Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
2.1.2 6.1.2 Information Security coordination Whether information security activities are coordinated
by representatives from diverse parts of the
organization, with pertinent roles and responsibilities
Vinod Kumar
Page 1 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Identification of risks related to external Whether risks to the organization’s information and
2.2.1 6.2.1 information processing facility, from a process involving
parties
external party access, is identified and appropriate
control measures implemented before granting access.
Whether all identified security requirements are fulfilled
Addressing security while dealing with
2.2.2 6.2.2 before granting customer access to the organization’s
customers
information or assets.
Vinod Kumar
Page 2 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Asset Management
3.1 7.1 Responsibility for assets
Whether all assets are identified and an inventory or
3.1.1 7.1.1 Inventory of Assets
register is maintained with all the important assets.
Whether each asset identified has an owner, a defined
3.1.2 7.1.2 Ownership of Assets and agreed-upon security classification, and access
restrictions that are periodically reviewed.
Whether regulations for acceptable use of information
3.1.3 7.1.3 Acceptable use of assets and assets associated with an information processing
facility were identified, documented and implemented.
3.2 7.2 Information Classification
Whether the information is classified in terms of its
3.2.1 7.2.1 Classification guidelines value, legal requirements, sensitivity and criticality to
the organization.
Whether an appropriate set of procedures are defined
3.2.2 7.2.2 Information labelling and handling for information labelling and handling, in accordance
with the classification scheme adopted by the
organization.
Human resources security
4.1 8.1 Prior to employment
Whether employee security roles and responsibilities,
contractors and third party users were defined and
documented in accordance with the organization’s
4.1.1 8.1.1 Roles and responsibilities information security policy.
Were the roles and responsibilities defined and clearly
communicated to job candidates during the pre-
employment process
Whether background verification checks for all
candidates for employment, contractors, and third party
users were carried out in accordance to the relevant
4.1.2 8.1.2 Screening regulations.
Does the check include character reference, confirmation
of claimed academic and professional qualifications and
independent identity checks
Vinod Kumar
Page 3 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 4 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 5 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 6 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 7 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 8 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
6.6.2 10.6.2 Security of network services
Whether the ability of the network service provider, to
manage agreed services in a secure way, is determined
and regularly monitored, and the right to audit is
agreed upon.
6.7 10.7 Media handling
Whether procedures exist for management of removable
media, such as tapes, disks, cassettes, memory cards,
6.7.1 10.7.1 Management of removable media and reports.
Whether all procedures and authorization levels are
clearly defined and documented.
Whether the media that are no longer required are
6.7.2 10.7.2 Disposal of Media disposed of securely and safely, as per formal
procedures.
Whether a procedure exists for handling information
storage.
6.7.3 10.7.3 Information handling procedures
Does this procedure address issues, such as information
protection, from unauthorized disclosure or misuse
Whether the system documentation is protected against
6.7.4 10.7.4 Security of system documentation
unauthorized access.
6.8 10.8 Exchange of information
Whether there is a formal exchange policy, procedure
and control in place to ensure the protection of
Information exchange policies and information.
6.8.1 10.8.1
procedures
Does the procedure and control cover using electronic
communication facilities for information exchange.
Whether agreements are established concerning
exchange of information and software between the
6.8.2 10.8.2 Exchange Agreements organization and external parties.
Whether the security content of the agreement reflects
the sensitivity of the business information involved.
Whether media containing information is protected
6.8.3 10.8.3 Physical media in transit against unauthorized access, misuse or corruption
during transportation beyond the organization’s
physical boundary.
Vinod Kumar
Page 9 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 11 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
7.3.1 11.3.1 Password use Whether there are any security practice in place to guide
users in selecting and maintaining secure passwords
Vinod Kumar
Page 12 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 13 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
7.6.1 11.6.1 Information access restriction Whether access to information and application system
functions by users and support personnel is restricted in
accordance with the defined access control policy.
Whether sensitive systems are provided with dedicated
7.6.2 11.6.2 Sensitive system isolation (isolated) computing environment such as running on a
dedicated computer, share resources only with trusted
application systems, etc.,
7.7 11.7 Mobile computing and teleworking
Whether a formal policy is in place, and appropriate
security measures are adopted to protect against the risk
of using mobile computing and communication
facilities.
7.7.1 11.7.1 Mobile computing and communications Some example of Mobile computing and
communications facility include: notebooks, palmtops,
laptops, smart cards, mobile phones.
Whether risks such as working in unprotected
environment is taken into account by Mobile computing
policy.
Whether policy, operational plan and procedures are
7.7.2 11.7.2
developed and implemented for teleworking activities.
Vinod Kumar
Page 14 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
8.2.4 12.2.4 Output data validation Whether the data output of application system is
validated to ensure that the processing of stored
information is correct and appropriate to circumstances.
8.3 12.3 Cryptographic controls
Vinod Kumar
Page 15 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
8.3.1 12.3.1 Policy on use of cryptographic controls Whether the cryptographic policy does consider the
management approach towards the use of
cryptographic controls, risk assessment results to
identify required level of protection, key management
methods and various standards for effective
implementation
Whether key management is in place to support the
organizations use of cryptographic techniques.
Whether cryptographic keys are protected against
modification, loss, and destruction.
Whether secret keys and private keys are protected
8.3.2 12.3.2 Key Management against unauthorized disclosure.
Whether equipments used to generate, store keys are
physically protected.
Whether the Key management system is based on
agreed set of standards, procedures and secure
methods.
8.4 12.4 Security of system files
Whether there are any procedures in place to control
8.4.1 12.4.1 Control of operational software installation of software on operational systems. (This is
to minimise the risk of corruption of operational
systems.)
8.4.2 12.4.2 Protection of system test data Whether system test data is protected and controlled.
Whether use of personal information or any sensitive
information for testing operational database is shunned
Whether strict controls are in place to restrict access to
8.4.3 12.4.3 Access control to program source code program source libraries.
(This is to avoid the potential for unauthorized,
unintentional changes.)
8.5 12.5 Security in development and support services
Vinod Kumar
Page 16 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
8.5.4 12.5.4 Information leakage Whether controls such as scanning of outbound media,
regular monitoring of personnel and system activities
permitted under local legislation, monitoring resource
usage are considered.
Whether the outsourced software development is
supervised and monitored by the organization.
8.5.5 12.5.5 Outsourced software development Whether points such as: Licensing arrangements, escrow
arrangements, contractual requirement for quality
assurance, testing before installation to detect Trojan
code etc., are considered.
8.6 12.6 Technical vulnerability management
Whether timely information about technical
vulnerabilities of information systems being used is
obtained.
8.6.1 12.6.1 Control of technical vulnerabilities
Whether the organization’s exposure to such
vulnerabilities evaluated and appropriate measures
taken to mitigate the associated risk.
Information Security Incident Management
9.1 13.1 Reporting information security events and weaknesses
Vinod Kumar
Page 17 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 18 04/03/2018
vinodjis@hotmail.com
9.2.3 13.2.3 Collection of evidence
ISO 27001 Compliance Checklist
Vinod Kumar
Page 19 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 20 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
11.1.3 15.1.3 Protection of organizational records
Vinod Kumar
Page 21 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 22 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Results
Status (%)
Vinod Kumar
Page 23 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 24 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 25 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 26 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 27 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 28 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 29 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 30 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 31 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 32 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 33 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 34 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 35 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 36 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 37 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 38 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 39 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 40 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 41 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 42 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 43 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Vinod Kumar
Page 44 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
Internal Organization 0%
Organization of Information Security
External Parties 0%
Prior to Employment 0%
Human resources security During Employment 0%
Termination or change of employment 0%
Secure Areas 0%
Physical and Enviornmental security
Equipment Security 0%
Vinod Kumar
vinodjis@hotmail.com Page 45 04/03/2018
ISO 27001 Compliance Checklist
Vinod Kumar
Page 46 04/03/2018
vinodjis@hotmail.com
100%
10%
20%
30%
40%
50%
60%
70%
80%
90%
0%
Security Policy
0%
Organization of Information Security
Asset Management 0%
0% Status
Domain
Access Control
0%
Compliance
0%
ISO 27001 Compliance Checklist
Compliance Checklist
A conditional formatting has been provided on "Compliance checklist" sheet under the "Status (%)" filed and is as m
1 to 25
26 to 75
76 to 100
In the field "Findings" fill in the evidence that you saw and your thoughts of the implementation
In the field "Status (%)" fill in the compliance level on the scale as mentioned above
If any of the controls in not applicable, please put in "NA" or anything that denotes that particular control is not ap
Vinod Kumar
Page 48 04/03/2018
vinodjis@hotmail.com
ISO 27001 Compliance Checklist
lementation
Vinod Kumar
Page 49 04/03/2018
vinodjis@hotmail.com