
ISO27001 Audit Checklist

Paladion Networks

ABOUT THIS DOCUMENT
This document contains the questions to be asked in a process audit. The controls selected here are primarily from ISO 27001 and internal best practices.

VERSION CONTROL
Version | Author           | Approved By
1.0     | Shaheem Motlekar | Vinod Vasudevan
2.0     | Abhishek Kumar   | Firosh Ummer

Confidentiality Agreement: This document is to be used for internal purpose of Paladion Networks only.

ISO27001 AUDIT QUESTIONNAIRE
Each item below gives the requirement text, the numbered audit questions to ask, the significance rating of the item and the evidence to request from the auditee.

4 Information Security Management System

4.1 General Requirements
The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization's overall business activities and the risks they face. For the purposes of this International Standard the process used is based on the PDCA model.
Audit questions:
1) Has the organization established and implemented a documented ISMS, and is it operating, monitoring, reviewing, maintaining and improving it within the context of the organization's overall business activities and the risks it faces?
Significance: High

4.2 Establishing and managing the ISMS

4.2.1 Establish the ISMS

4.2.1 a) Define the scope and boundaries of the ISMS in terms of the characteristics of the business, the organization, its location, assets, technology, and including details of and justification for any exclusions from the scope.
Audit questions:
1) Are the scope and boundaries of the ISMS defined and documented?
2) Does the scope take into consideration the characteristics of the business, the organization, its location, assets and technology, and include details of and justification for any exclusion from the scope?
Significance: High
Evidence: Scope document

4.2.1 b) Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and technology that:
1) includes a framework for setting objectives and establishes an overall sense of direction and principles for action with regard to information security;
2) takes into account business and legal or regulatory requirements, and contractual security obligations;
3) aligns with the organization's strategic risk management context in which the establishment and maintenance of the ISMS will take place;
4) establishes criteria against which risk will be evaluated;
5) has been approved by management.
Audit questions:
1) Is the ISMS policy documented and approved by management?
2) Does the ISMS policy include the following?
- a framework for setting objectives and an overall sense of direction and principles for action with regard to information security
- business and legal or regulatory requirements, and contractual security obligations
- the organization's strategic risk management context in which the establishment and maintenance of the ISMS will take place
- criteria against which risk will be evaluated
Significance: High
Evidence: ISMS policy document

4.2.1 c) Define the risk assessment approach of the organization.
1) Identify a risk assessment methodology that is suited to the ISMS, and the identified business information security, legal and regulatory requirements.
2) Develop criteria for accepting risks and identify the acceptable levels of risk.
The risk assessment methodology selected shall ensure that risk assessments produce comparable and reproducible results.
Audit questions:
1) Is the risk assessment approach of the organization defined and documented?
2) Are the criteria for accepting risks and identifying the acceptable levels of risk documented?
Significance: High
Evidence: Risk assessment methodology document

4.2.1 d) Identify the risks.
1) Identify the assets within the scope of the ISMS, and the owners of these assets.
2) Identify the threats to those assets.
3) Identify the vulnerabilities that might be exploited by the threats.
4) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.
Audit questions:
1) Is a risk assessment conducted to identify the risks for the scope of the ISMS?
2) Are all the assets within the scope of the ISMS identified along with their owners?
3) Are threats and vulnerabilities for all the assets identified?
4) Is the impact that losses of confidentiality, integrity and availability may have on the assets identified?
Significance: High
Evidence: Risk assessment report

4.2.1 e) Analyse and evaluate the risks.
1) Assess the business impact upon the organization that might result from a security failure, taking into account the consequences of a loss of confidentiality, integrity or availability of the assets.
2) Assess the realistic likelihood of such a security failure occurring in the light of prevailing threats and vulnerabilities, and impacts associated with these assets, and the controls currently implemented.
3) Estimate the levels of risks.
4) Determine whether the risk is acceptable or requires treatment using the risk acceptance criteria established in 4.2.1 c) 2).
Audit questions:
1) Is the business impact upon the organization that might result from a security failure assessed?
2) Is the realistic likelihood of a security failure occurring, in the light of prevailing threats and vulnerabilities and the controls currently implemented, assessed?
3) For all risks, is it decided whether the risk is acceptable or requires treatment?
Significance: High
Evidence: Risk assessment report

4.2.1 f) Identify and evaluate options for the treatment of risks. Possible actions include:
1) applying appropriate controls;
2) knowingly and objectively accepting risks, providing they clearly satisfy the organization's policies and the criteria for risk acceptance (see 4.2.1 c) 2));
3) avoiding risks; and
4) transferring the associated business risks to other parties, e.g. insurers, suppliers.
Audit questions:
1) Are options for the treatment of risks identified and evaluated?
2) Are there risks which are accepted, avoided or transferred? Is this done while satisfying the organization's policies and the criteria for risk acceptance?
Evidence: Risk treatment plan

4.2.1 g) Select control objectives and controls for the treatment of risks. Control objectives and controls shall be selected and implemented to meet the requirements identified by the risk assessment and risk treatment process. This selection shall take account of the criteria for accepting risks (see 4.2.1 c)) as well as legal, regulatory and contractual requirements. The control objectives and controls from Annex A shall be selected as part of this process as suitable to cover these requirements. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may also be selected.
Audit questions:
1) Are control objectives and controls for the treatment of risks identified and implemented?
2) Are any controls implemented that are not listed in ISO 27001 Annex A?
Evidence: Statement of Applicability

4.2.1 h) Obtain management approval of the proposed residual risks.
Audit questions:
1) Is management approval of the proposed residual risks obtained?
Evidence: Management approval for residual risks

4.2.1 i) Obtain management authorization to implement and operate the ISMS.
Audit questions:
1) Is management authorization to implement and operate the ISMS obtained?
Evidence: Management approval for implementing & operating the ISMS

4.2.1 j) Prepare a Statement of Applicability. A Statement of Applicability shall be prepared that includes the following:
1) the control objectives and controls selected in 4.2.1 g) and the reasons for their selection;
2) the control objectives and controls currently implemented (see 4.2.1 e) 2)); and
3) the exclusion of any control objectives and controls in Annex A and the justification for their exclusion.
Audit questions:
1) Is the Statement of Applicability documented?
2) Are the reasons for selection and exclusion of control objectives and controls included in the Statement of Applicability?
Evidence: Statement of Applicability

4.2.2 Implement and operate the ISMS

4.2.2 a) Formulate a risk treatment plan that identifies the appropriate management action, resources, responsibilities and priorities for managing information security risks (see 5).
Audit questions:
1) Is a risk treatment plan formulated that identifies the appropriate management action, resources, responsibilities and priorities for managing information security risks?
Significance: High
Evidence: Risk treatment plan

4.2.2 b) Implement the risk treatment plan in order to achieve the identified control objectives, which includes consideration of funding and allocation of roles and responsibilities.
Audit questions:
1) Is the risk treatment plan implemented?
2) Are funds allocated for risk treatment activities?
3) Are roles and responsibilities defined for risk treatment activities?
Significance: High

4.2.2 c) Implement controls selected in 4.2.1 g) to meet the control objectives.
Audit questions:
1) Are all controls identified during the risk treatment phase implemented?
Significance: High

4.2.2 d) Define how to measure the effectiveness of the selected controls or groups of controls and specify how these measurements are to be used to assess control effectiveness to produce comparable and reproducible results (see 4.2.3 c)).
Audit questions:
1) Is the effectiveness of the selected controls or groups of controls measured?
Significance: High
Evidence: Metrics & effectiveness measurement methodology; Effectiveness measurement report

4.2.2 e) Implement training and awareness programmes (see 5.2.2).
Audit questions:
1) Are training and awareness programmes implemented?
Significance: High
Evidence: Training plan; Training material; Training records

4.2.2 f) Manage operations of the ISMS.
Audit questions:
1) Are all the operations within the ISMS managed?
Significance: High

4.2.2 g) Manage resources for the ISMS (see 5.2).
Audit questions:
1) Are all the resources required for the functioning of the ISMS managed?
Significance: High

4.2.2 h) Implement procedures and other controls capable of enabling prompt detection of and response to security incidents (see 4.2.3).
Audit questions:
1) Are procedures and other controls capable of enabling prompt detection of and response to security incidents implemented?
Significance: High
Evidence: Incident management policy & procedures; Incident management records

4.2.3 Monitor and review the ISMS

4.2.3 a) Execute monitoring and review procedures and other controls to:
1) promptly detect errors in the results of processing;
2) promptly identify attempted and successful security breaches and incidents;
3) enable management to determine whether the security activities delegated to people or implemented by information technology are performing as expected;
4) help detect security events and thereby prevent security incidents by the use of indicators; and
5) determine whether the actions taken to resolve a breach of security were effective.
Audit questions:
1) Are monitoring and review procedures implemented to:
- promptly detect errors in the results of processing
- promptly identify attempted and successful security breaches and incidents
- enable management to determine whether the security activities delegated to people or implemented by information technology are performing as expected
- help detect security events and thereby prevent security incidents by the use of indicators
- determine whether the actions taken to resolve a breach of security were effective
Significance: High
Evidence: Monitoring policy & procedures; Monitoring records

4.2.3 b) Undertake regular reviews of the effectiveness of the ISMS (including meeting ISMS policy and objectives, and review of security controls) taking into account results of security audits, incidents, effectiveness measurements, suggestions and feedback from all interested parties.
Audit questions:
1) Is the effectiveness of the ISMS regularly reviewed, taking into account results of security audits, incidents, effectiveness measurements, suggestions and feedback from all interested parties?
Significance: High
Evidence: Minutes of meetings

4.2.3 c) Measure the effectiveness of controls to verify that security requirements have been met.
Audit questions:
1) Is control effectiveness measured to ensure that security requirements have been met?
Significance: High
Evidence: Metrics/Effectiveness measurement report

4.2.3 d) Review risk assessments at planned intervals and review the level of residual risk and identified acceptable risk, taking into account changes to:
1) the organization;
2) technology;
3) business objectives and processes;
4) identified threats;
5) effectiveness of the implemented controls; and
6) external events, such as changes to the legal or regulatory environment, changed contractual obligations, and changes in social climate.
Audit questions:
1) Are risk assessments reviewed at planned intervals, including the level of residual risk and identified acceptable risk?
Significance: High
Evidence: Risk assessment report

4.2.3 e) Conduct internal ISMS audits at planned intervals.
Audit questions:
1) Are internal ISMS audits conducted at planned intervals?
Significance: High
Evidence: ISMS audit report

4.2.3 f) Undertake a management review of the ISMS on a regular basis to ensure that the scope remains adequate and improvements in the ISMS process are identified (see 7.1).
Audit questions:
1) Is a management review of the ISMS carried out on a regular basis to ensure that the scope remains adequate and improvements in the ISMS process are identified?
Significance: High
Evidence: Review report; Minutes of meetings

4.2.3 g) Update security plans to take into account the findings of monitoring and reviewing activities.
Audit questions:
1) Are security plans updated taking into account the findings of monitoring and reviewing activities?
Significance: High

4.2.3 h) Record actions and events that could have an impact on the effectiveness or performance of the ISMS (see 4.3.3).
Audit questions:
1) Are actions and events that could have an impact on the effectiveness or performance of the ISMS recorded?
Significance: High

4.2.4 Maintain and improve the ISMS

4.2.4 a) Implement the identified improvements in the ISMS.
Audit questions:
1) Are identified improvements in the ISMS implemented?
Significance: High

4.2.4 b) Take appropriate corrective and preventive actions in accordance with 8.2 and 8.3. Apply the lessons learnt from the security experiences of other organizations and those of the organization itself.
Audit questions:
1) Are appropriate corrective and preventive actions implemented in response to security events?
Significance: High
Evidence: Incident management records

4.2.4 c) Communicate the actions and improvements to all interested parties with a level of detail appropriate to the circumstances and, as relevant, agree on how to proceed.
Audit questions:
1) Are the actions and improvements communicated to all interested parties?
Significance: High

4.2.4 d) Ensure that the improvements achieve their intended objectives.
Audit questions:
1) Do improvements achieve their intended objectives? How is this assessed?
Significance: High

4.3 Documentation requirements

4.3.1 General
Documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and that the recorded results are reproducible. It is important to be able to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives.
The ISMS documentation shall include:
a) documented statements of the ISMS policy (see 4.2.1 b)) and objectives;
b) the scope of the ISMS (see 4.2.1 a));
c) procedures and controls in support of the ISMS;
d) a description of the risk assessment methodology (see 4.2.1 c));
e) the risk assessment report (see 4.2.1 c) to 4.2.1 g));
f) the risk treatment plan (see 4.2.2 b));
g) documented procedures needed by the organization to ensure the effective planning, operation and control of its information security processes and describe how to measure the effectiveness of controls (see 4.2.3 c));
h) records required by this International Standard (see 4.3.3); and
i) the Statement of Applicability.
Audit questions:
1) Is it possible to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives?
2) Are the following documented and approved?
- Records of management decisions
- ISMS policy
- Scope of the ISMS
- Procedures and controls in support of the ISMS
- Risk assessment methodology
- Risk assessment report
- Risk treatment plan
- How to measure the effectiveness of controls
- Statement of Applicability
Significance: High
Evidence: Records of management decisions; ISMS policy; Scope of the ISMS; Procedures and controls in support of the ISMS; Risk assessment methodology; Risk assessment report; Risk treatment plan; How to measure the effectiveness of controls; Statement of Applicability

4.3.2 Control of documents
Documents required by the ISMS shall be protected and controlled. A documented procedure shall be established to define the management actions needed to:
a) approve documents for adequacy prior to issue;
b) review and update documents as necessary and re-approve documents;
c) ensure that changes and the current revision status of documents are identified;
d) ensure that relevant versions of applicable documents are available at points of use;
e) ensure that documents remain legible and readily identifiable;
f) ensure that documents are available to those who need them, and are transferred, stored and ultimately disposed of in accordance with the procedures applicable to their classification;
g) ensure that documents of external origin are identified;
h) ensure that the distribution of documents is controlled;
i) prevent the unintended use of obsolete documents; and
j) apply suitable identification to them if they are retained for any purpose.
Audit questions:
1) Are documents required by the ISMS adequately protected and controlled?
2) Is a documented procedure available that defines the management actions needed to:
- approve documents for adequacy prior to issue
- review and update documents as necessary and re-approve documents
- ensure that changes and the current revision status of documents are identified
- ensure that relevant versions of applicable documents are available at points of use
- ensure that documents remain legible and readily identifiable
- ensure that documents are available to those who need them, and are transferred, stored and ultimately disposed of in accordance with the procedures applicable to their classification
- ensure that documents of external origin are identified
- ensure that the distribution of documents is controlled
- prevent the unintended use of obsolete documents and apply suitable identification to them if they are retained for any purpose
Significance: High
Evidence: Document and record control procedure

4.3.3 Control of records
Records shall be established and maintained to provide evidence of conformity to requirements and the effective operation of the ISMS. They shall be protected and controlled. The ISMS shall take account of any relevant legal or regulatory requirements and contractual obligations. Records shall remain legible, readily identifiable and retrievable. The controls needed for the identification, storage, protection, retrieval, retention time and disposition of records shall be documented and implemented. Records shall be kept of the performance of the process as outlined in 4.2 and of all occurrences of significant security incidents related to the ISMS.
Audit questions:
1) Are records established and maintained to provide evidence of conformity to requirements and the effective operation of the ISMS?
2) How are records protected and controlled? Are the controls needed for the identification, storage, protection, retrieval, retention time and disposition of records documented and implemented?
3) Are records maintained to meet relevant legal or regulatory requirements and contractual obligations?
Significance: High
Evidence: Document and record control procedure; Records as required by ISO 27001

5 Management responsibility

5.1 Management commitment
Management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS by:
a) establishing an ISMS policy;
b) ensuring that ISMS objectives and plans are established;
c) establishing roles and responsibilities for information security;
d) communicating to the organization the importance of meeting information security objectives and conforming to the information security policy, its responsibilities under the law and the need for continual improvement;
e) providing sufficient resources to establish, implement, operate, monitor, review, maintain and improve the ISMS (see 5.2.1);
f) deciding the criteria for accepting risks and for acceptable risk levels;
g) ensuring that internal ISMS audits are conducted (see 6); and
h) conducting management reviews of the ISMS (see 7).
Audit questions:
1) Is management committed to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS?
2) Are the following actions carried out by management?
- establishing an ISMS policy, objectives and plans
- establishing roles and responsibilities for information security
- communicating to the organization the importance of meeting information security objectives and conforming to the information security policy, its responsibilities under the law and the need for continual improvement
- providing sufficient resources to establish, implement, operate, monitor, review, maintain and improve the ISMS
- deciding the criteria for accepting risks and for acceptable risk levels
- ensuring that internal ISMS audits are conducted
- conducting management reviews of the ISMS
Significance: High

5.2 Resource management

5.2.1 Provision of resources
The organization shall determine and provide the resources needed to:
a) establish, implement, operate, monitor, review, maintain and improve an ISMS;
b) ensure that information security procedures support the business requirements;
c) identify and address legal and regulatory requirements and contractual security obligations;
d) maintain adequate security by correct application of all implemented controls;
e) carry out reviews when necessary, and to react appropriately to the results of these reviews; and
f) where required, improve the effectiveness of the ISMS.
Audit questions:
1) Does the organization determine and provide the resources needed to:
- establish, implement, operate, monitor, review, maintain and improve an ISMS
- ensure that information security procedures support the business requirements
- identify and address legal and regulatory requirements and contractual security obligations
- maintain adequate security by correct application of all implemented controls
- carry out reviews when necessary, and react appropriately to the results of these reviews
- where required, improve the effectiveness of the ISMS
Significance: High

5.2.2 Training, awareness and competence
The organization shall ensure that all personnel who are assigned responsibilities defined in the ISMS are competent to perform the required tasks by:
a) determining the necessary competencies for personnel performing work affecting the ISMS;
b) providing training or taking other actions (e.g. employing competent personnel) to satisfy these needs;
c) evaluating the effectiveness of the actions taken; and
d) maintaining records of education, training, skills, experience and qualifications (see 4.3.3).
The organization shall also ensure that all relevant personnel are aware of the relevance and importance of their information security activities and how they contribute to the achievement of the ISMS objectives.
Audit questions:
1) Are the necessary competencies for personnel performing work affecting the ISMS identified?
2) Is training provided to personnel?
3) Is the effectiveness of the training provided evaluated?
4) Are records of education, training, skills, experience and qualifications maintained?
Significance: High
Evidence: Training plan; Training material; Training records/feedback

6 Internal ISMS audits
The organization shall conduct internal ISMS audits at planned intervals to determine whether the control objectives, controls, processes and procedures of its ISMS:
a) conform to the requirements of this International Standard and relevant legislation or regulations;
b) conform to the identified information security requirements;
c) are effectively implemented and maintained; and
d) perform as expected.
An audit program shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. Selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.
The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.3.3) shall be defined in a documented procedure.
The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results (see 8).
Audit questions:
1) Are internal ISMS audits conducted at planned intervals? Does the audit verify that the ISMS:
- conforms to the requirements of this International Standard and relevant legislation or regulations
- conforms to the identified information security requirements
- is effectively implemented and maintained
- performs as expected
2) Are the audit criteria, scope, frequency and methods defined? Are the responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records, defined in a documented procedure?
3) Are follow-up activities conducted that include the verification of the actions taken and the reporting of verification results?
Significance: High
Evidence: Audit report; Audit plan; Audit methodology; Non compliance closure report

7 Management review of the ISMS

7.1 General
Management shall review the organization's ISMS at planned intervals (at least once a year) to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives. The results of the reviews shall be clearly documented and records shall be maintained (see 4.3.3).
Audit questions:
1) Does management review the organization's ISMS at planned intervals (at least once a year) to ensure its continuing suitability, adequacy and effectiveness?
2) Are the results of the reviews clearly documented and records maintained?
Significance: High
Evidence: Review records/Minutes of meetings

7.2 Review input
The input to a management review shall include:
a) results of ISMS audits and reviews;
b) feedback from interested parties;
c) techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness;
d) status of preventive and corrective actions;
e) vulnerabilities or threats not adequately addressed in the previous risk assessment;
f) results from effectiveness measurements;
g) follow-up actions from previous management reviews;
h) any changes that could affect the ISMS; and
i) recommendations for improvement.
Audit questions:
1) Does the input to the management review include the following?
- results of ISMS audits and reviews
- feedback from interested parties
- techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness
- status of preventive and corrective actions
- vulnerabilities or threats not adequately addressed in the previous risk assessment
- results from effectiveness measurements
- follow-up actions from previous management reviews
- any changes that could affect the ISMS
- recommendations for improvement
Significance: High
Evidence: Review records/Minutes of meetings

7.3 Review output
The output from the management review shall include any decisions and actions related to the following:
a) Improvement of the effectiveness of the ISMS.
b) Update of the risk assessment and risk treatment plan.
c) Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to:
1) business requirements;
2) security requirements;
3) business processes affecting the existing business requirements;
4) regulatory or legal requirements;
5) contractual obligations; and
6) levels of risk and/or risk acceptance criteria.
d) Resource needs.
e) Improvement to how the effectiveness of controls is being measured.
Audit questions:
1) Does the output from the management review include decisions and actions related to the following?
- Improvement of the effectiveness of the ISMS
- Update of the risk assessment and risk treatment plan
- Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to:
--- business requirements
--- security requirements
--- business processes affecting the existing business requirements
--- regulatory or legal requirements
--- contractual obligations
--- levels of risk and/or risk acceptance criteria
- Resource needs
- Improvement to how the effectiveness of controls is being measured
Significance: High
Evidence: Review records/Minutes of meetings

8 ISMS improvement

8.1 Continual improvement
The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review (see 7).
Significance: High
1) Does the organization continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review?

8.2 Corrective action
The organization shall take action to eliminate the cause of nonconformities with the ISMS requirements in order to prevent recurrence. The documented procedure for corrective action shall define requirements for:
a) identifying nonconformities;
b) determining the causes of nonconformities;
c) evaluating the need for actions to ensure that nonconformities do not recur;
d) determining and implementing the corrective action needed;
e) recording results of action taken (see 4.3.3); and
f) reviewing of corrective action taken.
Significance: High
Evidence: Non compliance closure report; Incident management records; Corrective action procedure
1) Does the organization take action to eliminate the cause of nonconformities with the ISMS requirements in order to prevent recurrence?
2) Is the corrective action procedure documented? Does it define requirements for:
   - identifying nonconformities
   - determining the causes of nonconformities
   - evaluating the need for actions to ensure that nonconformities do not recur
   - determining and implementing the corrective action needed
   - recording results of action taken
   - reviewing of corrective action taken

8.3 Preventive action
The organization shall determine action to eliminate the cause of potential nonconformities with the ISMS requirements in order to prevent their occurrence. Preventive actions taken shall be appropriate to the impact of the potential problems. The documented procedure for preventive action shall define requirements for:
a) identifying potential nonconformities and their causes;
b) evaluating the need for action to prevent occurrence of nonconformities;
c) determining and implementing preventive action needed;
d) recording results of action taken (see 4.3.3); and
e) reviewing of preventive action taken.
The organization shall identify changed risks and identify preventive action requirements focusing attention on significantly changed risks. The priority of preventive actions shall be determined based on the results of the risk assessment.
Significance: High
Evidence: Non compliance closure report; Incident management records; Preventive action procedure
1) Does the organization determine action to eliminate the cause of potential nonconformities with the ISMS requirements in order to prevent their occurrence?
2) Is the preventive action procedure documented? Does it define requirements for:
   - identifying potential nonconformities and their causes
   - evaluating the need for action to prevent occurrence of nonconformities
   - determining and implementing preventive action needed
   - recording results of action taken
   - reviewing of preventive action taken

A.5 Security policy

A.5.1 Information security policy

A.5.1.1 Information security policy document
Significance: High
Evidence: Security Policy; Documents referenced in the Policy
1) Is there a written policy document which is approved by the management?
2) Is the policy document available to all employees responsible for information security?
3) Does the policy contain a definition of information security, its overall objectives and scope, and its importance as an enabling mechanism for information sharing?
4) Does the policy contain a statement of management intention supporting the goals and principles of information security?
5) Does the policy contain a definition of general management responsibilities and specific Company responsibilities for all aspects of information security?
6) Does the policy contain an explanation of security policies, principles, standards and compliance requirements, including the following?
   - compliance with legislative, regulatory, and contractual requirements
   - security education, training, and awareness requirements
   - business continuity management
   - consequences of information security policy violations
7) Does the policy contain an explanation of the process for reporting suspected security incidents?
8) Does the policy contain references to documentation which may support the policy?
9) How is the policy communicated to the users?

A.5.1.2 Review of the information security policy
Significance: Medium
Evidence: Last review date; Records of management review
1) Does the policy have a clear owner?
2) Is there a defined review process, including responsibilities and schedule for review?
3) Does the review embrace the effectiveness of the policy, changes to the organizational environment, business circumstances, legal conditions and technical environment?
4) Are the policy documents updated according to the defined schedule?
5) Is the revised policy approved by management?

A.6 Organization of information security

A.6.1 Internal organization
Objective: To manage information security within the organization.

A.6.1.1 Management commitment to information security
Significance: High
Evidence: Organization Chart; Documented information security roles and responsibilities; Minutes of the meeting of the Information Security Forum
1) Does a high level information security steering forum exist, to give management direction and support?
2) Are information security responsibilities explicitly assigned and acknowledged?
3) Are the following addressed by the information security steering forum?
   - Identification of information security goals
   - Formulation, review and approval of the information security policy
   - Review of the effectiveness of the implementation of the information security policy
   - Provisioning of resources required for information security
   - Approving assignment of specific roles and responsibilities for information security across the organization
   - Approval of security initiatives
   - Ensuring implementation of information security controls is coordinated across the organization
   - Initiating plans and programs to maintain information security awareness

A.6.1.2 Information security coordination
Significance: High
Evidence: Organization Chart; Minutes of meetings of the cross-functional committee
1) Does a cross-functional committee exist to co-ordinate information security activities?
2) Are the following items addressed by the cross-functional committee?
   - Non compliances
   - Risk assessment, information classification and other procedures
   - Coordination and implementation of security controls
   - Review of security incidents
   - Security education, training and awareness

A.6.1.3 Allocation of information security responsibilities
Significance: Medium
Evidence: Information Security Policy; Asset inventory; Documented information security roles and responsibilities
1) Is ownership of information systems clearly defined, and is security recognized as the responsibility of the "owner"?
2) Is responsibility for the protection of individual assets and the carrying out of security processes explicitly defined? Are asset owners aware of their responsibility towards the assets?

A.6.1.4 Authorization process for information processing facilities
Significance: High
Evidence: Documented authorization procedure; Evidence of authorization request and approval
1) Is there a well defined authorization process for the acquisition and use of any new information processing facility?
2) Is a feasibility study conducted to support the purpose and use of any new information processing facility?
3) Are the following authorizations considered?
   - User management approval
   - Technical approval for hardware and software
   - Use of privately owned information processing facilities, e.g. laptops, home computers or hand-held devices
4) Are specialist information security advisors (internal or external) consulted to ensure consistent and appropriate security decision making?

A.6.1.5 Confidentiality Agreements
Significance: High
Evidence: Sample agreements signed with employees and service providers
1) Are confidentiality agreements signed with employees and service providers?
2) Do confidentiality agreements address the following requirements?
   - a definition of the information to be protected
   - expected duration of an agreement
   - required actions when an agreement is terminated
   - responsibilities and actions of signatories to avoid unauthorized information disclosure
   - ownership of information, trade secrets and intellectual property
   - the right to audit and monitor activities
   - the permitted use of confidential information
   - expected actions to be taken in case of a breach of this agreement

A.6.1.6 Contact with authorities
Significance: Medium
Evidence: Procedure for contact with authorities; Sample report
1) Are there procedures in place that specify when and by whom authorities (e.g. law enforcement, fire department, supervisory authorities) should be contacted, and how identified information security incidents should be reported?

A.6.1.7 Contact with special interest groups
Significance: Medium
Evidence: Information received from special interest groups
1) Are contacts with special interest groups or other specialist security forums and professional associations maintained?
2) How is information received from special interest groups acted upon?

A.6.1.8 Independent review of information security
Significance: High
Evidence: Audit report
1) Is the organization's approach to managing information security and its implementation reviewed by an independent party periodically?

A.6.2 External parties

A.6.2.1 Identification of risks from third party access
Significance: High
Evidence: Risk assessment report
1) Is a risk assessment carried out before providing external party access (logical and physical) to information processing facilities?
2) Does the risk assessment take into consideration the following aspects?
   - type of access
   - value and sensitivity of the information involved
   - controls necessary to protect information during storage, communication and processing, including authentication and authorization controls
   - terms and conditions for information security incidents
   - legal and regulatory requirements
3) Is access provided only after the controls identified in the risk assessment have been implemented?
4) Is a contract and NDA signed with the external party before providing access? Are all security requirements mentioned in the contract/agreement?
5) Is access provided only after approval from the concerned authorities? Is the application owner consulted prior to granting access?
6) Are access privileges provided on a need to know and need to do basis? Is there a check on the privileges granted to third party users?
7) Are third party personnel made aware of the organization's acceptable usage policy?

A.6.2.2 Addressing security when dealing with customers
Significance: Medium
1) Are all identified security requirements addressed before giving customers access to the organization's information or assets?
2) Are the following considered before giving customers access to the organization's information or assets?
   - asset protection
   - description of the product or service to be provided
   - access control policy
   - arrangements for reporting, notification and investigation of information inaccuracies (e.g. of personal details) and information security incidents
   - the target level of service and unacceptable levels of service
   - the right to monitor, and revoke, any activity related to the organization's assets
   - the respective liabilities of the organization and the customer
   - responsibilities with respect to legal matters
   - intellectual property rights (IPRs) and copyright assignment

A.6.2.3 Addressing security in third party agreements
Significance: High
Evidence: Contract/Agreement/NDA copy
1) Do the contracts with third parties include the following:
   - General policy on security
   - Asset protection
   - Service to be made available
   - Unacceptable levels of service
   - Liabilities
   - Legal responsibilities
   - Access methods
   - Right to audit contractual responsibilities
   - Monitoring and reporting of performance
   - User training
   - Escalation process
   - Defined change management
   - Physical protection controls and mechanisms
   - Protection against malicious software
   - Security incident handling

A.7 Asset Management

A.7.1 Responsibility for assets

A.7.1.1 Inventory of assets
Significance: High
Evidence: Asset inventory
1) Is an inventory of all information assets maintained?
2) Is the following information recorded in the inventory?
   - Asset type
   - location
   - backup information
   - license information
   - business value
   - classification
   - owner

A.7.1.2 Ownership of assets
Significance: High
Evidence: Asset inventory
1) Are all information and assets associated with information processing facilities owned by a designated part of the organization?
2) Are owners responsible for the overall security of the assets?

A.7.1.3 Acceptable use of assets
Significance: Medium
Evidence: Acceptable usage policy
1) Are rules for the acceptable use of information and assets associated with information processing facilities identified, documented, and implemented?
2) Are all employees, contractors and third party users required to follow the rules for the acceptable use of information and assets associated with information processing facilities?

A.7.2 Information Classification

A.7.2.1 Classification guidelines
Significance: High
Evidence: Information classification guideline; Asset register
1) Are information assets classified considering their business value, legal requirements, sensitivity, and criticality to the organization?
2) Who defines the classification of an information asset? Is information classification reviewed periodically?

A.7.2.2 Information labeling and handling
Significance: Medium
Evidence: Information labeling and handling procedure; Labels on existing assets
1) Is there a well defined procedure for information labeling and handling in accordance with the organization's classification scheme?
2) Are the following labeled with the appropriate classification(s)?
   - Printed reports
   - Screen displays
   - Magnetic media
   - Electronic messages
   - File transfers
3) Is classified information labeled? Are secure processing, storage, transmission, declassification, and destruction covered by appropriate information handling procedures?
4) Is chain of custody and logging of any security relevant event also maintained?

A.8 Human resources security

A.8.1 Prior to employment

A.8.1.1 Roles and responsibilities
Significance: High
Evidence: Employee contract or equivalent document
1) Do all job descriptions define relevant security responsibilities?
2) Are security responsibilities documented?
3) Are security responsibilities communicated to job candidates during the pre-employment process?

A.8.1.2 Screening
Significance: High
Evidence: Documented recruitment procedure/guidelines; Records of verification for a sample set of recruitment
1) Are applications for employment screened if the job involves access to information processing facilities?
2) Are at least two satisfactory character references, one business and one personal, taken up before making a job offer?
3) Is a check for completeness and accuracy of the applicant's curriculum vitae carried out?
4) Are the following checks carried out on applications for employment involving access to Company IT facilities handling sensitive information?
   - Academic qualification
   - Independent identification check, e.g. passport or similar document
   - Background check
   - Credit check
   - Check for criminal record
5) Is a similar screening process carried out for contractors and temporary staff (either directly or through a mandate in the contract with the supplying agency)?
6) Do verification checks take into account all relevant privacy, protection of personal data and/or employment based legislation?

A.8.1.3 Terms and conditions of employment
Significance: High
Evidence: Employee contract or equivalent document
1) Are the employees' responsibilities for information security stated in the terms and conditions of employment?
2) Are the employees' legal responsibilities and rights included in the terms and conditions of employment?
3) Do the terms and conditions of employment state that all employees, contractors and third party users should sign a confidentiality agreement or NDA prior to access to information processing facilities?
4) Do the terms and conditions of employment include the responsibilities of the organization for the handling of personal information, including the personal information created as a result of, or in the course of, employment with the organization?
5) Do they include the responsibilities that extend outside the organization's premises and outside normal working hours, e.g. home-working?
6) Do they include the actions to be taken if the employee, contractor or third party user disregards the organization's security requirements?

A.8.2 During employment

A.8.2.1 Management responsibilities
Significance: Medium
Evidence: Training plan and schedule; Training material
1) Do the management responsibilities include ensuring that employees, contractors and third party users:
   - are properly briefed on their information security roles and responsibilities prior to being granted access to sensitive information
   - are provided with guidelines that state the security expectations of their role within the organization
   - conform to the terms and conditions of employment
   - continue to have the appropriate skills and qualifications
2) Are all users given adequate security education and technical training?
3) Does the education and training include Company policies and procedures as well as the correct use of IT facilities, before access to IT services is granted?
4) Is security training repeated at regular intervals for all staff?

A.8.2.2 Information security awareness, education, and training
Significance: Medium
Evidence: Training plan and schedule; Training material
1) To be done
2) Are employees specifically made aware of social engineering risks?
3) Does security training and awareness include a testing component?
4) Are resources available for employees on information security training (e.g. a website for security and security issues, brochures, etc.)?
5) For job functions designated in the escalation line for incident response, are staff fully aware of their responsibilities and involved in testing those plans?
6) For job functions designated in the escalation line for disaster recovery plans, are staff fully aware of their responsibilities and involved in testing those plans?
7) How is the effectiveness of the training tested?

A.8.2.3 Disciplinary process
Significance: Medium
Evidence: Disciplinary procedure
1) Is there a formal disciplinary process for dealing with employees who have allegedly violated Company security policies and procedures?

A.8.3 Termination or change of employment

A.8.3.1 Termination responsibilities
Significance: High
Evidence: Employment termination procedure
1) Are the responsibilities for performing employment termination or change of employment clearly defined and assigned?
2) Do the Terms and Conditions of employment and the Confidentiality Agreement incorporate the termination responsibilities, including the ongoing security/legal responsibilities for a specific defined period of time?

A.8.3.2 Return of assets
Significance: High
Evidence: Sample employee termination forms
1) Is there a process defined for exiting employees, contractors and third party users to return all of the organization's assets in their possession upon termination of their employment/contract?

A.8.3.3 Removal of access rights
Significance: High
Evidence: Sample employee termination forms
1) What are the procedures for removal of access rights (physical and logical access, keys, identification cards etc.) of employees leaving the organization? Are these procedures documented?

A.9 Physical and Environmental Security

A.9.1 Secure areas

A.9.1.1 Physical Security Perimeter
Significance: High
Evidence: Physical Security policy; Manned reception; Perimeter wall/fence etc.
1) Is the security perimeter for IT facilities supporting critical or sensitive business activities clearly defined?
2) Is the security perimeter physically sound?
3) Is there a manned reception area or equivalent to control physical access?
4) Are all fire doors on a security perimeter alarmed?

A.9.1.2 Physical Entry Controls
Significance: High
Evidence: Visitor register; Access card; Access request forms
1) Are the date and time of entry and departure recorded for all visitors?
2) Are visitors briefed on the security requirements and on emergency procedures?
3) Are authentication controls (card and PIN) used to authorize all access to information processing facilities? Is access logged?
4) Are all personnel required to wear some visible identification?
5) Are identification cards for contractors, visitors or temporary employees physically different from those of regular employees?
6) Are access rights to secure areas regularly reviewed and updated?
7) Do access requests require written approval of the site owner?

A.9.1.3 Securing offices, rooms and facilities
Significance: Medium
Evidence: Applicable health and safety regulations and standards; Physical Security policy
1) Are relevant health and safety regulations and standards considered for offices, rooms and facilities?
2) Do secure areas give minimum indication of their purpose?
3) Are the secure areas locked when unattended?
4) Are the locations of the sensitive information processing facilities readily accessible to the public?
5) Is there an alerting mechanism if there is a deviation in the operating environment?
6) Is there a fallback procedure for when physical access control is down or has failed? Are the security personnel aware of the procedure?
7) Is an alarm system installed to warn against unauthorized access or prolonged open status of access doors?

A.9.1.4 Protecting against external and environmental threats
Significance: High
Evidence: Fire fighting equipment; Location and storage arrangement of backup media; Fireproofing arrangements; Air conditioning equipment; Location of building
1) Are hazardous or combustible materials stored securely or at a safe distance from the secure area?
2) Are fallback equipment and back-up media located at a safe distance so as to avoid damage from a disaster at the main site?
3) Is environmental protection equipment (fire suppression, fireproofing, water flooding, heat/air conditioning, power supply) installed, tested and monitored?
4) Is physical protection against damage from flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster designed and applied?

A.9.1.5 Working in Secure Areas
Significance: Medium
Evidence: CCTV records; Visitor register; Access cards; Manned security
1) Are personnel made aware of the existence of, or activities within, a secure area only on a need to know basis?
2) Is working in secure areas supervised?
3) Are vacant secure areas physically locked and checked periodically?
4) Is access to secure areas or information processing facilities by third party personnel authorized and monitored?
5) Is any recording equipment (e.g. photographic) allowed within a secure area?
6) Have executives and administrative personnel been trained in fire fighting techniques?
7) Are periodic fire drills practiced? What is the frequency?

A.9.1.6 Public access, delivery and loading areas
Significance: Medium
Evidence: Material movement register; Materials forms
1) Is access to a holding area from outside the building restricted to identified and authorized personnel?
2) Is the holding area separated from the other parts of the building?
3) Are materials inspected for potential hazards before being used?
4) Are incoming materials registered in accordance with asset management procedures?

A.9.2 Control objective: Equipment security

A.9.2.1 Equipment Siting and Protection
Significance: High
1) Is equipment sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access?

A.9.2.2 Supporting utilities
Significance: Medium
Evidence: Power supply sources; UPS / Generator
1) Are there multiple feeds to avoid a single point of failure in the power supply?
2) Is there a UPS in place to support orderly close down or continuous running of critical equipment?
3) Is there a back-up generator in place, and is it tested?
4) Are emergency power switches located near emergency exits in the equipment room to facilitate rapid power down?
5) Are the power switches of servers and other critical information processing facilities adequately protected?
6) Is there a procedure for monitoring the health of the power sources?

A.9.2.3 Cabling Security
Significance: Medium
1) Are power and telecommunications lines placed underground or adequately protected?
2) Are network cables protected from unauthorized interception or damage?
3) Are power cables segregated from the communications cables?

A.9.2.4 Equipment Maintenance
Significance: Medium
Evidence: Equipment maintenance instructions and schedule; Equipment maintenance records
1) Is the maintenance of equipment done in accordance with the supplier's recommended service intervals and specifications?
2) Is the maintenance of equipment done by authorized personnel only?
3) Are records kept of all suspected or actual faults and all maintenance?

A.9.2.5 Security of equipment off-premises
Significance: Medium
1) Is the use of any equipment outside the organization's premises authorized by the management?
2) Is equipment or media left unattended in public places?
3) Are the manufacturer's instructions for protecting equipment observed?
4) Are there any controls defined by a risk assessment for using the equipment off-premises?
5) Is there adequate insurance cover?
6) Can maintenance of equipment be performed remotely?

A.9.2.6 Secure Disposal or re-use of Equipment
Significance: High
Evidence: Asset disposal procedure
1) Are sensitive data and licensed software totally erased from equipment prior to disposal?

A.9.2.7 Removal of Property
Significance: Medium
1) Can the organization's property be removed without formal authorization?
2) Are spot checks undertaken to detect unauthorized removal of property?

A.10 Communications and Operations Management

A.10.1 Operational procedures and responsibilities

A.10.1.1 Documented Operating Procedures
Significance: Medium
Evidence: Documented operating procedures
1) Are there documented procedures for the operation of all computer systems?
2) Do the procedures contain instructions for the execution of each job, such as handling of information, scheduling requirements, error handling instructions, support contacts, system restart and recovery procedures and special output handling instructions?

A.10.1.2 Change management
Significance: High
Evidence: Change Control Policy; Change Control Form
1) Is the change control procedure documented?
2) Are significant changes identified and recorded?
3) Is there a change control committee to approve changes?
4) Does the change control procedure clearly define roles and responsibilities for all individuals associated with changes?
5) Has it been clearly identified which changes go through the change control procedure and which do not? What are the changes that have been omitted? Why?
6) Do users use a change request form when requesting a change?
7) Do asset owners authorize changes requested by users? Can the firewall (FW) owner authorize a firewall rule base change?
8) How is it ensured that the requestor and the approver are not the same person?
9) Is an impact analysis done before making any changes to the system?
10) After a change, is the relevant documentation updated?
11) Are the details of the change communicated to all relevant persons?

A.10.1.3 Segregation of Duties
Significance: High
Evidence: Documented duties which need to be segregated
1) Has consideration been given to the segregation of certain duties in order to reduce opportunities for unauthorized modification or misuse of data or services?
2) Are activities that require collusion in order to commit fraud segregated?
3) If it is not possible to segregate duties due to small staff, are compensatory controls implemented, e.g. rotation of duties, audit trails?
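Several of the change management and segregation of duties questions above (A.10.1.2 items 5 and 7 to 10, A.10.1.3 item 1) can be checked against the change records themselves rather than by interview alone. The following is an added example and is not part of the Paladion checklist or of any tool it references: the change-ticket record format, its field names, the asset-owner register and the sample tickets are all constructed assumptions for illustration. It walks a list of tickets and reports, per ticket, which checklist questions the record would fail.

```python
from dataclasses import dataclass


# Hypothetical change-ticket record, constructed for this example; the
# field names are assumptions, not a format taken from the checklist.
@dataclass
class ChangeTicket:
    ticket_id: str
    asset: str
    requestor: str
    approver: str
    via_change_control: bool     # went through the change control procedure (A.10.1.2 q5)
    impact_analysis_done: bool   # impact analysis recorded before the change (q9)
    documentation_updated: bool  # documentation updated after the change (q10)


# Constructed sample asset-owner register (A.7.1.2): asset -> owner.
ASSET_OWNERS = {
    "fw-edge-01": "alice",
    "erp-db": "bob",
    "mail-gw": "carol",
}


def audit_ticket(ticket, asset_owners):
    """Return the list of checklist findings for one change ticket."""
    findings = []
    if not ticket.via_change_control:
        findings.append("change bypassed the change control procedure (A.10.1.2 q5)")
    if ticket.requestor == ticket.approver:
        findings.append("requestor approved their own change (A.10.1.2 q8, A.10.1.3 q1)")
    owner = asset_owners.get(ticket.asset)
    if owner is None:
        findings.append("asset has no registered owner (A.7.1.2)")
    elif ticket.approver != owner:
        findings.append(
            f"approved by {ticket.approver}, not the asset owner {owner} (A.10.1.2 q7)")
    if not ticket.impact_analysis_done:
        findings.append("no impact analysis recorded before the change (A.10.1.2 q9)")
    if not ticket.documentation_updated:
        findings.append("documentation not updated after the change (A.10.1.2 q10)")
    return findings


def audit_changes(tickets, asset_owners):
    """Map ticket id -> findings, keeping only tickets with at least one finding."""
    report = {}
    for ticket in tickets:
        findings = audit_ticket(ticket, asset_owners)
        if findings:
            report[ticket.ticket_id] = findings
    return report


def self_approvers(tickets):
    """People who appear as both requestor and approver on the same ticket (A.10.1.3)."""
    return sorted({t.requestor for t in tickets if t.requestor == t.approver})


# Constructed sample tickets: one clean record and three with defects.
SAMPLE_TICKETS = [
    ChangeTicket("CHG-001", "fw-edge-01", "dave", "alice", True, True, True),
    ChangeTicket("CHG-002", "fw-edge-01", "alice", "alice", True, True, True),
    ChangeTicket("CHG-003", "erp-db", "erin", "carol", True, False, True),
    ChangeTicket("CHG-004", "legacy-app", "frank", "frank", False, False, False),
]

if __name__ == "__main__":
    for ticket_id, findings in audit_changes(SAMPLE_TICKETS, ASSET_OWNERS).items():
        print(ticket_id)
        for finding in findings:
            print("  -", finding)
```

On the sample data CHG-001 produces no findings, CHG-002 is flagged only for self-approval (the approver is the asset owner, so question 7 is satisfied), CHG-003 for an approver who is not the asset owner and for a missing impact analysis, and CHG-004 for every check. In practice the ticket list would be exported from the organization's change control tool and the owner register from the asset inventory (A.7.1.1).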

A.10.1.4 Separation of development, test and operational facilities
Significance: Medium
Evidence: List of development, test and operational systems
1) Are development and testing facilities isolated from operational systems?
2) Are rules for the transfer of software from development to operational status well defined and documented?
3) Are development and operational software run on different processors?
4) Are sensitive data removed before being used in the test environment?
5) Are utilities like compilers and editors disabled on operational systems?
6) Does the test environment emulate the operational system environment as closely as possible?

A.10.2 Third party service delivery management

A.10.2.1 Service Delivery
Significance: High
Evidence: Third party agreements/ Outsourcing contracts/ SLA
1) Are security controls, service definitions and delivery levels included in the third party service delivery agreement? Are they implemented, operated and maintained by the third party?
2) Do outsourcing arrangements include plans for necessary transitions?
3) Does the third party maintain sufficient service capability, together with workable plans, to ensure that agreed service continuity levels are maintained following major service failures or disasters?

A.10.2.2 Monitoring and review of third party services
Significance: Medium
Evidence: SLA reports, Vendor audit reports
1) Are the services provided by the vendor monitored and reviewed?
2) Is there an individual in the organization responsible for monitoring and controlling vendor performance?
3) Are periodic audits carried out on the outsourced vendor?
4) Are third party audit trails and records of security events, operational problems, failures, tracing of faults and disruptions related to the service delivered reviewed?
5) If the contract is granted for more than one year, is there an annual review to ensure that the vendor still meets all necessary criteria?

A.10.2.3 Monitoring changes to third party services
Significance: Medium
1) Do changes to third party services take into account the following requirements:
   a) changes made by the organization to implement
      i) enhancements to current services offered
      ii) development of any new applications and systems
      iii) modifications of organization policies
      iv) new controls to resolve information security incidents
   b) changes in third party services to implement
      i) changes and enhancements to networks
      ii) use of new technologies
      iii) adoption of new products or new versions
      iv) new development tools
      v) changes to physical locations
      vi) change of vendors

A.10.3 System planning and acceptance

A.10.3.1 Capacity Management
Significance: High
Evidence: Monitoring procedure, Monitoring reports
1) Are application, system and network architectures designed for high availability and operational redundancy?
2) Are capacity requirements monitored to ensure that adequate processing power and storage remain available?

A.10.3.2 System Acceptance
Significance: High
Evidence: Requirements specifications, System testing reports
1) Are acceptance criteria established and suitable tests carried out prior to acceptance of new information systems, upgrades and new versions?
2) Are the requirements and acceptance criteria for new systems clearly defined, documented and tested?
3) Are there error recovery and restart procedures and contingency plans?
4) Is there an agreed set of security controls in place?
5) Are there effective manual procedures?
6) Is sufficient training imparted in the operation or use of new systems?
7) Is the effect on the existing systems studied?

A.10.4 Protection against malicious and mobile code

A.10.4.1 Controls against malicious code
Significance: High
Evidence: Anti-Virus Policy, Antivirus architecture
1) Are detection and prevention controls to protect against malicious software, and appropriate user awareness procedures, formally implemented?
2) Is there a formal policy requiring compliance with software licenses and prohibiting the use of unauthorized software?
3) Is there a formal policy to protect against risks associated with obtaining files and software either from or via external networks, indicating what protective measures should be taken?
4) Is appropriate anti-virus and anti-spyware software installed and regularly updated?
5) Are formal reviews of the software and data content of systems supporting critical business processes regularly carried out?
6) Are all files and email attachments of uncertain or external origin checked for viruses and trojans before use?
7) Do appropriate management procedures and responsibilities exist for reporting of, and recovering from, virus attacks?
8) Are appropriate business continuity plans for recovery from virus attacks in place?
9) Are remote users and laptop users covered under the virus protection program?
10) Is malicious code filtered at the network perimeter?

A.10.4.2 Controls against Mobile code
Significance: Medium
1) Is any mobile code used in the organization? How is the security of mobile code ensured?
2) Are the following controls considered?
   - executing mobile code in a logically isolated environment
   - controlling the resources available to mobile code
   - cryptographic controls to uniquely authenticate mobile code

A.10.5 Backup

A.10.5.1 Information Back-up
Significance: High
Evidence: Backup and Recovery Policy & procedure, Backup and Recovery Records and logs, Backup media labeling and storage
1) Are back-up copies of essential business information and software taken regularly?
2) Is the backup and recovery procedure documented?
3) Does the document identify the servers and the data to be backed up, and the backup frequency?
4) Does backup data include audit trails and logs?
5) What roles and responsibilities are defined and assigned for backup activities? What permissions are given to backup operators?
6) Are backup events logged in the log repository?
7) How is access to backup media controlled?
8) Is backup media stored both onsite and offsite?
9) If offsite backup takes place, what is the frequency, and how is the integrity of the offsite backup tapes assured?
10) Is backup media stored in a fireproof environment?
11) Is a media labeling procedure in place, with sufficient information?
12) Is there a procedure for media rotation?
13) What precautions are taken for the disposal of aged or unused media? Does the backup policy identify the retention period for backup data? What is the recommended disposal method?
14) What steps are followed in restoring a backup? Are the steps documented and available to authorized personnel?
15) Are the media and the backup restoration tested periodically? (Request the restoration test logs and verify.)
16) Is the backup media password protected or encrypted?
17) Are tapes left lying around near tape drives?
18) Is an automated backup tool (e.g. Veritas, IBM Tivoli) used?
19) What are the tracking mechanisms for backup failure and success? Does the document give guidelines on the actions to be taken by the backup operator?
20) Can a backup operator delete backup logs? Where are the backup logs stored? What permissions are assigned to the backup operator on the machine?

A.10.6 Network security management

A.10.6.1 Network controls
Significance: High
Evidence: Network policy, Network Layout Diagram
1) Have network managers implemented controls to ensure the security of data in networks and the protection of connected services from unauthorized access?
2) Are the responsibilities and procedures for the management of remote equipment, including user equipment, established?
3) Are special controls established to safeguard the confidentiality and integrity of data passing over public networks?
4) Is regular, periodic vulnerability and penetration testing carried out in accordance with the risk of each security/control domain and perimeter?
5) Is appropriate logging enabled, and are logs reviewed?

A.10.6.2 Security of Network Services
Significance: High
Evidence: Network security features, Network monitoring reports
1) Are security features, service levels and management requirements of all network services identified and included in all network service agreements?
2) Is the ability of the network service provider to manage agreed services in a secure way determined and regularly monitored?

A.10.7 Media Handling

A.10.7.1 Management of removable computer media
Significance: Medium
Evidence: Media handling guidelines, Media Asset inventory
1) Do appropriate procedures and controls exist to protect computer media?
2) Are the contents of media that are no longer needed in the organization erased?
3) Is authorization required for all media to be removed from the organization?
4) Is a record of all authorized removals maintained?
5) Is media stored in a safe and secure environment?
6) Is an inventory maintained of all removable media?

A.10.7.2 Disposal of Media
Significance: Medium
Evidence: Media disposal guidelines, Media disposal records
1) Are formal procedures established for the secure disposal of media?
2) Is the disposal of sensitive items logged to maintain an audit trail?
3) How are different types of media (paper, disks, tapes etc.) destroyed?

A.10.7.3 Information Handling Procedures
Significance: High
Evidence: Information handling procedure
1) Are procedures for the handling and storage of information established to prevent its unauthorized disclosure or misuse?
2) Is a formal record of the authorized recipients of data maintained?
3) Are procedures in place to ensure that input data is complete, that processing is properly completed and that output validation is applied?
4) Is the distribution of data kept to a minimum?
5) Are distribution lists and lists of authorized recipients reviewed at regular intervals?
6) Is all media labeled to indicate its classification level?
7) Are access restrictions in place for all media?

A.10.7.4 Security of System Documentation
Significance: Medium
1) Is the system documentation stored securely?
2) Is the access list for system documentation kept to a minimum and authorized by the application owner?
3) If the system documentation is held on a public network or supplied via a public network, is it appropriately protected?

A.10.8 Exchanges of information

A.10.8.1 Information exchange policies and procedures
Significance: Medium
Evidence: Information exchange policies and procedures
1) Are policies, procedures and controls in place to protect the exchange of information through the use of all types of communication facilities?
2) What controls are in place to protect exchanged information from interception, copying, modification, mis-routing and destruction?
3) What retention and disposal guidelines are followed for all business correspondence, including messages, in accordance with relevant national and local legislation and regulations?

A.10.8.2 Exchange agreements
Significance: Medium
Evidence: Information exchange agreements
1) Are there agreements for the exchange of information and software between the organization and external parties?
2) Do exchange agreements incorporate the following:
   - procedures for notifying sender, transmission, dispatch and receipt
   - escrow agreement
   - responsibilities and liabilities in the event of information security incidents, such as loss of data
   - technical standards for packaging and transmission
   - agreed labeling system for sensitive or critical information
   - courier identification standards
   - procedures to ensure traceability and non-repudiation
   - ownership and responsibilities for data protection, copyright and software license compliance
   - any special controls that may be required to protect sensitive items, such as cryptographic keys

A.10.8.3 Physical media in transit
Significance: Medium
Evidence: Media movement/ tracking register, Media packaging
1) Is a list of authorized couriers agreed with management, and is there a procedure to check the identification of couriers?
2) How is information protected against unauthorized access, misuse or corruption during transportation beyond the organization's physical boundaries?
3) Is the packaging sufficient to protect the contents from any physical damage?

A.10.8.4 Electronic messaging
Significance: High
Evidence: Risk assessment/ audit report for electronic messaging systems
1) Are the risks associated with the use of electronic messaging assessed?
2) How are the following security considerations for electronic messaging addressed?
   - protecting messages from unauthorized access, modification or denial of service
   - ensuring correct addressing and transportation of the message
   - general reliability and availability of the service
   - legal considerations, for example requirements for electronic signatures
   - obtaining approval prior to using external public services such as instant messaging or file sharing
   - stronger levels of authentication controlling access from publicly accessible networks

A.10.8.5 Business information systems
Significance: Medium
1) Are policies and procedures developed and implemented to protect information associated with the interconnection of business information systems?

A.10.9 Electronic commerce services

A.10.9.1 Electronic commerce
Significance: High
Evidence: Risk assessment/ audit report for systems providing online transactions
1) Are there controls in place to protect information involved in electronic commerce passing over public networks from fraudulent activity, contract dispute, and unauthorized disclosure and modification?

A.10.9.2 On-Line transactions
Significance: High
1) Are the risks involved in on-line transactions assessed?
2) Do the security requirements for on-line transactions cover the following:
   - use of electronic signatures by each of the parties involved in the transaction
   - validation and verification of user credentials
   - confidentiality and privacy
   - encryption
   - use of secure protocols
   - storage of transaction details outside of any publicly accessible environment

A.10.9.3 Publicly Available information
Significance: Medium
1) Is there a formal authorization process before information is made publicly available?
2) How is the information made available on a publicly available system protected from unauthorized modification?
3) Is the information obtained in compliance with data protection legislation?
4) Is sensitive information protected during collection, processing and storage?
5) Is access to the publishing system protected such that it does not give access to the network to which the system is connected?

A.10.10 Monitoring

A.10.10.1 Audit logging
Significance: High
Evidence: Sample audit logs, Audit settings in servers, network devices and applications
1) Are audit trails of exceptions and security-relevant events recorded and kept for an agreed period to assist with access control monitoring and possible future investigations?
2) Do audit logs include the following data?
   - user IDs
   - dates, times and details of key events, e.g. log-on and log-off
   - terminal identity or location, if possible
   - records of successful and rejected system access attempts
   - records of successful and rejected data and other resource access attempts
   - changes to system configuration
   - use of privileges
   - use of system utilities and applications
   - files accessed and the kind of access
   - network addresses and protocols
   - alarms raised by the access control system
   - activation and de-activation of protection systems, such as anti-virus systems and intrusion detection systems

A.10.10.2 Monitoring system use
Significance: High
Evidence: Monitoring Policy and procedure, Monitoring records
1) Are procedures established for monitoring use of information processing facilities?
2) Are the results of the monitoring activities reviewed regularly?
3) Are the following activities monitored?
   - authorized access
   - all privileged operations
   - unauthorized access attempts
   - system alerts or failures
   - changes to, or attempts to change, system security settings and controls

A.10.10.3 Protection of log information
Significance: High
Evidence: Log storage facilities
1) How are logging facilities and log information protected against tampering and unauthorized access?
2) Are there mechanisms to detect and prevent:
   - alterations to the message types that are recorded
   - log files being edited or deleted
   - the storage capacity of the log file media being exceeded
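A.10.10.3 asks how edits to and deletions from log files are detected. The following is an added example, not code from the Paladion checklist, showing one mechanism an auditor can ask to see: every entry carries a keyed hash (HMAC-SHA256) over the record and the previous entry's value, so an edited or removed entry breaks the chain and the verifier reports where. The key value, the sample events and the record layout are constructed for this illustration.

```python
"""
Added example (not part of the Paladion checklist): a minimal hash-chained
audit log and a verifier that detects the failure modes A.10.10.3 asks about,
edited records and deleted records. The key and sample events are constructed.
"""
import copy
import hashlib
import hmac
import json
from typing import Tuple

# Hypothetical per-host key. In practice it comes from a KMS or an HSM, and
# the verifier runs on a separate, more trusted system than the logger.
LOG_KEY = b"example-key-do-not-use"

GENESIS = "0" * 64


def _entry_mac(prev_hash: str, record: dict) -> str:
    """HMAC over the previous chain value and the canonical JSON of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_hash.encode() + canonical, hashlib.sha256).hexdigest()


def append(log: list, record: dict) -> dict:
    """Append a record, chaining it to the previous entry's MAC."""
    prev_hash = log[-1]["mac"] if log else GENESIS
    entry = {"seq": len(log), "record": record, "mac": _entry_mac(prev_hash, record)}
    log.append(entry)
    return entry


def verify(log: list) -> Tuple[bool, int]:
    """Return (ok, index of first bad entry or -1).
    Detects edited records, removed entries (the chain breaks at the gap)
    and re-sequenced entries."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            return False, i
        expected = _entry_mac(prev_hash, entry["record"])
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev_hash = entry["mac"]
    return True, -1


# Constructed sample events in the shape A.10.10.1 asks for.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:01Z", "user": "alice", "event": "logon", "src": "10.0.0.5", "result": "success"},
    {"ts": "2024-05-01T08:05:12Z", "user": "alice", "event": "privilege_use", "detail": "sudo", "result": "success"},
    {"ts": "2024-05-01T08:07:40Z", "user": "bob", "event": "logon", "src": "10.0.0.9", "result": "failure"},
]


def build_sample_log() -> list:
    log = []
    for ev in SAMPLE_EVENTS:
        append(log, ev)
    return log


def tamper_edit(log: list) -> list:
    """Simulate an operator rewriting a failed logon as a success."""
    bad = copy.deepcopy(log)
    bad[2]["record"]["result"] = "success"
    return bad


def tamper_delete(log: list) -> list:
    """Simulate removal of the privilege-use entry."""
    bad = copy.deepcopy(log)
    del bad[1]
    return bad


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log))
    print("edited:", verify(tamper_edit(log)))
    print("deleted:", verify(tamper_delete(log)))
```

Two caveats worth raising in the audit: the chain only detects tampering by someone who does not hold the key, so the key must not be reachable with the logging host's own credentials; and truncation of the newest entries is invisible to the chain alone, so the latest MAC should be exported periodically to a separate system and compared. The third failure mode in question 2, storage capacity being exceeded, is a matter of capacity alerting rather than something a chain can detect.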

A.10.10.4 Administrator and operator logs
Significance: High
Evidence: Sample audit logs, Audit settings in servers, network devices and applications, Monitoring Policy and procedure, Monitoring records
1) Are the activities carried out by system administrators and system operators logged?
2) Are system administrator and operator logs reviewed on a regular basis?
3) Do the logs include the following information?
   - the time at which an event (success or failure) occurred
   - information about the event
   - which account and which administrator or operator was involved
   - which processes were involved

A.10.10.5 Fault logging
Significance: Medium
Evidence: Sample fault logs, Fault log settings in servers, network devices and applications
1) Are faults reported by users or by system programs regarding problems with information processing or communication systems logged?
2) Are fault logs reviewed to ensure that faults have been satisfactorily resolved?
3) Are corrective measures reviewed to ensure that controls have not been compromised and that the action taken is authorized?

A.10.10.6 Clock synchronization
Significance: High
Evidence: Clock settings in servers, network devices
1) Are computer clocks synchronized to ensure the accuracy of time information in audit logs? How are the clocks synchronized?

A.11 Access Control

A.11.1 Business requirement for access control

A.11.1.1 Access Control Policy
Significance: High
Evidence: Access Control Policy
1) Is there a documented access control policy?
2) Are both logical and physical access control aspects considered in the policy?
3) Does the policy take account of the following?
   - security requirements of individual business applications
   - policies for information dissemination and authorization
   - relevant legislation and any contractual obligations regarding protection of access to data or services
   - standard user access profiles for common job roles in the organization
   - segregation of access control roles, e.g. access request, access authorization, access administration
   - requirements for formal authorization of access requests
   - requirements for periodic review of access controls
   - removal of access rights

A.11.2 User access management

A.11.2.1 User Registration
Significance: High
Evidence: User registration/ deregistration records, Review of user ids
1) Is there a formal user registration/ deregistration procedure for granting and revoking access to all information systems and services?
2) Are unique IDs assigned to all users?
3) Is a check done to verify that the user has authorization from the system owner for the use of the information system or service?
4) Is a check done to verify that the level of access granted is appropriate to the business purpose?
5) Are users given a written statement of their access rights?
6) Are users required to sign statements indicating that they have understood the conditions of access?
7) Is a formal record of all persons registered to use the service maintained?
8) Is there a periodic check for, and removal of, dormant or redundant user IDs and accounts?
9) Is it ensured that dormant or redundant user IDs are not re-issued to other users?
10) Are the accounts of users who change duties or leave the company removed immediately?
11) Are any temporary, generic, guest or anonymous user IDs in use? If so, how are they shared?
12) Is user addition and deletion monitored and logged?
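Items 8, 10 and 11 above are usually tested by reconciling an account export against an HR leaver list rather than by interview. The following is an added example, not part of the Paladion checklist, of that reconciliation: it flags accounts with no logon within a threshold, enabled accounts belonging to leavers, generic or shared IDs, and the high-risk combination of a dormant privileged account. The field names, the 90-day threshold, the generic-ID prefixes and both data sets are constructed assumptions to be mapped onto the real directory and HR exports.

```python
"""
Added example (not from the Paladion checklist): a scripted user-ID review
for A.11.2.1 items 8, 10 and 11. Field names, threshold, prefixes and the
account and leaver data are assumptions constructed for the illustration.
"""
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=90)                       # assumed policy threshold
GENERIC_PREFIXES = ("test", "guest", "temp", "svc", "admin", "shared")  # assumed naming

# Constructed directory export: id, last logon (ISO 8601 or None = never),
# enabled flag and whether the account holds privileged group membership.
ACCOUNTS = [
    {"id": "asmith",  "last_logon": "2024-04-28T09:12:00Z", "enabled": True, "privileged": False},
    {"id": "bjones",  "last_logon": "2023-11-02T17:40:00Z", "enabled": True, "privileged": True},
    {"id": "guest01", "last_logon": None,                   "enabled": True, "privileged": False},
    {"id": "ckumar",  "last_logon": "2024-04-30T08:01:00Z", "enabled": True, "privileged": False},
    {"id": "svc_bak", "last_logon": "2024-04-30T02:00:00Z", "enabled": True, "privileged": True},
]
# Constructed HR leaver list: id -> termination date.
LEAVERS = {"ckumar": "2024-04-15"}


def _parse(ts):
    """ISO 8601 with a trailing Z to an aware datetime; None stays None."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def review_accounts(accounts, leavers, as_of):
    """Return {account id: [issue codes]} for every enabled account with a finding."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # disabled accounts are out of scope here
        issues = []
        last = _parse(acct["last_logon"])
        if last is None or as_of - last > DORMANT_AFTER:
            issues.append("dormant")      # item 8
        if acct["id"] in leavers:
            issues.append("leaver_active")  # item 10
        if acct["id"].lower().startswith(GENERIC_PREFIXES):
            issues.append("generic_or_shared")  # item 11
        if "dormant" in issues and acct["privileged"]:
            issues.append("dormant_privileged")  # worth escalating
        if issues:
            findings[acct["id"]] = issues
    return findings


def sample_findings(as_of_iso="2024-05-01T00:00:00Z"):
    """Run the review over the constructed data as of the given date."""
    return review_accounts(ACCOUNTS, LEAVERS, _parse(as_of_iso))


if __name__ == "__main__":
    for user, issues in sorted(sample_findings().items()):
        print(f"{user:10s} {', '.join(issues)}")
```

The leaver check depends on the HR list being complete, so the auditor should also ask how the HR and directory processes are linked (the question in item 10); a script can only reconcile the two sources it is given.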

A.11.2.2 Privilege Management
Significance: High
Evidence: User registration/ deregistration records, Review of user ids
1) Is the use of special privileges that enable the user to override system or application controls restricted and controlled?
2) Are the privileges associated with each system (e.g. operating system or database) identified, and are the categories of staff that are allowed access defined?
3) Are privileges allocated to individuals on a need-to-know basis and on an "event by event" basis?
4) Is there an authorization process for granting privileges, and is a record kept of all privileges allocated?
5) Are system routines developed or promoted to avoid the need to grant privileges to users?
6) Are privileges assigned to a different user identity from the one used for normal business use?

A.11.2.3 User Password Management
Significance: High
Evidence: User acknowledgement records for receipt of passwords, Password settings on servers, network devices and applications
1) Is the allocation of user passwords controlled through a formal management process?
2) Are users required to sign an undertaking to keep passwords confidential?
3) Is there a secure password policy for the various systems? What is the current password policy?
4) Is the password policy enforced on all systems, applications and firewalls?
5) Are users forced to change their password on first login and whenever the password is reset?
6) Are passwords communicated to users in a secure manner?
7) Do users acknowledge receipt of the password?
8) Are default passwords changed?

A.11.2.4 Review of User Access Rights
Significance: High
Evidence: Review reports for user access rights
1) Are user access rights reviewed at regular intervals? What is the periodicity of review?
2) Are authorizations for privileged access rights reviewed more frequently than others?
3) Are user access rights reviewed and re-allocated when a user moves from one role to another within the same organization?
4) Are privilege allocations checked at regular intervals?
5) Are changes to privileged accounts logged for periodic review?

A.11.3 User responsibilities

A.11.3.1 Password use
Significance: High
Evidence: Password security guidelines
1) Are guidelines communicated to users on secure use of passwords?
2) Do the guidelines include the following?
   - keep passwords confidential
   - avoid keeping a record (e.g. paper, software file or hand-held device) of passwords
   - change passwords at regular intervals
   - change temporary passwords at the first log-on
   - do not share individual user passwords
   - do not use the same password for business and non-business purposes
   - select strong passwords

A.11.3.2 Unattended user equipment
Significance: Medium
Evidence: Unattended user equipment security guideline
1) Are users trained with regard to terminating active sessions, logging off systems and securing PCs or terminals by key lock or an equivalent control?

A.11.3.3 Clear desk and clear screen policy
Significance: Medium
Evidence: Clear desk and clear screen policy
1) Is a clear desk and clear screen policy followed in the organization?
2) Is sensitive information locked away when not required?
3) Are personal computers and printers left logged on when unattended?
4) Are incoming and outgoing mail points and unattended fax, telex and photocopy machines protected?
5) Are printers cleared of sensitive information immediately?
6) Is a password-protected screen saver configured on desktops? If yes, after what period of inactivity does it activate?
7) Do users lock the workstation if they know they are not going to be near it for more than 5 minutes?

A.11.4 Network access control

A.11.4.1 Policy on use of Network Services
Significance: High
Evidence: Network policy, Network diagram, Firewall/ router configuration
1) Is there a policy concerning the use of networks and network services?
2) Are users only able to gain access to the services that they are authorized to use?
3) Are there authorization procedures for determining who is allowed to access which networks and networked services?
4) Are there management controls and procedures to protect access to network connections and network services?
5) What is the process for requesting and approving modem connections to servers or desktops?
6) Does the organization have an access control device such as a firewall which segments critical segments from non-critical ones?
7) Is there a set of services that is blocked across the firewall, for example RPC ports, NetBIOS ports etc.?

A.11.4.2 User Authentication for External Connections
Significance: High
Evidence: Authentication mechanisms for access to servers, network devices and applications
1) Are all connections by remote users authenticated (e.g. user ID and password, hardware tokens, challenge/response systems)?

A.11.4.3 Equipment identification in networks
Significance: Medium
1) Where applicable, are connections by remote computer systems authenticated through equipment identification?

A.11.4.4 Remote diagnostic and configuration port protection
Significance: Medium
1) Is physical and logical access to diagnostic and configuration ports controlled? Is there a well defined procedure covering request, approval, monitoring and termination of access?

A.11.4.5 Segregation in Networks
Significance: High
Evidence: Network diagram, Firewall and router configuration
1) Where large networks extend beyond organizational and corporate boundaries, are they separated into logical domains protected by a defined perimeter (e.g. firewall) which restricts the connection capabilities of users?
2) Is the criterion for segregation based on the access control policy and access requirements, and does it take into account the relative cost and performance impact?

A.11.4.6 Network Connection Control
Significance: High
Evidence: Network diagram, Firewall and router configuration
1) Are controls implemented to restrict the network connection capability of users (e.g. through gateways that filter traffic by means of pre-defined tables or rules)?

A.11.4.7 Network Routing Control
Significance: High
Evidence: Network diagram, Firewall and router configuration
1) Are routing controls implemented to ensure that computer connections and information flows do not breach the access policy of the business applications?

A.11.5 Operating system access control

A.11.5.1 Secure Log-on Procedures
Significance: High
Evidence: Operating system configuration
1) Does the log-on procedure display the system or application identifiers only after the log-on process is successfully completed?
2) Does the log-on procedure display a general notice warning that the computer may be used only by authorized users?
3) Does the log-on procedure avoid providing help messages that would aid an unauthorized user?
4) Does the log-on procedure validate the log-on information only on completion of all input data?
5) Does the log-on procedure limit the number of unsuccessful log-on attempts allowed?
6) Does the log-on procedure limit the maximum and minimum time allowed for the log-on procedure?
7) Does the log-on procedure display the date and time of the previous successful log-on and the details of any unsuccessful log-on attempts?
8) Does the log-on procedure avoid displaying the password being entered, or hide the password characters with symbols?
9) Does the log-on procedure avoid transmitting passwords in clear text over a network?

A.11.5.2 User Identification and Authentication
Significance: High
1) Do all users have a unique identifier for their personal and sole use?

A.11.5.3 Password Management System
Significance: High
Evidence: Password settings in servers, network devices and applications
1) Does the password management system enforce the use of individual passwords to maintain accountability?
2) Does the password management system allow users to select and change their own passwords?
3) Does the password management system enforce a choice of quality passwords?
4) Does the password management system force users to change temporary passwords on first log-on and when a password expires?
5) Does the password management system maintain a record of previous user passwords, so that they cannot be re-used?
6) Does the password management system avoid displaying passwords on screen when they are being entered?
7) Does the password management system store password files separately from application system data?
8) Does the password management system store and transfer passwords in protected form (e.g. stored only as salted one-way hashes rather than in clear or reversibly encrypted, and transferred only over encrypted channels)?
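When an auditor checks items 3, 4, 5 and 8 against an in-house application, the questions translate into concrete code properties: a quality check at change time, a must-change flag on administrator-issued passwords, a history of previous hashes each verified with its own salt, and storage as a salted one-way hash compared in constant time. The following is an added example, not code from the Paladion document, of a minimal password store with those properties. The iteration count, minimum length, history depth, character-class rule and user names are assumptions for the illustration.

```python
"""
Added example (not part of the Paladion checklist): a minimal password store
with the properties A.11.5.3 items 3, 4, 5 and 8 ask about. Policy constants,
history depth and user names are assumptions.
"""
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

ITERATIONS = 100_000        # assumed; raise for production hardware
HISTORY_DEPTH = 5           # assumed policy: last 5 passwords cannot be re-used
MIN_LENGTH = 12             # assumed policy


class PasswordPolicyError(ValueError):
    pass


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted one-way hash (PBKDF2-HMAC-SHA256). Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison; the stored digest cannot be reversed to the password."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def check_quality(password: str, user_id: str) -> None:
    """Item 3: enforce quality. Raises PasswordPolicyError on a weak choice."""
    if len(password) < MIN_LENGTH:
        raise PasswordPolicyError("too short")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        raise PasswordPolicyError("needs at least three character classes")
    if user_id.lower() in password.lower():
        raise PasswordPolicyError("must not contain the user ID")


class PasswordStore:
    """Per-user record: current (salt, digest), history of previous (salt, digest)
    pairs, and a must_change flag for temporary or reset passwords (item 4)."""

    def __init__(self):
        self._users = {}

    def set_temporary(self, user_id: str, temp_password: str) -> None:
        """Administrator-issued password; the user must change it at first log-on."""
        self._users[user_id] = {"current": hash_password(temp_password), "history": [], "must_change": True}

    def authenticate(self, user_id: str, password: str) -> str:
        """Returns 'ok', 'must_change' or 'denied'."""
        rec = self._users.get(user_id)
        if rec is None or not verify_password(password, *rec["current"]):
            return "denied"
        return "must_change" if rec["must_change"] else "ok"

    def change_password(self, user_id: str, old: str, new: str) -> None:
        rec = self._users[user_id]
        if not verify_password(old, *rec["current"]):
            raise PasswordPolicyError("current password incorrect")
        check_quality(new, user_id)
        # Item 5: each historical hash has its own salt, so the candidate is
        # re-hashed per entry rather than compared as a plain string.
        for salt, digest in [rec["current"], *rec["history"]]:
            if verify_password(new, salt, digest):
                raise PasswordPolicyError("password was used recently")
        rec["history"] = ([rec["current"]] + rec["history"])[:HISTORY_DEPTH]
        rec["current"] = hash_password(new)
        rec["must_change"] = False
```

What the auditor cannot see from the code alone is item 7 and the second half of item 8: where the store's records live relative to application data, and whether the password ever crosses the network outside an encrypted channel. Those are answered from the deployment, not the source.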

A.11.5.4 Use of System Utilities
Significance: Medium
Evidence: Configuration of servers, network devices and applications
1) Are system utility programs that might be capable of overriding system and application controls restricted and tightly controlled?
2) Are there authentication and authorization procedures for system utilities?
3) Are system utilities segregated from application software?
4) Is the number of authorized users with access to system utilities restricted?
5) Is a log maintained of all use of system utilities?
6) Are all unnecessary software-based utilities and system software removed or disabled?
7) Are authorization levels for system utilities defined and documented?

A.11.5.5 Session Time-out
Significance: High
Evidence: Configuration of servers, network devices and applications
1) Are inactive sessions forced to shut down after a defined period of inactivity? What is the default timeout period?

A.11.5.6 Limitation of Connection Time
Significance: Medium
Evidence: Configuration of servers, network devices and applications
1) Are connection times restricted for high risk applications (e.g. to normal office hours)?

A.11.6 Application and information access control

A.11.6.1 Information Access Restriction
Significance: High
Evidence: Application audit report
1) Are appropriate logical access controls implemented in the application systems?
2) Are menus provided to control access to application system functions?
3) Is there control over the access rights of users? Is role based access control implemented?
4) Is it ensured that outputs from application systems handling sensitive information contain only the information that is relevant to the use of the output?
5) Is it ensured that outputs from application systems handling sensitive information are sent only to authorized terminals and locations?

A.11.6.2 Sensitive System Isolation
Significance: Medium
1) Is the sensitivity of an application system explicitly identified and documented by the application owner?
2) Do sensitive systems have a dedicated (isolated) computing environment?
3) If a sensitive application system is to run in a shared environment, are the other application systems with which it will share resources identified and agreed?

A.11.7 Mobile Computing and Teleworking

A.11.7.1 Mobile Computing and communications
Significance: Medium
Evidence: Policy for use of mobile computing facility
1) Is a formal policy in place to ensure that special care is taken when using mobile computing facilities (e.g. notebooks, palmtops, laptops and mobile phones)?
2) What controls are in place to protect mobile computing systems?

A.11.7.2 Teleworking
Significance: Medium
Evidence: Authorization records for any teleworking facility
1) Is all teleworking (i.e. working from a remote external fixed location) authorized by management and specifically controlled to ensure a suitable level of protection?
2) What controls are in place to protect teleworking facilities?

A.12 Information systems acquisition, development and maintenance

A.12.1 Security requirements of information systems

A.12.1.1 Security Requirements Analysis and Specification (Significance: High; Evidence: Requirements specification; Acquisition and procurement policy and procedure)
1) Do the statements of business requirements for new systems, or for enhancements to existing systems, specify the requirements for security controls?
2) Is a well-defined acquisition and procurement process in place?
3) Do contracts with the supplier address the identified security requirements?

A.12.2 Correct processing in applications

A.12.2.1 Input Data Validation (Significance: High; Evidence: Application audit report)
1) Is data input to application systems subject to sufficient validation controls to ensure completeness and accuracy?
2) Do the validation checks include the following?
- Out-of-range values
- Invalid characters
- Missing or incomplete data
- Exceeding data volume limits
- Unauthorized or inconsistent control data
3) Is there a procedure for periodic review of the content of key fields or data files?
4) Is there a procedure to inspect hard-copy input documents for any unauthorized changes to input data?
5) Are there procedures for responding to validation errors?
6) Are there procedures for testing the plausibility of the input data?
7) Are the responsibilities of all personnel involved in the data input process clearly defined?
8) Is there a log of the activities involved in the data input process?
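For an auditor who wants to see what the five validation checks in question 2 look like when implemented, the following is an added example written for this checklist; it is not code from the questionnaire or from any audited application. The record layout (an 8-digit account, an integer amount in minor units, a currency), the ceiling and volume limits, and the "control record" carrying the sender's declared record count and amount total are all assumptions made for illustration.

```python
# Added example (not from the checklist): the validation checks A.12.2.1 lists,
# applied to a constructed batch of payment records. Field names, ranges, the
# volume limit and the control-record layout are assumptions for illustration.
import re

ACCOUNT_RE = re.compile(r"^[0-9]{8}$")       # assumed: 8-digit numeric account
ALLOWED_CURRENCIES = {"INR", "USD", "EUR"}   # assumed
MAX_AMOUNT = 10_000_000                      # assumed out-of-range ceiling (minor units)
MAX_RECORDS = 1000                           # assumed data volume limit per batch
REQUIRED = ("account", "amount", "currency")


def validate_record(rec):
    """Return a list of validation errors for one record (empty if it is accepted)."""
    errors = []
    # Missing or incomplete data
    missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
    if missing:
        return [f"missing fields: {', '.join(missing)}"]
    # Invalid characters (and length) in the account field
    if not ACCOUNT_RE.match(str(rec["account"])):
        errors.append("account has invalid characters or wrong length")
    # Out-of-range values: amount must be a positive integer below the ceiling
    try:
        amount = int(rec["amount"])
        if not 0 < amount <= MAX_AMOUNT:
            errors.append(f"amount {amount} out of range")
    except (TypeError, ValueError):
        errors.append("amount is not an integer")
    if rec["currency"] not in ALLOWED_CURRENCIES:
        errors.append(f"currency {rec['currency']!r} not allowed")
    return errors


def validate_batch(records, control):
    """Validate a batch against its control record (sender-supplied record count
    and sum of amounts). Returns (accepted_records, errors) where errors is a
    list of (record index, message); index None marks a batch-level error."""
    errors = []
    # Exceeding data volume limits: refuse the batch outright rather than truncate.
    if len(records) > MAX_RECORDS:
        return [], [(None, f"{len(records)} records exceeds limit {MAX_RECORDS}")]
    # Unauthorized or inconsistent control data: the trailer must match what was
    # actually received, which catches truncated, duplicated or inserted records.
    received_total = 0
    for rec in records:
        try:
            received_total += int(rec.get("amount"))
        except (TypeError, ValueError):
            pass
    if control.get("count") != len(records) or control.get("total") != received_total:
        errors.append((None, f"control mismatch: received {len(records)}/{received_total}, "
                             f"declared {control.get('count')}/{control.get('total')}"))
    accepted = []
    for idx, rec in enumerate(records):
        rec_errors = validate_record(rec)
        if rec_errors:
            errors.extend((idx, msg) for msg in rec_errors)
        else:
            accepted.append(rec)
    return accepted, errors


# Constructed sample input: two clean records and three that should be rejected.
SAMPLE_RECORDS = [
    {"account": "12345678", "amount": "2500", "currency": "INR"},
    {"account": "87654321", "amount": "100", "currency": "USD"},
    {"account": "1234-567", "amount": "10", "currency": "INR"},        # invalid characters
    {"account": "11112222", "amount": "20000000", "currency": "EUR"},  # out of range
    {"account": "33334444", "currency": "INR"},                        # missing amount
]
SAMPLE_CONTROL = {"count": 5, "total": 2500 + 100 + 10 + 20000000}


if __name__ == "__main__":
    ok, errs = validate_batch(SAMPLE_RECORDS, SAMPLE_CONTROL)
    print(f"{len(ok)} accepted, {len(errs)} errors")
    for idx, msg in errs:
        print(f"  record {idx}: {msg}")
```

The control-record check is deliberately computed over everything received, not over the records that survived validation: its job is to detect a batch that was altered or truncated in transit, which is a different failure from a single malformed field. The evidence an auditor would look for is the error output and the log of rejected records, not just the existence of the checks.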

A.12.2.2 Control of Internal Processing (Significance: High; Evidence: Application audit report)
1) Is data validated throughout the processing cycle?
2) Are there session or batch controls to reconcile data file balances after transaction updates?
3) Are there balancing controls to check opening balances against the previous closing balances?
4) Is system-generated data validated?
5) Is a hash total of records and files maintained?
6) Are there checks to ensure that application programs are run at the correct time?
7) Are there checks to ensure that programs are run in the correct order?
8) Is all vendor-supplied software maintained at a level supported by the supplier, and does any upgrade decision take into account the security of the new release?
9) Are there checks on the integrity of data or software transferred?

A.12.2.3 Message Integrity
1) Are controls implemented to ensure the authenticity of messages and protect message integrity in applications?
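An added example of the control this question is about, written for this checklist rather than taken from it or from any application: each message carries an HMAC-SHA256 tag over a canonical encoding of its fields, the receiver verifies the tag in constant time, and a sequence number lets it reject a replayed message. The message fields, the sequence scheme and the shared key are constructed for illustration; in practice the key would come from the key management procedure in A.12.3.2.

```python
# Added example (not from the checklist): message authenticity and integrity for
# application messages, the control A.12.2.3 asks about. HMAC-SHA256 over a
# canonical encoding, constant-time verification, and a sequence number so that
# a replayed message is rejected. Message fields and key are constructed.
import hashlib
import hmac
import json
import secrets


def canonical(msg):
    # Sorted keys and no whitespace: sender and receiver must MAC identical bytes.
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(msg, key, seq):
    """Attach a sequence number and an HMAC tag to an outgoing message."""
    body = dict(msg, seq=seq)
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return dict(body, mac=tag)


class Receiver:
    """Verifies incoming messages under a shared key and rejects replays."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def verify(self, envelope):
        env = dict(envelope)
        tag = env.pop("mac", None)
        if tag is None or not isinstance(env.get("seq"), int):
            return False
        expected = hmac.new(self.key, canonical(env), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):  # any altered field changes the tag
            return False
        if env["seq"] <= self.last_seq:              # replay or out-of-order: reject
            return False
        self.last_seq = env["seq"]
        return True


# Constructed shared key; a real system takes it from the key management procedure.
KEY = secrets.token_bytes(32)

if __name__ == "__main__":
    rx = Receiver(KEY)
    env = protect({"from": "ACC-1", "to": "ACC-2", "amount": 100}, KEY, seq=1)
    print("genuine:", rx.verify(env))                        # True
    print("tampered:", rx.verify(dict(env, amount=100000)))  # False
    print("replayed:", rx.verify(env))                       # False
```

The sequence number is what turns an integrity check into an authenticity control: without it a valid message captured once can be resubmitted indefinitely with a correct tag. A receiver that only checks the MAC would answer question 1 for integrity but not for authenticity.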

A.12.2.4 Output Data Validation (Significance: High; Evidence: Application audit report)
1) Is data output from application systems validated to ensure that the processing of stored information is correct and appropriate to the circumstances?
2) Are plausibility checks done to test whether the output data is reasonable?
3) Are there reconciliation control counts to ensure that all data is processed?
4) Is there sufficient documentation for a reader or for subsequent processing?
5) Are the responsibilities of all personnel involved in the data output process defined?
6) Is there a log of activities in the data output validation process?
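The following added example, written for this checklist and not taken from it or from any audited system, shows three of the processing and output controls from A.12.2.2 and A.12.2.4 side by side: a hash total over a data file (A.12.2.2 question 5), a balancing control comparing today's opening balance with yesterday's closing balance (question 3), and a reconciliation count proving every input record was either processed or explicitly rejected (A.12.2.4 question 3). The master file, balances and transactions are constructed figures.

```python
# Added example (not from the checklist): hash total, run-to-run balance check and
# output reconciliation count, run over a constructed ledger. File layout and
# figures are made up for illustration.
import hashlib
from decimal import Decimal, InvalidOperation


def hash_total(lines):
    """SHA-256 over the file's records in order; stored with the file after each
    run and recompared before the next so alteration between runs is detected."""
    h = hashlib.sha256()
    for line in lines:
        h.update(line.rstrip("\n").encode("utf-8") + b"\n")
    return h.hexdigest()


def process_batch(opening, transactions):
    """Apply transactions to the opening balance. Returns (closing, processed, rejected).
    Rejected rows are counted rather than silently dropped."""
    balance = Decimal(str(opening))
    processed = rejected = 0
    for tx in transactions:
        try:
            amount = Decimal(str(tx["amount"]))
        except (KeyError, InvalidOperation):
            rejected += 1
            continue
        balance += amount
        processed += 1
    return balance, processed, rejected


def run_cycle(file_lines, recorded_hash, previous_closing, opening, transactions):
    """One processing cycle with its controls; returns a dict of check results."""
    opening = Decimal(str(opening))
    closing, processed, rejected = process_batch(opening, transactions)
    return {
        "file_intact": hash_total(file_lines) == recorded_hash,   # hash total check
        "opening_ok": opening == Decimal(str(previous_closing)),  # balancing control
        "reconciled": len(transactions) == processed + rejected,  # output control count
        "processed": processed,
        "rejected": rejected,
        "closing": closing,
    }


# Constructed master file from the previous run, with its recorded hash total.
PREVIOUS_FILE = ["ACCT,BALANCE", "12345678,1000.00", "87654321,250.00"]
RECORDED_HASH = hash_total(PREVIOUS_FILE)
PREVIOUS_CLOSING = "1250.00"

# Constructed transactions for today's run; the third amount is malformed (letter O).
TRANSACTIONS = [{"amount": "100.00"}, {"amount": "-25.50"}, {"amount": "1O0.00"}]

if __name__ == "__main__":
    result = run_cycle(PREVIOUS_FILE, RECORDED_HASH, PREVIOUS_CLOSING, "1250.00", TRANSACTIONS)
    for name, value in result.items():
        print(f"{name}: {value}")
```

The reconciliation is only meaningful because rejected rows are counted: a program that drops bad rows silently will still report "input = processed" and pass a naive check while losing data. The hash total detects edits made to the master file between runs with tools that leave no audit trail, which is the concern behind A.12.4.1 question 9 below.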

A.12.3 Cryptographic controls

A.12.3.1 Policy on the Use of Cryptographic Controls (Significance: High; Evidence: Cryptography policy and procedures; List of cryptographic technologies in use)
1) Is risk assessment used to determine whether cryptographic control is appropriate?
2) Is a policy in place covering the use of cryptographic controls for the protection of information?
3) Does the policy reflect management's approach towards the use of cryptographic controls?
4) Does the policy cover key management?
5) Are the responsibilities for key management and policy implementation defined?
6) When identifying the level of cryptographic protection, which of the following are taken into account?
- Type and quality of algorithm
- Length of keys
- National and regulatory restrictions
- Export and import controls
7) What mechanisms are used to prevent clear-text traffic flowing over the internet?
8) What mechanisms are used to prevent clear-text traffic flowing between branch offices?
9) What protection is in place against the storage of passwords in clear text?
10) Does the application store passwords in clear text?
11) If proprietary encryption algorithms are used, have their strength and integrity been certified by an authorized evaluation agency?
12) Where digital signatures are employed, is appropriate care taken to protect the integrity and confidentiality of the private key?
13) Are the cryptographic keys used for digital signatures different from those used for encryption?
14) Has full consideration been given to legislative issues regarding the status and use of digital signatures?
15) Has the use of non-repudiation services been considered where it might be necessary to resolve disputes about the occurrence or non-occurrence of an event or action?
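To make the password-storage questions concrete, the following is an added example written for this checklist, not code from the questionnaire or from any audited application. It places the clear-text pattern the questions warn about next to a hardened store that uses a per-user random salt and the memory-hard scrypt KDF from the Python standard library, with the cost parameters recorded in each stored value so they can be raised later without invalidating older records. User names, passwords and the record format are constructed for illustration; the scrypt parameters are assumed values.

```python
# Added example (not from the checklist): clear-text password storage beside the
# protection A.12.3.1 asks about. Hardened path: per-user random salt plus scrypt,
# parameters stored with the record. Names, passwords and format are constructed.
import base64
import hashlib
import hmac
import os


# Weak pattern: the application keeps exactly what the user typed. Anyone who
# can read the table (backup, SQL injection, insider) has every password.
def store_cleartext(users, name, password):
    users[name] = password


# Hardened pattern. scrypt cost parameters (assumed values; raise as hardware allows).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_hashed(users, name, password):
    salt = os.urandom(16)  # unique per user, so equal passwords give different records
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    users[name] = "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                            base64.b64encode(salt).decode("ascii"),
                            base64.b64encode(digest).decode("ascii")])


def verify(users, name, password):
    """Recompute with the parameters stored in the record; constant-time compare.
    Clear-text records are never accepted, which forces migration of legacy rows."""
    record = users.get(name)
    if record is None or not record.startswith("scrypt$"):
        return False
    _, n, r, p, salt_b64, digest_b64 = record.split("$")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    got = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(got, expected)


if __name__ == "__main__":
    users = {}
    store_cleartext(users, "legacy-user", "Summer2024!")  # what an audit should flag
    store_hashed(users, "alice", "correct horse battery staple")
    print(users["legacy-user"])       # the password itself, readable as stored
    print(users["alice"])             # scrypt$16384$8$1$<salt>$<digest>
    print(verify(users, "alice", "correct horse battery staple"))  # True
    print(verify(users, "alice", "wrong"))                         # False
```

When checking an application against questions 9 and 10, the evidence to ask for is a sample of the stored records: a value that reproduces the password, or an unsalted digest that is identical for two users with the same password, fails the control even if the policy document reads well.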

A.12.3.2 Key Management (Significance: High; Evidence: Key management procedure)
1) Is a well-defined key management procedure in place to support the organization's use of cryptographic techniques?
2) Does the key management procedure cover the following?
- generating keys for different cryptographic systems and different applications
- generating and obtaining public key certificates
- distributing keys to intended users
- storing keys
- changing or updating keys
- dealing with compromised keys
- revoking keys
- recovering keys that are lost or corrupted
- archiving keys
- destroying keys
- logging and auditing of key management related activities

A.12.4 Security of system files

A.12.4.1 Control of Operational Software (Significance: High; Evidence: Software development policy and procedure; Software version control system; Escrow arrangements)
1) Is strict control maintained over the implementation of software on operational systems?
2) Is updating of the operational program libraries performed only by the nominated librarian, with proper management authorization?
3) What is the process for version management?
4) Is an audit log of all updates to operational program libraries maintained?
5) Are previous versions of software retained as a contingency measure?
6) Has the organization entered into an escrow agreement with anyone? Does it insist on escrow agreements when it outsources application development to a third party?
7) What controls have been deployed to ensure that code check-in and version changes are carried out only by authorized individuals?
8) Is access given to suppliers for support purposes only with management's approval, and is it monitored?
9) Are tools available in the production application environment that would allow data to be altered without producing an audit trail?
10) Are development code or compilers available on operational systems?

A.12.4.2 Protection of System Test Data (Significance: High; Evidence: Software development policy and procedure; Approval records for using operational data for testing)
1) Is system test data subject to appropriate protection and controls?
2) Are the access control procedures that apply to operational application systems applied to test application systems as well?
3) Is separate authorization obtained each time operational information is copied to a test application system?
4) Is operational information erased from the test application system immediately after testing is complete?
5) Is the copying and use of operational information logged to provide an audit trail?
6) Is sensitive data masked before testing?

A.12.4.3 Access Control to Program Source Code (Significance: High; Evidence: Software development policy and procedure; Software version control system)
1) Are program source libraries held on operational systems?
2) Is a program librarian nominated for each application?
3) Is IT support staff access to program source libraries restricted?
4) Are programs under development or maintenance separated from operational program source libraries?
5) Are program listings held in a secure environment?
6) Is an audit log of all accesses to program source libraries maintained?
7) Are old versions of source programs archived together with all supporting software, job control, data definitions and procedures?

A.12.5 Security in development and support processes

A.12.5.1 Change Control Procedures (Significance: High; Evidence: Change control policy and procedure; Change control records)
1) Are there formal change control procedures governing the implementation of changes to systems?
2) Is a record maintained of agreed authorization levels?
3) Is there a process to ensure that changes can be submitted by authorized users only?
4) Are security controls reviewed to ensure that they will not be compromised by the changes?
5) Is there a process to identify all computer software, information, database entries and hardware that will require amendment?
6) Is there a process to obtain formal approval for detailed proposals before work commences?
7) Is there a process to ensure that authorized users accept the changes before implementation?
8) Is it ensured that implementation is carried out with minimum business disruption?
9) Is a record of all software updates maintained?
10) Is an audit trail of all change requests maintained?
11) Is a rollback plan available for the changes?
12) After a change, is the relevant documentation updated?
13) Is there a procedure to handle emergency changes? Are emergency changes subsequently authorized and subjected to the change control procedure?
14) Are the changes that have taken place verified?

A.12.5.2 Technical Review of Applications after Operating System Changes (Significance: Medium; Evidence: Review reports)
1) Is the security impact of operating system changes reviewed to ensure that the changes do not have an adverse impact on applications?
2) Does the review check the application control and integrity procedures to ensure that they have not been compromised by the operating system changes?
3) Do the annual support plan and budget cover reviews and system testing resulting from operating system changes?
4) Is notification of operating system changes provided in time to allow reviews to take place before implementation?
5) Are operating system changes reflected in the business continuity plan?

A.12.5.3 Restrictions on Changes to Software Packages (Significance: Medium; Evidence: Software development policy and procedure; Change control records)
1) Are vendor-supplied packages used, as far as possible, without modification?
2) When a software package is modified, is it checked whether the built-in controls or integrity processes are being compromised?
3) Is the vendor's consent obtained before modifying a package, where necessary?
4) Is a risk assessment done prior to changing the package?

A.12.5.4 Information Leakage (Significance: High; Evidence: Application/source code audit report; Monitoring policy and procedure; Monitoring reports)
1) When procuring programs or software, are appropriate steps taken to minimize the risk of inclusion of covert channels and Trojan code?
2) Are programs bought from reputable sources only?
3) Are the following requirements considered for limiting the risk of information leakage?
- Scanning of outbound media and communications for hidden information
- Monitoring resource usage in computer systems
4) Are only evaluated products used?
5) Is all source code inspected before operational use?
6) Is access to, and modification of, source code controlled?
7) Are staff of proven trust used to work on key systems?
8) Are personnel and system activities regularly monitored?

A.12.5.5 Outsourced Software Development (Significance: High; Evidence: Software development policy and procedure; Agreements/Contracts/NDA/SLA)
1) Are licensing arrangements, code ownership and intellectual property rights taken care of when software development is outsourced?
2) Is certification of the quality and accuracy of the work carried out obtained?
3) Is there a right of access to audit the quality and accuracy of the work done?
4) Are there contractual requirements for the quality of code?
5) Is there testing before installation to detect malicious or Trojan code?
6) Who owns the intellectual property of the code? Are escrow arrangements in place where required?
7) Have developers been trained in programming techniques that provide for more secure applications?

A.12.6 Technical Vulnerability Management

A.12.6.1 Control of Technical Vulnerabilities (Significance: High; Evidence: Vulnerability assessment reports; Penetration testing reports; Roles and responsibilities for technical vulnerability management)
1) Are vulnerability assessments carried out for servers, network devices and security devices?
2) What is the periodicity of such vulnerability assessments?
3) Is a patch management system deployed for efficient and timely deployment of patches to operating systems?
4) Are roles and responsibilities associated with technical vulnerability management defined and established?
5) How is timely information on published vulnerabilities obtained?
6) Is a well-defined patch management procedure in place?


A.13 Information security incident management

A.13.1 Reporting information security events and weaknesses

A.13.1.1 Reporting Information Security Events (Significance: High; Evidence: Incident management policy and procedures; Incident management records)
1) Are there formal procedures for reporting information security incidents?
2) Are all users informed of the formal procedures for reporting the different types of security incident?
3) Is contact information for reporting an incident readily accessible to users and administrators?
4) Is there a feedback process to notify the reporter of the results once the incident has been dealt with?
5) Does the incident response team prepare a report for each incident reported or occurring?
6) Is there a report of the action taken to rectify the incident?
7) Is a time frame defined within which the incident response team must conduct an investigation?
8) Are incidents reported to senior management?

A.13.1.2 Reporting Security Weaknesses (Significance: High; Evidence: Incident management policy and procedures; Incident management records)
1) Are formal procedures defined for reporting security weaknesses?
2) Are all employees, contractors and third-party users required, and trained, to note and report any observed or suspected security weaknesses in systems or services?

A.13.2 Management of information security incidents and improvements

A.13.2.1 Responsibilities and Procedures (Significance: High; Evidence: Incident management policy and procedures; Incident management records)
1) Are management responsibilities and procedures defined to ensure a quick, effective and orderly response to information security incidents?
2) Does the incident management procedure incorporate the following?
- procedures for handling different types of security incidents
- analysis and identification of the cause of the incident
- containment
- planning and implementation of corrective action
- collection of audit trails and other evidence
- action to recover from security breaches and correct system failures
- reporting the action to the appropriate authority
3) Are all potential types of security incident covered by the procedures?
4) Are the actions and the authority to recover from incidents defined?
5) Are recovery mechanisms tested? Are people familiar with the process?

A.13.2.2 Learning from Information Security Incidents (Significance: High; Evidence: Incident management policy and procedures; Incident management records)
1) How are lessons from security incidents incorporated so as to prevent their recurrence?
2) Are mechanisms in place to quantify and monitor incidents by type, volume and cost, so as to learn from them?

A.13.2.3 Collection of Evidence (Significance: High; Evidence: Incident management policy and procedures; Incident management records)
1) Are the rules for evidence laid down by the relevant law or court identified, to ensure admissibility of evidence in case of an incident?
2) Has a procedure been developed with instructions for collecting and presenting evidence for the purposes of disciplinary action?

A.14 Business Continuity Management

A.14.1 Information security aspects of business continuity management

A.14.1.1 Including Information Security in the Business Continuity Management Process (Significance: High; Evidence: Business Continuity Policy/Procedure; Risk assessment results)
1) Is there a managed process in place for developing and maintaining business continuity across the company?
2) Does the process include risk analysis of critical business processes?
3) Are responsibilities and emergency arrangements identified and agreed?
4) Is the business continuity strategy consistent with the agreed business objectives and priorities?

A.14.1.2 Business Continuity and Risk Assessment (Significance: High; Evidence: Business Continuity Policy/Procedure; Risk assessment results)
1) Is a risk assessment carried out for business processes?
2) Is the risk assessment procedure well defined?
3) Does the risk assessment identify events that can cause interruptions to business processes, along with the probability and impact of such interruptions and their consequences for information security?

A.14.1.3 Developing and Implementing Continuity Plans Including Information Security (Significance: High; Evidence: Business Continuity Policy/Procedure; BCP test plan and results; Training plan and records)
1) Have continuity plans been developed to maintain or restore business operations in the required time scales following interruption to, or failure of, critical business processes?
2) Are all responsibilities and emergency procedures identified and agreed upon?
3) Are the agreed procedures documented?
4) Are staff trained in the agreed procedures?
5) Are the documented procedures tested periodically?

A.14.1.4 Business Continuity Planning Framework (Significance: High; Evidence: Business Continuity Policy/Procedure)
1) Is a single framework maintained to ensure that all plans are consistent and to identify priorities for testing and maintenance?
2) Does each business continuity plan specify the conditions for its activation, as well as the individuals responsible for executing each component of the plan?
3) Are emergency procedures with detailed actions identified?
4) Are fallback, temporary and resumption operational procedures identified?
5) Is there a maintenance schedule specifying how and when the plan will be tested?
6) Are the responsibilities of all individuals involved in the plan documented?
7) Are all assets and resources required to perform the emergency, fallback and resumption procedures identified?
8) Are sufficient awareness, education and training activities carried out?

A.14.1.5 Testing, Maintaining and Re-assessing Business Continuity Plans (Significance: High; Evidence: BCP test plan and results; Training plan and records)
1) At what interval is the business continuity plan tested?
2) Are a variety of techniques used to provide assurance that the plan will operate in real life (table-top testing, simulations, technical recovery testing, testing recovery at an alternate site, tests of supplier facilities and services, complete rehearsals)?
3) Does the business continuity process include reviewing and updating the plan to ensure continued effectiveness?
4) Are the business continuity plans reviewed under the following circumstances?
- Acquisition of new equipment
- Upgrading of operational systems
- Changes in personnel, addresses or telephone numbers
- Changes in business strategy
- Changes in location, facilities or resources
- Changes in legislation
- Changes in contractors, suppliers or customers
- Changes in processes
- Changes in risk
5) Are third-party providers involved in the test exercises?

A.15 Compliance

A.15.1 Compliance with legal requirements

A.15.1.1 Identification of Applicable Legislation (Significance: High; Evidence: List of statutory, regulatory and contractual requirements)
1) Are all relevant statutory, regulatory and contractual requirements explicitly defined and documented for each information system?
2) Are specific controls and individual responsibilities to meet these requirements defined and documented?

A.15.1.2 Intellectual Property Rights (Significance: High; Evidence: License keys/agreements)
1) Are procedures or instructions in place to guide staff on the use of material for which there may be intellectual property rights, including disciplinary action for breach?
2) Are applicable legislative, regulatory and contractual requirements considered when complying with IPR?
3) Is a software copyright compliance policy published that defines the legal use of software and information products?
4) Are appropriate asset registers maintained?
5) Is proof and evidence of ownership of licenses, master disks, manuals, etc. maintained?
6) Are controls implemented to check that the maximum number of users permitted is not exceeded?
7) Are checks carried out to confirm that only authorized software and licensed products are installed?
8) Is there a policy for maintaining appropriate license conditions?
9) Is there a policy for disposing of software or transferring it to others?
10) Are appropriate audit tools used?
11) Are the terms and conditions for software and information obtained from public networks complied with?

A.15.1.3 Protection of Organizational Records (Significance: High)
1) Are important organizational records safeguarded from loss, destruction or falsification, considering the legislative or regulatory environment within which the organization operates?
2) Are records categorized into types (accounting records, database records, etc.)?
3) Are guidelines issued on the retention, storage, handling and disposal of records and information?
4) Is a retention schedule drawn up identifying the essential record types and the period for which they should be retained?
5) Is an inventory of sources of key information maintained?

A.15.1.4 Data Protection and Privacy of Personal Information (Significance: High; Evidence: Data privacy policy/procedure)
1) Are the data protection and privacy requirements in relevant legislation, regulations and contractual clauses identified?
2) How does the organization comply with data protection and privacy requirements?

A.15.1.5 Prevention of Misuse of Information Processing Facilities (Significance: Medium)
1) Are procedures and controls in place to ensure that the organization's IT facilities are used only for authorized business purposes and are not subject to misuse?
2) Are all users aware of the precise scope of their permitted access and of the monitoring in place to detect unauthorized use?
3) Does a warning message appear at log-on indicating that unauthorized access is not permitted?

A.15.1.6 Regulation of Cryptographic Controls (Significance: High)
1) Are the requirements regarding the use of cryptography in relevant regulations, laws and agreements identified?
2) Is legal advice sought before cryptographic controls are implemented?

A.15.2 Compliance with security policies and standards, and technical compliance

A.15.2.1 Compliance with Security Policies and Standards (Significance: High; Evidence: Compliance audit reports)
1) Are information systems, service providers, owners, users and management subject to regular review to ensure compliance with company security policies and applicable standards?
2) How are non-compliances analyzed, treated, tracked, closed and reviewed?

A.15.2.2 Technical Compliance Checking (Significance: High; Evidence: Vulnerability assessment reports; Penetration testing reports; Application security testing reports)
1) Are information systems regularly checked for compliance with security implementation standards?
2) What kinds of audit are carried out for technical compliance checking?
3) How are vulnerabilities identified in technical audits tracked and fixed?

A.15.3 Information system audit considerations

A.15.3.1 Information System Audit Controls (Significance: Medium; Evidence: Audit plan, schedule, methodology, organization structure)
1) Are audits of operational systems planned, agreed and carried out in a controlled manner, minimizing the risk of disruption to business processes?
2) Are audit requirements agreed with appropriate management?
3) Is the scope of the audit agreed and controlled?
4) Are the checks limited to read-only access to software and data?
5) Where access other than read-only is required, is it removed when the audit is completed?
6) Are the IT resources for performing the audit explicitly identified and made available?
7) Are requirements for additional processing identified and agreed?
8) Are all accesses monitored and logged to produce an audit trail?
9) Are all procedures, requirements and responsibilities documented?
10) Are the person(s) carrying out the audit independent of the activities audited?

A.15.3.2 Protection of Information System Audit Tools (Significance: Medium)
1) Are audit tools (software or data files) safeguarded so as to prevent any possible misuse?
2) Are system audit tools held separately from development and operational systems, and not kept in tape libraries or user areas?
