilities when handling 3rd
party information, obligations beyond termination?

Does the organisation ensure that employees and contractors are aware of and fulfil
their information security responsibilities?
Does the organisation's management require all employees and contractors to apply
information security in accordance with the organisation's established policies and
procedures?

For example, management responsibilities should include ensuring that employees and
contractors are briefed on their information security roles and responsibilities, are
provided with guidelineson information security expectations, achieve a level of
awareness on information security relevant to their roles and responsibilities, conform
to the terms and conditions of employment.

Does the organisation ensure that all employees and relevant contractors receive
appropriate awareness education and training? Receive regular updates to policies and
procedures, as relevant for their job role?

Does the organisation have a formal and communicated disciplinary procedure in place
to take action against employees who commit an information security breach?

Does the organisation protect its interests as part of the process of changing or
terminating employment?

Does the organisation define and enforce information security responsibilities and duties
that remain valid after termination or change of employment, and are these
communicated to the employee or contractor? For example, continuing contractual
clauses beyond termination (e.g. confidentiality) and how an internal move should be
considered as a termination and re-hiring.

Has the organisation identified organisational assets and defined appropriate


protection responsibilities?
Has the organisation identified assets associated with information and information
processing facilities, and has an inventory of these assets been drawn up and
maintained?

The asset inventory should be accurate, up to date, consistent and aligned with other
inventories.
For each of the identified assets, ownership of the asset should be assigned (see 8.1.2)
and the classification should be identified (see 8.2).

Have owners of the assets maintained in the asset inventory been identified?

Has the organisation identified, documented and implemented rules for the acceptable
use of information and of assets associated with information and information processing
facilities?
Are all employees and external party users required to return all of the organisational
assets in their possession upon termination of their employment, contract or
agreement?

Does the organisation ensure that information receives an appropriate level of


protection in accordance with its importance?
Does the organisation classify information? Do classification levels consider legal
requirements, value, criticality and sensitivity to unauthorised disclosure or
modification?

The "value" should be built into the classification levels which should be incremental,
e.g. in terms of confidentiality, integrity and availability requirements.

Has an appropriate set of procedures been developed and implemented for information
labelling in accordance with the information classification scheme?
Has the organisation developed and implemented procedures for handling assets in
accordance with the information classification scheme? For example covering access
restrictions, transfer methods, storage location or media for each level of classification.

Does the organisation prevent unauthorised disclosure, modification, removal or


destruction of information stored on media?
Are there procedures for the management of removable media in accordance with the
classification scheme?
Are there formal procedures for the disposal of media securely when no longer
required?
Are there procedures to protect media containing information against unauthorised
access, misuse or corruption during transportation?
Does the organisation limit access to information and information processing facilities?

Is there an established, documented and reviewed access control policy based on business and information security requirements?

Are users restricted to access only those networks and network services that they have been specifically authorised to use?

Are there processes in place to ensure only authorised users have access and to prevent unauthorised access to systems and services?

Is there a formal user registration and de-registration process to enable assignment of access rights? Does it ensure only unique user IDs are used to enable users to be linked to and held responsible for their actions? Are leavers' user IDs immediately disabled or removed?

Is there a formal user access provisioning process to assign or revoke access rights for all user types to all systems and services?

Is the allocation and use of privileged access rights restricted and controlled?

Is there a formal management process to control the allocation of secret authentication information? [Passwords are a commonly used type of secret authentication information and are a common means of verifying a user's identity. Other types of secret authentication information are cryptographic keys and other data stored on hardware tokens (e.g. smart cards) that produce authentication codes.]

Do asset owners review users' access rights at regular intervals? Does the review consider both access and permissions?

Are access rights of employees and external party users to information and processing facilities removed upon termination (or change) of their employment, contract or agreement?

Are users accountable for safeguarding their authentication information?

Are users required to follow the organisation's established practices in the use of secret authentication information? For example, are users advised to keep secret authentication information confidential and not divulge it to any other party, including people in authority? Are they advised to avoid keeping a record (e.g. on paper, software file or hand-held device) of secret authentication information, unless this can be stored securely and the method of storing has been approved (e.g. password vault)? Are they advised to change their password if there is a risk it has been compromised?

Does the organisation prevent unauthorised access to systems and applications?

Is access to information and application system functions restricted in accordance with the access control policy?

Is there a secure log-on procedure to control access to systems and applications where required by the access control policy?

Are the password management systems interactive and do they ensure quality passwords?

Are there guidelines for the use of utility programs that might be capable of overriding system and application controls? Is their use restricted and tightly controlled?

Is access to program source code restricted? Is access to associated items (such as designs, specifications, verification plans and validation plans) restricted?

Is cryptography properly and effectively used to protect the confidentiality, authenticity and/or integrity of information?

Has a policy on the use of cryptographic controls for protection of information been developed and implemented?

Has a policy on the management of cryptographic keys been developed and implemented?
Does the organisation prevent unauthorised physical access, damage and interference to the organisation's information and information processing facilities?

Have physical security perimeters been defined, and are they used to protect areas that contain either sensitive or critical information and information processing facilities?

Are secure areas protected by appropriate entry controls to ensure that only authorised personnel are allowed access?

Have physical security mechanisms for offices, rooms and facilities been considered and applied?

Have you designed and applied physical protection against natural disasters, malicious attacks and accidents? You should seek specialist advice on how to avoid damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster.

Have procedures for working in secure areas been designed and applied?

Are access points such as delivery and loading areas, and any other points where unauthorised persons could enter the premises unchallenged or unnoticed, controlled or isolated?

Does the organisation prevent loss, damage, theft and compromise of assets and interruption to the organisation's operations?

Is equipment located and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access?

Is equipment protected from power failures and other disruptions caused by failures in supporting utilities?

Are power and telecommunication cables carrying data or supporting information services protected from interception, interference and damage?

Is equipment maintained correctly and regularly to ensure continued availability and integrity?

Are equipment, information and software prevented from being taken off-site without prior authorisation?

Is security applied to assets when off-site? Does this take into account the different risks of working outside the organisation's premises?

Are there procedures to verify that equipment containing storage media has had any sensitive data and licensed software removed or securely overwritten prior to disposal or re-use?

Are all users made aware of security requirements and procedures to ensure that unattended equipment has appropriate protection?

Is there a clear desk policy for papers and removable storage media, and a clear screen policy for information processing facilities?

Does the organisation ensure correct and secure operations of information processing facilities?

Are there documented IT operating procedures and are they made available to all users who need them? For example, procedures to cover the installation and configuration of systems, backups, job scheduling, error/alert handling and other exceptional conditions, system restart and recovery, etc.

Is there a change management/control procedure? Are changes to the organisation, business processes, information processing facilities and systems that affect information security approved and implemented in a controlled way?

Is resource usage monitored and tuned, and are projections made of future capacity requirements, to ensure the required system performance?

Are the development, testing and operational environments separated to reduce the risks of unauthorised access and changes to the operational environment?

Are information and information processing facilities protected against malware?

Are there detection, prevention and recovery controls in place to protect against malware? Is this combined with appropriate user awareness education/training?

Does the organisation protect against loss of data?

Is there an agreed backup policy, and are backup copies of information, software and system images taken and tested regularly in accordance with this policy? Are backups included in the retention policy?

Does the organisation record events and generate evidence?

Are required event logs identified, produced, kept and regularly reviewed, or are alerts configured? Do they record user activities, exceptions, faults and information security events?

Are logging facilities and log information protected against tampering and unauthorised access?

Are system administrator and system operator activities logged, and are the logs protected and regularly reviewed? Privileged user account holders may be able to manipulate the logs under their control, therefore it is crucial to protect and review the logs to maintain accountability for privileged users.

Are the clocks of all relevant information processing systems within an organisation or security domain synchronised with a single reference time source?

Is the integrity of operational systems ensured?

Are procedures implemented to control the installation of software on operational systems?

Does the organisation prevent the exploitation of technical vulnerabilities?

Is timely information about technical vulnerabilities of information systems being used obtained, is the organisation's exposure to such vulnerabilities evaluated, and are the appropriate measures taken to address the associated risk?

Have rules governing the installation of software by users been established and implemented?

Does the organisation minimise the impact of audit activities on operational systems?

Are audit activities involving verification of operational systems carefully planned and agreed to minimise disruptions to business processes?

Does the organisation protect information in networks and supporting information processing facilities?

Are networks managed and controlled to protect information in connected systems and applications?

Are security features, service levels and management requirements of all network services identified and included in network services agreements, whether provided in-house or outsourced?

Are information services, users and information systems segregated into groups on networks?

Is the security of information transferred within the organisation and with any external entity maintained?

Are there formal transfer policies, procedures and controls in place to protect information during transfer? Do they cover all transfer methods? Do they consider your information classification scheme?

Do agreements (e.g. with clients, suppliers, partners) cover the secure transfer of information between the organisation and external parties?

Is information involved in electronic messaging (e.g. email, electronic data interchange, social media) appropriately protected?

Are requirements for the use of confidentiality or non-disclosure agreements identified, regularly reviewed and documented?

Does the organisation ensure that security is an integral part of information systems, including those information systems that provide services over public networks?

When defining requirements for new information systems and/or enhancements to existing information systems, are information security related requirements considered and included?

Is information involved in application services passing over public networks protected from fraudulent activity, contract dispute and unauthorised disclosure and modification?

Is information involved in application service transactions protected to prevent incomplete transmission, mis-routing, unauthorised message alteration, unauthorised disclosure, unauthorised message duplication and replay?

Is information security designed and implemented within the development lifecycle of information systems?

Are there established rules for the development of software and systems, and are they applied to developments within your control, i.e. within the organisation or sub-contracted?

Are there formal change control procedures built within the development lifecycle to control changes to systems?

When operating systems are changed, are business critical applications reviewed and tested to ensure there is no adverse impact on organisational operations or security?

Are modifications to vendor-supplied software packages discouraged, limited to necessary changes, and are all changes strictly controlled?

Have principles for engineering secure systems been established, documented and maintained, and are they applied?

Are development environments for system development and integration efforts in place and appropriately protected? Are they used throughout the development lifecycle? A secure development environment includes people, processes and technology associated with system development and integration.

Do you supervise and monitor the activity of outsourced system development?

Is security functionality testing conducted during development? Does this include the preparation of a detailed schedule of activities and test inputs and expected outputs under a range of conditions? For in-house developments, such tests should initially be performed by the development team. Independent acceptance testing should then be undertaken (both for in-house and for outsourced developments) to ensure that the system works as expected and only as expected. The extent of testing should be in proportion to the importance and nature of the system.

Are there acceptance testing programs? Have acceptance criteria been established for new information systems, upgrades and new versions? Do they include testing of information security requirements?

Is data used for testing protected?

Is test data selected appropriately? Is it protected and controlled?

Are the organisation's assets accessible by suppliers protected?

Are information security requirements for mitigating the risks associated with suppliers' access to the organisation's assets agreed with the supplier and documented?

Are all relevant information security requirements established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure for, the organisation's information?

Do agreements with suppliers include requirements to address the information security risks associated with information and communications technology services and the product supply chain?

Does the organisation maintain an agreed level of information security and service delivery in line with supplier agreements?

Does the organisation regularly monitor, review and audit supplier service delivery?

Does the organisation manage changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, taking account of the criticality of business information, systems and processes involved, and re-assessment of risks?

Does the organisation ensure that a consistent and effective approach is applied to the management of information security incidents, including communication on security events and weaknesses?

Has the organisation established management responsibilities and procedures to ensure a quick, effective and orderly response to information security incidents?

Are information security events reported through appropriate management channels as quickly as possible?

Does the organisation require employees and contractors using the organisation's information systems and services to note and report any observed or suspected information security weaknesses in systems or services?

Does the organisation assess information security events and make decisions as to whether they are classified as information security incidents?

Are information security incidents responded to in accordance with the documented procedures?

Does the organisation use knowledge gained from analysing and resolving information security incidents to reduce the likelihood or impact of future incidents?

Has the organisation defined and applied procedures for the identification, collection, acquisition and preservation of information that can serve as evidence?

Is information security continuity embedded in the organisation's business continuity management systems?

Has the organisation determined its requirements for information security and the continuity of information security management in adverse situations (e.g. during a crisis or disaster)?

Has the organisation established, documented, implemented and maintained processes, procedures and controls that ensure the required level of continuity for information security during an adverse situation?

Does the organisation verify the established and implemented information security continuity controls at regular intervals, ensuring that they are valid and effective during adverse situations?

Is the availability of information processing facilities ensured?

Are information processing facilities implemented with redundancy sufficient to meet availability requirements?

Does the organisation avoid breaches of legal, statutory, regulatory and contractual obligations related to information security and of any security requirements?

Have all relevant legislative, statutory, regulatory and contractual requirements and the organisation's approach to meet these requirements been explicitly identified and documented, and is this kept up to date for each information system and the organisation?

Have appropriate procedures been implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products?

Are records protected from loss, destruction, falsification, unauthorised access and unauthorised release, in accordance with legislative, regulatory, contractual and business requirements?

Does the organisation ensure privacy and protection of personally identifiable information as required in relevant legislation and regulations?

Are cryptographic controls used in compliance with all relevant agreements, legislation and regulations?

Does the organisation ensure that information security is implemented and operated in accordance with the organisational policies and procedures?

Is the organisation's approach to managing information security and its implementation reviewed independently and at planned intervals or when significant changes occur?

Do managers regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and other security requirements?

Are information systems regularly checked for compliance with the organisation's information security policies and standards?
Need help? Subscribe to the full ISO 27001 Toolkit for a step-by-step guide.

Checklist columns: Documented or evidenced where? | Requirement met? (Y/N/P) | Issues and comments | Action required?

What next?

Now that you've used the compliance checklist, you should be in a position to determine exactly how ready you are for the Stage 1 certification audit. Based on our experience, you're probably in one of the following four scenarios... which one describes you best?

Scenario 1: You have no or very few documented policies & procedures in place

You want to do it yourselves. You have time. You want to minimise costs and you have someone with time to write all the documentation - i.e. you want guidance to do it all on your own. Try the Free ISO 27001 Toolkit.
Start with Free

You want to do it yourselves but don't have much time. You want to minimise costs and do it on your own, but don't have time to write all the documentation from a blank page. Use our ISO 27001 Pro Toolkit for a step-by-step guide and all the templates you need. Try the ISO 27001 Pro Toolkit.
Start with Pro

We want to share the workload with a consultant. You want to share the workload and/or prefer to have a consultant guide you. If you use our templates and you do the writing, we will need around 5 person days of our time to get you ready for the Stage 1 audit. Get in touch.
Contact us

You want consultants to do it for you. You don't have the resources in-house with the knowledge or the time and want consultants to do all the work. This is likely to take 15-20 person days of our time to get you ready for the Stage 1 audit. Get in touch.
Contact us

Scenario 2: You already have several policies & procedures in place

You want to minimise costs. You have the knowledge in-house to do it on your own. Get the templates and information missing from our ISO 27001 Pro Toolkit. Try the ISO 27001 Pro Toolkit.
Start with Pro

You want ISO consultants to do it for you. You don't have the time and/or knowledge in house to fill the gaps you've identified or complete the gap analysis. A full gap analysis takes 3 person days of our time to perform. Filling the gaps depends how many there are. Get in touch.
Contact us

Scenario 3: You already have all the documentation you need, you want to make sure you're ready

You want ISO consultants to do it for you. You want an ISO expert to give your ISMS a once-over before your chosen certification body comes in for the Stage 1 audit. A complete pre-audit review takes 1 person day to perform if you've already completed this checklist - 3 days if you haven't. Get in touch.
Contact us
