
Halkyn Consulting Ltd 04/14/2014

ISO27001:2013 Assessment Status

[Two bar charts, each titled "Status", with a 0% to 100% axis. One plots compliance per Annex A control area (A.5 Information security policies through A.18 Compliance: Organisation of information security, Asset management, Cryptography, Operations security, System acquisition, development and maintenance, Information security incident management, Compliance, and the rest); the other plots compliance per control objective (A.5.1 Management direction for information security through A.18.2 Information security reviews). The values plotted are the ones tabulated in the Status Report at the end of this document.]
www.halkynconsulting.co.uk info@halkynconsulting.co.uk
Overview
This tool is designed to assist a skilled and experienced professional in ensuring that the relevant control areas
of ISO / IEC 27001:2013 have been addressed.
This tool does not constitute a valid assessment, and the use of this tool does not confer ISO/IEC
27001:2013 certification. The findings recorded here must be confirmed as part of a formal audit / assessment visit.

Instructions for use

Pre-assessment

1. Determine assessment scope.
Work with the relevant business stakeholders to determine what the appropriate scope of the
assessment is.

2. Collect evidence.
Identify and centralise as much evidence as possible. This can include policy documents,
process documents, interview transcripts etc.

3. Prepare toolkit.
Using the assessment scope you can identify what areas of the tool kit are not appropriate and
set these to 100% to close reporting. Record the justification for each such exclusion: setting an
area to 100% only removes it from the reporting, it does not assess it, and under ISO/IEC 27001
every Annex A control excluded from scope still has to be justified in the Statement of Applicability.
Additionally, where suggested audit questions are not relevant, these can be replaced with more
suitable ones.

Assessment

4. Review control areas.
Work through the tool kit, reviewing the evidence for each control and determining how compliant it
is with the requirements. The toolkit allows for this to be done in 5% increments.

5. Determine level of compliance.
On completion of the review, the tool kit will give you an overall level of compliance by control area
and by individual controls.

Post Assessment

6. Record areas of weakness.
Make a note of any areas where compliance is unsuitable (normally less than 90%).

7. Determine improvement plan.
For each area of weakness, work with the relevant business stakeholders to determine how
the control can be improved.

8. Schedule re-assessment.
Arrange a date to review weak areas to set a target for improvement plans.

Lifecycle Review

9. ISMS Review Schedules.
Ensure that the ISMS is re-assessed on a regular basis, ideally once every 12 months.
ISO 27001:2013
www.halkynconsulting.co.uk Halkyn Consulting Ltd
Compliance Checklist

Columns of the checklist: Checklist Reference | Standard Section | Compliance Assessment Area (Initial Assessment Points) | Results (Findings).
Each control below is listed as its reference and section title, followed by its initial assessment points; the Findings column is left for the assessor.
A.5 Information Security Policies
A.5.1 Management direction for information security

A.5.1.1 Policies for information security
1. Do security policies exist?
2. Are all policies approved by management?
3. Are policies properly communicated to employees?

A.5.1.2 Review of the policies for information security
1. Are security policies subject to review?
2. Are the reviews conducted at regular intervals?
3. Are reviews conducted when circumstances change?

A.6 Organisation of information security
A.6.1 Internal organisation

A.6.1.1 Information security roles and responsibilities
Are responsibilities for the protection of individual assets, and for carrying out specific security processes, clearly identified, defined and communicated to the relevant parties?

A.6.1.2 Segregation of duties
Are duties and areas of responsibility separated, in order to reduce opportunities for unauthorised modification or misuse of information or services?

A.6.1.3 Contact with authorities
1. Is there a procedure documenting when, and by whom, contact with relevant authorities (law enforcement etc.) will be made?
2. Is there a process which details how and when contact is required?
3. Is there a process for routine contact and intelligence sharing?

A.6.1.4 Contact with special interest groups
Do relevant individuals within the organisation maintain active membership in relevant special interest groups?

A.6.1.5 Information security in project management
Do all projects go through some form of information security assessment?

A.6.2 Mobile devices and teleworking

A.6.2.1 Mobile device policy
1. Does a mobile device policy exist?
2. Does the policy have management approval?
3. Does the policy document and address the additional risks from using mobile devices (e.g. theft of the asset, use of open wireless hotspots etc.)?

A.6.2.2 Teleworking
1. Is there a policy for teleworking?
2. Does this have management approval?
3. Is there a set process for remote workers to get access?
4. Are teleworkers given the advice and equipment to protect their assets?

A.7 Human resources security
A.7.1 Prior to employment

A.7.1.1 Screening
1. Are background verification checks carried out on all new candidates for employment?
2. Are these checks approved by the appropriate management authority?
3. Are the checks compliant with relevant laws, regulations and ethics?
4. Is the level of checks required supported by business risk assessments?

A.7.1.2 Terms and conditions of employment
1. Are all employees, contractors and third party users asked to sign confidentiality and non-disclosure agreements?
2. Do employment / service contracts specifically cover the need to protect business information?

A.7.2 During employment

A.7.2.1 Management responsibilities
1. Are managers (of all levels) engaged in driving security within the business?
2. Do management behaviour and policy drive, and encourage, all employees, contractors and third party users to apply security in accordance with established policies and procedures?

A.7.2.2 Information security awareness, education and training
Do all employees, contractors and third party users undergo regular security awareness training appropriate to their role and function within the organisation?

A.7.2.3 Disciplinary process
1. Is there a formal disciplinary process which allows the organisation to take action against employees who have committed an information security breach?
2. Is this communicated to all employees?

A.7.3 Termination and change of employment

A.7.3.1 Termination or change of employment responsibilities
1. Is there a documented process for terminating or changing employment duties?
2. Are any information security duties which survive employment communicated to the employee or contractor?
3. Is the organisation able to enforce compliance with any duties that survive employment?

A.8 Asset management
A.8.1 Responsibility for assets

A.8.1.1 Inventory of assets
1. Is there an inventory of all assets associated with information and information processing facilities?
2. Is the inventory accurate and kept up to date?

A.8.1.2 Ownership of assets
Does every information asset have a clearly defined owner who is aware of their responsibilities?

A.8.1.3 Acceptable use of assets
1. Is there an acceptable use policy for each class / type of information asset?
2. Are users made aware of this policy prior to use?

A.8.1.4 Return of assets
Is there a process in place to ensure all employees and external users return the organisation's assets on termination of their employment, contract or agreement?

A.8.2 Information classification

A.8.2.1 Classification of information
1. Is there a policy governing information classification?
2. Is there a process by which all information can be appropriately classified?

A.8.2.2 Labelling of information
Is there a process or procedure for ensuring information classification is appropriately marked on each asset?

A.8.2.3 Handling of assets
1. Is there a procedure for handling each information classification?
2. Are users of information assets made aware of this procedure?

A.8.3 Media handling

A.8.3.1 Management of removable media
1. Is there a policy governing removable media?
2. Is there a process covering how removable media is managed?
3. Are the policy and process(es) communicated to all employees using removable media?

A.8.3.2 Disposal of media
Is there a formal procedure governing how removable media is disposed of?

A.8.3.3 Physical media transfer
1. Is there a documented policy and process detailing how physical media should be transported?
2. Is media in transport protected against unauthorised access, misuse or corruption?

A.9 Access control
A.9.1 Business requirements for access control

A.9.1.1 Access control policy
1. Is there a documented access control policy?
2. Is the policy based on business requirements?
3. Is the policy communicated appropriately?

A.9.1.2 Access to networks and network services
Are controls in place to ensure users only have access to the network resources they have been specifically authorised to use and that are required for their duties?

A.9.2 User access management

A.9.2.1 User registration and de-registration
Is there a formal user access registration and de-registration process in place?

A.9.2.2 User access provisioning
Is there a formal user access provisioning process in place to assign access rights for all user types and services?

A.9.2.3 Management of privileged access rights
Are privileged access accounts separately managed and controlled?

A.9.2.4 Management of secret authentication information of users
Is there a formal management process in place to control the allocation of secret authentication information?

A.9.2.5 Review of user access rights
1. Is there a process for asset owners to review access rights to their assets on a regular basis?
2. Is this review process verified?

A.9.2.6 Removal or adjustment of access rights
Is there a process to ensure user access rights are removed on termination of employment or contract, or adjusted upon change of role?

A.9.3 User responsibilities

A.9.3.1 Use of secret authentication information
1. Is there a policy document covering the organisation's practices for how secret authentication information must be handled?
2. Is this communicated to all users?

A.9.4 System and application access control

A.9.4.1 Information access restriction
Is access to information and application system functions restricted in line with the access control policy?

A.9.4.2 Secure log-on procedures
Where the access control policy requires it, is access controlled by a secure log-on procedure?

A.9.4.3 Password management system
1. Are password systems interactive?
2. Are quality (complex) passwords required?

A.9.4.4 Use of privileged utility programs
Are privileged utility programs restricted and monitored?

A.9.4.5 Access control to program source code
Is access to program source code restricted and protected?

A.10 Cryptography
A.10.1 Cryptographic controls

A.10.1.1 Policy on the use of cryptographic controls
Is there a policy on the use of cryptographic controls?

A.10.1.2 Key management
Is there a policy governing the whole lifecycle of cryptographic keys?

A.11 Physical and environmental security
A.11.1 Secure areas

A.11.1.1 Physical security perimeter
1. Is there a designated security perimeter?
2. Are sensitive or critical information areas segregated and appropriately controlled?

A.11.1.2 Physical entry controls
Do secure areas have suitable entry control systems to ensure only authorised personnel have access?

A.11.1.3 Securing offices, rooms and facilities
1. Have offices, rooms and facilities been designed and configured with security in mind?
2. Do processes for maintaining the security (e.g. locking up, clear desks etc.) exist?

A.11.1.4 Protecting against external and environmental threats
Have physical protection measures to prevent natural disasters, malicious attack or accidents been designed in?

A.11.1.5 Working in secure areas
1. Do secure areas exist?
2. Where they do exist, do secure areas have suitable policies and processes?
3. Are the policies and processes enforced and monitored?

A.11.1.6 Delivery and loading areas
1. Are there separate delivery / loading areas?
2. Is access to these areas controlled?
3. Is access from loading areas isolated from information processing facilities?

A.11.2 Equipment

A.11.2.1 Equipment siting and protection
1. Are environmental hazards identified and considered when equipment locations are selected?
2. Are the risks from unauthorised access / passers-by considered when siting equipment?

A.11.2.2 Supporting utilities
1. Is there a UPS system or back-up generator?
2. Have these been tested within an appropriate timescale?

A.11.2.3 Cabling security
1. Have risk assessments been conducted over the location of power and telecommunications cables?
2. Are they located to protect them from interference, interception or damage?

A.11.2.4 Equipment maintenance
Is there a rigorous equipment maintenance schedule?

A.11.2.5 Removal of assets
1. Is there a process controlling how assets are removed from site?
2. Is this process enforced?
3. Are spot checks carried out?

A.11.2.6 Security of equipment and assets off-premises
1. Is there a policy covering security of assets off-site?
2. Is this policy widely communicated?

A.11.2.7 Secure disposal or reuse of equipment
1. Is there a policy covering how information assets may be reused?
2. Where data is wiped, is this properly verified before reuse / disposal?

A.11.2.8 Unattended user equipment
1. Does the organisation have a policy around how unattended equipment should be protected?
2. Are technical controls in place to secure equipment that has been inadvertently left unattended?

A.11.2.9 Clear desk and clear screen policy
1. Is there a clear desk / clear screen policy?
2. Is this well enforced?

A.12 Operations security
A.12.1 Operational procedures and responsibilities

A.12.1.1 Documented operating procedures
1. Are operating procedures well documented?
2. Are the procedures made available to all users who need them?

A.12.1.2 Change management
Is there a controlled change management process in place?

A.12.1.3 Capacity management
Is there a capacity management process in place?

A.12.1.4 Separation of development, testing and operational environments
Does the organisation enforce segregation of development, test and operational environments?

A.12.2 Protection from malware

A.12.2.1 Controls against malware
1. Are processes to detect malware in place?
2. Are processes to prevent malware spreading in place?
3. Does the organisation have a process and the capacity to recover from a malware infection?

A.12.3 Backup

A.12.3.1 Information backup
1. Is there an agreed backup policy?
2. Does the organisation's backup policy comply with relevant legal frameworks?
3. Are backups made in accordance with the policy?
4. Are backups tested?

A.12.4 Logging and monitoring

A.12.4.1 Event logging
Are appropriate event logs maintained and regularly reviewed?

A.12.4.2 Protection of log information
Are logging facilities protected against tampering and unauthorised access?

A.12.4.3 Administrator and operator logs
Are sysadmin / sysop logs maintained, protected and regularly reviewed?

A.12.4.4 Clock synchronisation
Are all clocks within the organisation

A.12.5 Control of operational software

A.12.5.1 Installation of software on operational systems
Is there a process in place to control the installation of software onto operational systems?

A.12.6 Technical vulnerability management

A.12.6.1 Management of technical vulnerabilities
1. Does the organisation have access to updated and timely information on technical vulnerabilities?
2. Is there a process to risk assess and react to any new vulnerabilities as they are discovered?

A.12.6.2 Restrictions on software installation
Are there processes in place to restrict how users install software?

A.12.7 Information systems audit considerations

A.12.7.1 Information systems audit controls
1. Are IS systems subject to audit?
2. Does the audit process ensure business disruption is minimised?

A.13 Communications security
A.13.1 Network security management

A.13.1.1 Network controls
Is there a network management process in place?

A.13.1.2 Security of network services
1. Does the organisation implement a risk management approach which identifies all network services and service agreements?
2. Is security mandated in agreements and contracts with service providers (in-house and outsourced)?
3. Are security related SLAs mandated?

A.13.1.3 Segregation in networks
Does the network topology enforce segregation of networks for different tasks?

A.13.2 Information transfer

A.13.2.1 Information transfer policies and procedures
1. Do organisational policies govern how information is transferred?
2. Are procedures for how data should be transferred made available to all employees?
3. Are relevant technical controls in place to prevent non-authorised forms of data transfer?

A.13.2.2 Agreements on information transfer
Do contracts with external parties and agreements within the organisation detail the requirements for securing business information in transfer?

A.13.2.3 Electronic messaging
Do security policies cover the use of information transfer while using electronic messaging systems?

A.13.2.4 Confidentiality or non-disclosure agreements
1. Do employees, contractors and agents sign confidentiality or non-disclosure agreements?
2. Are these agreements subject to regular review?
3. Are records of the agreements maintained?

A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems

A.14.1.1 Information security requirements analysis and specification
1. Are information security requirements specified when new systems are introduced?
2. When systems are being enhanced or upgraded, are security requirements specified and addressed?

A.14.1.2 Securing application services on public networks
Do applications which send information over public networks appropriately protect the information against fraudulent activity, contract dispute, unauthorised disclosure and unauthorised modification?

A.14.1.3 Protecting application services transactions
Are controls in place to prevent incomplete transmission, misrouting, unauthorised message alteration, unauthorised disclosure, unauthorised message duplication or replay attacks?

A.14.2 Security in development and support processes

A.14.2.1 Secure development policy
1. Does the organisation develop software or systems?
2. If so, are there policies mandating the implementation and assessment of security controls?

A.14.2.2 System change control procedures
Is there a formal change control process?

A.14.2.3 Technical review of applications after operating platform changes
Is there a process to ensure a technical review is carried out when operating platforms are changed?

A.14.2.4 Restrictions on changes to software packages
Is there a policy in place which mandates when and how software packages can be changed or modified?

A.14.2.5 Secure system engineering principles
Does the organisation have documented principles on how systems must be engineered to ensure security?

A.14.2.6 Secure development environment
1. Has a secure development environment been established?
2. Do all projects utilise the secure development environment appropriately during the system development lifecycle?

A.14.2.7 Outsourced development
1. Where development has been outsourced, is this supervised?
2. Is externally developed code subject to a security review before deployment?

A.14.2.8 System security testing
Where systems or applications are developed, are they security tested as part of the development process?

A.14.2.9 System acceptance testing
Is there an established process to accept new systems / applications, or upgrades, into production use?

A.14.3 Test data

A.14.3.1 Protection of test data
1. Is there a process for selecting test data?
2. Is test data suitably protected?

A.15 Supplier relationships
A.15.1 Information security in supplier relationships

A.15.1.1 Information security policy for supplier relationships
1. Is information security included in contracts established with suppliers and service providers?
2. Is there an organisation-wide risk management approach to supplier relationships?

A.15.1.2 Addressing security within supplier agreements
1. Are suppliers provided with documented security requirements?
2. Is supplier access to information assets & infrastructure controlled and monitored?

A.15.1.3 Information and communication technology supply chain
Do supplier agreements include requirements to address information security within the service & product supply chain?

A.15.2 Supplier service delivery management

A.15.2.1 Monitoring and review of supplier services
Are suppliers subject to regular review and audit?

A.15.2.2 Managing changes to supplier services
Are changes to the provision of services subject to a management process which includes security & risk assessment?

A.16 Information security incident management
A.16.1 Management of information security incidents and improvements

A.16.1.1 Responsibilities and procedures
Are management responsibilities clearly identified and documented in the incident management processes?

A.16.1.2 Reporting information security events
1. Is there a process for timely reporting of information security events?
2. Is there a process for reviewing and acting on reported information security events?

A.16.1.3 Reporting information security weaknesses
1. Is there a process for reporting of identified information security weaknesses?
2. Is this process widely communicated?
3. Is there a process for reviewing and addressing reports in a timely manner?

A.16.1.4 Assessment of and decision on information security events
Is there a process to ensure information security events are properly assessed and classified?

A.16.1.5 Response to information security incidents
Is there an incident response process which reflects the classification and severity of information security incidents?

A.16.1.6 Learning from information security incidents
Is there a process or framework which allows the organisation to learn from information security incidents and reduce the impact / probability of future events?

A.16.1.7 Collection of evidence
1. Is there a forensic readiness policy?
2. In the event of an information security incident, is relevant data collected in a manner which allows it to be used as evidence?

A.17 Information security aspects of business continuity management
A.17.1 Information security continuity

A.17.1.1 Planning information security continuity
Is information security included in the organisation's continuity plans?

A.17.1.2 Implementing information security continuity
Does the organisation's information security function have documented, implemented and maintained processes to maintain continuity of service during an adverse situation?

A.17.1.3 Verify, review and evaluate information security continuity
Are continuity plans validated and verified at regular intervals?

A.17.2 Redundancies

A.17.2.1 Availability of information processing facilities
Do information processing facilities have sufficient redundancy to meet the organisation's availability requirements?

A.18 Compliance
A.18.1 Compliance with legal and contractual requirements

A.18.1.1 Identification of applicable legislation and contractual requirements
1. Has the organisation identified and documented all relevant legislative, regulatory or contractual requirements related to security?
2. Is compliance documented?

A.18.1.2 Intellectual property rights
1. Does the organisation keep a record of all intellectual property rights and use of proprietary software products?
2. Does the organisation monitor for the use of unlicensed software?

A.18.1.3 Protection of records
Are records protected from loss, destruction, falsification and unauthorised access or release in accordance with legislative, regulatory, contractual and business requirements?

A.18.1.4 Privacy and protection of personally identifiable information
1. Is personal data identified and appropriately classified?
2. Is personal data protected in accordance with relevant legislation?

A.18.1.5 Regulation of cryptographic controls
Are cryptographic controls used in accordance with all relevant agreements, legislation and regulations?

A.18.2 Information security reviews

A.18.2.1 Independent review of information security
1. Is the organisation's approach to managing information security subject to regular independent review?
2. Is the implementation of security controls subject to regular independent review?

A.18.2.2 Compliance with security policies and standards
1. Does the organisation instruct managers to regularly review compliance with policy and procedures within their area of responsibility?
2. Are records of these reviews maintained?

A.18.2.3 Technical compliance review
Does the organisation regularly conduct technical compliance reviews of its information systems?

Status column of the checklist (per-control compliance, blank template): 0% for every control listed above.
ISO27001:2013 Compliance Status Report
www.halkynconsulting.co.uk info@halkynconsulting.co.uk

Standard Section: Status
A.5 Information Security Policies: 0%
A.6 Organisation of information security: 0%
A.7 Human resources security: 0%
A.8 Asset management: 0%
A.9 Access control: 0%
A.10 Cryptography: 0%
A.11 Physical and environmental security: 0%
A.12 Operations security: 0%
A.13 Communications security: 0%
A.14 System acquisition, development and maintenance: 0%
A.15 Supplier relationships: 0%
A.16 Information security incident management: 0%
A.17 Information security aspects of business continuity management: 0%
A.18 Compliance: 0%

Overall Compliance: 0%

04/14/2014 Halkyn Consulting Ltd


ISO27001:2013 Compliance Status Report (by control objective)

Standard Section: Status
A.5.1 Management direction for information security: 0%
A.6.1 Internal organisation: 0%
A.6.2 Mobile devices and teleworking: 0%
A.7.1 Prior to employment: 0%
A.7.2 During employment: 0%
A.7.3 Termination and change of employment: 0%
A.8.1 Responsibility for assets: 0%
A.8.2 Information classification: 0%
A.8.3 Media handling: 0%
A.9.1 Business requirements for access control: 0%
A.9.2 User access management: 0%
A.9.3 User responsibilities: 0%
A.9.4 System and application access control: 0%
A.10.1 Cryptographic controls: 0%
A.11.1 Secure areas: 0%
A.11.2 Equipment: 0%
A.12.1 Operational procedures and responsibilities: 0%
A.12.2 Protection from malware: 0%
A.12.3 Backup: 0%
A.12.4 Logging and monitoring: 0%
A.12.5 Control of operational software: 0%
A.12.6 Technical vulnerability management: 0%
A.12.7 Information systems audit considerations: 0%
A.13.1 Network security management: 0%
A.13.2 Information transfer: 0%
A.14.1 Security requirements of information systems: 0%
A.14.2 Security in development and support processes: 0%
A.14.3 Test data: 0%
A.15.1 Information security in supplier relationships: 0%
A.15.2 Supplier service delivery management: 0%
A.16.1 Management of information security incidents & improvements: 0%
A.17.1 Information security continuity: 0%
A.17.2 Redundancies: 0%
A.18.1 Compliance with legal and contractual requirements: 0%
A.18.2 Information security reviews: 0%

04/14/2014 Halkyn Consulting Ltd