ISO 27001 Implementation Guide

Section 3

Interactive Checklist

Clause 4 — Context of the organization

  • 4.1 Determine external and internal issues relevant to the ISMS
  • 4.2 Identify interested parties and their relevant requirements
  • 4.3 Define and document the ISMS scope
  • 4.4 Establish, implement, maintain and continually improve the ISMS

Clause 5 — Leadership

  • 5.1 Top management demonstrates leadership and commitment
  • 5.2 Information security policy established, approved and communicated
  • 5.3 Roles, responsibilities and authorities assigned and communicated

Clause 6 — Planning

  • 6.1.1 Address risks and opportunities for the ISMS
  • 6.1.2 Documented information security risk assessment process
  • 6.1.3 Risk treatment process, Statement of Applicability and Risk Treatment Plan
  • 6.2 Information security objectives defined and planned
  • 6.3 Changes to the ISMS planned in a controlled manner

Clause 7 — Support

  • 7.1 Resources for the ISMS determined and provided
  • 7.2 Competence of personnel determined and evidenced
  • 7.3 Awareness of policy, contribution and consequences
  • 7.4 Internal and external communication on the ISMS
  • 7.5 Documented information created, controlled and protected

Clause 8 — Operation

  • 8.1 Operational planning and control
  • 8.2 Information security risk assessment performed at planned intervals
  • 8.3 Risk treatment plan implemented

Clause 9 — Performance evaluation

  • 9.1 Monitoring, measurement, analysis and evaluation defined and performed
  • 9.2 Internal audit programme planned and executed
  • 9.3 Management review conducted with required inputs and outputs

Clause 10 — Improvement

  • 10.1 Continual improvement of the ISMS
  • 10.2 Nonconformities identified, treated and root causes addressed

Annex A.5 — Organisational controls

  • Information security policies adopted, reviewed and communicated (5.1)
  • Roles, segregation of duties and management responsibilities defined (5.2–5.4)
  • Threat intelligence collected and acted upon (5.7)
  • Asset inventory, acceptable use, return, classification, labelling and transfer (5.9–5.14)
  • Access control, identity, authentication and access rights lifecycle (5.15–5.18)
  • Supplier and ICT supply chain security managed (5.19–5.22)
  • Information security for the use of cloud services (5.23)
  • Incident management process operating end to end (5.24–5.28)
  • Continuity and ICT readiness for business continuity (5.29–5.30)
  • Legal, regulatory, IPR, records, privacy and compliance (5.31–5.36)
  • Documented operating procedures available where needed (5.37)

Annex A.6 — People controls

  • Background screening proportionate to risk (6.1)
  • Security terms and conditions in employment contracts (6.2)
  • Awareness, education and training programme delivered (6.3)
  • Disciplinary process defined and communicated (6.4)
  • Responsibilities after termination or role change (6.5)
  • Confidentiality / non-disclosure agreements signed (6.6)
  • Remote working security requirements implemented (6.7)
  • Channel for reporting information security events available (6.8)

Annex A.7 — Physical controls

  • Physical security perimeters and entry controls (7.1–7.2)
  • Offices, rooms and facilities secured (7.3)
  • Physical security monitoring in place (7.4)
  • Protection against environmental threats (7.5)
  • Working in secure areas controlled (7.6)
  • Clear desk and clear screen enforced (7.7)
  • Equipment siting, protection and off-premise use (7.8–7.9)
  • Storage media managed across lifecycle (7.10)
  • Supporting utilities and cabling protected (7.11–7.12)
  • Equipment maintained and securely disposed of (7.13–7.14)

Annex A.8 — Technological controls

  • User endpoint devices hardened and managed (8.1)
  • Privileged access rights restricted, reviewed and logged (8.2)
  • Information access restriction enforced (8.3)
  • Access to source code controlled (8.4)
  • Secure authentication mechanisms in use (8.5)
  • Capacity management process operating (8.6)
  • Protection against malware deployed (8.7)
  • Technical vulnerability management operating (8.8)
  • Configuration management for systems and devices (8.9)
  • Information deletion procedures applied (8.10)
  • Data masking applied where appropriate (8.11)
  • Data leakage prevention controls implemented (8.12)
  • Information backup performed and tested (8.13)
  • Redundancy for processing facilities planned (8.14)
  • Logging and monitoring activities defined and operating (8.15–8.16)
  • Clock synchronisation across systems (8.17)
  • Privileged utility programs controlled (8.18)
  • Installation of software on operational systems controlled (8.19)
  • Networks, network services and segregation managed (8.20–8.22)
  • Web filtering applied (8.23)
  • Use of cryptography governed by a policy (8.24)
  • Secure development lifecycle, requirements, architecture and coding (8.25–8.28)
  • Security testing in development and acceptance (8.29)
  • Outsourced development controlled (8.30)
  • Separation of development, test and production environments (8.31)
  • Change management for systems and applications (8.32)
  • Test information selected, protected and managed (8.33)
  • Protection of information systems during audit testing (8.34)