ISO 27001 compliance checklist

ISO 27001 Compliance Checklist Reference Checklist 1.1 Audit area, objective and question Section Information Security Policy Whether there exists an Information security policy, w ‎ hich is approved by the management, published and c ‎ ommunicated as appropriate to all employees. Information security policy document Whether the policy states management commitment a ‎ nd sets out the organizational approach to managing i ‎nformation security.‎ Whether the Information Security Policy is reviewed at p ‎ lanned intervals, or if significant changes occur to e ‎ nsure its continuing suitability, adequacy and e ‎ ffectiveness. Whether the Information Security policy has an owner, w ‎ ho has approved management responsibility for d ‎ evelopment, review and evaluation of the security Review of Informational Security Policy policy.‎ Whether any defined Information Security Policy r ‎ eview procedures exist and do they include r ‎ equirements for the management review. ‎ Whether the results of the management review are taken into account.‎ Whether management approval is obtained for the r ‎ evised policy.‎ Internal Organization Whether management demonstrates active support for security measures within the organization. This can be done via clear direction, demonstrated commitment, explicit assignment and acknowledgement of information security responsibilities. Whether information security activities are coordinated by representatives from diverse parts of the organization, with pertinent roles and responsibilities Results Findings Status (%) Standard 5.1 Audit Question Security Policy 1.1.1 5.1.1 1.1.2 5.1.2 Organization of Information Security 2.1 6.1 2.11 6.11 Management Commitment to Informaiton Security 2.1.2 6.1.2 Information Security coordination Hakim Kt hakimkt@yahoo.com Page 1 10/27/2008 ISO 27001 Compliance Checklist 2.1.3 6.1.3 Allocation of Information Security responsibilities Authorization process for Information processing facilities 2.1.4 6.1.4 2.1.5 6.1.5 Confidentiality Agreements 2.1.6 6.1.6 Contact with Authorities 2.1.7 6.1.7 Contact with special interest groups 2.1.8 2.2 6.2 6.1.8 Independent review of Information Security External Parties Whether responsibilities for the protection of individual assets, and for carrying out specific security processes, were clearly identified and defined. Whether management authorization process is defined and implemented for any new information processing facility within the organization. Whether the organization’s need for Confidentiality or N ‎ on-Disclosure Agreement (NDA) for protection of i ‎nformation is clearly defined and regularly reviewed. Does this address the requirement to protect the c ‎ onfidential information using legal enforceable terms Whether there exists a procedure that describes when, and by whom: relevant authorities such as Law enforcement, fire department etc., should be contacted, and how the incident should be reported Whether appropriate contacts with special interest groups or other specialist security forums, and professional associations are maintained. Whether the organization’s approach to managing information security, and its implementation, is reviewed independently at planned intervals, or when major changes to security implementation occur. 2.2.1 6.2.1 2.2.2 6.2.2 2.2.3 6.2.3 Whether risks to the organization’s information and information processing facility, from a process Identification of risks related to external involving external party access, is identified and parties appropriate control measures implemented before granting access. Whether all identified security requirements are Addressing security while dealing with fulfilled before granting customer access to the customers organization’s information or assets. Whether the agreement with third parties, involving accessing, processing, communicating or managing the organization’s information or information processing Addressing security in third party facility, or introducing products or services to agreements information processing facility, complies with all appropriate security requirements. Responsibility for assets Asset Management 3.1 7.1 Hakim Kt hakimkt@yahoo.com Page 2 10/27/2008 ISO 27001 Compliance Checklist 3.1.1 3.1.2 7.1.1 7.1.2 Inventory of Assets Ownership of Assets Whether all assets are identified and an inventory or register is maintained with all the important assets. Whether each asset identified has an owner, a defined and agreed-upon security classification, and access restrictions that are periodically reviewed. Whether regulations for acceptable use of information and assets associated with an information processing facility were identified, documented and implemented. Whether the information is classified in terms of its value, legal requirements, sensitivity and criticality to the organization. Whether an appropriate set of procedures are defined for information labelling and handling, in accordance with the classification scheme adopted by the organization. 3.1.3 3.2 3.2.1 7.2 7.1.3 Acceptable use of assets Information Classification 7.2.1 Classification guidelines 3.2.2 7.2.2 Information labelling and handling Human resources security 4.1 8.1 Prior to employment Whether employee security roles and responsibilities, c ‎ ontractors and third party users were defined and d ‎ ocumented in accordance with the organization’s i ‎nformation security policy. Were the roles and responsibilities defined and clearly c ‎ ommunicated to job candidates during the pree ‎ mployment process Whether background verification checks for all c ‎ andidates for employment, contractors, and third party ‎ sers were carried out in accordance to the u relevant ‎ egulations. r Does the check include character reference, c ‎ onfirmation of claimed academic and professional q ‎ ualifications and independent identity checks Whether employee, contractors and third party users a ‎ re asked to sign confidentiality or non-disclosure a ‎ greement as a part of their initial terms and conditions ‎ f the employment contract.‎ o 4.1.1 8.1.1 Roles and responsibilities 4.1.2 8.1.2 Screening 4.1.3 8.1.3 Terms and conditions of employment Hakim Kt hakimkt@yahoo.com Page 3 10/27/2008 ISO 27001 Compliance Checklist 4.1.3 8.1.3 Terms and conditions of employment Whether this agreement covers the information s ‎ ecurity responsibility of the organization and the e ‎ mployee, third party users and contractors. ‎ 4.2 4.2.1 8.2 8.2.1 During Employment Management Responsibilities Whether the management requires employees, contractors and third party users to apply security in accordance with the established policies and procedures of the organization. Whether all employees in the organization, and where relevant, contractors and third party users, receive appropriate security awareness training and regular updates in organizational policies and procedures as it pertains to their job function. Whether there is a formal disciplinary process for the e ‎ mployees who have committed a security breach.‎ Whether responsibilities for performing employment termination, or change of employment, are clearly defined and assigned. Whether there is a process in place that ensures all employees, contractors and third party users surrender all of the organization’s assets in their possession upon termination of their employment, contract or agreement. Whether access rights of all employees, contractors and third party users, to information and information processing facilities, will be removed upon termination of their employment, contract or agreement, or will be adjusted upon change. 4.2.2 8.2.2 Infromation security awareness, education and training 4.2.3 4.3 4.3.1 8.3 8.2.3 Disciplinary process Termination or change of employment 8.3.1 Termination responsibilities 4.3.2 8.3.2 Return of assets 4.3.3 8.3.3 Removal of access rights Physical and Enviornmental security 5.1 5.1.1 9.1 9.1.1 Secure Areas Physical security perimeter Whether a physical border security facility has been i ‎mplemented to protect the information processing s ‎ ervice. ‎ ome examples of such security facilities are S card ‎ ontrol entry gates, walls, manned reception, etc‎ c Whether entry controls are in place to allow only authorized personnel into various areas within the organization. 5.1.2 9.1.2 Physical entry controls Hakim Kt hakimkt@yahoo.com Page 4 10/27/2008 ISO 27001 Compliance Checklist 5.1.3 9.1.3 5.1.4 9.1.4 5.1.5 9.1.5 5.1.6 5.2 5.2.1 9.2 9.1.6 9.2.1 5.2.2 9.2.2 5.2.3 9.2.3 5.2.4 9.2.4 Whether the rooms, which have the information processing service, are locked or have lockable cabinets or safes. Whether the physical protection against damage from fire, flood, earthquake, explosion, civil unrest and Protecting against external and other forms of natural or man-made disaster should be enviornmental threats designed and applied. Whether there is any potential threat from neighbouring premises. Whether physical protection and guidelines for Working in secure areas working in secure areas is designed and implemented Whether the delivery, loading, and other areas where unauthorized persons may enter the premises are Public access delivery and loading areas controlled, and information processing facilities are isolated, to avoid unauthorized access. Equipment Security Whether the equipment is protected to reduce the risks from environmental threats and hazards, and Equipment siting and protection opportunities for unauthorized access. Whether the equipment is protected from power f ‎ ailures and other disruptions caused by failures in s ‎ upporting utilities. Supporting utilities Whether permanence of power supplies, such as a m ‎ ultiple feed, an Uninterruptible Power Supply (ups), a ‎ backup generator, etc. are being utilized‎ Whether the power and telecommunications cable, carrying data or supporting information services, is Cabling security protected from interception or damage Whether there are any additional security controls in place for sensitive or critical information Whether the equipment is correctly maintained to e ‎ nsure its continued availability and integrity. ‎ Whether the equipment is maintained, as per the s ‎ upplier’s recommended service intervals and s ‎ pecifications. ‎ Whether the maintenance is carried out only by a ‎ uthorized personnel.‎ Equipment Maintenance Securing offices, rooms and facilities Hakim Kt hakimkt@yahoo.com Page 5 10/27/2008 ISO 27001 Compliance Checklist 5.2.4 9.2.4 Equipment Maintenance 5.2.5 9.2.5 Securiing of equipment off-premises 5.2.6 9.2.6 Secure disposal or re-use of equipment 5.2.7 9.2.7 Removal of property Whether logs are maintained with all suspected or actual faults and all preventive and corrective measures. Whether appropriate controls are implemented while s ‎ ending equipment off premises. ‎ Are the equipment covered by insurance and the i ‎nsurance requirements satisfied‎ Whether risks were assessed with regards to any e ‎ quipment usage outside an organization’s premises, a ‎ nd mitigation controls implemented. ‎ Whether the usage of an information processing f ‎ acility outside the organization has been authorized by ‎ he management. ‎ t Whether all equipment, containing storage media, is checked to ensure that any sensitive information or licensed software is physically destroyed, or securely over-written, prior to disposal or reuse. Whether any controls are in place so that equipment, information and software is not taken off-site without prior authorization. Communication and Operations Management 6.1 10.1 Operational procedures and responsibilites Whether the operating procedure is documented, maintained and available to all users who need it. Whether such procedures are treated as formal Documented Operating procedures documents, and therefore any changes made need management authorization. Whether all changes to information processing Change Management facilities and systems are controlled. Whether duties and areas of responsibility are separated, in order to reduce opportunities for Segregation of duties unauthorized modification or misuse of information, or services. Whether the development and testing facilities are isolated from operational facilities. For example, development and production software should be run Seperation of development, test and on different computers. Where necessary, operational facilities development and production networks should be kept separate from each other. 6.1.1 10.1.1 6.1.2 10.1.2 6.1.3 10.1.3 6.1.4 10.1.4 Hakim Kt hakimkt@yahoo.com Page 6 10/27/2008 ISO 27001 Compliance Checklist 6.2 10.2 Third party service delivery management Whether measures are taken to ensure that the security controls, service definitions and delivery levels, included in the third party service delivery agreement, Service delivery are implemented, operated and maintained by a third party. Whether the services, reports and records provided by t ‎ hird party are regularly monitored and reviewed.‎ Monitoring and review of third party services Whether audita are conducted on the above third party s ‎ ervices, reports and records, on regular interval.‎ Whether changes to provision of services, including m ‎ aintaining and improving existing information s ‎ ecurity policies, procedures and controls, are Managing changes to third party services ‎ anaged.‎ m Does this take into account criticality of business s ‎ ystems, processes involved and re-assessment of risks 6.2.1 10.2.1 6.2.2 10.2.2 6.2.3 10.2.3 6.3 10.3 System planning and acceptance Whether the capacity demands are monitored and p ‎ rojections of future capacity requirements are made, t ‎ o ensure that adequate processing power and storage Capacity Management a ‎ re available.‎ Example: Monitoring hard disk space, RAM and CPU o ‎ n critical servers. ‎ Whether system acceptance criteria are established for n ‎ ew information systems, upgrades and new versions.‎ System acceptance Whether suitable tests were carried out prior to a ‎ cceptance.‎ Protection against malicious and mobile code Whether detection, prevention and recovery controls, to protect against malicious code and appropriate user Controls against malicious code awareness procedures, were developed and implemented 6.3.1 10.3.1 6.3.2 6.4 6.4.1 10.4 10.3.2 10.4.1 Hakim Kt hakimkt@yahoo.com Page 7 10/27/2008 ISO 27001 Compliance Checklist 6.4.2 10.4.2 Controls against mobile code Whether only authorized mobile code is used. ‎ Whether the configuration ensures that authorized m ‎ obile code operates according to security policy.‎ Whether execution of unauthorized mobile code is p ‎ revented. ‎ ( ‎ Mobile code is software code that transfers from one c ‎ omputer to another computer and then executes a ‎ utomatically. It performs a specific function with l ‎ittle or no user intervention. Mobile code is associated w ‎ ith a number of middleware services.)‎ Whether back-ups of information and software is taken a ‎ nd tested regularly in accordance with the agreed b ‎ ackup policy.‎ Whether all essential information and software can be recovered following a disaster or media failure. Whether the network is adequately managed and controlled, to protect from threats, and to maintain security for the systems and applications using the network, including the information in transit. Whether controls were implemented to ensure the security of the information in networks, and the protection of the connected services from threats, such as unauthorized access. Whether security features, service levels and m ‎ anagement requirements, of all network services, are i ‎dentified and included in any network services a ‎ greement. Whether the ability of the network service provider, to m ‎ anage agreed services in a secure way, is determined a ‎ nd regularly monitored, and the right to audit is a ‎ greed upon. ‎ Whether procedures exist for management of r ‎ emovable media, such as tapes, disks, cassettes, m ‎ emory cards, and reports. Whether all procedures and authorization levels are c ‎ learly defined and documented.‎ 6.5 10.5 Backup 6.5.1 10.5.1 Information backup 6.6 10.6 Network Security Management 6.6.1 10.6.1 Network Controls 6.6.2 10.6.2 Security of network services 6.7 10.7 Media handling 6.7.1 10.7.1 Management of removable media Hakim Kt hakimkt@yahoo.com Page 8 10/27/2008 ISO 27001 Compliance Checklist 6.7.2 10.7.2 Disposal of Media 6.7.3 10.7.3 Information handling procedures 6.7.4 6.8 10.8 10.7.4 Security of system documentation Exchange of information Information exchange policies and procedures Whether the media that are no longer required are disposed of securely and safely, as per formal procedures. Whether a procedure exists for handling information s ‎ torage. ‎ Does this procedure address issues, such as i ‎nformation protection, from unauthorized disclosure o ‎ r misuse ‎ Whether the system documentation is protected against unauthorized access. Whether there is a formal exchange policy, procedure a ‎ nd control in place to ensure the protection of i ‎nformation.‎ Does the procedure and control cover using electronic c ‎ ommunication facilities for information exchange. ‎ Whether agreements are established concerning e ‎ xchange of information and software between the o ‎ rganization and external parties. Whether the security content of the agreement reflects t ‎ he sensitivity of the business information involved.‎ Whether media containing information is protected against unauthorized access, misuse or corruption during transportation beyond the organization’s physical boundary. Whether the information involved in electronic m ‎ essaging is well protected. ‎ ( ‎ Electronic messaging includes but is not restricted to E ‎ mail, Electronic Data Interchange, Instant Messaging)‎ Whether policies and procedures are developed and enforced to protect information associated with the interconnection of business information systems. Whether the information involved in electronic commerce passing over the public network is protected from fraudulent activity, contract dispute, and any unauthorized access or modification. 6.8.1 10.8.1 6.8.2 10.8.2 Exchange Agreements 6.8.3 10.8.3 Physical media in transit 6.8.4 10.8.4 Electronic messaging 6.8.5 6.9 10.9 10.8.5 Business Information systems Electronic commerce services 6.9.1 10.9.1 Electronic commerce Hakim Kt hakimkt@yahoo.com Page 9 10/27/2008 ISO 27001 Compliance Checklist 6.9.1 10.9.1 Electronic commerce 6.9.2 10.9.2 On-line transactions 6.9.3 6.10 10.9.3 10.10 Publicly available information Monitoring Whether Security control such as application of cryptographic controls are taken into consideration Whether electronic commerce arrangements between trading partners include a documented agreement, which commits both parties to the agreed terms of trading, including details of security issues. Whether information involved in online transactions is protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay Whether the integrity of the publicly available information is protected against any unauthorized modification. Whether audit logs recording user activities, e ‎ xceptions, and information security events are p ‎ roduced and kept for an agreed period to assist in f ‎ uture investigations and access control monitoring.‎ Whether appropriate Privacy protection measures are c ‎ onsidered in Audit log maintenance. ‎ Whether procedures are developed and enforced for m ‎ onitoring system use for information processing f ‎ acility. Whether the results of the monitoring activity reviewed ‎ egularly.‎ r Whether the level of monitoring required for individual ‎nformation processing facility is i determined by a risk ‎ ssessment‎ a Whether logging facility and log information are well protected against tampering and unauthorized access Whether system administrator and system operator a ‎ ctivities are logged. Whether the logged activities are reviewed on regular b ‎ asis.‎ Whether faults are logged analysed and appropriate a ‎ ction taken.‎ 6.10.1 10.10.1 Audit Logging 6.10.2 10.10.2 Monitoring system use 6.10.3 10.10.3 Protection of log information 6.10.4 10.10.4 Administrator and operator log 6.10.5 10.10.5 Fault logging Hakim Kt hakimkt@yahoo.com Page 10 10/27/2008 ISO 27001 Compliance Checklist 6.10.5 10.10.5 Fault logging 6.10.6 10.10.6 Clock Synchronisation Whether level of logging required for individual s ‎ ystem are determined by a risk assessment, taking p ‎ erformance degradation into account.‎ Whether system clocks of all information processing s ‎ ystem within the organization or security domain is s ‎ ynchronised with an agreed accurate time source.‎ ( ‎ The correct setting of computer clock is important to e ‎ nsure the accuracy of audit logs)‎ Access Control 7.1 11.1 Business requirement for access control Whether an access control policy is developed and r ‎ eviewed based on the business and security r ‎ equirements.‎ Whether both logical and physical access control are t ‎ aken into consideration in the policy Whether the users and service providers were given a c ‎ lear statement of the business requirement to be met b ‎ y access controls‎ Whether there is any formal user registration and deregistration procedure for granting access to all information systems and services. Whether the allocation and use of any privileges in information system environment is restricted and controlled i.e., Privileges are allocated on need-to-use basis, privileges are allocated only after formal authorization process. The allocation and reallocation of passwords should be controlled through a formal management process. Whether the users are asked to sign a statement to keep the password confidential. Whether there exists a process to review user access rights at regular intervals. Example: Special privilege review every 3 months, normal privileges every 6 months. 7.1.1 11.1.1 Access Control policy 7.2 7.2.1 11.2 11.2.1 User Access Management User Registration 7.2.2 11.2.2 Privilege Management 7.2.3 11.2.3 User Password Management Review of user access rights 7.2.4 7.3 11.2.4 11.3 User Responsibilities Hakim Kt hakimkt@yahoo.com Page 11 10/27/2008 ISO 27001 Compliance Checklist 7.3.1 11.3.1 Password use 7.3.2 11.3.2 Unattended user equipment 7.3.3 11.3.3 Clear desk and clear screen policy Whether there are any security practice in place to guide users in selecting and maintaining secure passwords Whether the users and contractors are made aware of t ‎ he security requirements and procedures for protecting ‎ nattended equipment. . ‎ u Example: Logoff when session is finished or set up a ‎ uto log off, terminate sessions when finished etc.,‎ Whether the organisation has adopted clear desk policy ‎ ith regards to papers and removable storage w media Whether the organisation has adopted clear screen p ‎ olicy with regards to information processing facility Whether users are provided with access only to the s ‎ ervices that they have been specifically authorized to u ‎ se. Whether there exists a policy that does address c ‎ oncerns relating to networks and network services. ‎ Whether appropriate authentication mechanism is used to control access by remote users. Whether automatic equipment identification is considered as a means to authenticate connections from specific locations and equipment. Whether physical and logical access to diagnostic ports are securely controlled i.e., protected by a security mechanism. Whether groups of information services, users and i ‎nformation systems are segregated on networks.‎ Whether the network (where business partner’s and/ or ‎ hird parties need access to information system) is t s ‎ egregated using perimeter security mechanisms such a ‎ s firewalls.‎ Whether consideration is made to segregation of w ‎ ireless networks from internal and private networks. ‎ 7.4 11.4 Network Access Control 7.4.1 11.4.1 Policy on use of network services 7.4.2 11.4.2 User authentication for external connections Equipment identification in networks 7.4.3 11.4.3 Remote diagnostic and configuration port protection 7.4.4 11.4.4 7.4.5 11.4.5 Segregation in networks Hakim Kt hakimkt@yahoo.com Page 12 10/27/2008 ISO 27001 Compliance Checklist 7.4.6 11.4.6 Network connection control Whether there exists an access control policy which states network connection control for shared networks, especially for those extend across organization’s boundaries. Whether the access control policy states routing controls are to be implemented for networks Whether the routing controls are based on the positive source and destination identification mechanism. 7.4.7 11.4.7 Network routing control 7.5 7.5.1 11.5 11.5.1 Operating system access control Whether access to operating system is controlled by secure log-on procedure. Whether unique identifier (user ID) is provided to e ‎ very user such as operators, system administrators and ‎ ll other staff including technical. ‎ a Whether suitable authentication technique is chosen to User Identification and authentication ‎ ubstantiate the claimed identity of user.‎ s Whether generic user accounts are supplied only under e ‎ xceptional circumstances where there is a clear b ‎ usiness benefit. Additional controls may be necessary t ‎ o maintain accountability.‎ Whether there exists a password management system that enforces various password controls such as: individual password for accountability, enforce Password Management system password changes, store passwords in encrypted form, not display passwords on screen etc., Whether the utility programs that might be capable of overriding system and application controls is restricted Use of system utilities and tightly controlled. Whether inactive session is shutdown after a defined p ‎ eriod of inactivity.‎ Session time-out ( ‎ A limited form of timeouts can be provided for some s ‎ ystems, which clears the screen and prevents Whether there exists restriction on connection time for high-risk applications. This type of set up should be Limitation of connection time considered for sensitive applications for which the terminals are installed in high-risk locations. Application and Information access control Secure log-on procedures 7.5.2 11.5.2 7.5.3 11.5.3 7.5.4 11.5.4 7.5.5 11.5.5 7.5.6 7.6 11.6 11.5.6 Hakim Kt hakimkt@yahoo.com Page 13 10/27/2008 ISO 27001 Compliance Checklist 7.6.1 11.6.1 Information access restriction 7.6.2 7.7 11.7 11.6.2 Sensitive system isolation Mobile computing and teleworking Whether access to information and application system f ‎ unctions by users and support personnel is restricted i ‎n accordance with the defined access control policy.‎ Whether sensitive systems are provided with dedicated ‎ isolated) computing environment such as ( running on a ‎ edicated computer, share resources only d with trusted ‎ pplication systems, etc.,‎ a 7.7.1 11.7.1 Whether a formal policy is in place, and appropriate s ‎ ecurity measures are adopted to protect against the r ‎ isk of using mobile computing and communication f ‎ acilities.‎ Some example of Mobile computing and Mobile computing and communications c ‎ ommunications facility include: notebooks, palmtops, l ‎aptops, smart cards, mobile phones. ‎ Whether risks such as working in unprotected e ‎ nvironment is taken into account by Mobile c ‎ omputing policy.‎ Whether policy, operational plan and procedures are d ‎ eveloped and implemented for teleworking activities.‎ Whether teleworking activity is authorized and c ‎ ontrolled by management and does it ensure that s ‎ uitable arrangements are in place for this way of w ‎ orking.‎ 7.7.2 11.7.2 Teleworking Information systems acquisition, development and maintenance 8.1 12.1 Security requirements of information systems Whether security requirements for new information s ‎ ystems and enhancement to existing information s ‎ ystem specify the requirements for security controls. ‎ Whether the Security requirements and controls Security requirements analysis and i ‎dentified reflects the business value of information specification a ‎ ssets involved and the consequence from failure of S ‎ ecurity.‎ Whether system requirements for information security and processes for implementing security is integrated in the early stages of information system projects. Correct processing in applications 8.1.1 12.1.1 8.2 12.2 Hakim Kt hakimkt@yahoo.com Page 14 10/27/2008 ISO 27001 Compliance Checklist 8.2.1 12.2.1 Input data validation 8.2.2 12.2.2 Control of internal processing 8.2.3 12.2.3 Message integrity 8.2.4 8.3 12.3 12.2.4 Output data validation Cryptographic controls Whether data input to application system is validated t ‎ o ensure that it is correct and appropriate. ‎ Whether the controls such as: Different types of inputs t ‎ o check for error messages, Procedures for responding t ‎ o validation errors, defining responsibilities of all p ‎ ersonnel involved in data input process etc., are c ‎ onsidered.‎ Whether validation checks are incorporated into a ‎ pplications to detect any corruption of information t ‎ hrough processing errors or deliberate acts. ‎ Whether the design and implementation of applications ‎ nsure that the risks of processing failures e leading to a ‎oss of integrity are minimised. ‎ l Whether requirements for ensuring and protecting m ‎ essage integrity in applications are identified, and a ‎ ppropriate controls identified and implemented. ‎ Whether an security risk assessment was carried out to d ‎ etermine if message integrity is required, and to i ‎dentify the most appropriate method of i ‎mplementation. ‎ Whether the data output of application system is validated to ensure that the processing of stored information is correct and appropriate to circumstances. 8.3.1 12.3.1 Policy on use of cryptographic controls Whether the organization has Policy on use of c ‎ ryptographic controls for protection of information. . ‎ Whether the policy is successfully implemented.‎ Whether the cryptographic policy does consider the management approach towards the use of cryptographic controls, risk assessment results to identify required level of protection, key management methods and various standards for effective implementation Whether key management is in place to support the o ‎ rganizations use of cryptographic techniques. ‎ Whether cryptographic keys are protected against m ‎ odification, loss, and destruction.‎ 8.3.2 12.3.2 Key Management Hakim Kt hakimkt@yahoo.com Page 15 10/27/2008 ISO 27001 Compliance Checklist 8.3.2 12.3.2 Key Management Whether secret keys and private keys are protected a ‎ gainst unauthorized disclosure.‎ Whether equipments used to generate, store keys are p ‎ hysically protected. ‎ Whether the Key management system is based on agreed set of standards, procedures and secure methods. Whether there are any procedures in place to control installation of software on operational systems. (This is to minimise the risk of corruption of operational systems.) 8.4 8.4.1 12.4 12.4.1 Security of system files Control of operational software 8.4.2 12.4.2 8.4.3 8.5 12.5 12.4.3 8.5.1 12.5.1 8.5.2 12.5.2 8.5.3 12.5.3 Whether system test data is protected and controlled. ‎ Whether use of personal information or any sensitive i ‎nformation for testing operational database is shunned‎ Whether strict controls are in place to restrict access to p ‎ rogram source libraries. ‎ Access control to program source code ( ‎ This is to avoid the potential for unauthorized, u ‎ nintentional changes.)‎ Security in development and support services Whether there is strict control procedure in place over i ‎mplementation of changes to the information system. ( ‎ This is to minimise the corruption of information Change control procedures s ‎ ystem.)‎ Whether this procedure addresses need for risk a ‎ ssessment, analysis of impacts of changes, ‎ Whether there is process or procedure in place to r ‎ eview and test business critical applications for a ‎ dverse impact on organizational operations or Technical review of applications after security ‎ fter the change to Operating Systems. ‎ a operating system changes Periodically it is necessary to upgrade operating system ‎.e., to install service packs, patches, hot fixes i etc., ‎ Whether modifications to software package is Restrictions on changes to software d ‎ iscouraged and/ or limited to necessary changes.‎ packages Whether all changes are strictly controlled. ‎ Whether controls are in place to prevent information l ‎eakage. ‎ Protection of system test data Information leakage 8.5.4 12.5.4 Hakim Kt hakimkt@yahoo.com Page 16 10/27/2008 ISO 27001 Compliance Checklist 8.5.4 12.5.4 Information leakage 8.5.5 12.5.5 Outsourced software development Whether controls such as scanning of outbound media, r ‎ egular monitoring of personnel and system activities p ‎ ermitted under local legislation, monitoring resource u ‎ sage are considered. ‎ Whether the outsourced software development is s ‎ upervised and monitored by the organization. ‎ Whether points such as: Licensing arrangements, e ‎ scrow arrangements, contractual requirement for q ‎ uality assurance, testing before installation to detect T ‎ rojan code etc., are considered. ‎ Whether timely information about technical v ‎ ulnerabilities of information systems being used is o ‎ btained.‎ Whether the organization’s exposure to such v ‎ ulnerabilities evaluated and appropriate measures t ‎ aken to mitigate the associated risk.‎ 8.6 12.6 Technical vulnerability management 8.6.1 12.6.1 Control of technical vulnerabilities Information Security Incident Management 9.1 13.1 Reporting information security events and weaknesses Whether information security events are reported t ‎ hrough appropriate management channels as quickly a ‎ s possible. ‎ Reporting information security events Whether formal information security event reporting p ‎ rocedure, Incident response and escalation procedure i ‎s developed and implemented. ‎ Whether there exists a procedure that ensures all e ‎ mployees of information systems and services are Reporting security weaknesses r ‎ equired to note and report any observed or suspected s ‎ ecurity weakness in the system or services. ‎ Management of information security incidents and improvements Whether management responsibilities and procedures w ‎ ere established to ensure quick, effective and orderly r ‎ esponse to information security incidents. ‎ Whether monitoring of systems, alerts and v ‎ ulnerabilities are used to detect information security i ‎ncidents. ‎ 9.1.1 13.1.1 9.1.2 9.2 13.2 13.1.2 9.2.1 13.2.1 Responsibilities and procedures Hakim Kt hakimkt@yahoo.com Page 17 10/27/2008 ISO 27001 Compliance Checklist 9.2.1 13.2.1 Responsibilities and procedures 9.2.2 13.2.2 Learning from information security incidents Whether the objective of information security incident m ‎ anagement is agreed with the management.‎ Whether there is a mechanism in place to identify and q ‎ uantify the type, volume and costs of information s ‎ ecurity incidents. Whether the information gained from the evaluation of t ‎ he past information security incidents are used to i ‎dentify recurring or high impact incidents. ‎ Whether follow-up action against a person or o ‎ rganization after an information security incident i ‎nvolves legal action (either civil or criminal). ‎ Whether evidence relating to the incident are collected, r ‎ etained and presented to conform to the rules for e ‎ vidence laid down in the relevant jurisdiction(s). ‎ Whether internal procedures are developed and followed when collecting and presenting evidence for the purpose of disciplinary action within the organization 9.2.3 13.2.3 Collection of evidence Business Continuity Management 10.1 14.1 Information security aspects of business continuity management Whether there is a managed process in place that a ‎ ddresses the information security requirements for d ‎ eveloping and maintaining business continuity t ‎ hroughout the organization. ‎ Whether this process understands the risks the Including informaiton security in the o business continuity management process ‎ rganization is facing, identify business critical assets, i ‎dentify incident impacts, consider the implementation o ‎ f additional preventative controls and documenting t ‎ he business continuity plans addressing the security r ‎ equirements.‎ Whether events that cause interruption to business p ‎ rocess is identified along with the probability and Business continuity and risk assessement i ‎mpact of such interruptions and their consequence for i ‎nformation security.‎ 10.1.1 14.1.1 10.1.2 14.1.2 Hakim Kt hakimkt@yahoo.com Page 18 10/27/2008 ISO 27001 Compliance Checklist 10.1.3 14.1.3 10.1.4 14.1.4 Whether plans were developed to maintain and restore b ‎ usiness operations, ensure availability of information w ‎ ithin the required level in the required time frame f ‎ ollowing an interruption or failure to business Developing and implementing p ‎ rocesses. continuity plans including information Whether the plan considers identification and security a ‎ greement of responsibilities, identification of a ‎ cceptable loss, implementation of recovery and r ‎ estoration procedure, documentation of procedure and ‎ egular testing.‎ r Whether there is a single framework of Business c ‎ ontinuity plan.‎ Whether this framework is maintained to ensure that a Business continuity planning framework ‎ ll plans are consistent and identify priorities for t ‎ esting and maintenance. ‎ Whether business continuity plan addresses the i ‎dentified information security requirement. ‎ Whether Business continuity plans are tested regularly t ‎ o ensure that they are up to date and effective.‎ Whether business continuity plan tests ensure that all m ‎ embers of the recovery team and other relevant staff a ‎ re aware of the plans and their responsibility for b ‎ usiness continuity and information security and know ‎ heir role when plan is evoked. ‎ t 10.1.5 14.1.5 Testing maintaining and re-assessing business continuity plans Compliance 11.1 15.1 Compliance with legal requirements Whether all relevant statutory, regulatory, contractual r ‎ equirements and organizational approach to meet the r ‎ equirements were explicitly defined and documented f ‎ or each information system and organization. Whether specific controls and individual r ‎ esponsibilities to meet these requirements were d ‎ efined and documented.‎ 11.1.1 15.1.1 Identification of applicable legislation Hakim Kt hakimkt@yahoo.com Page 19 10/27/2008 ISO 27001 Compliance Checklist 11.1.2 15.1.2 11.1.3 15.1.3 11.1.4 15.1.4 11.1.5 15.1.5 11.1.6 11.2 15.2 15.1.6 Whether there are procedures to ensure compliance w ‎ ith legislative, regulatory and contractual r ‎ equirements on the use of material in respect of which t ‎ here may be intellectual property rights and on the use ‎ f proprietary software products. ‎ o Intellectual property rights (IPR) Whether the procedures are well implemented.‎ Whether controls such as: publishing intellectual p ‎ roperty rights compliance policy, procedures for a ‎ cquiring software, policy awareness, maintaining p ‎ roof of ownership, complying with software terms a ‎ nd conditions are considered. ‎ Whether important records of the organization is p ‎ rotected from loss destruction and falsification, in a ‎ ccordance with statutory, regulatory, contractual and b ‎ usiness requirement.‎ Whether consideration is given to possibility of Protection of organizational records d ‎ eterioration of media used for storage of records.‎ Whether data storage systems were chosen so that r ‎ equired data can be retrieved in an acceptable t ‎ imeframe and format, depending on requirements to b ‎ e fulfilled.‎ Whether data protection and privacy is ensured as per Data protection and privacy of personal r ‎ elevant legislation, regulations and if applicable as per information t ‎ he contractual clauses. ‎ Whether use of information processing facilities for a ‎ ny non-business or unauthorized purpose, without m ‎ anagement approval is treated as improper use of the f ‎ acility. Whether a log-on a warning message is presented on Prevention of misuse of information t ‎ he computer screen prior to log-on. Whether the user processing facilities h ‎ as to acknowledge the warning and react a ‎ ppropriately to the message on the screen to continue w ‎ ith the log-on process. Whether legal advice is taken before implementing any m ‎ onitoring procedures.‎ Whether the cryptographic controls are used in c ‎ ompliance with all relevant agreements, laws, and Regulation of cryptographic controls r ‎ egulations. ‎ Compliance with techincal policies and standards and technical compliance Hakim Kt hakimkt@yahoo.com Page 20 10/27/2008 ISO 27001 Compliance Checklist 11.2.1 15.2.1 Compliance with security policies and standards Whether managers ensure that all security procedures w ‎ ithin their area of responsibility are carried out c ‎ orrectly to achieve compliance with security policies a ‎ nd standards. Do managers regularly review the compliance of i ‎nformation processing facility within their area of r ‎ esponsibility for compliance with appropriate security p ‎ olicy and procedure Whether information systems are regularly checked for c ‎ ompliance with security implementation standards. ‎ Whether the technical compliance check is carried out b ‎ y, or under the supervision of, competent, authorized p ‎ ersonnel‎ Whether audit requirements and activities involving c ‎ hecks on operational systems should be carefully p ‎ lanned and agreed to minimise the risk of disruptions t ‎ o business process. ‎ Whether the audit requirements, scope are agreed with a ‎ ppropriate management.‎ Whether access to information system audit tools such a ‎ s software or data files are protected to prevent any p ‎ ossible misuse or compromise. Whether information system audit tools are separated f ‎ rom development and operational systems, unless g ‎ iven an appropriate level of additional protection.‎ 11.2.2 15.2.2 Technical compliance checking 11.3 15.3 Information systems audit considerations 11.3.1 15.3.1 Information systems audit control 11.3.2 15.3.2 Protection of informaiton system audit tools Hakim Kt hakimkt@yahoo.com Page 21 10/27/2008 ISO 27001 Compliance Checklist Domain Security Policy Organization of Information Security Objectives Information Security Policy Internal Organization External Parties Responsibilities for assets Information Classification Prior to Employment During Employment Termination or change of employment Secure Areas Equipment Security Operational procedures and responsibilities Third party service delivery management System planning and acceptance Protection against malicious and mobile code Backup Network Security Management Media handling Exchange of information Electronic commerce services Monitoring Business Control for access control User Access Management User Responsibilities Network Access control Operating system access control Application and information access control Mobile computing and teleworking Security requirements of information systems Correct processing in applications Cryptographic controls Security of system files Security in development and support services Technical vulnerability management Reporting information security events and weaknesses Management of information security incidents and imporvements Information security aspects of Business continuity management Compliance with legal requirements Complinace with techincal policies and standards and technical complinace Information system audit considerations Status (%) 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% Asset Management Human resources security Physical and Enviornmental security Communication and Operations Management Access Control Information system acquisition, development and maintanence Information security incident management Business Continuity Management Compliance Vinod Kumar vinodjis@hotmail.com Page 22 10/27/2008 ISO 27001 Compliance Checklist Domain Security Policy Organization of Information Security Asset Management Human resources security Physical and Enviornmental security Communication and Operations Management Access Control Information system acquisition, development and maintanence Information security incident management Business Continuity Management Compliance Status (%) 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% Compliance per Domain Status 100% 10% 20% 30% 40% 50% 60% 70% 80% 90% 0% Security Policy Organization of Information Security Asset Management Human resources security Physical and Enviornmental security 0% 0% 0% 0% 0% 0% Domain Communication and Operations Management Access Control Information system … Information security incident management Business Continuity Management Compliance 0% 0% 0% 0% 0% ISO 27001 Compliance Checklist Compliance Checklist A conditional formatting has been provided on "Compliance checklist" sheet under the "Status (%)" filed and is as m 1 to 25 26 to 75 76 to 100 In the field "Findings" fill in the evidence that you saw and your thoughts of the implementation In the field "Status (%)" fill in the compliance level on the scale as mentioned above If any of the controls in not applicable, please put in "NA" or anything that denotes that particular control is not app Compliance Per Control Kindly note: this sheet has been automated and will show you the status pertaining to each control objective, as per the "Complinace Checklist" sheet Compliance Per Domain Kindly note: this sheet has been automated and will show you the status pertaining to each domain, as per your sta "Complinace Checklist" sheet Graphical Representation This will give you a graphical representation of the status per domain. Which can be in-corporated into your presen ISO 27001 Compliance Checklist he "Status (%)" filed and is as mentioned below lementation hat particular control is not applicable to the organization o each control objective, as per your status in o each domain, as per your status in the in-corporated into your presentation to the management