Part 1: "Plan"
4 Context of the organization
N/A Create document list
N/A Create an Organization Chart
4.3 Determining the scope of the information security management system (ISMS)
4.3 Create the Scope document
N/A Discuss observations and pertinent details
4.3.a Include scope item
7.4 Communication
7.4 Establish Communication
7.5.1 General
7.5.1.a Scope of the ISMS (4.3)
7.5.1.a Information security policy and objectives (5.2 and 6.2)
7.5.1.a Risk assessment methodology (6.1.2)
7.5.1.a Risk treatment methodology (6.1.2)
7.5.1.a Statement of Applicability (6.1.3 d)
7.5.1.a Risk treatment plan (6.1.3 e and 6.2)
7.5.1.a Risk assessment report (8.2)
7.5.1.a Definition of security roles and responsibilities (A.7.1.2 and A.13.2.4)
7.5.1.a Inventory of assets (A.8.1.1)
7.5.1.a Acceptable use of assets (A.8.1.3)
7.5.1.a Access control policy (A.9.1.1)
7.5.1.a Operating procedures for IT management (A.12.1.1)
7.5.1.a Secure system engineering principles (A.14.2.5)
7.5.1.a Supplier security policy (A.15.1.1)
7.5.1.a Incident management procedure (A.16.1.5)
7.5.1.a Business continuity procedures (A.17.1.2)
7.5.1.a Statutory, regulatory, and contractual requirements (A.18.1.1)
7.5.1.a Create templates for required records
7.5.1.a Competence (7.2)
7.5.3.a Availability
7.5.3.b Protection
7.5.3 Document control of ISMS documentation
7.5.3.c Transmission and access
7.5.3.d Storage
7.5.3.e Version control
7.5.3.f Retention and destruction
7.5.3.* Identification of externally originating documents
N/A Create document management and workflow
Part 4: "Act"
10 Improvement
10.1 Nonconformity and corrective action
10.1.a-e Document the process for response to nonconformities
Create comprehensive list of documents for consideration for inclusion in the ISMS.
Add details for key staff to PM workbook.
Create visual organization chart.
Create initial mapping of ISO 27001 controls to departments, indicating expected applicability of each. Use the data to
estimate required interview time for each department. Provide the control mappings to the corresponding departments for
initial feedback and to help them become familiar with the items of future discussions.
Meet with key subject matter experts (SMEs) and Customer committee members, and lay out the project plan and timeline.
Meet with business unit leaders together to determine the breakdown of future groups/meetings (based on which
data/applications they use).
Determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of the ISMS.
Document external and internal issues relevant to the company's purpose and that affect its ability to achieve the ISMS goals.
Review with each Business Unit the ISO 27001 Requirements (Annex A); results of recent risk analyses and/or related
initiatives; and Questionnaire results.
Determine relevant interested parties and their requirements.
Document interested parties that are relevant to the ISMS.
Document the requirements of these interested parties relevant to information security.
Include or reference the following items:
1) External and internal issues relevant to the company's purpose and that affect its ability to achieve the ISMS goals (4.1)
2) Interested parties and their requirements/objectives (4.2)
3) Statement of leadership commitment (5.1, 5.2.c, 5.2.d)
4) Assignment of key roles and responsibilities [by titles] (5.3)
Review the most recent risk analysis, and include the recommendations to be addressed in the Scope document.
Map the results of any recent risk analyses to the ISO 27001 requirements. Include the ones to be addressed in the Scope
document.
Map the results of the internal security questionnaires to the ISO 27001 requirements. Include the ones to be addressed in
the Scope document.
Include interested parties and their requirements/objectives.
Include interfaces and dependencies between internal and external activities (may be specified in the Information Security
Policy).
Approve the Scope document.
Establish, implement, maintain and continually improve the ISMS.
Create the ISMS Master Document.
Assign responsibilities and authority for reporting on the performance of the ISMS to top management.
Apply the information security risk process; identify the risk owners; and analyze the impact and likelihood of each risk and
combine these to specify the level of each risk.
Review the most recent risk assessment.
Review results from the Customer business units' Internal Risk Analysis Scoping Questionnaires.
Combine the responses from the internal Security Questionnaires, ISO 27001 controls, and set of additional discussion items
into a single document for each business unit.
Facilitate discussions with each business unit regarding their processes; applicable ISO 27001 controls; and answers to the
security questionnaires.
SOW Step 15
ISO 27001 Annex A controls and documentation mapping align with the existing SOC framework where relevant.
Produce a Statement of Applicability that contains the necessary controls (see 6.1.3.b-c) and justification for inclusions,
whether they are implemented or not, and the justification for exclusions of controls from Annex A.
Document the Risk Treatment Plan.
For each Risk Treatment Plan item, review with the business unit managers and get their sign-off for each risk's treatment
option.
Establish information security objectives at relevant functions and levels.
Determine and document the relevant functions and levels for establishment of information security objectives.
For each function/level determined in Section 6.2, work with the business owners to determine and document the
corresponding information security objectives. Make sure they:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and results from risk assessment and risk treatment;
d) be communicated; and
e) be updated as appropriate.
For each objective determined in Section 6.2, work with the business owners to plan how to achieve the objectives by
determining:
f) what will be done;
g) what resources will be required (see Section 7.1);
h) who will be responsible;
i) when it will be completed; and
j) how the results will be evaluated.
Determine and document the resources required to maintain and continuously improve the ISMS.
Ensure appropriate competence for all persons whose work affects information security performance.
Define and document the necessary competence of all staff who affect the performance of information security.
Review the competence of the corresponding personnel based on the criteria defined in Section 7.2.a (e.g., education,
training, and experience).
Take actions to bring all relevant personnel to the required levels of competence.
Determine and document the need for internal and external communications relevant to the ISMS.
Determine the need for internal and external communications relevant to the ISMS including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be effected.
Documented information pertinent to the organization and the ISMS shall be included.
Confirm the documents intended to be included in the ISMS implementation, and approval from Customer PM.
Update Section 7.5.1 below with the documents to be included.
Develop the ISO 27001 Required Documents section in accordance with sections 4-8 of the 2013 Standard. Ensure Policies
and Procedures Documentation is updated or developed to support the relevant Annex A controls.
Determine and create any additional documents necessary for the effectiveness of the ISMS. See the Documents worksheet.
When creating and updating documented information, appropriate measures will be taken.
Define the content, format, media, and review/approval process for the ISMS documentation.
Review the ISMS documents and ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number)
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic)
Review the ISMS documents for suitability and adequacy, and approve them.
The quality review addresses the completeness and accuracy of the entire documentation set.
Documented information required by the ISMS shall be controlled.
Determine and document how the ISMS documented information will be controlled in regards to the following:
Plan, implement, and control the processes needed to meet information security requirements.
Implement actions and plans determined in Sections 6.1 and 6.2.
Define the requirements for keeping records as evidence that processes have been carried out as planned.
Document and implement change control policies and procedures, including response to unintended changes and mitigation
of adverse effects.
Document outsourced processes and how they are controlled. Bring this up during facilitated discussions with the business
units.
Create the appropriate operational control records.
Perform information security risk assessments.
Specify the schedule of risk assessments.
Determine triggers ("when significant changes are proposed or occur") for unscheduled risk assessments.
Define the requirements for keeping records as evidence that risk assessments have been carried out as planned, and their
results.
Create the appropriate risk assessment records.
Perform information security risk treatment.
Implement the risk treatment plan documented and approved in Sections 6.1.3.e-f.
Define the requirements for keeping records as evidence that risk treatments have been carried out as planned, and their
results.
Create the appropriate risk treatment records.
Evaluate the information security performance and the effectiveness of the ISMS.
Document the methodology to evaluate the performance and effectiveness of the ISMS. Determine what needs to be
monitored and measured, including information security processes and controls; the methods for monitoring, measurement,
analysis and evaluation; when the monitoring and measuring shall be performed; who shall perform the monitoring and
measuring; when the results from monitoring and measurement shall be analyzed and evaluated; and who shall analyze and
evaluate these results.
Define the requirements for keeping records as evidence that monitoring and measurement have been carried out as
planned, and their results.
Create the appropriate monitoring and measurement records.
Plan, establish, implement, and maintain an internal audit program.
Determine and document the methodology to evaluate the performance and effectiveness of the ISMS. Specify the
frequency, methods, responsibilities, planning requirements, and reporting. Also specify how the audit criteria and scope will
be defined for each audit; how auditors will be selected and audits will be conducted to ensure objectivity and impartiality of
the audit process; how and to whom the audit results will be reported; and the records to be retained as evidence of the
audit program and the results of each audit.
Define the requirements for the records to be retained as evidence of the audit program and the results of each audit.
Review the ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
Document the management review process including: a) reviews of the status of actions from previous management
reviews; b) changes in external and internal issues that are relevant to the ISMS; c) feedback on the information security
performance (including trends in: 1) nonconformities and corrective actions; 2) monitoring and measurement results; 3)
audit results; and 4) fulfilment of information security objectives); d) feedback from interested parties; e) results of risk
assessment and status of risk treatment plan; and f) opportunities for continual improvement. The outputs of the
management review shall include decisions related to continual improvement opportunities and any needs for changes to
the information security management system.
Define the requirements for keeping records as evidence that management reviews have been carried out as planned, and
their results.
Define the requirements for keeping records as evidence of f) the nature of the nonconformities and any subsequent actions
taken, and g) the results of any corrective action.
Continually improve the suitability, adequacy and effectiveness of the ISMS.
No tasks
Departments:
Legal / Compliance
TO - Infrastructure
Finance - Strategy
Customer Support
TO - Engineering
Internal Audit
Accounting
Marketing
IT - Corp
Sales
HR

Inclusion justification codes (columns L C B R O in the control mapping):
L - Legal & Regulatory
C - Contractual
B - Business Req. & Best Practices
R - Risk Assessment
O - Other (explain)
Control ID Section/Control Title Section Objective/Control Description Inclusion Existing Controls L C B R O Comments Suggested Effectiveness Measurement(s)
A.5 Information Security Policies
A.5.1 Management direction Objective: To provide management direction and support for
for information security information security in accordance with business requirements and
relevant laws and regulations.
A.5.1.1 The policies for A set of policies for information security shall be defined, approved Review policies on an annual basis and look
information security by management, published and communicated to employees and for security issues related to policy controls.
relevant external parties.
A.5.1.2 Review of the policies The policies for information security shall be reviewed at planned Discuss the effectiveness of the review
for information security intervals or if significant changes occur to ensure their continuing process with the management team.
suitability, adequacy and effectiveness.
A.6 Organization of information security
A.6.1 Internal organization Objective: To establish a management framework to initiate and
control the implementation and operation of information security
within the organization.
A.6.1.1 Information security All information security roles and responsibilities shall be defined Perform an annual review of information
roles and responsibilities and allocated. security roles and responsibilities.
A.6.1.2 Segregation of duties Conflicting duties and areas of responsibility shall be segregated to Perform an annual review of the segregation
reduce opportunities for unauthorized or unintentional modification of duties requirements in the security policies
or misuse of the organizations assets. as well as a review of any segregation of
duties related security incidents.
A.6.1.3 Contact with authorities Appropriate contacts with relevant authorities shall be maintained. Verify contact information on an annual basis
during the policy and procedure review.
A.6.1.4 Contact with special Appropriate contacts with special interest groups or other specialist Review the group memberships on an annual
interest groups security forums and professional associations shall be maintained. basis (measure their industry contribution)
and consider new groups if available.
A.6.1.5 Information security in Information security shall be addressed in project management, Audit the security incidents to identify any
project management regardless of the type of the project. incidents related to the releases.
A.6.2 Mobile devices and Objective: To ensure the security of teleworking and use of mobile
teleworking devices.
A.6.2.1 Mobile device policy A policy and supporting security measures shall be adopted to Review number of mobile device related
manage the risks introduced by using mobile devices. security instances.
A.6.2.2 Teleworking A policy and supporting security measures shall be implemented to Review number of mobile workers and
protect information accessed, processed or stored at teleworking sites. security incidents involving off-site work.
A.7.1.2 Terms and conditions of The contractual agreements with employees and contractors shall Review the employee handbook.
employment state their and the organizations responsibilities for information
security.
A.7.2 During employment Objective: To ensure that employees and contractors are aware of and
fulfil their information security responsibilities.
A.7.2.1 Management Management shall require all employees and contractors to apply Ensure all employees attest to agreeing to the
responsibilities information security in accordance with the established policies and Employee Handbook at least once a year.
procedures of the organization.
A.7.2.2 Information security All employees of the organization and, where relevant, contractors Survey after training - 100% attendance by
awareness, education and shall receive appropriate awareness education and training and Ops and 10 question quiz scores.
training regular updates in organizational policies and procedures, as relevant
for their job function.
A.7.2.3 Disciplinary process There shall be a formal and communicated disciplinary process in Verify employees have signed off on the
place to take action against employees who have committed an employee handbook and gather feedback on
information security breach. the disciplinary process from HR.
A.7.3 Termination and change Objective: To protect the organizations interests as part of the
of employment process of changing or terminating employment.
A.7.3.1 Termination or change of Information security responsibilities and duties that remain valid after Perform a quarterly user account and access
employment termination or change of employment shall be defined, communicated audit to ensure that access was revoked for all
responsibilities to the employee or contractor and enforced. terminated employees.
A.8 Asset management
A.8.1 Responsibility for assets Objective: To identify organizational assets and define appropriate
protection responsibilities.
A.8.1.1 Inventory of assets Assets associated with information and information processing Perform a bi-annual audit to ensure that assets
facilities shall be identified and an inventory of these assets shall be are tracked in the system of record.
drawn up and maintained.
A.8.1.2 Ownership of assets Assets maintained in the inventory shall be owned. Perform an annual audit to ensure asset
owners are accurate.
A.8.1.3 Acceptable use of assets Rules for the acceptable use of information and of assets associated Evaluate the number of issues or disciplinary
with information and information processing facilities shall be actions related to acceptable use of company
identified, documented and implemented. assets.
A.8.1.4 Return of assets All employees and external party users shall return all of the Perform an annual audit to ensure that
organizational assets in their possession upon termination of their terminated employees returned their
employment, contract or agreement. equipment
A.8.2 Information classification Objective: To ensure that information receives an appropriate level of
protection in accordance with its importance to the organization.
A.8.2.1 Classification of Information shall be classified in terms of legal requirements, value, Perform an annual information security policy
information criticality and sensitivity to unauthorised disclosure or modification. review and review any security incidents
related to the classification of sensitive
information.
A.8.2.2 Labelling of information An appropriate set of procedures for information labelling shall be Perform an annual information security policy
developed and implemented in accordance with the information review and review any security incidents
classification scheme adopted by the organization. related to the labeling of sensitive
information.
A.8.2.3 Handling of assets Procedures for handling assets shall be developed and implemented in Perform an annual information security policy
accordance with the information classification scheme adopted by the review and review any security incidents
organization. related to the handling of sensitive
information.
A.9.1.2 Access to networks and Users shall only be provided with access to the network and network Perform a quarterly user account and access
network services services that they have been specifically authorized to use. audit.
A.9.2.1 User registration and de- A formal user registration and de-registration process shall be Perform a quarterly user account and access
registration implemented to enable assignment of access rights. audit.
A.9.2.2 User access provisioning A formal user access provisioning process shall be implemented to Perform a quarterly user account and access
assign or revoke access rights for all user types to all systems and audit.
services.
A.9.2.3 Management of The allocation and use of privileged access rights shall be restricted Perform a quarterly user account and access
privileged access rights and controlled. audit.
A.9.2.4 Management of secret The allocation of secret authentication information shall be controlled Perform a quarterly user account and access
authentication through a formal management process. audit.
information of users
A.9.2.5 Review of user access Asset owners shall review users access rights at regular intervals. Perform a quarterly user account and access
rights audit.
A.9.2.6 Removal or adjustment The access rights of all employees and external party users to Perform a quarterly user account and access
of access rights information and information processing facilities shall be removed audit.
upon termination of their employment, contract or agreement, or
adjusted upon change.
A.9.3 User responsibilities Objective: To make users accountable for safeguarding their
authentication information.
A.9.3.1 Use of secret Users shall be required to follow the organizations practices in the Perform an annual information security policy
authentication use of secret authentication information. review and review any security incidents
information related to authentication information.
A.9.4 System and application Objective: To prevent unauthorized access to systems and
access control applications.
A.9.4.1 Information access Access to information and application system functions shall be Perform a quarterly user account and access
restriction restricted in accordance with the access control policy. audit.
A.9.4.2 Secure log-on procedures Where required by the access control policy, access to systems and Perform an annual information security policy
applications shall be controlled by a secure log-on procedure. review and review any security incidents
related to authentication information.
A.9.4.3 Password management Password management systems shall be interactive and shall ensure Review password requirements during the
system quality passwords. annual policy review and review any security
incidents related to passwords.
A.9.4.4 Use of privileged utility The use of utility programs that might be capable of overriding Perform a quarterly user account and access
programs system and application controls shall be restricted and tightly audit.
controlled.
A.9.4.5 Access control to Access to program source code shall be restricted. Perform a quarterly user account and access
program source code audit.
A.10 Cryptography
A.10.1 Cryptographic controls Objective: To ensure proper and effective use of cryptography to
protect the confidentiality, authenticity and/or integrity of
information.
A.10.1.1 Policy on the use of A policy on the use of cryptographic controls for protection of Review encryption requirements during the
cryptographic controls information shall be developed and implemented. annual policy review and review any security
incidents related to information exposure.
A.10.1.2 Key management A policy on the use, protection and lifetime of cryptographic keys Review encryption requirements during the
shall be developed and implemented through their whole lifecycle. annual policy review and review any security
incidents related to information exposure.
A.11.2 Equipment Objective: To prevent loss, damage, theft or compromise of assets and
interruption to the organization's operations.
A.11.2.1 Equipment siting and Equipment shall be sited and protected to reduce the risks from Perform an annual information security policy
protection environmental threats and hazards, and opportunities for unauthorized review. Annual review of SOC/ISO reports
access.
A.11.2.2 Supporting utilities Equipment shall be protected from power failures and other Perform an annual information security policy
disruptions caused by failures in supporting utilities. review. Annual review of SOC/ISO reports
A.11.2.3 Cabling security Power and telecommunications cabling carrying data or supporting Perform an annual information security policy
information services shall be protected from interception, interference review. Annual review of SOC/ISO reports
or damage.
A.11.2.4 Equipment maintenance Equipment shall be correctly maintained to ensure its continued Annual equipment audit to ensure
availability and integrity. replacement of non-supported hardware.
A.11.2.5 Removal of assets Equipment, information or software shall not be taken off-site without Perform an annual information security policy
prior authorization. review. Annual review of SOC/ISO reports
A.11.2.6 Security of equipment Security shall be applied to off-site assets taking into account the Perform an annual information security policy
and assets off-premises different risks of working outside the organizations premises. review.
A.11.2.7 Secure disposal or reuse All items of equipment containing storage media shall be verified to Perform an annual information security policy
of equipment ensure that any sensitive data and licensed software has been removed review.
or securely overwritten prior to disposal or re-use.
A.11.2.8 Unattended user Users shall ensure that unattended equipment has appropriate Perform an annual information security policy
equipment protection. review.
A.11.2.9 Clear desk and clear A clear desk policy for papers and removable storage media and a Perform an annual information security policy
screen policy clear screen policy for information processing facilities shall be review.
adopted.
A.12 Operations security
A.12.1 Operational procedures Objective: To ensure correct and secure operations of information
and responsibilities processing facilities.
A.12.1.1 Documented operating Operating procedures shall be documented and made available to all Perform an annual procedures audit.
procedures users who need them.
A.12.1.2 Change management Changes to the organization, business processes, information Annual review of the change management
processing facilities and systems that affect information security shall process.
be controlled.
A.12.1.3 Capacity management The use of resources shall be monitored, tuned and projections made Review the number of security or availability
of future capacity requirements to ensure the required system issues related to capacity management.
performance.
A.12.1.4 Separation of Development, testing, and operational environments shall be Review the requirements and any security
development, testing and separated to reduce the risks of unauthorized access or changes to the incidents related to system isolation.
operational environments operational environment.
A.12.2 Protection from malware Objective: To ensure that information and information processing
facilities are protected against malware.
A.12.2.1 Controls against malware Detection, prevention and recovery controls to protect against Review the number of security incidents and
malware shall be implemented, combined with appropriate user impacs related to malware.
awareness.
A.12.3 Backup Objective: To protect against loss of data.
A.12.3.1 Information backup Backup copies of information, software and system images shall be Success of restore procedures. Log of restores
taken and tested regularly in accordance with an agreed backup required
policy.
A.12.4 Logging and monitoring Objective: To record events and generate evidence.
A.12.4.1 Event logging Event logs recording user activities, exceptions, faults and Annual review to confirm log file information
information security events shall be produced, kept and regularly is still sufficent and the availablity of the log
reviewed. files meets management/customer
expectations.
A.12.4.2 Protection of log Logging facilities and log information shall be protected against Annual review of controls and measure
information tampering and unauthorized access. number of log releated security events.
A.12.4.3 Administrator and System administrator and system operator activities shall be logged Annual review of the administrator access
operator logs and the logs protected and regularly reviewed. logging capabilties.
A.12.4.4 Clock synchronisation The clocks of all relevant information processing systems within an Annual audit of time syncronization.
organization or security domain shall be synchronised to a single
reference time source.
A.12.5 Control of operational Objective: To ensure the integrity of operational systems.
software
A.12.5.1 Installation of software Procedures shall be implemented to control the installation of Annual review of system failures and related
on operational systems software on operational systems. security and operational system incidents.
A.13.1.3 Segregation in networks Groups of information services, users and information systems shall Perform an annual information security policy
be segregated on networks. and procedures review.
A.13.2 Information transfer Objective: To maintain the security of information transferred within
an organization and with any external entity.
A.13.2.1 Information transfer Formal transfer policies, procedures and controls shall be in place to Perform an annual information security policy
policies and procedures protect the transfer of information through the use of all types of and procedures review.
communication facilities.
A.13.2.2 Agreements on Agreements shall address the secure transfer of business information Review 3rd party contract language on an
information transfer between the organization and external parties. annual basis.
A.13.2.3 Electronic messaging Information involved in electronic messaging shall be appropriately Perform an annual information security policy
protected. and procedures review.
A.13.2.4 Confidentiality or Requirements for confidentiality or non-disclosure agreements Review the Legal SLA.
nondisclosure reflecting the organizations needs for the protection of information
agreements shall be identified, regularly reviewed and documented.
A.14.1.1 Information security The information security related requirements shall be included in the Perform a review of the Release Management
requirements analysis requirements for new information systems or enhancements to and Software Deployment document.
and specification existing information systems.
A.14.1.2 Securing application Information involved in application services passing over public Ensure the use of SSL/TLS is appropriate.
services on public networks shall be protected from fraudulent activity, contract dispute
networks and unauthorized disclosure and modification.
A.14.1.3 Protecting application Information involved in application service transactions shall be Ensure the use of SSL/TLS is appropriate.
services transactions protected to prevent incomplete transmission, mis-routing,
unauthorized message alteration, unauthorized disclosure,
unauthorized message duplication or replay.
A.14.2 Security in development and support processes
  Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.
A.14.2.1 Secure development policy
  Control: Rules for the development of software and systems shall be established and applied to developments within the organization.
  Audit activity: Review the Engineering SLA.
A.14.2.2 System change control procedures
  Control: Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.
  Audit activity: Review the change management process.
A.14.2.3 Technical review of applications after operating platform changes
  Control: When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
  Audit activity: Review whether or not operating platforms changed and, if so, whether or not an application review was performed.
A.14.2.4 Restrictions on changes to software packages
  Control: Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.
  Audit activity: Perform a review of the Release Management and Software Deployment document.
A.14.2.5 Secure system engineering principles
  Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
  Audit activity: Review the Engineering SLA.
A.14.2.6 Secure development environment
  Control: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
  Audit activity: Review the Engineering SLA.
A.14.2.7 Outsourced development
  Control: The organization shall supervise and monitor the activity of outsourced system development.
A.14.2.8 System security testing
  Control: Testing of security functionality shall be carried out during development.
  Audit activity: Review the Engineering SLA and perform a review of the Release Management and Software Deployment document.
A.14.2.9 System acceptance testing
  Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
  Audit activity: Perform a review of the Release Management and Software Deployment document.
A.14.3 Test data
  Objective: To ensure the protection of data used for testing.
A.14.3.1 Protection of test data
  Control: Test data shall be selected carefully, protected and controlled.
  Audit activity: Review the master information security policy and the Engineering SLA.
A.15 Supplier relationships
A.15.1 Information security in supplier relationships
  Objective: To ensure protection of the organization's assets that are accessible by suppliers.
A.15.1.1 Information security policy for supplier relationships
  Control: Information security requirements for mitigating the risks associated with suppliers' access to the organization's assets shall be agreed with the supplier and documented.
  Audit activity: Audit all failures due to supplier security events.
A.15.1.2 Addressing security within supplier agreements
  Control: All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information.
  Audit activity: Audit all failures due to supplier security events.
A.15.1.3 Information and communication technology supply chain
  Control: Agreements with suppliers shall include requirements to address the information security risks associated with the information and communications technology services and product supply chain.
  Audit activity: Audit all failures due to supplier security events.
A.15.2 Supplier service delivery management
  Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.
A.15.2.1 Monitoring and review of supplier services
  Control: Organizations shall regularly monitor, review and audit supplier service delivery.
  Audit activity: Supplier review results.
A.15.2.2 Managing changes to supplier services
  Control: Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of the business information, systems and processes involved and re-assessment of risks.
  Audit activity: Supplier review results.
A.16.1.1 Responsibilities and procedures
  Control: Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
  Audit activity: Perform a review of the incident response procedures.
A.16.1.2 Reporting information security events
  Control: Information security events shall be reported through appropriate management channels as quickly as possible.
  Audit activity: Perform a review of the incident response procedures.
A.16.1.3 Reporting information security weaknesses
  Control: Employees and contractors using the organization's information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.
  Audit activity: Perform a review of the incident response procedures.
A.16.1.4 Assessment of and decision on information security events
  Control: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.
  Audit activity: Perform a review of the incident response procedures.
A.16.1.5 Response to information security incidents
  Control: Information security incidents shall be responded to in accordance with the documented procedures.
  Audit activity: Perform a review of the incident response procedures.
A.16.1.6 Learning from information security incidents
  Control: Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.
  Audit activity: Perform a review of the incident response procedures.
A.16.1.7 Collection of evidence
  Control: The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information which can serve as evidence.
  Audit activity: Perform a review of the incident response procedures. Check in particular that the procedure fixes an integrity value for each artifact at acquisition time and keeps a custody log of every hand-over.
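A.16.1.7 asks for a preservation procedure but the checklist does not say what one looks like in practice. As an added example (not part of the original checklist and not any organization's procedure), the following Python code shows the minimum a reviewer would expect: a SHA-256 fingerprint and size recorded at acquisition, a custody log that grows with each hand-over, and an HMAC seal over the record so that edits to the record itself are detectable. The sample log lines are constructed, and the record layout, key handling and function names are this example's own assumptions.

```python
"""Added example: evidence custody record with integrity checks.

Not part of the original checklist.  Record fields, function names and the
seal key handling are this example's assumptions; the sample artifact is
constructed, not a real log.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample artifact: a few auth log lines standing in for a file
# acquired from a host during an incident.
SAMPLE_ARTIFACT = (
    b"Feb 11 03:14:07 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 50222 ssh2\n"
    b"Feb 11 03:14:09 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 50222 ssh2\n"
    b"Feb 11 03:14:12 web01 sshd[2213]: Accepted password for deploy from 203.0.113.7 port 50231 ssh2\n"
)


def _now_iso(when=None) -> str:
    return (when or datetime.now(timezone.utc)).isoformat()


def _canonical(record: dict) -> bytes:
    """Stable serialisation so the seal does not depend on dict key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def make_custody_record(name: str, data: bytes, collector: str, source: str,
                        collected_at=None) -> dict:
    """Record what was acquired, from where, by whom and when, together with
    the size and SHA-256 of the bytes as they were at acquisition time."""
    ts = _now_iso(collected_at)
    return {
        "artifact": name,
        "source": source,
        "size_bytes": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "collected_by": collector,
        "collected_at": ts,
        "custody_log": [{"action": "collected", "by": collector, "at": ts}],
    }


def transfer_custody(record: dict, to: str, when=None) -> dict:
    """Append a hand-over entry.  The record must be resealed afterwards,
    otherwise the old seal no longer verifies (by design)."""
    record["custody_log"].append({"action": "transferred", "to": to, "at": _now_iso(when)})
    return record


def seal_record(record: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical record; the key stays with the case lead,
    never alongside the record."""
    return hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()


def verify_seal(record: dict, key: bytes, seal: str) -> bool:
    return hmac.compare_digest(seal_record(record, key), seal)


def verify_artifact(record: dict, data: bytes) -> bool:
    """True only if the bytes presented now match the size and hash recorded
    at acquisition; any truncation, append or edit fails this check."""
    return (len(data) == record["size_bytes"]
            and hmac.compare_digest(hashlib.sha256(data).hexdigest(), record["sha256"]))


if __name__ == "__main__":
    key = b"case-2016-0211-seal-key"   # assumption: held by the case lead, not stored with the record
    rec = make_custody_record("auth.log", SAMPLE_ARTIFACT, "analyst1", "web01:/var/log/auth.log")
    seal = seal_record(rec, key)
    print("artifact intact:", verify_artifact(rec, SAMPLE_ARTIFACT))
    print("seal valid:", verify_seal(rec, key, seal))
    transfer_custody(rec, "legal")
    print("seal valid after unsealed hand-over:", verify_seal(rec, key, seal))
    print(json.dumps(rec, indent=2))
```

The hash proves the artifact is unchanged; the seal proves the record about it is unchanged. An auditor reviewing the procedure should expect both, plus a rule that every custody change is followed by a new seal.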
A.17 Information security aspects of business continuity management
A.17.1 Information security continuity
  Objective: Information security continuity shall be embedded in the organization's business continuity management systems.
A.17.1.1 Planning information security continuity
  Control: The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
  Audit activity: Review the BCP/DR table top test results.
A.17.1.2 Implementing information security continuity
  Control: The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
  Audit activity: Review the BCP/DR table top test results.
A.17.1.3 Verify, review and evaluate information security continuity
  Control: The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
  Audit activity: Review the BCP/DR table top test results.
A.17.2 Redundancies
  Objective: To ensure availability of information processing facilities.
A.17.2.1 Availability of information processing facilities
  Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
  Audit activity: Review any incidents related to the availability of the data centers.
A.18 Compliance
A.18.1 Compliance with legal and contractual requirements
  Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
A.18.1.1 Identification of applicable legislation and contractual requirements
  Control: All relevant legislative, statutory, regulatory and contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.
  Audit activity: Review the Legal SLA.
A.18.1.2 Intellectual property rights
  Control: Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.
  Audit activity: Perform an annual information security policy and procedures review.
A.18.1.3 Protection of records
  Control: Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.
  Audit activity: Perform an annual information security policy and procedures review.
A.18.1.4 Privacy and protection of personally identifiable information
  Control: Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
  Audit activity: Annual review of privacy policy and privacy-related incidents.
A.18.1.5 Regulation of cryptographic controls
  Control: Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
  Audit activity: Review the Legal SLA.
A.18.2 Information security reviews
  Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.
A.18.2.1 Independent review of information security
  Control: The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.
  Audit activity: Annual review of internal audit and management review findings.
A.18.2.2 Compliance with security policies and standards
  Control: Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
  Audit activity: Annual review of internal audit and management review findings.
A.18.2.3 Technical compliance review
  Control: Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.
  Audit activity: Annual review of internal audit and management review findings.
ISO 27001 Documents
Last Updated: 2016-02-11
ISO-047 9.3 Evidence of Management Reviews of the ISMS, and their Results
ISO-048 10.1 Nonconformity Response and Corrective Action Procedures
ISO-049 10.1.f Evidence Regarding Nonconformities
ISO-050 10.1.g Evidence of the Results of any Corrective Action
ISO-051 10.2 Continual Improvement Process
ISO-052 A.5.1.1 Set of Information Security Policies
ISO-053 A.5.1.2 Evidence of Review of Information Security Policies
ISO-107 A.9.2.3 Evidence that Privileged Access Management Process is enacted (Records)
ISO-120 A.9.4.1 Evidence that Data and Application Access Authorization Procedure is enacted
ISO-121 A.9.4.2 Secure Log-on Procedure (if required by Access Control Policy)
ISO-217 A.12.7.1 Evidence that External Audit Activity Planning Process is enacted
ISO-218 A.12.7.1 External Audit Activity Report
EXT-002 N/A Network Security Policy
ISO-220 A.13.1.1 Design of Network Controls
ISO-221 A.13.1.1 Evidence of Design of Network Controls Reviews
ISO-222 A.13.1.2 Design of Controls for Network Services
ISO-223 A.13.1.2 Evidence of Design of Controls for Network Services Reviews
ISO-224 A.13.1.3 Design of Network Segregation
ISO-225 A.13.1.3 Evidence of Design of Network Segregation Reviews
ISO-226 A.13.2.1 Information Transfer Policies
ISO-227 A.13.2.1 Evidence of Information Transfer Policies Reviews
ISO-228 A.13.2.1 Information Transfer Procedures
ISO-229 A.13.2.1 Evidence of Information Transfer Procedures Reviews
ISO-230 A.13.2.1 Information Transfer Control Design
ISO-231 A.13.2.1 Evidence of Information Transfer Control Design Reviews
ISO-232 A.13.2.2 Information Transfer Agreement Policy
ISO-233 A.13.2.2 Evidence of Information Transfer Agreement Policy Reviews
ISO-234 A.13.2.2 Information Transfer Agreement Template
ISO-235 A.13.2.2 Evidence of Information Transfer Agreements
ISO-236 A.13.2.3 Secure Electronic Messaging Policy
ISO-237 A.13.2.3 Evidence of Secure Electronic Messaging Policy Reviews
ISO-238 A.13.2.3 Secure Electronic Messaging Procedure
ISO-239 A.13.2.3 Evidence of Secure Electronic Messaging Procedure Reviews
ISO-240 A.13.2.4 Confidentiality and NDA Requirements Design
Total 350
Link to mandatory/non-mandatory documents: http://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

Documents by requirement level        Documents by type
  Required     54                       Policy             36
  Implied     221                       Process            51
  Optional     75                       Procedure          28
                                        Plan               11
  Unique Docs  23                       Description        42
                                        Form or Template   22
                                        Record            159

Document status tracker (all counts were 0 at the last update)

All phases (Total Included: 0)
  Status         Policy  Process  Procedure  Plan  Description
  Implemented       0       0         0        0        0
  Approved          0       0         0        0        0
  Written           0       0         0        0        0
  In Progress       0       0         0        0        0
  Waiting           0       0         0        0        0
  Phase 2           0       0         0        0        0
  Unknown           0       0         0        0        0
  Total             0       0         0        0        0

Phase 1
  Status         Policy  Process  Procedure  Plan  Description
  Implemented       0       0         0        0        0
  Approved          0       0         0        0        0
  Written           0       0         0        0        0
  In Progress       0       0         0        0        0
  Total             0       0         0        0        0