[Chart: ISO27001:2013 Assessment. Compliance score (0 to 1) by Annex A control area, A.5 to A.18, with areas such as Asset management, Cryptography, Operations security, System acquisition, development and maintenance, and Compliance.]
Introduction
This tool is designed to assist a skilled and experienced professional to ensure that the relevant controls of ISO/IEC 27001:2013 have been addressed. This tool does not constitute a valid assessment, and the use of this tool does not confer ISO/IEC 27001 certification. The findings here must be confirmed as part of a formal audit / assessment visit.
2. Collect evidence.
3. Prepare toolkit.
Assessment
4. Review control areas.
Post Assessment
6. Record areas of weakness.
7. Determine improvement plan.
8. Schedule re-assessment.
Lifecycle Review
9. ISMS review schedules.
Overall Compliance
Standard             Status
A.5                  0%
A.6                  0%
A.7                  0%
A.8                  0%
A.9                  0%
A.10                 0%
A.11                 0%
A.12                 0%
A.13                 0%
A.14                 0%
A.15                 0%
A.16                 0%
A.17                 0%
A.18                 0%
Overall Compliance   0%
Standard   Status
A.5.1      0%
A.6.1      0%
A.6.2      0%
A.7.1      0%
A.7.2      0%
A.7.3      0%
A.8.1      0%
A.8.2      0%
A.8.3      0%
A.9.1      0%
A.9.2      0%
A.9.3      0%
A.9.4      0%
A.10.1     0%
A.11.1     0%
A.11.2     0%
A.12.1     0%
A.12.2     0%
A.12.3     0%
A.12.4     0%
A.12.5     0%
A.12.6     0%
A.12.7     0%
A.13.1     0%
A.13.2     0%
A.14.1     0%
A.14.2     0%
A.14.3     0%
A.15.1     0%
A.15.2     0%
A.16.1     0%
A.17.1     0%
A.17.2     0%
A.18.1     0%
A.18.2     0%
Reference Checklist
Standard | Section | Assessment Results | Findings | Status
A.5 | Information Security Policies | | | 0%
A.5.1 | Management direction for information security | | | 0%
A.5.1.1 | Policies for information security | | | 0%
A.5.1.2 | | | | 0%
A.6 | | | | 0%
A.6.1 | | | | 0%
A.6.1.1 | | | | 0%
A.6.1.2 | Segregation of duties | | | 0%
A.6.1.3 | | | | 0%
A.6.1.4 | | | | 0%
A.6.1.5 | | | | 0%
A.6.2 | | | | 0%
A.6.2.1 | | | | 0%
A.6.2.2 | Teleworking | | | 0%
A.7 | | | | 0%
A.7.1 | | | | 0%
A.7.1.1 | | | | 0%
A.7.1.2 | | | | 0%
A.7.2 | During employment | | | 0%
A.7.2.1 | Management responsibilities | | | 0%
A.7.2.2 | | | | 0%
A.7.2.3 | Disciplinary process | | | 0%
A.7.3 | | | | 0%
A.8 | Asset Management | | | 0%
A.8.1 | Responsibility for assets | | | 0%
A.8.1.1 | Inventory of assets | | | 0%
A.8.1.2 | Ownership of assets | | | 0%
A.8.1.3 | | | | 0%
A.8.1.4 | Return of assets | | | 0%
A.8.2 | Information classification | | | 0%
A.8.2.1 | Classification of information | | | 0%
A.8.2.2 | Labelling of information | | | 0%
A.8.2.3 | Handling of assets | | | 0%
A.8.3 | Media handling | | | 0%
A.8.3.1 | Management of removable media | | | 0%
A.8.3.2 | Disposal of media | | | 0%
A.8.3.3 | | | | 0%
A.9 | Access Control | | | 0%
A.9.1 | Business requirements for access control | | | 0%
A.9.1.1 | Access control policy | | | 0%
A.9.1.2 | | | | 0%
A.9.2 | | | | 0%
A.9.2.1 | | | | 0%
A.9.2.2 | | | | 0%
A.9.2.3 | | | | 0%
A.9.2.4 | | | | 0%
A.9.2.5 | | | | 0%
A.9.2.6 | | | | 0%
A.9.3 | User responsibilities | | | 0%
A.9.3.1 | Use of secret authentication information | | | 0%
A.9.4 | | | | 0%
A.9.4.1 | | | | 0%
A.9.4.2 | | | | 0%
A.9.4.3 | | | | 0%
A.9.4.4 | | | | 0%
A.9.4.5 | | | | 0%
A.10 | Cryptography | | | 0%
A.10.1 | Cryptographic controls | | | 0%
A.10.1.1 | Policy on the use of cryptographic controls | | | 0%
A.10.1.2 | Key management | | | 0%
A.11 | | | | 0%
A.11.1 | | | | 0%
A.11.1.1 | | | | 0%
A.11.1.2 | | | | 0%
A.11.1.3 | | | | 0%
A.11.1.4 | | | | 0%
A.11.1.5 | | | | 0%
A.11.1.6 | | | | 0%
A.11.2 | Equipment | | | 0%
A.11.2.1 | Equipment siting and protection | | | 0%
A.11.2.2 | Supporting utilities | | | 0%
A.11.2.3 | Cabling security | | | 0%
A.11.2.4 | Equipment maintenance | | | 0%
A.11.2.5 | Removal of assets | | | 0%
A.11.2.6 | | | | 0%
A.11.2.7 | | | | 0%
A.11.2.8 | | | | 0%
A.11.2.9 | | | | 0%
A.12 | Operations Security | | | 0%
A.12.1 | Operational procedures and responsibilities | | | 0%
A.12.1.1 | Documented operating procedures | | | 0%
A.12.1.2 | Change management | | | 0%
A.12.1.3 | Capacity management | | | 0%
A.12.1.4 | | | | 0%
A.12.2 | | | | 0%
A.12.2.1 | | | | 0%
A.12.3 | Backup | | | 0%
A.12.3.1 | Information backup | | | 0%
A.12.4 | | | | 0%
A.12.4.1 | | | | 0%
A.12.4.2 | | | | 0%
A.12.4.3 | | | | 0%
A.12.4.4 | Clock synchronisation | | | 0%
A.12.5 | | | | 0%
A.12.5.1 | | | | 0%
A.12.6 | | | | 0%
A.12.6.1 | | | | 0%
A.12.6.2 | | | | 0%
A.12.7 | | | | 0%
A.12.7.1 | | | | 0%
A.13 | Communications Security | | | 0%
A.13.1 | Network security management | | | 0%
A.13.1.1 | Network controls | | | 0%
A.13.1.2 | | | | 0%
A.13.1.3 | Segregation in networks | | | 0%
A.13.2 | Information transfer | | | 0%
A.13.2.1 | Information transfer policies and procedures | | | 0%
A.13.2.2 | | | | 0%
A.13.2.3 | Electronic messaging | | | 0%
A.13.2.4 | | | | 0%
A.14 | | | | 0%
A.14.1 | | | | 0%
A.14.1.1 | | | | 0%
A.14.1.2 | | | | 0%
A.14.1.3 | | | | 0%
A.14.2 | | | | 0%
A.14.2.1 | | | | 0%
A.14.2.2 | | | | 0%
A.14.2.3 | | | | 0%
A.14.2.4 | | | | 0%
A.14.2.5 | | | | 0%
A.14.2.6 | | | | 0%
A.14.2.7 | Outsourced development | | | 0%
A.14.2.8 | | | | 0%
A.14.2.9 | | | | 0%
A.14.3 | Test data | | | 0%
A.14.3.1 | Protection of test data | | | 0%
A.15 | Supplier Relationships | | | 0%
A.15.1 | Information security in supplier relationships | | | 0%
A.15.1.1 | | | | 0%
A.15.1.2 | | | | 0%
A.15.1.3 | | | | 0%
A.15.2 | | | | 0%
A.15.2.1 | | | | 0%
A.15.2.2 | | | | 0%
A.16 | | | | 0%
A.16.1 | | | | 0%
A.16.1.1 | | | | 0%
A.16.1.2 | | | | 0%
A.16.1.3 | | | | 0%
A.16.1.4 | | | | 0%
A.16.1.5 | | | | 0%
A.16.1.6 | | | | 0%
A.16.1.7 | Collection of evidence | | | 0%
A.17 | | | | 0%
A.17.1 | | | | 0%
A.17.1.1 | | | | 0%
A.17.1.2 | | | | 0%
A.17.1.3 | | | | 0%
A.17.2 | Redundancies | | | 0%
A.17.2.1 | Availability of information processing facilities | | | 0%
A.18 | Compliance | | | 0%
A.18.1 | Compliance with legal and contractual requirements | | | 0%
A.18.1.1 | Identification of applicable legislation and contractual requirements | | | 0%
A.18.1.2 | | | | 0%
A.18.1.3 | Protection of records | | | 0%
A.18.1.4 | | | | 0%
A.18.1.5 | | | | 0%
A.18.2 | | | | 0%
A.18.2.1 | | | | 0%
A.18.2.2 | | | | 0%
A.18.2.3 | | | | 0%