
ISO 27001 Project Tasks

Last Updated: 2016-03-29

Columns: ISO 27001 Section | Task | Status | Resources - Customer

Phase 1: Develop the Information Security Management System (ISMS)


N/A Initiation
N/A Approve the project
N/A Set up project communications
N/A Agree on the project timeline

Part 1: "Plan"
4 Context of the organization
N/A Create document list
N/A Create an Organization Chart

N/A Identify Key Department Staff and Process Owners


N/A Create initial mapping of ISO 27001 controls to departments

N/A Schedule initial kickoff meetings


N/A Schedule first onsite travel for Consultant team
N/A Present the initial kickoff meetings

N/A Refine the mapping of ISO 27001 controls to specific application/data owners
4.1 Understanding the organization and its context
4.1 Document external and internal relevant issues

4.1 Determine applicability

4.2 Understanding the needs and expectations of interested parties


4.2.a Document interested third parties
4.2.b Document requirements of interested third parties
4.1, 4.2, 4.4, 5.1, 5.2.c-d, 5.3 Draft the Information Security Policy

4.3 Determining the scope of the information security management system (ISMS)
4.3 Create the Scope document
N/A Discuss observations and pertinent details
4.3.a Include scope item

4.3.a Include Risk Register

4.3.a Include Risk Analysis Report

4.3.a Include Security Questionnaires

4.3.b Include scope item


4.3.c Include scope item

N/A Approve the Scope document


4.4 Information security management system
4.4 Document the ISMS
5 Leadership
5.1 Leadership and commitment
5.1, 5.2.c-d Commit to the Information Security Policy
5.2 Policy
5.2.a-b Establish the Information Security Policy

N/A Approve the Information Security Policy


5.2.e Document the Information Security Policy
5.2.f Internally publish the Information Security Policy
5.2.g Externally publish the Information Security Policy
5.3 Organizational roles, responsibilities, and authorities
5.3 Assign responsibilities and authority

5.3.a Ensure conformance with ISO 27001

5.3.b Ensure performance reporting


6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
6.1.1.a Ensure ISMS success

6.1.1.b Minimize adverse effects

6.1.1.c Build in continual improvement

6.1.1.d Plan actions to address risks and opportunities


6.1.1.e.1 Plan how to integrate these into ISMS processes
6.1.1.e.2 Plan how to evaluate effectiveness of actions
N/A Provide initial control lists
6.1.2 Information security risk assessment
6.1.2.a Define the risk criteria
6.1.2.a.1 Define the risk acceptance criteria
6.1.2.a.2 Define the risk assessment performance criteria
6.1.2.b Define the risk assessment process
N/A Develop the Risk Assessment Program in accordance with the NIST 800-30 Standard.
6.1.2.c-d Identify and analyze the information security risks

6.1.2.c-d Review the most recent Risk Assessment [part 1]
6.1.2.c-d Review the most recent security audit results [part 2]
6.1.2.c-d Review the most recent risk questionnaires [part 3]
N/A Create discussion documents

6.1.2.c-d Perform a Risk Assessment with each business unit

6.1.2.c-d Business unit: Information Security


6.1.2.c-d Business unit: Legal/Compliance
6.1.2.c-d Business unit: Internal Audit
6.1.2.c-d Business unit: IT
6.1.2.c-d Business unit: Engineering
6.1.2.c-d Business unit: Accounting
6.1.2.c-d Business unit: Finance/Strategy
6.1.2.c-d Business unit: M&A and Business Analysis
6.1.2.c-d Business unit: HR
6.1.2.c-d Business unit: Sales
6.1.2.c-d Business unit: Marketing
6.1.2.c-d Business unit: Customer Support
6.1.2.e Evaluate the information security risks
6.1.2.e.1 Review the identified risks against the criteria
6.1.2.e.2 Prioritize the risks
6.1.3 Information security risk treatment
6.1.3 Define the risk treatment process
6.1.3.a Treat the risks

6.1.3.b Select controls


6.1.3.c Compare selected controls to ISO 27001 controls

N/A Map the controls to the SOC framework


6.1.3.d Document a Statement of Applicability

6.1.3.e Create a Risk Treatment Plan


6.1.3.f Obtain risk acceptance/approval for mitigation

6.2 Information security objectives and planning to achieve them


6.2 Information security objectives and planning

6.2.a-e Define information security objectives

6.2.f-j Plan how to achieve information security objectives

6.2.a-j TBD: Function/level 1
6.2.a-j TBD: Function/level 2
6.2.a-j TBD: Function/level 3
Part 2: "Do"
7 Support
7.1 Resources
7.1 Determine initial resource requirements
N/A Determine client project resources
7.1 Identify Internal Audit resource

N/A Provide estimate of Internal Audit cost

7.1 Select external audit/certification firm

7.1 Determine ongoing resource requirements


7.2 Competence
7.2.a Define competence requirements

7.2.b Evaluate competence of resources


7.2.c Acquire competence [part 1]
7.2.c Evaluate effectiveness of actions taken [part 2]
7.2.d Define record keeping for competence
7.3 Awareness
7.3 Security Awareness Training

7.4 Communication
7.4 Establish Communication

7.5 Documented information


N/A Agree on documents to be included
N/A Update Section 7.5.1 in this project plan
7.5 Create required documentation

7.5.1 General
7.5.1.a Scope of the ISMS (4.3)
7.5.1.a Information security policy and objectives (5.2 and 6.2)
7.5.1.a Risk assessment methodology (6.1.2)
7.5.1.a Risk treatment methodology (6.1.2)
7.5.1.a Statement of Applicability (6.1.3 d)
7.5.1.a Risk treatment plan (6.1.3 e and 6.2)
7.5.1.a Risk assessment report (8.2)
7.5.1.a Definition of security roles and responsibilities (A.7.1.2 and A.13.2.4)
7.5.1.a Inventory of assets (A.8.1.1)
7.5.1.a Acceptable use of assets (A.8.1.3)
7.5.1.a Access control policy (A.9.1.1)
7.5.1.a Operating procedures for IT management (A.12.1.1)
7.5.1.a Secure system engineering principles (A.14.2.5)
7.5.1.a Supplier security policy (A.15.1.1)
7.5.1.a Incident management procedure (A.16.1.5)
7.5.1.a Business continuity procedures (A.17.1.2)
7.5.1.a Statutory, regulatory, and contractual requirements (A.18.1.1)
7.5.1.a Create templates for required records
7.5.1.a Competence (7.2)

7.5.1.a Monitoring and measurement results (9.1)


7.5.1.a Change control records (implied in 8.1)
7.5.1.a Internal audit program (9.2)
7.5.1.a Results of internal audits (9.2)
7.5.1.a Results of the management review (9.3)
7.5.1.a Results of corrective actions (10.1)
7.5.1.a Logs of user activities, exceptions, and security events (A.12.4.1 and A.12.4.3)
7.5.1.b Create documentation as appropriate

7.5.2 Creating and updating


7.5.2 Define document creation and updating process
7.5.2.a-b Ensure appropriate content, format, and media

7.5.2.c Ensure acceptability of ISMS documents


N/A Perform review of ISMS documentation
7.5.3 Control of documented information
7.5.3 Define control of ISMS documentation

7.5.3.a Availability
7.5.3.b Protection
7.5.3 Document control of ISMS documentation
7.5.3.c Transmission and access
7.5.3.d Storage
7.5.3.e Version control
7.5.3.f Retention and destruction
7.5.3.* Identification of externally originating documents
N/A Create document management and workflow

N/A Set up project document repository


8 Operation
8.1 Operational planning and control
8.1 Implement operational planning and control
8.1 Implement record keeping for operational control
8.1 Implement change control

8.1 Control of outsourced processes

8.1 Create operational control records


8.2 Information security risk assessment
8.2 Schedule information security risk assessments
8.2 Specify criteria for unscheduled risk assessments
8.2 Define record keeping for risk assessments

8.2 Create risk assessment records


8.3 Information security risk treatment
8.3 Implement the information security risk treatment plan
8.3 Implement record keeping for risk treatments

8.3 Create risk treatment records


Part 3: "Check"
9 Performance evaluation
9.1 Monitoring, measurement, analysis, and evaluation
9.1.a-f Document the evaluation process

9.1 Define record keeping for monitoring and measurement

9.1 Create monitoring and measurement records


9.2 Internal audit
9.2.a-f Document the audit program

9.2.g Define record keeping for internal audit

9.3 Management review


9.3 Document the management review process

9.3 Define record keeping for management review

Part 4: "Act"
10 Improvement
10.1 Nonconformity and corrective action
10.1.a-e Document the process for response to nonconformities

10.1.f-g Define record keeping for corrective action

10.2 Continual improvement


Commit to continual improvement
Phase 2: Test and Audit the ISMS
I Internal Audit
Internal Audit
Project manage and perform internal audit
Coordinate remediation
Management review
II External Audit (Part 1)
Stage 1 Audit
Coordinate the Stage 1 audit schedule and activities
Gather supporting evidence
Finish compiling evidence
Review Stage 1 audit findings
Coordinate remediation
III External Audit (Part 2)
Stage 2 Audit
Coordinate the Stage 2 audit schedule and activities
Obtain evidence requirements list
Gather required evidence
Phase 3: Achieve Certification
IV Finalize Certification
ISO 27001 Certification
Receive official certification
ISO 27001 Implementation and Certification
Columns: Resources - Consultant | Task Details and Next Steps

Schedule weekly status meetings for the duration of the project.


Confirm the timing for the various work steps and key milestones based on the external certification firm's audit schedule, Customer's timing boundaries and availability of key contacts, and the Consultant team's schedule.

Create comprehensive list of documents for consideration for inclusion in the ISMS.
Add details for key staff to PM workbook.
Create visual organization chart.

Create initial mapping of ISO 27001 controls to departments, indicating expected applicability of each. Use the data to estimate required interview time for each department. Provide the control mappings to the corresponding departments for initial feedback and to help them become familiar with the items of future discussions.

Meet key subject matter experts (SMEs) and Customer committee members, and lay out the project plan and timeline.

Meet with business unit leaders together to determine the breakdown of future groups/meetings (based on which data/applications they use).
Determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its ISMS.
Document external and internal issues relevant to the company's purpose and that affect its ability to achieve the ISMS goals.

Review with each Business Unit the ISO 27001 Requirements (Annex A); results of recent risk analyses and/or related initiatives; and Questionnaire results.
Determine relevant interested parties and their requirements.
Document interested parties that are relevant to the ISMS.
Document the requirements of these interested parties relevant to information security.
Include or reference the following items:
1) External and internal issues relevant to the company's purpose and that affect its ability to achieve the ISMS goals (4.1)
2) Interested parties and their requirements/objectives (4.2)
3) Statement of leadership commitment (5.1, 5.2.c, 5.2.d)
4) Assignment of key roles and responsibilities [by titles] (5.3)

Determine the boundaries and applicability of the ISMS.


Create the Scope document as defined below.
Review any observations prior to the start of the project.
Include external and internal issues relevant to the company's purpose and that affect its ability to achieve the ISMS goals.

Review the most recent risk analysis, and include the recommendations to be addressed in the Scope document.

Map the results of any recent risk analyses to the ISO 27001 requirements. Include the ones to be addressed in the Scope
document.
Map the results of the internal security questionnaires to the ISO 27001 requirements. Include the ones to be addressed in
the Scope document.
Include interested parties and their requirements/objectives.
Include interfaces and dependencies between internal and external activities (may be specified in the Information Security Policy).
Approve the Scope document.
Establish, implement, maintain and continually improve the ISMS.
Create the ISMS Master Document.

Demonstrate leadership and commitment with respect to the ISMS.


Have senior leadership review the Information Security Policy and sign off on the commitments specified in Sections 5.1, 5.2.c, and 5.2.d of the standard.
Establish an information security policy.
Document the Information Security Policy, making sure that it: a) is appropriate to the purpose of the organization; and b) includes the information security objectives determined in Section 6.2.
Have senior leadership review the Information Security Policy and formally approve (sign off on) it.
Document the Information Security Policy.
Publish and announce to internal staff the Information Security Policy.
Publish and announce to external stakeholders and interested parties the Information Security Policy.
Ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.
Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.
Assign responsibilities and authority for ensuring that the ISMS conforms to the requirements of ISO 27001:2013.

Assign responsibilities and authority for reporting on the performance of the ISMS to top management.

Address risks and opportunities related to the ISMS.


Include internal and external issues, and interested parties and their requirements, when planning for the ISMS.
Determine and document risks and opportunities (based on results of Sections 4.1 and 4.2) that need to be addressed to ensure the information security management system can achieve its intended outcome(s).
Determine and document risks and opportunities (based on results of Sections 4.1 and 4.2) that need to be addressed to prevent, or reduce, undesired effects.
Determine and document risks and opportunities (based on results of Sections 4.1 and 4.2) that need to be addressed to achieve continual improvement.
Plan actions to address the risks and opportunities determined in Sections 6.1.1a-c.
Plan how to integrate and implement the actions determined in Section 6.1.1.d into the ISMS processes.
Plan how to evaluate the effectiveness of the actions implemented in Section 6.1.1.e.1.
Discuss which business units should receive initial control lists.
Define and apply an information security risk assessment process.
Define and document the Risk Assessment criteria.
Define and document the risk acceptance criteria.
Define and document the criteria for performing information security risk assessments.
Define and document the Risk Assessment process.
Review the Risk Assessment Program and align it with NIST Special Publication 800-30 Revision 1.

Apply the information security risk process; identify the risk owners; and analyze the impact and likelihood of each risk and combine these to specify the level of each risk.
Review the most recent risk assessment.

Review the most recent security audit.

Review results from the Customer business units' Internal Risk Analysis Scoping Questionnaires.

Combine the responses from the internal Security Questionnaires, ISO 27001 controls, and set of additional discussion items into a single document for each business unit.
Facilitate discussions with each business unit regarding their processes; applicable ISO 27001 controls; and answers to the security questionnaires.

Evaluate the information security risks.


Compare the results of risk analysis with the risk criteria established in 6.1.2.a.
Rank the risks by level (as determined in Section 6.1.2.c-d).
Define and apply an information security risk treatment process.
Define and document the risk treatment process.
For each risk identified in the Risk Assessment, select a risk treatment option (Accept, Mitigate, Transfer, or Avoid).

For each risk to be mitigated, determine the controls to be implemented.


Compare the selected controls to the 114 controls in ISO 27001 Annex A, and include all relevant controls from the Annex.

SOW Step 15
Align the ISO 27001 Annex A controls and documentation mapping with the existing SOC framework where relevant.
Produce a Statement of Applicability that contains the necessary controls (see 6.1.3.b-c) and justification for inclusions,
whether they are implemented or not, and the justification for exclusions of controls from Annex A.
Document the Risk Treatment Plan.
For each Risk Treatment Plan item, review with the business unit managers and get their sign-off for each risk's treatment option.
Establish information security objectives at relevant functions and levels.
Determine and document the relevant functions and levels for establishment of information security objectives.

For each function/level determined in Section 6.2, work with the business owners to determine and document the corresponding information security objectives. Make sure that they:
a) are consistent with the information security policy;
b) are measurable (if practicable);
c) take into account applicable information security requirements, and results from risk assessment and risk treatment;
d) are communicated; and
e) are updated as appropriate.

For each objective determined in Section 6.2, work with the business owners to plan how to achieve the objectives by determining:
f) what will be done;
g) what resources will be required (see Section 7.1);
h) who will be responsible;
i) when it will be completed; and
j) how the results will be evaluated.

Determine and provide the resources needed for the ISMS.


Determine and document the resources required to establish and implement the ISMS.
Determine the client resource to attend meetings with client process owners.
SOW Step 10
Customer PM has selected Consultant to perform the internal audit function for this project.
As appropriate and possible, provide an estimate of internal audit costs, and coordinate the appropriate resource and scheduling.
Assist Customer with the selection of the external certification firm. This needs to be initiated early in the project in order to ensure that the firm can schedule and prepare for the audit and certification within our timeframe.

Determine and document the resources required to maintain and continuously improve the ISMS.
Ensure appropriate competence for all persons whose work affects information security performance.
Define and document the necessary competence of all staff who affect the performance of information security.

Review the competence of the corresponding personnel based on the criteria defined in Section 7.2.a (e.g., education, training, and experience).
Take actions to bring all relevant personnel to the required levels of competence.

Evaluate the effectiveness of actions taken to ensure competence of relevant staff.

Retain documented evidence of competence (and records of competence evaluations).


Ensure appropriate security awareness for all persons doing work under the organization's control.
Review the current security awareness program, and enhance it as necessary to ensure that all personnel are aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
c) the implications of not conforming with the information security management system requirements.

Determine and document the need for internal and external communications relevant to the ISMS.
Determine the need for internal and external communications relevant to the ISMS including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be effected.

Documented information pertinent to the organization and the ISMS shall be included.
Confirm the documents intended to be included in the ISMS implementation, and obtain approval from the Customer PM.
Update Section 7.5.1 below with the documents to be included.
Develop the ISO 27001 Required Documents section in accordance with sections 4-8 of the 2013 Standard. Ensure Policies and Procedures Documentation is updated or developed to support the relevant Annex A controls.

The ISMS shall include required documented information.

Create this document.

Create this document.


Create this document. Check with HR.
Create this document.
Create this document.
Create this document.
Create this document.
Create this document.
Create this document.
Create this document.
Create this document.
Create record templates as evidence of competence (e.g., records of training, skills, experience and qualifications) (7.2).

Create this document.


Create this document.
Create this document.
Create this document.
Create this document.
Create this document.
Create this document.

Determine and create any additional documents necessary for the effectiveness of the ISMS. See the Documents worksheet.

When creating and updating documented information, appropriate measures will be taken.
Define the content, format, media, and review/approval process for the ISMS documentation.
Review the ISMS documents and ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number)
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic)

Review the ISMS documents for suitability and adequacy, and approve them.
Quality review: address completeness and accuracy of the entire documentation set.
Documented information required by the ISMS shall be controlled.
Determine and document how the ISMS documented information will be controlled in regards to the following:

a) availability and suitability


b) protection (e.g., from loss of confidentiality, improper use, or loss of integrity)
Document the policies, procedures, and controls for the ISMS documentation pertaining to:
c) distribution, access, retrieval and use
d) storage and preservation, including the preservation of legibility
e) control of changes (e.g. version control)
f) retention and disposition
*) identification and inclusion of externally originating ISMS documented information
Set up document management to manage the project documentation components, including the ability to handle version control, workflow, and approvals.
Create and specify a shared Customer location for the project documentation.

Plan, implement, and control the processes needed to meet information security requirements.
Implement actions and plans determined in Sections 6.1 and 6.2.
Define the requirements for keeping records as evidence that processes have been carried out as planned.
Document and implement change control policies and procedures, including response to unintended changes and mitigation of adverse effects.
Document outsourced processes and how they are controlled. Bring this up during facilitated discussions with the business units.
Create the appropriate operational control records.
Perform information security risk assessments.
Specify the schedule of risk assessments.
Determine triggers ("when significant changes are proposed or occur") for unscheduled risk assessments.
Define the requirements for keeping records as evidence that risk assessments have been carried out as planned, and their results.
Create the appropriate risk assessment records.
Perform information security risk treatment.
Implement the risk treatment plan documented and approved in Sections 6.1.3.e-f.
Define the requirements for keeping records as evidence that risk treatments have been carried out as planned, and their results.
Create the appropriate risk treatment records.

Evaluate the information security performance and the effectiveness of the ISMS.
Document the methodology to evaluate the performance and effectiveness of the ISMS. Determine what needs to be monitored and measured, including information security processes and controls; the methods for monitoring, measurement, analysis and evaluation; when the monitoring and measuring shall be performed; who shall perform the monitoring and measuring; when the results from monitoring and measurement shall be analyzed and evaluated; and who shall analyze and evaluate these results.

Define the requirements for keeping records as evidence that monitoring and measurement have been carried out as planned, and their results.
Create the appropriate monitoring and measurement records.
Plan, establish, implement, and maintain an internal audit program.
Determine and document the methodology to evaluate the performance and effectiveness of the ISMS. Specify the frequency, methods, responsibilities, planning requirements, and reporting. Also specify how the audit criteria and scope will be defined for each audit; how auditors will be selected and audits will be conducted to ensure objectivity and impartiality of the audit process; how and to whom the audit results will be reported; and the records to be retained as evidence of the audit program and the results of each audit.

Define the requirements for the records to be retained as evidence of the audit program and the results of each audit.

Review the ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
Document the management review process including: a) reviews of the status of actions from previous management reviews; b) changes in external and internal issues that are relevant to the ISMS; c) feedback on the information security performance (including trends in: 1) nonconformities and corrective actions; 2) monitoring and measurement results; 3) audit results; and 4) fulfilment of information security objectives); d) feedback from interested parties; e) results of risk assessment and status of risk treatment plan; and f) opportunities for continual improvement. The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.

Define the requirements for keeping records as evidence that management reviews have been carried out as planned, and their results.

React appropriately to nonconformities.


Document the process for response to nonconformities, including how the organization: a) reacts to the nonconformity (and as applicable: 1) takes action to control and correct it; and 2) deals with the consequences); b) evaluates the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere (by: 1) reviewing the nonconformity; 2) determining the causes of the nonconformity; and 3) determining if similar nonconformities exist, or could potentially occur); c) implements any action needed; d) reviews the effectiveness of any corrective action taken; and e) makes changes to the ISMS, if necessary.

Define the requirements for keeping records as evidence of f) the nature of the nonconformities and any subsequent actions taken, and g) the results of any corrective action.
Continually improve the suitability, adequacy and effectiveness of the ISMS.
No tasks

Coordinate and perform internal audit.


Coordinate Internal Audit.
Coordinate remediation in preparation for Part 1 audit.
Facilitate management review of internal audit findings.

Coordinate Stage 1 audit.


Coordinate the Stage 1 audit.
Begin pulling together the supporting evidence for the Stage 2 audit.
Finish compiling evidence for the Stage 2 audit.
Facilitate management review of Stage 1 audit findings.
Coordinate remediation in preparation for the Stage 2 audit.

Coordinate Stage 2 audit.


Coordinate the external certification firm's ISO 27001 Stage 2 audit.
Obtain evidence requirements listings from the external certification firm.
Coordinate the evidence gathering.

Coordinate ISO 27001 certification.


Coordinate the draft and finalization of the certification.
ISO 27001 Annex A Control List and Statement of Applicability
Last Updated: 2016-02-16

ISO 27001 Statement of Applicability (SoA)

Department columns (grouped under Oversight, Technical, Finance, Other):
Information Security; Legal / Compliance; Internal Audit; IT - Corp; TO - Infrastructure; TO - Engineering; Accounting; Finance - Strategy; Finance - M&A and Bus. Analysis; HR; Sales; Marketing; Customer Support

Control Justification codes:
L - Legal & Regulatory
C - Contractual
B - Business Req. & Best Practices
R - Risk Assessment
O - Other (explain)

Columns: Control ID | Section/Control Title | Section Objective/Control Description | Inclusion | Existing Controls | L C B R O | Comments | Suggested Effectiveness Measurement(s)
A.5 Information Security Policies
A.5.1 Management direction Objective: To provide management direction and support for
for information security information security in accordance with business requirements and
relevant laws and regulations.
A.5.1.1 The policies for A set of policies for information security shall be defined, approved Review policies on an annual basis and look
information security by management, published and communicated to employees and for security issues related to policy controls.
relevant external parties.
A.5.1.2 Review of the policies The policies for information security shall be reviewed at planned Discuss the effectiveness of the review
for information security intervals or if significant changes occur to ensure their continuing process with the management team.
suitability, adequacy and effectiveness.
A.6 Organization of information security
A.6.1 Internal organization Objective: To establish a management framework to initiate and
control the implementation and operation of information security
within the organization.
A.6.1.1 Information security All information security roles and responsibilities shall be defined Perform an annual review of information
roles and responsibilities and allocated. security roles and responsibilities.

A.6.1.2 Segregation of duties Conflicting duties and areas of responsibility shall be segregated to Perform an annual review of the segregation
reduce opportunities for unauthorized or unintentional modification of duties requirements in the security policies
or misuse of the organizations assets. as well as a review of any segregation of
duties related security incidents.

A.6.1.3 Contact with authorities Appropriate contacts with relevant authorities shall be maintained. Verify contact information on an annual basis
during the policy and procedure review.

A.6.1.4 Contact with special Appropriate contacts with special interest groups or other specialist Review the group memberships on an annual
interest groups security forums and professional associations shall be maintained. basis (measure their industry contribution)
and consider new groups if available.

A.6.1.5 Information security in Information security shall be addressed in project management, Audit the security incidents to identify any
project management regardless of the type of the project. incidents related to the releases.
A.6.2 Mobile devices and Objective: To ensure the security of teleworking and use of mobile
teleworking devices.
A.6.2.1 Mobile device policy A policy and supporting security measures shall be adopted to Review number of mobile device related
manage the risks introduced by using mobile devices. security instances.
A.6.2.2 Teleworking A policy and supporting security measures shall be implemented to Review number of mobile workers and
protect information accessed, processed or stored at teleworking sites. security incidents involving off-site work.

A.7 Human resource security

A.7.1 Prior to employment
  Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

A.7.1.1 Screening
  Control: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
  Measurement: Audit the service level agreement with HR.

A.7.1.2 Terms and conditions of employment
  Control: The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security.
  Measurement: Review the employee handbook.

A.7.2 During employment
  Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

A.7.2.1 Management responsibilities
  Control: Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.
  Measurement: Ensure all employees attest to agreeing to the Employee Handbook at least once a year.

A.7.2.2 Information security awareness, education and training
  Control: All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
  Measurement: Survey after training - 100% attendance by Ops and 10 question quiz scores.

A.7.2.3 Disciplinary process
  Control: There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
  Measurement: Verify employees have signed off on the employee handbook and gather feedback on the disciplinary process from HR.

A.7.3 Termination and change of employment
  Objective: To protect the organization's interests as part of the process of changing or terminating employment.

A.7.3.1 Termination or change of employment responsibilities
  Control: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.
  Measurement: Perform a quarterly user account and access audit to ensure that access was revoked for all terminated employees.

A.8 Asset management

A.8.1 Responsibility for assets
  Objective: To identify organizational assets and define appropriate protection responsibilities.

A.8.1.1 Inventory of assets
  Control: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
  Measurement: Perform a bi-annual audit to ensure that assets are tracked in the system of record.

A.8.1.2 Ownership of assets
  Control: Assets maintained in the inventory shall be owned.
  Measurement: Perform an annual audit to ensure asset owners are accurate.

A.8.1.3 Acceptable use of assets
  Control: Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.
  Measurement: Evaluate the number of issues or disciplinary actions related to acceptable use of company assets.

A.8.1.4 Return of assets
  Control: All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.
  Measurement: Perform an annual audit to ensure that terminated employees returned their equipment.

A.8.2 Information classification
  Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

A.8.2.1 Classification of information
  Control: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
  Measurement: Perform an annual information security policy review and review any security incidents related to the classification of sensitive information.

A.8.2.2 Labelling of information
  Control: An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
  Measurement: Perform an annual information security policy review and review any security incidents related to the labelling of sensitive information.

A.8.2.3 Handling of assets
  Control: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
  Measurement: Perform an annual information security policy review and review any security incidents related to the handling of sensitive information.

A.8.3 Media handling
  Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

A.8.3.1 Management of removable media
  Control: Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.
  Measurement: Assess the use of removable media and any security incidents involving removable media.

A.8.3.2 Disposal of media
  Control: Media shall be disposed of securely when no longer required, using formal procedures.
  Measurement: Assess the media disposal practices.

A.8.3.3 Physical media transfer
  Control: Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.
  Measurement: Assess the use of removable media and any security incidents involving removable media.

A.9 Access control

A.9.1 Business requirements of access control
  Objective: To limit access to information and information processing facilities.

A.9.1.1 Access control policy
  Control: An access control policy shall be established, documented and reviewed based on business and information security requirements.
  Measurement: Perform a quarterly user account and access audit.

A.9.1.2 Access to networks and network services
  Control: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.
  Measurement: Perform a quarterly user account and access audit.

A.9.2 User access management
  Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.2.1 User registration and de-registration
  Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
  Measurement: Perform a quarterly user account and access audit.

A.9.2.2 User access provisioning
  Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.
  Measurement: Perform a quarterly user account and access audit.

A.9.2.3 Management of privileged access rights
  Control: The allocation and use of privileged access rights shall be restricted and controlled.
  Measurement: Perform a quarterly user account and access audit.

A.9.2.4 Management of secret authentication information of users
  Control: The allocation of secret authentication information shall be controlled through a formal management process.
  Measurement: Perform a quarterly user account and access audit.

A.9.2.5 Review of user access rights
  Control: Asset owners shall review users' access rights at regular intervals.
  Measurement: Perform a quarterly user account and access audit.

A.9.2.6 Removal or adjustment of access rights
  Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
  Measurement: Perform a quarterly user account and access audit.

A.9.3 User responsibilities
  Objective: To make users accountable for safeguarding their authentication information.

A.9.3.1 Use of secret authentication information
  Control: Users shall be required to follow the organization's practices in the use of secret authentication information.
  Measurement: Perform an annual information security policy review and review any security incidents related to authentication information.

A.9.4 System and application access control
  Objective: To prevent unauthorized access to systems and applications.

A.9.4.1 Information access restriction
  Control: Access to information and application system functions shall be restricted in accordance with the access control policy.
  Measurement: Perform a quarterly user account and access audit.

A.9.4.2 Secure log-on procedures
  Control: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.
  Measurement: Perform an annual information security policy review and review any security incidents related to authentication information.

A.9.4.3 Password management system
  Control: Password management systems shall be interactive and shall ensure quality passwords.
  Measurement: Review password requirements during the annual policy review and review any security incidents related to passwords.

A.9.4.4 Use of privileged utility programs
  Control: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
  Measurement: Perform a quarterly user account and access audit.

A.9.4.5 Access control to program source code
  Control: Access to program source code shall be restricted.
  Measurement: Perform a quarterly user account and access audit.

A.10 Cryptography

A.10.1 Cryptographic controls
  Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

A.10.1.1 Policy on the use of cryptographic controls
  Control: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
  Measurement: Review encryption requirements during the annual policy review and review any security incidents related to information exposure.

A.10.1.2 Key management
  Control: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.
  Measurement: Review encryption requirements during the annual policy review and review any security incidents related to information exposure.

A.11 Physical and environmental security

A.11.1 Secure areas
  Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.

A.11.1.1 Physical security perimeter
  Control: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.
  Measurement: Perform an annual review of the data center SOC/ISO reports.

A.11.1.2 Physical entry controls
  Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
  Measurement: Perform an annual review of the data center SOC/ISO reports.

A.11.1.3 Securing offices, rooms and facilities
  Control: Physical security for offices, rooms and facilities shall be designed and applied.
  Measurement: Perform an annual review of the data center SOC/ISO reports.

A.11.1.4 Protecting against external and environmental threats
  Control: Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
  Measurement: Perform an annual review of the data center SOC/ISO reports.

A.11.1.5 Working in secure areas
  Control: Procedures for working in secure areas shall be designed and applied.
  Measurement: Perform an annual information security policy review.

A.11.1.6 Delivery and loading areas
  Control: Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
  Measurement: Review security incidents related to unauthorized physical access.

A.11.2 Equipment
  Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

A.11.2.1 Equipment siting and protection
  Control: Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
  Measurement: Perform an annual information security policy review. Annual review of SOC/ISO reports.

A.11.2.2 Supporting utilities
  Control: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
  Measurement: Perform an annual information security policy review. Annual review of SOC/ISO reports.

A.11.2.3 Cabling security
  Control: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.
  Measurement: Perform an annual information security policy review. Annual review of SOC/ISO reports.

A.11.2.4 Equipment maintenance
  Control: Equipment shall be correctly maintained to ensure its continued availability and integrity.
  Measurement: Annual equipment audit to ensure replacement of non-supported hardware.

A.11.2.5 Removal of assets
  Control: Equipment, information or software shall not be taken off-site without prior authorization.
  Measurement: Perform an annual information security policy review. Annual review of SOC/ISO reports.

A.11.2.6 Security of equipment and assets off-premises
  Control: Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises.
  Measurement: Perform an annual information security policy review.

A.11.2.7 Secure disposal or reuse of equipment
  Control: All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
  Measurement: Perform an annual information security policy review.

A.11.2.8 Unattended user equipment
  Control: Users shall ensure that unattended equipment has appropriate protection.
  Measurement: Perform an annual information security policy review.

A.11.2.9 Clear desk and clear screen policy
  Control: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.
  Measurement: Perform an annual information security policy review.
A.12 Operations security

A.12.1 Operational procedures and responsibilities
  Objective: To ensure correct and secure operations of information processing facilities.

A.12.1.1 Documented operating procedures
  Control: Operating procedures shall be documented and made available to all users who need them.
  Measurement: Perform an annual procedures audit.

A.12.1.2 Change management
  Control: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.
  Measurement: Annual review of the change management process.

A.12.1.3 Capacity management
  Control: The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.
  Measurement: Review the number of security or availability issues related to capacity management.

A.12.1.4 Separation of development, testing and operational environments
  Control: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.
  Measurement: Review the requirements and any security incidents related to system isolation.

A.12.2 Protection from malware
  Objective: To ensure that information and information processing facilities are protected against malware.

A.12.2.1 Controls against malware
  Control: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
  Measurement: Review the number of security incidents and impacts related to malware.

A.12.3 Backup
  Objective: To protect against loss of data.

A.12.3.1 Information backup
  Control: Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.
  Measurement: Success of restore procedures. Log of restores required.

A.12.4 Logging and monitoring
  Objective: To record events and generate evidence.

A.12.4.1 Event logging
  Control: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
  Measurement: Annual review to confirm log file information is still sufficient and the availability of the log files meets management/customer expectations.

A.12.4.2 Protection of log information
  Control: Logging facilities and log information shall be protected against tampering and unauthorized access.
  Measurement: Annual review of controls and measure the number of log related security events.

A.12.4.3 Administrator and operator logs
  Control: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
  Measurement: Annual review of the administrator access logging capabilities.

A.12.4.4 Clock synchronisation
  Control: The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source.
  Measurement: Annual audit of time synchronization.

A.12.5 Control of operational software
  Objective: To ensure the integrity of operational systems.

A.12.5.1 Installation of software on operational systems
  Control: Procedures shall be implemented to control the installation of software on operational systems.
  Measurement: Annual review of system failures and related security and operational system incidents.

A.12.6 Technical vulnerability management
  Objective: To prevent exploitation of technical vulnerabilities.

A.12.6.1 Management of technical vulnerabilities
  Control: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
  Measurement: Review the number of failures due to not acting on system vulnerabilities.

A.12.6.2 Restrictions on software installation
  Control: Rules governing the installation of software by users shall be established and implemented.
  Measurement: Perform an annual information security policy review.

A.12.7 Information systems audit considerations
  Objective: To minimise the impact of audit activities on operational systems.

A.12.7.1 Information systems audit controls
  Control: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.
  Measurement: Perform an annual information security policy and procedures review.
A.13 Communications security

A.13.1 Network security management
  Objective: To ensure the protection of information in networks and its supporting information processing facilities.

A.13.1.1 Network controls
  Control: Networks shall be managed and controlled to protect information in systems and applications.
  Measurement: Perform an annual information security policy and procedures review.

A.13.1.2 Security of network services
  Control: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.
  Measurement: Review vendor SLAs.

A.13.1.3 Segregation in networks
  Control: Groups of information services, users and information systems shall be segregated on networks.
  Measurement: Perform an annual information security policy and procedures review.

A.13.2 Information transfer
  Objective: To maintain the security of information transferred within an organization and with any external entity.

A.13.2.1 Information transfer policies and procedures
  Control: Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
  Measurement: Perform an annual information security policy and procedures review.

A.13.2.2 Agreements on information transfer
  Control: Agreements shall address the secure transfer of business information between the organization and external parties.
  Measurement: Review 3rd party contract language on an annual basis.

A.13.2.3 Electronic messaging
  Control: Information involved in electronic messaging shall be appropriately protected.
  Measurement: Perform an annual information security policy and procedures review.

A.13.2.4 Confidentiality or nondisclosure agreements
  Control: Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.
  Measurement: Review the Legal SLA.

A.14 System acquisition, development and maintenance

A.14.1 Security requirements of information systems
  Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

A.14.1.1 Information security requirements analysis and specification
  Control: The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.
  Measurement: Perform a review of the Release Management and Software Deployment document.

A.14.1.2 Securing application services on public networks
  Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
  Measurement: Ensure the use of SSL/TLS is appropriate.

A.14.1.3 Protecting application services transactions
  Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
  Measurement: Ensure the use of SSL/TLS is appropriate.

A.14.2 Security in development and support processes
  Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.2.1 Secure development policy
  Control: Rules for the development of software and systems shall be established and applied to developments within the organization.
  Measurement: Review the Engineering SLA.

A.14.2.2 System change control procedures
  Control: Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.
  Measurement: Review the change management process.

A.14.2.3 Technical review of applications after operating platform changes
  Control: When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
  Measurement: Review whether or not operating platforms changed and, if so, whether or not an application review was performed.

A.14.2.4 Restrictions on changes to software packages
  Control: Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.
  Measurement: Perform a review of the Release Management and Software Deployment document.

A.14.2.5 Secure system engineering principles
  Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
  Measurement: Review the Engineering SLA.

A.14.2.6 Secure development environment
  Control: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
  Measurement: Review the Engineering SLA.

A.14.2.7 Outsourced development
  Control: The organization shall supervise and monitor the activity of outsourced system development.

A.14.2.8 System security testing
  Control: Testing of security functionality shall be carried out during development.
  Measurement: Review the Engineering SLA and perform a review of the Release Management and Software Deployment document.

A.14.2.9 System acceptance testing
  Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
  Measurement: Perform a review of the Release Management and Software Deployment document.

A.14.3 Test data
  Objective: To ensure the protection of data used for testing.

A.14.3.1 Protection of test data
  Control: Test data shall be selected carefully, protected and controlled.
  Measurement: Review the master information security policy and the Engineering SLA.
A.15 Supplier relationships

A.15.1 Information security in supplier relationships
  Objective: To ensure protection of the organization's assets that is accessible by suppliers.

A.15.1.1 Information security policy for supplier relationships
  Control: Information security requirements for mitigating the risks associated with suppliers' access to the organization's assets shall be agreed with the supplier and documented.
  Measurement: Audit all failures due to supplier security events.

A.15.1.2 Addressing security within supplier agreements
  Control: All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information.
  Measurement: Audit all failures due to supplier security events.

A.15.1.3 Information and communication technology supply chain
  Control: Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.
  Measurement: Audit all failures due to supplier security events.

A.15.2 Supplier service delivery management
  Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

A.15.2.1 Monitoring and review of supplier services
  Control: Organizations shall regularly monitor, review and audit supplier service delivery.
  Measurement: Supplier review results.

A.15.2.2 Managing changes to supplier services
  Control: Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.
  Measurement: Supplier review results.

A.16 Information security incident management

A.16.1 Management of information security incidents and improvements
  Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.16.1.1 Responsibilities and procedures
  Control: Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
  Measurement: Perform a review of the incident response procedures.

A.16.1.2 Reporting information security events
  Control: Information security events shall be reported through appropriate management channels as quickly as possible.
  Measurement: Perform a review of the incident response procedures.

A.16.1.3 Reporting information security weaknesses
  Control: Employees and contractors using the organization's information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.
  Measurement: Perform a review of the incident response procedures.

A.16.1.4 Assessment of and decision on information security events
  Control: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.
  Measurement: Perform a review of the incident response procedures.

A.16.1.5 Response to information security incidents
  Control: Information security incidents shall be responded to in accordance with the documented procedures.
  Measurement: Perform a review of the incident response procedures.

A.16.1.6 Learning from information security incidents
  Control: Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.
  Measurement: Perform a review of the incident response procedures.

A.16.1.7 Collection of evidence
  Control: The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.
  Measurement: Perform a review of the incident response procedures.
A.17 Information security aspects of business continuity management

A.17.1 Information security continuity
  Objective: Information security continuity shall be embedded in the organization's business continuity management systems.

A.17.1.1 Planning information security continuity
  Control: The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
  Measurement: Review the BCP/DR table top test results.

A.17.1.2 Implementing information security continuity
  Control: The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
  Measurement: Review the BCP/DR table top test results.

A.17.1.3 Verify, review and evaluate information security continuity
  Control: The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
  Measurement: Review the BCP/DR table top test results.

A.17.2 Redundancies
  Objective: To ensure availability of information processing facilities.

A.17.2.1 Availability of information processing facilities
  Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
  Measurement: Review any incidents related to the availability of the data centers.
A.18 Compliance

A.18.1 Compliance with legal and contractual requirements
  Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

A.18.1.1 Identification of applicable legislation and contractual requirements
  Control: All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.
  Measurement: Review the Legal SLA.

A.18.1.2 Intellectual property rights
  Control: Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.
  Measurement: Perform an annual information security policy and procedures review.

A.18.1.3 Protection of records
  Control: Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.
  Measurement: Perform an annual information security policy and procedures review.

A.18.1.4 Privacy and protection of personally identifiable information
  Control: Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
  Measurement: Annual review of privacy policy and privacy-related incidents.

A.18.1.5 Regulation of cryptographic controls
  Control: Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
  Measurement: Review the Legal SLA.

A.18.2 Information security reviews
  Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

A.18.2.1 Independent review of information security
  Control: The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.
  Measurement: Annual review of internal audit and management review findings.

A.18.2.2 Compliance with security policies and standards
  Control: Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
  Measurement: Annual review of internal audit and management review findings.

A.18.2.3 Technical compliance review
  Control: Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.
  Measurement: Annual review of internal audit and management review findings.

ISO 27001 Documents
Last Updated: 2016-02-11

Doc ID | ISO 27001 Clause | Doc Short Description | Contained In | Requirement | Doc Type | ISMS Project Scope / Included
EXT-001 | N/A | ISMS Master Document | Own Doc | Optional | Description | No
ISO-001 | 4.1 | External and internal issues relevant to the company's purpose and that affect its ability to achieve the ISMS goals | Part of EXT-001 | Implied | Record | Yes
ISO-002 | 4.1 | Procedure for Identifying Interested Parties and their relevant Requirements | TBD | Implied | Procedure | Yes
ISO-003 | 4.2 | Interested Parties and their relevant Requirements | Part of EXT-001 | Implied | Record | Yes
ISO-004 | 4.3 | ISMS Scope | Part of EXT-001 | Required | Description | Yes
ISO-005 | 4.4 | Evidence of ISMS Implementation | TBD | Implied | Record | Yes
ISO-006 | 5.1 | ISMS Requirements | TBD | Implied | Description | Yes
ISO-007 | 5.2 | Information Security Policy | Own Doc | Required | Policy | Yes
ISO-008 | 6.1.1 | ISMS Risks and Opportunities | TBD | Implied | Record | Yes
ISO-009 | 6.1.1 | Action Plan to Address Risks and Opportunities | TBD | Implied | Plan | Yes
ISO-010 | 6.1.2 | Information Security Risk Assessment Methodology | TBD | Required | Process | Yes
ISO-011 | 6.1.2 | Risk Assessment Report | Own Doc | Implied | Record | Yes
ISO-012 | 6.1.2 | Risk Assessment Template | Own Doc | Optional | Form or Template | Yes
ISO-013 | 6.1.3 | Information Security Risk Treatment Methodology | Part of EXT-001 | Required | Process | Yes
ISO-014 | 6.1.3.d | Statement of Applicability | Own Doc | Required | Record | Yes
ISO-015 | 6.1.3.e | Risk Treatment Plan | Own Doc | Required | Plan | Yes
ISO-016 | 6.1.3 | Risk Treatment Report | TBD | Implied | Record | Yes
ISO-017 | 6.2 | Information Security Objectives | Part of EXT-001 | Required | Record | Yes
ISO-018 | 6.2 | Plan to Achieve Information Security Objectives | TBD | Implied | Plan | Yes
ISO-019 | 7.1 | ISMS Required Resources | Part of EXT-001 | Implied | Record | Yes
ISO-020 | 7.2.a | Description of Necessary Competence | Part of EXT-001 | Implied | Description | Yes
ISO-021 | 7.2.b, 7.2.c | Competence Determination/Review Procedure | TBD | Implied | Procedure | Yes
ISO-022 | 7.2.c | Competence Achievement Plan | TBD | Implied | Plan | Yes
ISO-023 | 7.2.d | Evidence of Competence | Own Doc | Required | Record | Yes
ISO-024 | 7.3 | Security Awareness Program | Own Doc | Implied | Process | Yes
ISO-025 | 7.4 | Security Awareness Training Slide Deck | Own Doc | Optional | | No
ISO-026 | 7.4 | Communication Process | Part of EXT-001 | Implied | Process | Yes
ISO-027 | 7.5.1.b | Documented information determined by the organization as being necessary for the effectiveness of the ISMS | Part of EXT-001 | Required | Record | Yes
ISO-028 | 7.5.2, 7.5.3 | Document Control Policy (including Creating and Updating Requirements and Control of Records) | TBD | Implied | Policy | Yes
ISO-029 | 7.5.2, 7.5.3 | Document Control Methodology (including Creating and Updating Requirements and Control of Records) | TBD | Implied | Process | Yes
ISO-030 | 8.1 | Evidence of completion of the Plan to Achieve Information Security Objectives | TBD | Required | Record | Yes
ISO-031 | 8.1 | Determination and Control of Outsourced Processes | TBD | Implied | Policy | Yes
ISO-032 | 8.2 | Results of the Information Security Risk Assessment (Risk Assessment Report) | Part of ISO-011 | Required | Record | Yes
ISO-033 | 8.3 | Results of the Information Security Risk Treatment (Risk Treatment Report) | Part of ISO-016 | Required | Record | Yes
ISO-034 | 9.1 | Monitoring and Measurement Methodology | TBD | Implied | Procedure | Yes
ISO-035 | 9.1 | Evidence of the Monitoring and Measurement Results | TBD | Required | Record | Yes
ISO-036 | 9.1 | Analysis and Evaluation Methodology | TBD | Implied | Procedure | Yes
ISO-037 | 9.1 | Evidence of the Analysis and Evaluation Results | TBD | Implied | Record | Yes
ISO-038 | 9.2, A.12.7.1 | Internal Audit Program | Own Doc | Required | Description | Yes
ISO-039 | 9.2 | Evidence of Internal Audit Program Reviews | Part of ISO-038 | Implied | Record | Yes
ISO-040 | 9.2 | Internal Audit Procedure | Own Doc | Optional | Process | Yes
ISO-041 | 9.2 | ISMS Audit Checklist | Own Doc | Optional | Form or Template | Yes
ISO-042 | 9.2 | Evidence of Internal Audit Procedure Reviews | Part of ISO-040 | Optional | Record | Yes
ISO-043 | 9.2.g | Evidence of Internal Audit Results | Own Doc | Required | Record | Yes
ISO-044 | 9.2.g | ISMS Corrective Action Form | Own Doc | Optional | Form or Template | Yes
ISO-045 | 9.3 | Management Review of the ISMS | TBD | Implied | Process | Yes
ISO-046 | 9.3 | Form for Management Review Minutes | TBD | Optional | Form or Template | Yes
ISO-047 | 9.3 | Evidence of Management Reviews of the ISMS, and their Results | TBD | Required | Record | Yes
ISO-048 | 10.1 | Nonconformity Response and Corrective Action Procedures | TBD | Implied | Procedure | Yes
ISO-049 | 10.1.f | Evidence Regarding Nonconformities | TBD | Required | Record | Yes
ISO-050 | 10.1.g | Evidence of the Results of any Corrective Action | TBD | Required | Record | Yes
ISO-051 | 10.2 | Continual Improvement Process | TBD | Implied | Process | Yes
ISO-052 | A.5.1.1 | Set of Information Security Policies | Own Doc | Required | Policy | Yes
ISO-053 | A.5.1.2 | Evidence of Review of Information Security Policies | TBD | Required | Record | Yes
ISO-054 | A.5.1.1 | Set of Information Security Procedures | TBD | Optional | Procedure | Yes
ISO-055 | A.6.1.1 | Information Security Roles and Responsibilities (also Section 5.3) | Part of EXT-001 | Required | Record | Yes
ISO-056 | A.6.1.1 | Evidence that Information Security Responsibilities are enacted (Records) | TBD | Implied | Record | Yes
ISO-057 | A.6.1.2 | Segregation of Duties Process | TBD | Implied | Process | Yes
ISO-058 | A.6.1.3 | Authority Contacts | TBD | Required | Record | Yes
ISO-059 | A.6.1.4 | Special Interest Group Contacts | TBD | Required | Record | Yes
ISO-060 | A.6.1.5 | Information Security Process for Project Management | TBD | Implied | Process | Yes
ISO-061 | A.6.2.1 | Mobile Device Policy | Part of ISO-052 | Required | Policy | Yes
ISO-062 | A.6.2.2 | BYOD Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-063 | A.6.2.2 | Teleworking Policy | Part of ISO-052 | Required | Policy | Yes
ISO-064 | A.7.1.1 | Background Check Process | TBD | Implied | Process | Yes
ISO-065 | A.7.1.1 | Evidence of Background Checks (Records) | TBD | Implied | Record | Yes
ISO-066 | A.7.1.2 | Employment Contract Security Responsibility Stipulations | TBD | Implied | Record | Yes
ISO-067 | A.7.1.2 | Evidence of Security Responsibility Stipulations in Employment Contracts (Records) | TBD | Implied | Record | Yes
ISO-068 | A.7.2.2 | Evidence of Security Awareness Training | TBD | Implied | Record | Yes
ISO-069 | A.7.2.2 | Evidence of Communication of Information Security Policy Change(s) (Records) | TBD | Implied | Record | Yes
ISO-070 | A.7.2.3 | Disciplinary Process (including communication of it) | TBD | Required | Process | Yes
ISO-071 | A.7.2.3 | Evidence that Disciplinary Process is being communicated (Records) | TBD | Implied | Record | Yes
ISO-072 | A.7.2.3 | Evidence that Disciplinary Process is being carried out (Records) | TBD | Implied | Record | Yes
ISO-073 | A.7.3.1 | Change of Employment Procedures Regarding Information Security Responsibilities | Part of ISO-066 | Required | Procedure | Yes
ISO-074 | A.7.3.1 | Evidence that Employment Procedures for InfoSec Responsibilities are enacted (Records) | TBD | Implied | Record | Yes
ISO-075 | A.8 | Asset Management Program | Own Doc | Optional | Description | Yes
ISO-076 | A.8.1.1, A.8.1.2 | Asset Inventory including Management Ownership | Own Doc | Required | Record | Yes
ISO-077 | A.8.1.1, A.8.1.2 | Asset Inventory Review Process | Part of ISO-075 | Implied | Process | Yes
ISO-078 | A.8.1.1, A.8.1.2 | Evidence of Asset Inventory Reviews (Records) | TBD | Implied | Record | Yes
ISO-079 | A.8.1.3 | Rules for the Acceptable Use of Information and of Assets (Acceptable Use Policy) | Part of ISO-052 | Required | Policy | Yes
ISO-080 | A.8.1.3 | Evidence of Communication of Acceptable Use of Information and of Assets (Records) | TBD | Implied | Record | Yes
ISO-081 | A.8.1.4 | Asset Return Process | Part of ISO-075 | Implied | Process | Yes
ISO-082 | A.8.1.4 | Evidence of Asset Returns (Records) | TBD | Implied | Record | Yes
ISO-083 | A.8.2.1, A.8.2.2 | Information Classification Schema | TBD | Implied | Description | Yes
ISO-084 | A.8.2.1, A.8.2.2 | Information Classification and Labeling Process | TBD | Implied | Process | Yes
ISO-085 | A.8.2.1, A.8.2.2 | Evidence of Information Classification and Labeling Reviews (Records) | TBD | Implied | Record | Yes
ISO-086 | A.8.2.3 | Asset Handling Procedures | Part of ISO-075 | Required | Procedure | Yes
ISO-087 | A.8.2.3 | Evidence of Implementation of Asset Handling Procedures (Records) | TBD | Implied | Record | Yes
ISO-088 | A.8.3.1 | Management of Removable Media Policy | Part of ISO-052 | Required | Policy | Yes
ISO-089 | A.8.3.1 | Management of Removable Media Procedures | Part of ISO-054 | Implied | Procedure | Yes
ISO-090 | A.8.3.1 | Evidence that Removable Media Procedures are enacted (Records) | TBD | Implied | Record | Yes
ISO-091 | A.8.3.2 | Disposal of Media Policy | Part of ISO-052 | Required | Policy | Yes
ISO-092 | A.8.3.2 | Disposal of Media Procedures | Part of ISO-054 | Implied | Procedure | Yes
ISO-093 | A.8.3.2 | Evidence that Disposal of Media Procedures are enacted (Records) | TBD | Implied | Record | Yes
ISO-094 | A.8.3.3 | Physical Media Transfer Policy | Part of ISO-052 | Implied | Policy | Yes
ISO-095 | A.8.3.3 | Physical Media Transfer Procedures | Part of ISO-054 | Implied | Procedure | Yes
ISO-096 | A.8.3.3 | Evidence that Physical Media Transfer Procedures are enacted (Records) | TBD | Implied | Record | Yes
ISO-097 | A.9.1.1 | Access Control Policy | Part of ISO-052 | Required | Policy | Yes
ISO-098 | A.9.1.1 | Access Control Policy Review Process | TBD | Implied | Process | Yes
ISO-099 | A.9.1.1 | Evidence of Access Control Policy Reviews (Records) | TBD | Implied | Record | Yes
ISO-100 | A.9.1.2 | Network and Network Service Access Authorization Procedure | TBD | Implied | Procedure | Yes
ISO-101 | A.9.1.2 | Evidence that Network and Network Service Access Authorization Procedure is enacted (Records) | TBD | Implied | Record | Yes
ISO-102 | A.9.2.1 | User Registration and De-registration Process | TBD | Required | Process | Yes
ISO-103 | A.9.2.1 | Evidence that User Registration and De-registration Processes are enacted (Records) | TBD | Implied | Record | Yes
ISO-104 | A.9.2.2 | User Access Provisioning Process | TBD | Required | Process | Yes
ISO-105 | A.9.2.2 | Evidence that User Access Provisioning Process is enacted (Records) | TBD | Implied | Record | Yes
ISO-106 | A.9.2.3 | Privileged Access Management Process | TBD | Implied | Process | Yes
ISO-107 | A.9.2.3 | Evidence that Privileged Access Management Process is enacted (Records) | TBD | Implied | Record | Yes
ISO-108 | A.9.2.4 | Secret Authentication (e.g., Password) Policy | TBD | Implied | Policy | Yes
ISO-109 | A.9.2.4 | Secret Authentication (e.g., Password) Information Management Process | TBD | Implied | Process | Yes
ISO-110 | A.9.2.4 | Evidence that Secret Authentication Information Management Process is enacted (Records) | TBD | Implied | Record | Yes
ISO-111 | A.9.2.5 | Asset Access Review Process | TBD | Implied | Process | Yes
ISO-112 | A.9.2.5 | Evidence of Asset Access Reviews (Records) | TBD | Implied | Record | Yes
ISO-113 | A.9.2.6 | Removal or Adjustment of Access Rights Process | TBD | Implied | Process | Yes
ISO-114 | A.9.2.6 | Evidence that Removal or Adjustment of Access Rights Process is enacted (Records) | TBD | Implied | Record | Yes
ISO-115 | A.9.3.1 | Authentication Safeguarding Policy | Part of ISO-052 | Implied | Process | Yes
ISO-116 | A.9.3.1 | Authentication Safeguarding Process | TBD | Implied | Process | Yes
ISO-117 | A.9.3.1 | Evidence that Authentication Safeguarding Process is enacted | TBD | Implied | Record | Yes
ISO-118 | A.9.4.1 | Data and Application Access Authorization Procedure | Part of ISO-054 | Implied | Procedure | Yes
ISO-119 | A.9.4.1 | Data and Application Access Request and Authorization Form | TBD | Optional | Form or Template | Yes
ISO-120 | A.9.4.1 | Evidence that Data and Application Access Authorization Procedure is enacted | TBD | Implied | Record | Yes
ISO-121 | A.9.4.2 | Secure Log-on Procedure (if required by Access Control Policy) | Part of ISO-054 | Implied | Procedure | Yes
ISO-122 | A.9.4.2 | Evidence that Secure Log-on Procedure is enacted | TBD | Implied | Record | Yes
ISO-123 | A.9.4.3 | Password Management System Description | TBD | Implied | Description | Yes
ISO-124 | A.9.4.3 | Evidence that Password Management System is enacted | TBD | Implied | Record | Yes
ISO-125 | A.9.4.4 | Utility Program Policy | Part of ISO-052 | Implied | Policy | Yes
ISO-126 | A.9.4.4 | Utility Program Review Process | TBD | Implied | Process | Yes
ISO-127 | A.9.4.4 | Data and Application Access Request and Authorization Form | TBD | Optional | Form or Template | Yes
ISO-128 | A.9.4.5 | Access Control to Source Code Authorization Process | TBD | Implied | Process | Yes
ISO-129 | A.9.4.5 | Source Code Access Request and Authorization Form | TBD | Optional | Form or Template | Yes
ISO-130 | A.10.1.1 | Cryptographic Controls Policy | Part of ISO-052 | Required | Policy | Yes
ISO-131 | A.10.1.1 | Cryptographic Controls Process | TBD | Implied | Process | Yes
ISO-132 | A.10.1.1 | Evidence that Cryptographic Controls Process is enacted | TBD | Implied | Record | Yes
ISO-133 | A.10.1.2 | Key Management Policy | Part of ISO-052 | Required | Policy | Yes
ISO-134 | A.10.1.2 | Key Management Process | TBD | Implied | Process | Yes
ISO-135 | A.10.1.2 | Evidence that Key Management Process is enacted | TBD | Implied | Record | Yes
ISO-136 | A.11.1.1 | Physical Security Perimeters Definition | TBD | Implied | Description | Yes
ISO-137 | A.11.1.1 | Evidence of Physical Security Perimeters Definition Reviews | TBD | Implied | Record | Yes
ISO-138 | A.11.1.2 | Physical Entry Controls | TBD | Implied | Description | Yes
ISO-139 | A.11.1.2 | Evidence of Physical Entry Controls Reviews | TBD | Implied | Record | Yes
ISO-140 | A.11.1.3 | Physical Security Design | TBD | Implied | Description | Yes
ISO-141 | A.11.1.3 | Evidence of Physical Security Design Reviews | TBD | Implied | Record | Yes
ISO-142 | A.11.1.4 | Design for Protection Against External and Environmental Threats | TBD | Implied | Description | Yes
ISO-143 | A.11.1.4 | Evidence of Design for Protection Against External and Environmental Threats Reviews | TBD | Implied | Record | Yes
ISO-144 | A.11.1.5 | Procedures for Working in Secured Areas | TBD | Required | Procedure | Yes
ISO-145 | A.11.1.5 | Evidence of Reviews of Procedures for Working in Secured Areas | TBD | Implied | Record | Yes
ISO-146 | A.11.1.6 | Physical Access Point Security Designs | TBD | Implied | Description | Yes
ISO-147 | A.11.1.6 | Evidence of Reviews of Physical Access Point Security Designs | TBD | Implied | Record | Yes
ISO-148 | A.11.2.1 | Equipment Siting and Protection Design | TBD | Implied | Description | Yes
ISO-149 | A.11.2.1 | Evidence of Equipment Siting and Protection Design Reviews | TBD | Implied | Record | Yes
ISO-150 | A.11.2.2 | Design for Protection Against Utility Failures | TBD | Implied | Description | Yes
ISO-151 | A.11.2.2 | Evidence of Design for Protection Against Utility Failures Reviews | TBD | Implied | Record | Yes
ISO-152 | A.11.2.3 | Cabling Protection Design | TBD | Implied | Description | Yes
ISO-153 | A.11.2.3 | Evidence of Cabling Protection Design Reviews | TBD | Implied | Record | Yes
ISO-154 | A.11.2.4 | Equipment Maintenance Process | TBD | Implied | Process | Yes
ISO-155 | A.11.2.4 | Evidence of Equipment Maintenance Process Reviews | TBD | Implied | Record | Yes
ISO-156 | A.11.2.4 | Evidence that Equipment Maintenance Process is enacted | TBD | Implied | Record | Yes
ISO-157 | A.11.2.5 | Removal of Asset Authorization Process | Part of ISO-075 | Implied | Process | Yes
ISO-158 | A.11.2.5 | Evidence of Removal of Asset Authorization Process Reviews | TBD | Implied | Record | Yes
ISO-159 | A.11.2.5 | Removal of Asset Authorization Form | TBD | Optional | Form or Template | Yes
ISO-160 | A.11.2.6 | Offsite Asset Security Process | TBD | Implied | Process | Yes
ISO-161 | A.11.2.6 | Evidence of Offsite Asset Security Process Reviews | TBD | Implied | Record | Yes
ISO-162 | A.11.2.7 | Secure Media Disposal and Re-use Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-163 | A.11.2.7 | Evidence of Secure Media Disposal and Re-use Policy Reviews | TBD | Optional | Record | Yes
ISO-164 | A.11.2.7 | Secure Media Disposal and Re-use Process | TBD | Implied | Process | Yes
ISO-165 | A.11.2.7 | Evidence of Secure Media Disposal and Re-use Process Reviews | TBD | Implied | Record | Yes
ISO-166 | A.11.2.8 | Protection of Unattended Equipment Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-167 | A.11.2.8 | Evidence of Protection of Unattended Equipment Policy Reviews | TBD | Optional | Record | Yes
ISO-168 | A.11.2.8 | Protection of Unattended Equipment Process | TBD | Implied | Process | Yes
ISO-169 | A.11.2.8 | Evidence of Protection of Unattended Equipment Process Reviews | TBD | Implied | Record | Yes
ISO-170 | A.11.2.9 | Clear Desk Policy | Part of ISO-052 | Required | Policy | Yes
ISO-171 | A.11.2.9 | Evidence of Clear Desk Policy Reviews | TBD | Implied | Record | Yes
ISO-172 | A.11.2.9 | Clear Screen Policy | Part of ISO-052 | Required | Policy | Yes
ISO-173 | A.11.2.9 | Evidence of Clear Screen Policy Reviews | TBD | Implied | Record | Yes
ISO-174 | A.12.1.1 | Operating Procedures | TBD | Required | Procedure | Yes
ISO-175 | A.12.1.1 | Evidence of Operating Procedures Reviews | TBD | Implied | Record | Yes
ISO-176 | 8.1, A.12.1.2, A.14.2.2, A.14.2.3, A.14.2.4 | Change Management Policy | Part of ISO-052 | Implied | Record | Yes
ISO-177 | 8.1, A.12.1.2, A.14.2.2, A.14.2.3, A.14.2.4 | Evidence of Change Management Policy Reviews | TBD | Implied | Process | Yes
ISO-178 | 8.1, A.12.1.2, A.14.2.2, A.14.2.3, A.14.2.4 | Change Management Process | TBD | Implied | Process | Yes
ISO-179 | 8.1, A.12.1.2, A.14.2.2, A.14.2.3, A.14.2.4 | Evidence of Change Management Process Reviews | TBD | Implied | Process | Yes
ISO-180 | A.12.1.3 | Capacity Management Process | TBD | Implied | Process | Yes
ISO-181 | A.12.1.3 | Evidence of Capacity Management Process Reviews | TBD | Implied | Record | Yes
ISO-182 | A.12.1.3 | Capacity Management Plans/Reports | TBD | Implied | Plan | Yes
ISO-183 | A.12.1.4 | Separation of Environments Policy | Part of ISO-052 | Implied | Policy | Yes
ISO-184 | A.12.1.4 | Evidence of Separation of Environments Policy Reviews | TBD | Implied | Record | Yes
ISO-185 | A.12.1.4 | Separation of Environments Design | TBD | Implied | Description | Yes
ISO-186 | A.12.1.4 | Evidence of Separation of Environments Design Reviews | TBD | Implied | Record | Yes
ISO-187 | A.12.2.1 | Malware Protection Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-188 | A.12.2.1 | Evidence of Malware Protection Policy Reviews | TBD | Implied | Record | Yes
ISO-189 | A.12.2.1 | Malware Protection Design | TBD | Implied | Description | Yes
ISO-190 | A.12.2.1 | Evidence of Malware Protection Design Reviews | TBD | Implied | Record | Yes
ISO-191 | A.12.3.1 | Data Backup and Recovery Policy | Part of ISO-052 | Required | Policy | Yes
ISO-192 | A.12.3.1 | Evidence of Data Backup and Recovery Policy Reviews | TBD | Implied | Record | Yes
ISO-193 | A.12.3.1 | Data Backup and Recovery Procedures | TBD | Implied | Procedure | Yes
ISO-194 | A.12.3.1 | Evidence of Data Backup and Recovery Procedures Reviews | TBD | Implied | Record | Yes
ISO-195 | A.12.3.1 | Data Backup and Recovery Test Process | TBD | Implied | Process | Yes
ISO-196 | A.12.3.1 | Evidence of Data Backup and Recovery Test Process Reviews | TBD | Implied | Record | Yes
ISO-197 | A.12.4.1 | Event Logging Design | TBD | Implied | Description | Yes
ISO-198 | A.12.4.1 | Evidence of Event Logging Design Reviews | TBD | Implied | Record | Yes
ISO-199 | A.12.4.1 | Event Log Reviews | TBD | Required | Record | Yes
ISO-200 | A.12.4.2 | Design for Protection of Log Information | TBD | Implied | Description | Yes
ISO-201 | A.12.4.2 | Evidence of Reviews of Design for Protection of Log Information | TBD | Implied | Record | Yes
ISO-202 | A.12.4.3 | Operator Logging Design | TBD | Implied | Description | Yes
ISO-203 | A.12.4.3 | Evidence of Operator Logging Design Reviews | TBD | Implied | Record | Yes
ISO-204 | A.12.4.3 | Operator Log Review Process | TBD | Implied | Process | Yes
ISO-205 | A.12.4.3 | Evidence of Operator Log Reviews | TBD | Required | Record | Yes
ISO-206 | A.12.4.4 | Clock Synchronization Design | TBD | Implied | Description | Yes
ISO-207 | A.12.4.4 | Evidence of Clock Synchronization Reviews | TBD | Implied | Record | Yes
ISO-208 | A.12.5.1, A.12.6.2 | Software Installation Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-209 | A.12.5.1, A.12.6.2 | Evidence of Software Installation Policy Reviews | TBD | Optional | Record | Yes
ISO-210 | A.12.5.1, A.12.6.2 | Software Installation Control Procedures | TBD | Implied | Procedure | Yes
ISO-211 | A.12.5.1, A.12.6.2 | Evidence of Software Installation Control Procedures Reviews | TBD | Implied | Record | Yes
ISO-212 | A.12.6.1 | Vulnerability Management Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-213 | A.12.6.1 | Evidence of Vulnerability Management Policy Reviews | TBD | Optional | Record | Yes
ISO-214 | A.12.6.1 | Vulnerability Management Process | TBD | Implied | Process | Yes
ISO-215 | A.12.6.1 | Evidence that Vulnerability Management Process is enacted | TBD | Implied | Record | Yes
ISO-216 | A.12.7.1 | External Audit Activity Planning Process | TBD | Implied | Plan | Yes
ISO-217 | A.12.7.1 | Evidence that External Audit Activity Planning Process is enacted | TBD | Implied | Record | Yes
ISO-218 | A.12.7.1 | External Audit Activity Report | TBD | Optional | Record | Yes
EXT-002 | N/A | Network Security Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-220 | A.13.1.1 | Design of Network Controls | TBD | Implied | Description | Yes
ISO-221 | A.13.1.1 | Evidence of Design of Network Controls Reviews | TBD | Implied | Record | Yes
ISO-222 | A.13.1.2 | Design of Controls for Network Services | TBD | Implied | Description | Yes
ISO-223 | A.13.1.2 | Evidence of Design of Controls for Network Services Reviews | TBD | Implied | Record | Yes
ISO-224 | A.13.1.3 | Design of Network Segregation | TBD | Implied | Description | Yes
ISO-225 | A.13.1.3 | Evidence of Design of Network Segregation Reviews | TBD | Implied | Record | Yes
ISO-226 | A.13.2.1 | Information Transfer Policies | Part of ISO-052 | Required | Policy | Yes
ISO-227 | A.13.2.1 | Evidence of Information Transfer Policies Reviews | TBD | Implied | Record | Yes
ISO-228 | A.13.2.1 | Information Transfer Procedures | TBD | Required | Procedure | Yes
ISO-229 | A.13.2.1 | Evidence of Information Transfer Procedures Reviews | TBD | Implied | Record | Yes
ISO-230 | A.13.2.1 | Information Transfer Control Design | TBD | Implied | Description | Yes
ISO-231 | A.13.2.1 | Evidence of Information Transfer Control Design Reviews | TBD | Implied | Record | Yes
ISO-232 | A.13.2.2 | Information Transfer Agreement Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-233 | A.13.2.2 | Evidence of Information Transfer Agreement Policy Reviews | TBD | Optional | Record | Yes
ISO-234 | A.13.2.2 | Information Transfer Agreement Template | TBD | Optional | Form or Template | Yes
ISO-235 | A.13.2.2 | Evidence of Information Transfer Agreements | TBD | Implied | Record | Yes
ISO-236 | A.13.2.3 | Secure Electronic Messaging Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-237 | A.13.2.3 | Evidence of Secure Electronic Messaging Policy Reviews | TBD | Optional | Record | Yes
ISO-238 | A.13.2.3 | Secure Electronic Messaging Procedure | TBD | Implied | Procedure | Yes
ISO-239 | A.13.2.3 | Evidence of Secure Electronic Messaging Procedure Reviews | TBD | Implied | Record | Yes
ISO-240 | A.13.2.4 | Confidentiality and NDA Requirements Design | TBD | Required | Description | Yes
ISO-241 | A.13.2.4 | Evidence of Confidentiality and NDA Requirements Design Reviews | TBD | Implied | Record | Yes
ISO-242 | A.14.1.1 | Security in New or Modified Systems Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-243 | A.14.1.1 | Evidence of Security in New or Modified Systems Policy Reviews | TBD | Optional | Record | Yes
ISO-244 | A.14.1.1, A.14.2.5 | Security in New or Modified Systems Process | TBD | Implied | Process | Yes
ISO-245 | A.14.1.1, A.14.2.5 | Evidence of Security in New or Modified Systems Process Reviews | TBD | Implied | Record | Yes
ISO-246 | A.14.1.2 | Protection of Applications on Public Networks Design | TBD | Implied | Description | Yes
ISO-247 | A.14.1.2 | Evidence of Protection of Applications on Public Networks Design Reviews | TBD | Implied | Record | Yes
ISO-248 | A.14.1.3 | Application Service Transaction Protection Design | TBD | Implied | Description | Yes
ISO-249 | A.14.1.3 | Evidence of Application Service Transaction Protection Design Reviews | TBD | Implied | Record | Yes
ISO-250 | A.14.2.1, A.14.2.6, A.14.2.7, A.14.2.8, A.14.2.9 | Secure SDLC Policy | Part of ISO-052 | Required | Policy | Yes
ISO-251 | A.14.2.1, A.14.2.6, A.14.2.7, A.14.2.8, A.14.2.9 | Evidence of Secure SDLC Policy Reviews | TBD | Implied | Record | Yes
ISO-252 | A.14.2.1, A.14.2.6, A.14.2.7, A.14.2.8, A.14.2.9 | Secure SDLC Process | TBD | Implied | Process | Yes
ISO-253 | A.14.2.1, A.14.2.6, A.14.2.7, A.14.2.8, A.14.2.9 | Evidence of Secure SDLC Process Reviews | TBD | Implied | Record | Yes
ISO-254 | A.14.3.1 | Protection of Test Data Process | TBD | Implied | Process | Yes
ISO-255 | A.14.3.1 | Evidence of Protection of Test Data Process Reviews | TBD | Implied | Record | Yes
ISO-256 | A.15.1.1, A.15.1.2 | Supplier Security Policy | Part of ISO-052 | Required | Policy | Yes
ISO-257 | A.15.1.1, A.15.1.2 | Evidence of Supplier Security Policy Reviews | TBD | Implied | Record | Yes
ISO-258 | A.15.1.2 | Supplier Security Template | TBD | Optional | Form or Template | Yes
ISO-259 | A.15.1.2 | Evidence of Information Security in Supplier Agreements | TBD | Implied | Record | Yes
ISO-260 | A.15.1.3 | Information Security for IT Service Providers Policy | Part of ISO-052 | Implied | Policy | Yes
ISO-261 | A.15.1.3 | Evidence of Information Security for IT Service Providers Policy Reviews | TBD | Implied | Record | Yes
ISO-262 | A.15.1.3 | Information Security for IT Service Providers Template | TBD | Optional | Form or Template | Yes
ISO-263 | A.15.2.1, A.15.2.2 | Supplier Services Management Process | TBD | Implied | Process | Yes
ISO-264 | A.15.2.1, A.15.2.2 | Evidence of Supplier Services Management Process Reviews | TBD | Implied | Record | Yes
ISO-265 | A.15.2.1, A.15.2.2 | Evidence of Supplier Services Management Reviews | TBD | Implied | Record | Yes
ISO-266 | A.15.2.1, A.15.2.2 | Supplier Services Review Template | TBD | Optional | Form or Template | Yes
ISO-267 | A.16 | Incident Management Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-268 | A.16 | Evidence of Incident Management Policy Reviews | TBD | Optional | Record | Yes
ISO-269 | A.16.1.1 | Incident Management Roles and Responsibilities | TBD | Implied | Description | Yes
ISO-270 | A.16.1.1 | Evidence of Incident Management Roles and Responsibilities Reviews | TBD | Implied | Record | Yes
ISO-271 | A.16.1.1 | Incident Management Procedures | TBD | Implied | Procedure | Yes
ISO-272 | A.16.1.1 | Evidence of Incident Management Procedures Reviews | TBD | Implied | Record | Yes
ISO-273 | A.16.1.2 | Incident Report Template | TBD | Optional | Form or Template | Yes
ISO-274 | A.16.1.2 | Evidence of Incident Reports | TBD | Optional | Record | Yes
ISO-275 | A.16.1.3 | Security Weakness Reporting Process | TBD | Implied | Process | Yes
ISO-276 | A.16.1.3 | Evidence of Security Weakness Reporting Process Reviews | TBD | Implied | Record | Yes
ISO-277 | A.16.1.3 | Security Weakness Report Template | TBD | Optional | Form or Template | Yes
ISO-278 | A.16.1.4 | Incident Assessment Process | TBD | Implied | Process | Yes
ISO-279 | A.16.1.5 | Evidence of Incident Assessment Process Reviews | TBD | Implied | Record | Yes
ISO-280 | A.16.1.6 | Incident Response Process | TBD | Implied | Process | Yes
ISO-281 | A.16.1.6 | Evidence of Incident Response Process Reviews | TBD | Implied | Record | Yes
ISO-282 | A.16.1.6 | Evidence of Incident Response | TBD | Implied | Record | Yes
ISO-283 | A.16.1.7 | Evidence Collection Procedures | TBD | Implied | Procedure | Yes
ISO-284 | A.16.1.7 | Evidence of Evidence Collection Procedures Reviews | TBD | Implied | Record | Yes
ISO-285 | A.16.1.7 | Evidence Collection Template | TBD | Optional | Form or Template | Yes
ISO-286 | A.17 | Business Continuity Management Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-287 | A.17 | Evidence of Business Continuity Management Policy Reviews | TBD | Optional | Record | Yes
ISO-288 | A.17 | Business Continuity Strategy | TBD | Optional | Description | Yes
ISO-289 | A.17 | Evidence of Business Continuity Strategy Reviews | TBD | Optional | Record | Yes
EXT-003 | N/A | Supplier Security Checklist | Own Doc | Optional | Form or Template | No
ISO-291 | A.17 | Business Continuity Plan | TBD | Optional | Plan | Yes
ISO-292 | A.17 | Evidence of Business Continuity Plan Reviews | TBD | Optional | Record | Yes
ISO-293 | A.17 | Business Continuity Management System Maintenance and Review Plan | TBD | Optional | Plan | Yes
ISO-294 | A.17 | Evidence of Business Continuity Management System Maintenance and Review Plan Reviews | TBD | Optional | Record | Yes
ISO-295 | A.17.1.1 | Business Continuity Requirements | TBD | Implied | Description | Yes
ISO-296 | A.17.1.1 | Evidence of Business Continuity Requirements Reviews | TBD | Implied | Record | Yes
ISO-297 | A.17.1.1 | Business Impact Analysis | TBD | Implied | Description | Yes
ISO-298 | A.17.1.1 | Business Impact Analysis Template | TBD | Optional | Form or Template | Yes
ISO-299 | A.17.1.1 | Business Impact Analysis Questionnaire(s) | TBD | Optional | Form or Template | Yes
ISO-300 | A.17.1.2 | Business Continuity Process | TBD | Required | Process | Yes
ISO-301 | A.17.1.2 | Evidence of Business Continuity Process Reviews | TBD | Implied | Record | Yes
ISO-302 | A.17.1.2 | Business Continuity Procedures | TBD | Required | Procedure | Yes
ISO-303 | A.17.1.2 | Evidence of Business Continuity Procedures Reviews | TBD | Implied | Record | Yes
ISO-304 | A.17.1.2 | Business Continuity Controls | TBD | Required | Description | Yes
ISO-305 | A.17.1.2, A.17.1.3 | Evidence of Business Continuity Controls Reviews | TBD | Implied | Record | Yes
ISO-306 | A.17.1.3 | Business Continuity Exercising and Testing Plan | TBD | Optional | Plan | Yes
ISO-307 | A.17.1.3 | Evidence of Business Continuity Exercising and Testing Plan Reviews | TBD | Optional | Record | Yes
ISO-308 | A.17.1.3 | Business Continuity Exercises and Tests | TBD | Implied | Record | Yes
ISO-309 | A.17.1.3 | Business Continuity Post-Incident Review Form | TBD | Optional | Form or Template | Yes
ISO-310 | A.17 | Disaster Recovery Plan | TBD | Optional | Plan | Yes
ISO-311 | A.17 | Evidence of Disaster Recovery Plan Reviews | TBD | Optional | Record | Yes
ISO-312 | A.17.1.1 | Disaster Recovery Requirements | TBD | Optional | Description | Yes
ISO-313 | A.17.1.1 | Evidence of Disaster Recovery Requirements Reviews | TBD | Optional | Record | Yes
ISO-314 | A.17.1.2 | Disaster Recovery Process | TBD | Optional | Process | Yes
ISO-315 | A.17.1.2 | Evidence of Disaster Recovery Process Reviews | TBD | Optional | Record | Yes
ISO-316 | A.17.1.2 | Disaster Recovery Procedures | TBD | Optional | Procedure | Yes
ISO-317 | A.17.1.2 | Evidence of Disaster Recovery Procedures Reviews | TBD | Optional | Record | Yes
ISO-318 | A.17.1.2 | Disaster Recovery Controls | TBD | Optional | Description | Yes
ISO-319 | A.17.1.2, A.17.1.3 | Evidence of Disaster Recovery Controls Reviews | TBD | Optional | Record | Yes
ISO-320 | A.17.1.3 | Disaster Recovery Exercises and Tests | TBD | Optional | Record | Yes
ISO-321 | A.17.1.3 | Disaster Recovery Post-Incident Review Form | TBD | Optional | Form or Template | Yes
ISO-322 | A.17.2.1 | Redundancy Requirements | TBD | Implied | Description | Yes
ISO-323 | A.17.2.1 | Evidence of Redundancy Requirements Reviews | TBD | Implied | Record | Yes
ISO-324 | A.18.1.1 | Legal, Regulatory and Contractual Requirements | TBD | Required | Description | Yes
ISO-325 | A.18.1.1 | Evidence of Legal, Regulatory and Contractual Requirements Reviews | TBD | Required | Record | Yes
ISO-326 | A.18.1.2 | Intellectual Property Compliance Procedure | TBD | Implied | Procedure | Yes
ISO-327 | A.18.1.2 | Evidence of Intellectual Property Compliance Procedure Reviews | TBD | Implied | Record | Yes
ISO-328 | A.18.1.3 | Record Protection | TBD | Implied | Description | Yes
ISO-329 | A.18.1.3 | Evidence of Record Protection Reviews | TBD | Implied | Record | Yes
ISO-330 | A.18.1.4 | Privacy and Protection of PII | TBD | Implied | Description | Yes
ISO-331 | A.18.1.4 | Evidence of Privacy and Protection of PII Reviews | TBD | Implied | Record | Yes
ISO-332 | A.18.1.5 | Regulation of Cryptographic Controls | TBD | Implied | Description | Yes
ISO-333 | A.18.1.5 | Evidence of Regulation of Cryptographic Controls Reviews | TBD | Implied | Record | Yes
ISO-334 | A.18.2.1 | External Audit Plan | Part of ISO-038 | Implied | Procedure | Yes
ISO-335 | A.18.2.1 | Evidence of External Audit Plan Reviews | TBD | Implied | Record | Yes
ISO-336 | A.18.2.1 | Evidence of External Audits | TBD | Implied | Record | Yes
ISO-337 | A.18.2.2 | Management Compliance Review Process | TBD | Implied | Process | Yes
ISO-338 | A.18.2.2 | Evidence of Management Compliance Review Process Reviews | TBD | Implied | Record | Yes
ISO-339 | A.18.2.2 | Evidence of Management Compliance Reviews | TBD | Implied | Record | Yes
ISO-340 | A.18.2.3 | Technical Compliance Review Process | TBD | Implied | Process | Yes
ISO-341 | A.18.2.3 | Evidence of Technical Compliance Review Process Reviews | TBD | Implied | Record | Yes
ISO-342 | A.18.2.3 | Evidence of Technical Compliance Reviews | TBD | Implied | Record | Yes
EXT-004 | N/A | CSWG Program | Own Doc | Optional | Description | No
EXT-005 | N/A | Information Security Risk Council Program | Own Doc | Optional | Description | No
EXT-006 | N/A | Security Integration Plan | TBD | Optional | Plan | No
EXT-007 | N/A | Security Integration Questionnaire | TBD | Optional | Form or Template | No
EXT-008 | N/A | HR Employee Change Procedure | Own Doc | Optional | Procedure | No
EXT-009 | N/A | Data Governance Policy | Own Doc | Optional | Policy | No
EXT-009 | N/A | Security Review Checklist | Part of ISO-054 | Optional | Form or Template | No
EXT-009 | N/A | Multi-Factor Authentication Procedure | Own Doc | Optional | Procedure | No

Total 350
Link to mandatory/non-mandatory documents: http://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

Tallies
Requirement: Required 54, Implied 221, Optional 75
Doc Type: Policy 36, Process 51, Procedure 28, Plan 11, Description 42, Form or Template 22, Record 159
Unique Docs 23
Total Included 0

ISO 27001 Documents | Policy | Process | Procedure | Plan | Description | Form or Template | Record | Total | %
Implemented | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | #DIV/0!
Approved | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | #DIV/0!
Written | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | #DIV/0!
In Progress | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | #DIV/0!
Waiting | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | #DIV/0!
Phase 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | #DIV/0!
Unknown | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | #DIV/0!
Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | #DIV/0!

ISO 27001 Documents, Phase 1 | Policy | Process | Procedure | Plan | Description | Form or Template | Record | Total | %
Implemented | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | #DIV/0!
Approved | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | #DIV/0!
Written | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | #DIV/0!
In Progress | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | #DIV/0!
Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | #DIV/0!

The sheet also carries per-document tracking columns (Due, Status, Consultant Owner, Est. Consultant Hrs, Customer Owner, Comments, Approved by, Date Approved, Last Location, Document Name); no values are shown for them on this page. Counts by Status:
Implemented 0 0
Approved 0
Written 0
In Progress 0
Waiting 0
Phase 2 0
Unknown 0
Skipped 0