Iso 27001 Project Template Pbmnpd (1)
ISO 27001 Project Tasks Last Updated: 2016-03-29

Section | Task | Status | Resources: Customer

Phase 1: Develop the Information Security Management System (ISMS)

Initiation
  N/A         Approve the project
  N/A         Set up project communications
  N/A         Agree on the project timeline

Part 1: "Plan"
  4           Context of the organization
  N/A         Create document list
  N/A         Create an Organization Chart
  N/A         Identify Key Department Staff and Process Owners
  N/A         Create initial mapping of ISO 27001 controls to departments
  N/A         Schedule initial kickoff meetings
  N/A         Schedule first onsite travel for Consultant team
  N/A         Present the initial kickoff meetings
  N/A         Refine the mapping of ISO 27001 controls to specific application/data owners
  4.1         Understanding the organization and its context
  4.1         Document external and internal relevant issues
  4.1         Determine applicability
  4.2         Understanding the needs and expectations of interested parties
  4.2.a       Document interested third parties
  4.2.b       Document requirements of interested third parties
  4.1, 4.2, 4.4, 5.1, 5.2.c-d, 5.3   Draft the Information Security Policy
  4.3         Determining the scope of the information security management system (ISMS)
  4.3         Create the Scope document
  N/A         Discuss observations and pertinent details
  4.3.a       Include scope item
  4.3.a       Include Risk Register
  4.3.a       Include Risk Analysis Report
  4.3.a       Include Security Questionnaires
  4.3.b       Include scope item
  4.3.c       Include scope item
  N/A         Approve the Scope document
  4.4         Information security management system
  4.4         Document the ISMS
  5           Leadership
  5.1         Leadership and commitment
  5.1, 5.2.c-d   Commit to the Information Security Policy
  5.2         Policy
  5.2.a-b     Establish the Information Security Policy
  N/A         Approve the Information Security Policy
  5.2.e       Document the Information Security Policy
  5.2.f       Internally publish the Information Security Policy
  5.2.g       Externally publish the Information Security Policy
  5.3         Organizational roles, responsibilities, and authorities
  5.3         Assign responsibilities and authority
  5.3.a       Ensure conformance with ISO 27001
  5.3.b       Ensure performance reporting
  6           Planning
  6.1         Actions to address risks and opportunities
  6.1.1       General
  6.1.1.a     Ensure ISMS success
  6.1.1.b     Minimize adverse effects
  6.1.1.c     Build in continual improvement
  6.1.1.d     Plan actions to address risks and opportunities
  6.1.1.e.1   Plan how to integrate these into ISMS processes
  6.1.1.e.2   Plan how to evaluate effectiveness of actions
  N/A         Provide initial control lists
  6.1.2       Information security risk assessment
  6.1.2.a     Define the risk criteria
  6.1.2.a.1   Define the risk acceptance criteria
  6.1.2.a.2   Define the risk assessment performance criteria
  6.1.2.b     Define the risk assessment process
  N/A         Develop the Risk Assessment Program in accordance with the NIST 800-30 Standard
  6.1.2.c-d   Identify and analyze the information security risks
  6.1.2.c-d [part 1]   Review the most recent Risk Assessment
  6.1.2.c-d [part 2]   Review the most recent security audit results
  6.1.2.c-d [part 3]   Review the most recent risk questionnaires
  N/A         Create discussion documents
  6.1.2.c-d   Perform a Risk Assessment with each business unit
  6.1.2.c-d   Business unit: Information Security
  6.1.2.c-d   Business unit: Legal/Compliance
  6.1.2.c-d   Business unit: Internal Audit
  6.1.2.c-d   Business unit: IT
  6.1.2.c-d   Business unit: Engineering
  6.1.2.c-d   Business unit: Accounting
  6.1.2.c-d   Business unit: Finance/Strategy
  6.1.2.c-d   Business unit: M&A and Business Analysis
  6.1.2.c-d   Business unit: HR
  6.1.2.c-d   Business unit: Sales
  6.1.2.c-d   Business unit: Marketing
  6.1.2.c-d   Business unit: Customer Support
  6.1.2.e     Evaluate the information security risks
  6.1.2.e.1   Review the identified risks against the criteria
  6.1.2.e.2   Prioritize the risks
  6.1.3       Information security risk treatment
  6.1.3       Define the risk treatment process
  6.1.3.a     Treat the risks
  6.1.3.b     Select controls
  6.1.3.c     Compare selected controls to ISO 27001 controls
  N/A         Map the controls to the SOC framework
  6.1.3.d     Document a Statement of Applicability
  6.1.3.e     Create a Risk Treatment Plan
  6.1.3.f     Obtain risk acceptance/approval for mitigation
  6.2         Information security objectives and planning to achieve them
  6.2         Information security objectives and planning
  6.2.a-e     Define information security objectives
  6.2.f-j     Plan how to achieve information security objectives
  6.2.a-j     TBD: Function/level 1
  6.2.a-j     TBD: Function/level 2
  6.2.a-j     TBD: Function/level 3
  6.2.a-j     …

Part 2: "Do"
  7           Support
  7.1         Resources
  7.1         Determine initial resource requirements
  N/A         Determine client project resources
  7.1         Identify Internal Audit resource
  N/A         Provide estimate of Internal Audit cost
  7.1         Select external audit/certification firm
  7.1         Determine ongoing resource requirements
  7.2         Competence
  7.2.a       Define competence requirements
  7.2.b       Evaluate competence of resources
  7.2.c [part 1]   Acquire competence
  7.2.c [part 2]   Evaluate effectiveness of actions taken
  7.2.d       Define record keeping for competence
  7.3         Awareness
  7.3         Security Awareness Training
  7.4         Communication
  7.4         Establish Communication
  7.5         Documented information
  N/A         Agree on documents to be included
  N/A         Update Section 7.5.1 in this project plan
  7.5         Create required documentation
  7.5.1       General
  7.5.1.a     Scope of the ISMS (4.3)
  7.5.1.a     Information security policy and objectives (5.2 and 6.2)
  7.5.1.a     Risk assessment methodology (6.1.2)
  7.5.1.a     Risk treatment methodology (6.1.2)
  7.5.1.a     Statement of Applicability (6.1.3 d)
  7.5.1.a     Risk treatment plan (6.1.3 e and 6.2)
  7.5.1.a     Risk assessment report (8.2)
  7.5.1.a     Definition of security roles and responsibilities (A.7.1.2 and A.13.2.4)
  7.5.1.a     Inventory of assets (A.8.1.1)
  7.5.1.a     Acceptable use of assets (A.8.1.3)
  7.5.1.a     Access control policy (A.9.1.1)
  7.5.1.a     Operating procedures for IT management (A.12.1.1)
  7.5.1.a     Secure system engineering principles (A.14.2.5)
  7.5.1.a     Supplier security policy (A.15.1.1)
  7.5.1.a     Incident management procedure (A.16.1.5)
  7.5.1.a     Business continuity procedures (A.17.1.2)
  7.5.1.a     Statutory, regulatory, and contractual requirements (A.18.1.1)
  7.5.1.a     Create templates for required records
  7.5.1.a     Competence (7.2)
  7.5.1.a     Monitoring and measurement results (9.1)
  7.5.1.a     Change control records (implied in 8.1)
  7.5.1.a     Internal audit program (9.2)
  7.5.1.a     Results of internal audits (9.2)
  7.5.1.a     Results of the management review (9.3)
  7.5.1.a     Results of corrective actions (10.1)
  7.5.1.a     Logs of user activities, exceptions, and security events (A.12.4.1 and A.12.4.3)
  7.5.1.b     Create documentation as appropriate
  7.5.2       Creating and updating
  7.5.2       Define document creation and updating process
  7.5.2.a-b   Ensure appropriate content, format, and media
  7.5.2.c     Ensure acceptability of ISMS documents
  N/A         Perform review of ISMS documentation
  7.5.3       Control of documented information
  7.5.3       Define control of ISMS documentation
  7.5.3.a     Availability
  7.5.3.b     Protection
  7.5.3       Document control of ISMS documentation
  7.5.3.c     Transmission and access
  7.5.3.d     Storage
  7.5.3.e     Version control
  7.5.3.f     Retention and destruction
  7.5.3.*     Identification of externally originating documents
  N/A         Create document management and workflow
  N/A         Set up project document repository
  8           Operation
  8.1         Operational planning and control
  8.1         Implement operational planning and control
  8.1         Implement record keeping for operational control
  8.1         Implement change control
  8.1         Control of outsourced processes
  8.1         Create operational control records
  8.2         Information security risk assessment
  8.2         Schedule information security risk assessments
  8.2         Specify criteria for unscheduled risk assessments
  8.2         Define record keeping for risk assessments
  8.2         Create risk assessment records
  8.3         Information security risk treatment
  8.3         Implement the information security risk treatment plan
  8.3         Implement record keeping for risk treatments
  8.3         Create risk treatment records

Part 3: "Check"
  9           Performance evaluation
  9.1         Monitoring, measurement, analysis, and evaluation
  9.1.a-f     Document the evaluation process
  9.1         Define record keeping for monitoring and measurement
  9.1         Create monitoring and measurement records
  9.2         Internal audit
  9.2.a-f     Document the audit program
  9.2.g       Define record keeping for internal audit
  9.3         Management review
  9.3         Document the management review process
  9.3         Define record keeping for management review

Part 4: "Act"
  10          Improvement
  10.1        Nonconformity and corrective action
  10.1.a-e    Document the process for response to nonconformities
  10.1.f-g    Define record keeping for corrective action
  10.2        Continual improvement
  10.2        Commit to continual improvement

Phase 2: Test and Audit the ISMS
  I           Internal Audit
              Internal Audit
              Project manage and perform internal audit
              Coordinate remediation
              Management review
  II          External Audit (Part 1)
              Stage 1 Audit
              Coordinate the Stage 1 audit schedule and activities
              Gather supporting evidence
              Finish compiling evidence
              Review Stage 1 audit findings
              Coordinate remediation
  III         External Audit (Part 2)
              Stage 2 Audit
              Coordinate the Stage 2 audit schedule and activities
              Obtain evidence requirements list
              Gather required evidence

Phase 3: Achieve Certification
  IV          Finalize Certification
              ISO 27001 Certification
              Receive official certification

ISO 27001 Implementation and Certification: Task Details and Next Steps (Resources: Consultant)

Schedule weekly status meetings for the duration of the project. Confirm the timing for the various work steps and key milestones based on the external certification firm’s audit schedule, Customer's timing boundaries and availability of key contacts, and Consultant team’s schedule.

Create comprehensive list of documents for consideration for inclusion in the ISMS. Add details for key staff to PM workbook. Create visual organization chart. Create initial mapping of ISO 27001 controls to departments, indicating expected applicability of each. Use the data to estimate required interview time for each department. Provide the control mappings to the corresponding departments for initial feedback and to help them become familiar with the items of future discussions.

Meet key subject matter experts (SMEs) and Customer committee members, and lay out the project plan and timeline. Meet with business unit leaders together to determine the breakdown of future groups/meetings (based on which data/applications they use).

Determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its ISMS. Document external and internal issues relevant to the company's purpose and that affect its ability to achieve the ISMS goals. Review with each Business Unit the ISO 27001 requirements (Annex A); results of recent risk analyses and/or related initiatives; and questionnaire results. Determine relevant interested parties and their requirements. Document interested parties that are relevant to the ISMS. Document the requirements of these interested parties relevant to information security. Include or reference the following items: 1) external and internal issues relevant to the company's purpose and that affect its ability to achieve the ISMS goals (4.1); 2) interested parties and their requirements/objectives (4.2); 3) statement of leadership commitment (5.1, 5.2.c, 5.2.d); 4) assignment of key roles and responsibilities [by titles] (5.3).

Determine the boundaries and applicability of the ISMS.

Create the Scope document as defined below. Review any observations prior to the start of the project. Include external and internal issues relevant to the company's purpose and that affect its ability to achieve the ISMS goals. Review the most recent risk analysis, and include the recommendations to be addressed in the Scope document. Map the results of any recent risk analyses to the ISO 27001 requirements. Include the ones to be addressed in the Scope document. Map the results of the internal security questionnaires to the ISO 27001 requirements. Include the ones to be addressed in the Scope document. Include interested parties and their requirements/objectives. Include interfaces and dependencies between internal and external activities (may be specified in the Information Security Policy). Approve the Scope document. Establish, implement, maintain and continually improve the ISMS. Create the ISMS Master Document. Demonstrate leadership and commitment with respect to the ISMS. Have senior leadership review the Information Security Policy and sign off on the commitments specified in Sections 5.1, 5.2.c, and 5.2.d of the standard. Establish an information security policy. Document the Information Security Policy, making sure that it: a) is appropriate to the purpose of the organization; and b) includes the information security objectives determined in Section 6.2. Have senior leadership review the Information Security Policy and formally approve (sign off on) it. Document the Information Security Policy. Publish and announce to internal staff the Information Security Policy. Publish and announce to external stakeholders and interested parties the Information Security Policy. Ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. 
Assign responsibilities and authority for ensuring that the ISMS conforms to the requirements of ISO 27001:2013. Assign responsibilities and authority for reporting on the performance of the ISMS to top management. Address risks and opportunities related to the ISMS. Include internal and external issues, and interested parties and their requirements, when planning for the ISMS. Determine and document risks and opportunities (based on results of Sections 4.1 and 4.2) that need to be addressed to ensure the information security management system can achieve its intended outcome(s). Determine and document risks and opportunities (based on results of Sections 4.1 and 4.2) that need to be addressed to prevent, or reduce, undesired effects. Determine and document risks and opportunities (based on results of Sections 4.1 and 4.2) that need to be addressed to achieve continual improvement. Plan actions to address the risks and opportunities determined in Sections 6.1.1a-c. Plan how to integrate and implement the actions determined in Section 6.1.1.d into the ISMS processes. Plan how to evaluate the effectiveness of the actions implemented in Section 6.1.1.e.1.

Discuss which business units should receive initial control lists. Define and apply an information security risk assessment process. Define and document the Risk Assessment criteria. Define and document the risk acceptance criteria. Define and document the criteria for performing information security risk assessments. Define and document the Risk Assessment process. Review the Risk Assessment Program and align it with NIST Special Publication 800-30 Revision 1. Apply the information security risk process; identify the risk owners; and analyze the impact and likelihood of each risk and combine these to specify the level of each risk. Review the most recent risk assessment. Review the most recent security audit. Review results from the Customer business units' Internal Risk Analysis Scoping Questionnaires. Combine the responses from the internal Security Questionnaires, ISO 27001 controls, and set of additional discussion items into a single document for each business unit. Facilitate discussions with each business unit regarding their processes; applicable ISO 27001 controls; and answers to the security questionnaires.

Evaluate the information security risks. Compare the results of risk analysis with the risk criteria established in 6.1.2.a. Rank the risks by level (as determined in Section 6.1.2.c-d). Define and apply an information security risk treatment process. Define and document the risk treatment process. For each risk identified in the Risk Assessment, select a risk treatment option (Accept, Mitigate, Transfer, or Avoid). For each risk to be mitigated, determine the controls to be implemented. Compare the selected controls to the 114 controls in ISO 27001 Annex A, and include all relevant controls from the Annex. SOW Step 15: ISO 27001 Annex A controls and documentation mapping; align with the existing SOC framework where relevant.

Produce a Statement of Applicability that contains the necessary controls (see 6.1.3.b-c) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A. Document the Risk Treatment Plan. For each Risk Treatment Plan item, review with the business unit managers and get their sign-off for each risk's treatment option. Establish information security objectives at relevant functions and levels. Determine and document the relevant functions and levels for establishment of information security objectives. For each function/level determined in Section 6.2, work with the business owners to determine and document the corresponding information security objectives. Make sure the objectives: a) are consistent with the information security policy; b) are measurable (if practicable); c) take into account applicable information security requirements, and results from risk assessment and risk treatment; d) are communicated; and e) are updated as appropriate.

For each objective determined in Section 6.2, work with the business owners to plan how to achieve the objectives by determining: f) what will be done; g) what resources will be required (see Section 7.1); h) who will be responsible; i) when it will be completed; and j) how the results will be evaluated.

Determine and provide the resources needed for the ISMS. Determine and document the resources required to establish and implement the ISMS. Determine the client resource to attend meetings with client process owners. SOW Step 10: Customer PM has selected Consultant to perform the internal audit function for this project. As appropriate and possible, provide an estimate of internal audit costs, and coordinate the appropriate resource and scheduling. Assist Customer with the selection of the external certification firm. This needs to be initiated early in the project in order to ensure that the firm can schedule and prepare for the audit and certification within our timeframe. Determine and document the resources required to maintain and continuously improve the ISMS. Ensure appropriate competence for all persons whose work affects information security performance. Define and document the necessary competence of all staff who affect the performance of information security. Review the competence of the corresponding personnel based on the criteria defined in Section 7.2.a (e.g., education, training, and experience).

Take actions to bring all relevant personnel to the required levels of competence. Evaluate the effectiveness of actions taken to ensure competence of relevant staff. Retain documented evidence of competence (and records of competence evaluations). Ensure appropriate security awareness for all persons doing work under the organization's control. Review the current security awareness program, and enhance it as necessary to ensure that all personnel are aware of: a) the information security policy; b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and c) the implications of not conforming with the information security management system requirements.

Determine and document the need for internal and external communications relevant to the ISMS. Determine the need for internal and external communications relevant to the ISMS including: a) on what to communicate; b) when to communicate; c) with whom to communicate; d) who shall communicate; and e) the processes by which communication shall be effected. Documented information pertinent to the organization and the ISMS shall be included. Confirm the documents intended to be included in the ISMS implementation, and obtain approval from Customer PM. Update Section 7.5.1 below with the documents to be included. Develop the ISO 27001 Required Documents section in accordance with Sections 4-8 of the 2013 Standard. Ensure Policies and Procedures Documentation is updated or developed to support the relevant Annex A controls. The ISMS shall include required documented information.

Create this document. Create this document. Create this document. Check with HR. Create this document. Create this document. Create this document. Create this document. Create this document. Create this document. Create this document.

Create this document. Create record templates as evidence of competence (e.g., records of training, skills, experience and qualifications) (7.2). Create this document. Create this document. Create this document. Create this document. Create this document. Create this document. Create this document. Determine and create any additional documents necessary for the effectiveness of the ISMS. See the Documents worksheet. When creating and updating documented information, appropriate measures will be taken. Define the content, format, media, and review/approval process for the ISMS documentation. Review the ISMS documents and ensure appropriate: a) identification and description (e.g. a title, date, author, or reference number); b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic). Review the ISMS documents for suitability and adequacy, and approve them. Quality Review – address completeness and accuracy of the entire documentation set. Documented information required by the ISMS shall be controlled. Determine and document how the ISMS documented information will be controlled with regard to the following: a) availability and suitability; b) protection (e.g., from loss of confidentiality, improper use, or loss of integrity). Document the policies, procedures, and controls for the ISMS documentation pertaining to: c) distribution, access, retrieval and use; d) storage and preservation, including the preservation of legibility; e) control of changes (e.g. version control); f) retention and disposition; *) identification and inclusion of externally originating ISMS documented information. Set up document management to manage the project documentation components, including the ability to handle version control, workflow, and approvals. Create and specify a shared Customer location for the project documentation. Plan, implement, and control the processes needed to meet information security requirements.
Implement actions and plans determined in Sections 6.1 and 6.2. Define the requirements for keeping records as evidence that processes have been carried out as planned. Document and implement change control policies and procedures, including response to unintended changes and mitigation of adverse effects. Document outsourced processes and how they are controlled. Bring this up during facilitated discussions with the business units. Create the appropriate operational control records. Perform information security risk assessments. Specify the schedule of risk assessments.

Determine triggers ("when significant changes are proposed or occur") for unscheduled risk assessments. Define the requirements for keeping records as evidence that risk assessments have been carried out as planned, and their results. Create the appropriate risk assessment records. Perform information security risk treatment. Implement the risk treatment plan documented and approved in Sections 6.1.3.e-f. Define the requirements for keeping records as evidence that risk treatments have been carried out as planned, and their results. Create the appropriate risk treatment records.

Evaluate the information security performance and the effectiveness of the ISMS. Document the methodology to evaluate the performance and effectiveness of the ISMS. Determine what needs to be monitored and measured, including information security processes and controls; the methods for monitoring, measurement, analysis and evaluation; when the monitoring and measuring shall be performed; who shall perform the monitoring and measuring; when the results from monitoring and measurement shall be analyzed and evaluated; and who shall analyze and evaluate these results. Define the requirements for keeping records as evidence that monitoring and measurement have been carried out as planned, and their results. Create the appropriate monitoring and measurement records. Plan, establish, implement, and maintain an internal audit program. Determine and document the methodology to evaluate the performance and effectiveness of the ISMS. Specify the frequency, methods, responsibilities, planning requirements, and reporting. Also specify how the audit criteria and scope will be defined for each audit; how auditors will be selected and audits will be conducted to ensure objectivity and impartiality of the audit process; how and to whom the audit results will be reported; and the records to be retained as evidence of the audit program and the results of each audit. Define the requirements for the records to be retained as evidence of the audit program and the results of each audit. Review the ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
Document the management review process including: a) reviews of the status of actions from previous management reviews; b) changes in external and internal issues that are relevant to the ISMS; c) feedback on the information security performance (including trends in: 1) nonconformities and corrective actions; 2) monitoring and measurement results; 3) audit results; and 4) fulfilment of information security objectives); d) feedback from interested parties; e) results of risk assessment and status of risk treatment plan; and f) opportunities for continual improvement. The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.

Define the requirements for keeping records as evidence that management reviews have been carried out as planned, and their results.

React appropriately to nonconformities.

Document the process for response to nonconformities, including how the organization: a) reacts to the nonconformity (and as applicable: 1) takes action to control and correct it; and 2) deals with the consequences); b) evaluates the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere (by: 1) reviewing the nonconformity; 2) determining the causes of the nonconformity; and 3) determining if similar nonconformities exist, or could potentially occur); c) implements any action needed; d) reviews the effectiveness of any corrective action taken; and e) makes changes to the ISMS, if necessary. Define the requirements for keeping records as evidence of f) the nature of the nonconformities and any subsequent actions taken, and g) the results of any corrective action. Continually improve the suitability, adequacy and effectiveness of the ISMS. No tasks

Coordinate and perform internal audit. Coordinate Internal Audit. Coordinate remediation in preparation for Part 1 audit. Facilitate management review of internal audit findings. Coordinate Stage 1 audit. Coordinate the Stage 1 audit. Begin pulling together the supporting evidence for the Stage 2 audit. Finish compiling evidence for the Stage 2 audit. Facilitate management review of Stage 1 audit findings. Coordinate remediation in prep for Stage 2 audit. Coordinate Stage 2 audit. Coordinate external certification firm’s ISO 27001 Stage 2 audit. Obtain evidence requirements listings from the external certification firm. Coordinate the evidence gathering.

Coordinate ISO 27001 certification. Coordinate the draft and finalization of the certification.


ISO 27001 Annex A Control List and Statement of Applicability
Last Updated: 2016-02-16

Columns:
  ISO 27001 Controls: Control ID | Section/Control Title | Objective/Control Description
  Applicability by business unit: Marketing | Customer Support | HR | Accounting | TO - Engineering | TO - Infrastructure | IT - Corp | Internal Audit | Legal / Compliance | Information Security | Sales | Finance | Finance - M&A and Bus. Analysis | Finance - Strategy | Other
  Technical | Oversight
  ISO 27001 Statement of Applicability (SoA) Control Justification: Inclusion (L - Legal & Regulatory, C - Contractual, B - Business Req. & Best Practices, R - Risk Assessment, O - Other (explain)) | Existing Controls | Comments | Suggested Effectiveness Measurement(s)

A.5 A.5.1

Information Security Policies Management direction Objective: To provide management direction and support for for information security information security in accordance with business requirements and relevant laws and regulations.

A.5.1.1

The policies for information security

A.5.1.2

Review of the policies The policies for information security shall be reviewed at planned for information security intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

A.6 A.6.1

Organization of information security Internal organization Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

A.6.1.1

Information security All information security roles and responsibilities shall be defined roles and responsibilities and allocated.

Perform an annual review of information security roles and responsibilities.

A.5.1.1

Policies for information security

A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.

Review policies on an annual basis and look for security issues related to policy controls. Discuss the effectiveness of the review process with the management team.

A.6.1.2

Segregation of duties

Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.

Perform an annual review of the segregation of duties requirements in the security policies as well as a review of any segregation of duties related security incidents.

A.6.1.3

Contact with authorities

Appropriate contacts with relevant authorities shall be maintained.

Verify contact information on an annual basis during the policy and procedure review.

A.6.1.4

Contact with special interest groups

Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

Review the group memberships on an annual basis (measure their industry contribution) and consider new groups if available.

A.6.1.5

Information security in project management

Information security shall be addressed in project management, regardless of the type of the project.

Audit the security incidents to identify any incidents related to the releases.

A.6.2

Mobile devices and teleworking

Objective: To ensure the security of teleworking and use of mobile devices.

A.6.2.1

Mobile device policy

A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

Review the number of mobile device related security incidents.

A.6.2.2

Teleworking

A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.

Review the number of mobile workers and security incidents involving off-site work.

A.7

Human resource security

A.7.1

Prior to employment

Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

A.7.1.1

Screening

Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

Audit the service level agreement with HR.

A.7.1.2

Terms and conditions of employment

The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security.

Review the employee handbook.

A.7.2

During employment

Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

A.7.2.1

Management responsibilities

Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

Ensure all employees attest to agreeing to the Employee Handbook at least once a year.

A.7.2.2

Information security awareness, education and training

All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.

Survey after training - 100% attendance by Ops and 10 question quiz scores.

A.7.2.3

Disciplinary process

There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

Verify employees have signed off on the employee handbook and gather feedback on the disciplinary process from HR.

A.7.3

Termination and change of employment

Objective: To protect the organization’s interests as part of the process of changing or terminating employment.

A.7.3.1

Termination or change of employment responsibilities

Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.

Perform a quarterly user account and access audit to ensure that access was revoked for all terminated employees.

A.8

Asset management

A.8.1

Responsibility for assets

Objective: To identify organizational assets and define appropriate protection responsibilities.

A.8.1.1

Inventory of assets

Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

Perform a bi-annual audit to ensure that assets are tracked in the system of record.

A.8.1.2

Ownership of assets

Assets maintained in the inventory shall be owned.

Perform an annual audit to ensure asset owners are accurate.

A.8.1.3

Acceptable use of assets

Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.

Evaluate the number of issues or disciplinary actions related to acceptable use of company assets.

A.8.1.4

Return of assets

All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.

Perform an annual audit to ensure that terminated employees returned their equipment.

A.8.2

Information classification

Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

A.8.2.1

Classification of information

Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.

Perform an annual information security policy review and review any security incidents related to the classification of sensitive information.

A.8.2.2

Labelling of information

An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

Perform an annual information security policy review and review any security incidents related to the labeling of sensitive information.

A.8.2.3

Handling of assets

Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

Perform an annual information security policy review and review any security incidents related to the handling of sensitive information.

A.8.3

Media handling

Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

A.8.3.1

Management of removable media

Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

Assess the use of removable media and any security incidents involving removable media.

A.8.3.2

Disposal of media

Media shall be disposed of securely when no longer required, using formal procedures.

Assess the media disposal practices.

A.8.3.3

Physical media transfer

Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.

Assess the use of removable media and any security incidents involving removable media.

A.9

Access control

A.9.1

Business requirements of access control

Objective: To limit access to information and information processing facilities.

A.9.1.1

Access control policy

An access control policy shall be established, documented and reviewed based on business and information security requirements.

Perform a quarterly user account and access audit.

A.9.1.2

Access to networks and network services

Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

Perform a quarterly user account and access audit.

A.9.2

User access management

Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.2.1

User registration and de-registration

A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

Perform a quarterly user account and access audit.

A.9.2.2

User access provisioning A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

Perform a quarterly user account and access audit.

A.9.2.3

Management of privileged access rights

The allocation and use of privileged access rights shall be restricted and controlled.

Perform a quarterly user account and access audit.

A.9.2.4

Management of secret authentication information of users

The allocation of secret authentication information shall be controlled through a formal management process.

Perform a quarterly user account and access audit.

A.9.2.5

Review of user access rights

Asset owners shall review users’ access rights at regular intervals.

Perform a quarterly user account and access audit.

A.9.2.6

Removal or adjustment of access rights

The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

Perform a quarterly user account and access audit.

A.9.3

User responsibilities

Objective: To make users accountable for safeguarding their authentication information.

A.9.3.1

Use of secret authentication information

Users shall be required to follow the organization’s practices in the use of secret authentication information.

Perform an annual information security policy review and review any security incidents related to authentication information.

A.9.4

System and application access control

Objective: To prevent unauthorized access to systems and applications.

A.9.4.1

Information access restriction

Access to information and application system functions shall be restricted in accordance with the access control policy.

Perform a quarterly user account and access audit.

A.9.4.2

Secure log-on procedures

Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

Perform an annual information security policy review and review any security incidents related to authentication information.

A.9.4.3

Password management system

Password management systems shall be interactive and shall ensure quality passwords.

Review password requirements during the annual policy review and review any security incidents related to passwords.

A.9.4.4

Use of privileged utility programs

The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

Perform a quarterly user account and access audit.

A.9.4.5

Access control to program source code

Access to program source code shall be restricted.

Perform a quarterly user account and access audit.

A.10

Cryptography

A.10.1

Cryptographic controls

Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

A.10.1.1

Policy on the use of cryptographic controls

A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

Review encryption requirements during the annual policy review and review any security incidents related to information exposure.

A.10.1.2

Key management

A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

Review encryption requirements during the annual policy review and review any security incidents related to information exposure.

A.11

Physical and environmental security

A.11.1

Secure areas

Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.

A.11.1.1

Physical security perimeter

Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

Perform an annual review of the data center SOC/ISO reports.

A.11.1.2

Physical entry controls

Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

Perform an annual review of the data center SOC/ISO reports.

A.11.1.3

Securing offices, rooms and facilities

Physical security for offices, rooms and facilities shall be designed and applied.

Perform an annual review of the data center SOC/ISO reports.

A.11.1.4

Protecting against external and environmental threats

Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.

Perform an annual review of the data center SOC/ISO reports.

A.11.1.5

Working in secure areas

Procedures for working in secure areas shall be designed and applied.

Perform an annual information security policy review.

A.11.1.6

Delivery and loading areas

Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

Review security incidents related to unauthorized physical access.

A.11.2

Equipment

Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

A.11.2.1

Equipment siting and protection

Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

Perform an annual information security policy review. Annual review of SOC/ISO reports.

A.11.2.2

Supporting utilities

Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

Perform an annual information security policy review. Annual review of SOC/ISO reports.

A.11.2.3

Cabling security

Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.

Perform an annual information security policy review. Annual review of SOC/ISO reports.

A.11.2.4

Equipment maintenance Equipment shall be correctly maintained to ensure its continued availability and integrity.

Annual equipment audit to ensure replacement of non-supported hardware.

A.11.2.5

Removal of assets

Equipment, information or software shall not be taken off-site without prior authorization.

Perform an annual information security policy review. Annual review of SOC/ISO reports.

A.11.2.6

Security of equipment and assets off-premises

Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises.

Perform an annual information security policy review.

A.11.2.7

Secure disposal or reuse of equipment

All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Perform an annual information security policy review.

A.11.2.8

Unattended user equipment

Users shall ensure that unattended equipment has appropriate protection.

Perform an annual information security policy review.

A.11.2.9

Clear desk and clear screen policy

A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

Perform an annual information security policy review.

A.12

Operations security

A.12.1

Operational procedures and responsibilities

Objective: To ensure correct and secure operations of information processing facilities.

A.12.1.1

Documented operating procedures

Operating procedures shall be documented and made available to all users who need them.

Perform an annual procedures audit.

A.12.1.2

Change management

Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.

Annual review of the change management process.

A.12.1.3

Capacity management

The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

Review the number of security or availability issues related to capacity management.

A.12.1.4

Separation of development, testing and operational environments

Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

Review the requirements and any security incidents related to system isolation.

A.12.2

Protection from malware

Objective: To ensure that information and information processing facilities are protected against malware.

A.12.2.1

Controls against malware

Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

Review the number of security incidents and impacts related to malware.

A.12.3

Backup

Objective: To protect against loss of data.

A.12.3.1

Information backup

Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.

Success of restore procedures. Log of restores required.

A.12.4

Logging and monitoring

Objective: To record events and generate evidence.

A.12.4.1

Event logging

Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

Annual review to confirm log file information is still sufficient and the availability of the log files meets management/customer expectations.

A.12.4.2

Protection of log information

Logging facilities and log information shall be protected against tampering and unauthorized access.

Annual review of controls and measure number of log related security events.

A.12.4.3

Administrator and operator logs

System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

Annual review of the administrator access logging capabilities.

A.12.4.4

Clock synchronisation

The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source.

Annual audit of time synchronization.

A.12.5

Control of operational software

Objective: To ensure the integrity of operational systems.

A.12.5.1

Installation of software on operational systems

Procedures shall be implemented to control the installation of software on operational systems.

Annual review of system failures and related security and operational system incidents.

A.12.6

Technical vulnerability management

Objective: To prevent exploitation of technical vulnerabilities.

A.12.6.1

Management of technical vulnerabilities

Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

Review the number of failures due to not acting on system vulnerabilities.

A.12.6.2

Restrictions on software installation

Rules governing the installation of software by users shall be established and implemented.

Perform an annual information security policy review.

A.12.7

Information systems audit considerations

Objective: To minimise the impact of audit activities on operational systems.

A.12.7.1

Information systems audit controls

Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.

A.13

Communications security

A.13.1

Network security management

Objective: To ensure the protection of information in networks and its supporting information processing facilities.

A.13.1.1

Network controls

Networks shall be managed and controlled to protect information in systems and applications.

Perform an annual information security policy and procedures review.

A.13.1.2

Security of network services

Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.

Review vendor SLAs.

A.13.1.3

Segregation in networks

Groups of information services, users and information systems shall be segregated on networks.

A.13.2

Information transfer

Objective: To maintain the security of information transferred within an organization and with any external entity.

A.13.2.1

Information transfer policies and procedures

Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

Perform an annual information security policy and procedures review.

A.13.2.2

Agreements on information transfer

Agreements shall address the secure transfer of business information between the organization and external parties.

Review 3rd party contract language on an annual basis.

A.13.2.3

Electronic messaging

Information involved in electronic messaging shall be appropriately protected.

Perform an annual information security policy and procedures review.

A.13.2.4

Confidentiality or nondisclosure agreements

Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented.

Review the Legal SLA.

A.14

System acquisition, development and maintenance

A.14.1

Security requirements of information systems

Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

A.14.1.1

Information security requirements analysis and specification

The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.

Perform a review of the Release Management and Software Deployment document.

A.14.1.2

Securing application services on public networks

Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

Ensure the use of SSL/TLS is appropriate.

A.14.1.3

Protecting application services transactions

Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

Ensure the use of SSL/TLS is appropriate.

A.14.2

Security in development and support processes

Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.2.1

Secure development policy

Rules for the development of software and systems shall be established and applied to developments within the organization.

Review the Engineering SLA.

A.14.2.2

System change control procedures

Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

Review the change management process.

A.14.2.3

Technical review of applications after operating platform changes

When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

Review whether or not operating platforms changed and, if so, whether or not an application review was performed.

A.14.2.4

Restrictions on changes to software packages

Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.

Perform a review of the Release Management and Software Deployment document.

A.14.2.5

Secure system engineering principles

Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.

Review the Engineering SLA.

A.14.2.6

Secure development environment

Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

Review the Engineering SLA.

A.14.2.7

Outsourced development

The organization shall supervise and monitor the activity of outsourced system development.

Perform an annual information security policy and procedures review.

A.14.2.8

System security testing

Testing of security functionality shall be carried out during development.

Review the Engineering SLA and perform a review of the Release Management and Software Deployment document.

A.14.2.9

System acceptance testing

Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.

Perform a review of the Release Management and Software Deployment document.

A.14.3

Test data

Objective: To ensure the protection of data used for testing.

A.14.3.1

Protection of test data

Test data shall be selected carefully, protected and controlled.

A.15

Supplier relationships

A.15.1

Information security in supplier relationships

Objective: To ensure protection of the organization’s assets that is accessible by suppliers.

A.15.1.1

Information security policy for supplier relationships

Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented.

Audit all failures due to supplier security events.

A.15.1.2

Addressing security within supplier agreements

All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information.

Audit all failures due to supplier security events.

A.15.1.3

Information and communication technology supply chain

Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.

A.15.2

Supplier service delivery management

Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

A.15.2.1

Monitoring and review of supplier services

Organizations shall regularly monitor, review and audit supplier service delivery.

Supplier review results.

A.15.2.2

Managing changes to supplier services

Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

Supplier review results.

A.16

Information security incident management

A.16.1

Management of information security incidents and improvements

Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.16.1.1

Responsibilities and procedures

Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.

Perform a review of the incident response procedures.

A.16.1.2

Reporting information security events

Information security events shall be reported through appropriate management channels as quickly as possible.

Perform a review of the incident response procedures.

A.16.1.3

Reporting information security weaknesses

Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.

Perform a review of the incident response procedures.

A.16.1.4

Assessment of and decision on information security events

Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.

Perform a review of the incident response procedures.

A.16.1.5

Response to information security incidents

Information security incidents shall be responded to in accordance with the documented procedures.

Perform a review of the incident response procedures.

A.16.1.6

Learning from information security incidents

Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.

Perform a review of the incident response procedures.

A.16.1.7

Collection of evidence

The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.

Perform a review of the incident response procedures.

A.17

Information security aspects of business continuity management

A.17.1

Information security continuity

Objective: Information security continuity shall be embedded in the organization’s business continuity management systems.

A.17.1.1

Planning information security continuity

The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

Review the BCP/DR table top test results.

A.17.1.2

Implementing information security continuity

The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

Review the BCP/DR table top test results.

A.17.1.3

Verify, review and evaluate information security continuity

The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

Review the BCP/DR table top test results.

Review the master information security policy and the Engineering SLA.

Audit all failures due to supplier security events.

A.17.2

Redundancies

Objective: To ensure availability of information processing facilities.

A.17.2.1

Availability of information processing facilities

Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

A.18 A.18.1

Compliance Compliance with legal and contractual requirements

A.18.1.1

Identification of All relevant legislative statutory, regulatory, contractual requirements applicable legislation and and the organization’s approach to meet these requirements shall be contractual requirements explicitly identified, documented and kept up to date for each information system and the organization.

Review the Legal SLA.

A.18.1.2

Intellectual property rights

Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.

Perform an annual information security policy and procedures review.

A.18.1.3

Protection of records

Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.

Perform an annual information security policy and procedures review.

A.18.1.4

Privacy and protection of Privacy and protection of personally identifiable information shall be personally identifiable ensured as required in relevant legislation and regulation where information applicable.

Annual review of privacy policy and privacyrelated incidents.

A.18.1.5

Regulation of cryptographic controls

Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.

Review the Legal SLA.

A.18.2

Information security reviews

Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

A.18.2.1

Independent review of information security

The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.

Annual review of internal audit and management review findings

A.18.2.2

Compliance with security policies and standards

Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.

Annual review of internal audit and management review findings

A.18.2.3

Technical compliance review

Information systems shall be regularly reviewed for compliance with the organization’s information security policies and standards.

Annual review of internal audit and management review findings

Review any incidents related to the availability of the data centers.

A.18.1 (Compliance with legal and contractual requirements) Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

ISO 27001 Documents Last Updated: 2016-02-11

Link to mandatory/non-mandatory documents: http://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

Tracking columns that are blank for every row in this snapshot: Project Scope (Included), Due, Status, Consultant Owner, Est. Consultant Hrs, Customer Owner, Comments, Approved by, Date Last Approved, Location, Document Name, Related Documents.

Doc ID | ISO 27001 Clause | Doc Short Description | Contained In | Requirement | Doc Type | ISMS Scope
EXT-001 | N/A | ISMS Master Document | Own Doc | Optional | Description | No
ISO-001 | 4.1 | External and internal issues relevant to the company's purpose and that affect its ability to achieve the ISMS goals | Part of EXT-001 | Implied | Record | Yes
ISO-002 | 4.1 | Procedure for Identifying Interested Parties and their relevant Requirements | TBD | Implied | Procedure | Yes
ISO-003 | 4.2 | Interested Parties and their relevant Requirements | Part of EXT-001 | Implied | Record | Yes
ISO-004 | 4.3 | ISMS Scope | Part of EXT-001 | Required | Description | Yes
ISO-005 | 4.4 | Evidence of ISMS Implementation | TBD | Implied | Record | Yes
ISO-006 | 5.1 | ISMS Requirements | TBD | Implied | Description | Yes
ISO-007 | 5.2 | Information Security Policy | Own Doc | Required | Policy | Yes
ISO-008 | 6.1.1 | ISMS Risks and Opportunities | TBD | Implied | Record | Yes
ISO-009 | 6.1.1 | Action Plan to Address Risks and Opportunities | TBD | Implied | Plan | Yes
ISO-010 | 6.1.2 | Information Security Risk Assessment Methodology | TBD | Required | Process | Yes
ISO-011 | 6.1.2 | Risk Assessment Report | Own Doc | Implied | Record | Yes
ISO-012 | 6.1.2 | Risk Assessment Template | Own Doc | Optional | Form or Template | Yes
ISO-013 | 6.1.3 | Information Security Risk Treatment Methodology | Part of EXT-001 | Required | Process | Yes
ISO-014 | 6.1.3.d | Statement of Applicability | Own Doc | Required | Record | Yes
ISO-015 | 6.1.3.e | Risk Treatment Plan | Own Doc | Required | Plan | Yes
ISO-016 | 6.1.3 | Risk Treatment Report | TBD | Implied | Record | Yes
ISO-017 | 6.2 | Information Security Objectives | Part of EXT-001 | Required | Record | Yes
ISO-018 | 6.2 | Plan to Achieve Information Security Objectives | TBD | Implied | Plan | Yes
ISO-019 | 7.1 | ISMS Required Resources | Part of EXT-001 | Implied | Record | Yes
ISO-020 | 7.2.a | Description of Necessary Competence | Part of EXT-001 | Implied | Description | Yes
ISO-021 | 7.2.b 7.2.c | Competence Determination/Review Procedure | TBD | Implied | Procedure | Yes
ISO-022 | 7.2.c | Competence Achievement Plan | TBD | Implied | Plan | Yes
ISO-023 | 7.2.d | Evidence of Competence | Own Doc | Required | Record | Yes
ISO-024 | 7.3 | Security Awareness Program | Own Doc | Implied | Process | Yes
ISO-025 | 7.4 | Security Awareness Training Slide Deck | Own Doc | Optional | | No
ISO-026 | 7.4 | Communication Process | Part of EXT-001 | Implied | Process | Yes
ISO-027 | 7.5.1.b | Documented information determined by the organization as being necessary for the effectiveness of the ISMS | Part of EXT-001 | Required | Record | Yes
ISO-028 | 7.5.2 7.5.3 | Document Control Policy (including Creating and Updating Requirements and Control of Records) | TBD | Implied | Policy | Yes
ISO-029 | 7.5.2 7.5.3 | Document Control Methodology (including Creating and Updating Requirements and Control of Records) | TBD | Implied | Process | Yes
ISO-030 | 8.1 | Evidence of completion of the Plan to Achieve Information Security Objectives | TBD | Required | Record | Yes
ISO-031 | 8.1 | Determination and Control of Outsourced Processes | TBD | Implied | Policy | Yes
ISO-032 | 8.2 | Results of the Information Security Risk Assessment (Risk Assessment Report) | Part of ISO-011 | Required | Record | Yes
ISO-033 | 8.3 | Results of the Information Security Risk Treatment (Risk Treatment Report) | Part of ISO-016 | Required | Record | Yes
ISO-034 | 9.1 | Monitoring and Measurement Methodology | TBD | Implied | Procedure | Yes
ISO-035 | 9.1 | Evidence of the Monitoring and Measurement Results | TBD | Required | Record | Yes
ISO-036 | 9.1 | Analysis and Evaluation Methodology | TBD | Implied | Procedure | Yes
ISO-037 | 9.1 | Evidence of the Analysis and Evaluation Results | TBD | Implied | Record | Yes
ISO-038 | 9.2 A.12.7.1 | Internal Audit Program | Own Doc | Required | Description | Yes
ISO-039 | 9.2 | Evidence of Internal Audit Program Reviews | Part of ISO-038 | Implied | Record | Yes
ISO-040 | 9.2 | Internal Audit Procedure | Own Doc | Optional | Process | Yes
ISO-041 | 9.2 | ISMS Audit Checklist | Own Doc | Optional | Form or Template | Yes
ISO-042 | 9.2 | Evidence of Internal Audit Procedure Reviews | Part of ISO-040 | Optional | Record | Yes
ISO-043 | 9.2.g | Evidence of Internal Audit Results | Own Doc | Required | Record | Yes
ISO-044 | 9.2.g | ISMS Corrective Action Form | Own Doc | Optional | Form or Template | Yes
ISO-045 | 9.3 | Management Review of the ISMS | TBD | Implied | Process | Yes
ISO-046 | 9.3 | Form for Management Review Minutes | TBD | Optional | Form or Template | Yes
ISO-047 | 9.3 | Evidence of Management Reviews of the ISMS, and their Results | TBD | Required | Record | Yes
ISO-048 | 10.1 | Nonconformity Response and Corrective Action Procedures | TBD | Implied | Procedure | Yes
ISO-049 | 10.1.f | Evidence Regarding Nonconformities | TBD | Required | Record | Yes
ISO-050 | 10.1.g | Evidence of the Results of any Corrective Action | TBD | Required | Record | Yes
ISO-051 | 10.2 | Continual Improvement Process | TBD | Implied | Process | Yes
ISO-052 | A.5.1.1 | Set of Information Security Policies | Own Doc | Required | Policy | Yes
ISO-053 | A.5.1.2 | Evidence of Review of Information Security Policies | TBD | Required | Record | Yes
ISO-054 | A.5.1.1 | Set of Information Security Procedures | TBD | Optional | Procedure | Yes
ISO-055 | A.6.1.1 | Information Security Roles and Responsibilities (also Section 5.3) | Part of EXT-001 | Required | Record | Yes
ISO-056 | A.6.1.1 | Evidence that Information Security Responsibilities are enacted (Records) | TBD | Implied | Record | Yes
ISO-057 | A.6.1.2 | Segregation of Duties Process | TBD | Implied | Process | Yes
ISO-058 | A.6.1.3 | Authority Contacts | TBD | Required | Record | Yes
ISO-059 | A.6.1.4 | Special Interest Group Contacts | TBD | Required | Record | Yes
ISO-060 | A.6.1.5 | Information Security Process for Project Management | TBD | Implied | Process | Yes
ISO-061 | A.6.2.1 | Mobile Device Policy | Part of ISO-052 | Required | Policy | Yes
ISO-062 | A.6.2.2 | BYOD Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-063 | A.6.2.2 | Teleworking Policy | Part of ISO-052 | Required | Policy | Yes
ISO-064 | A.7.1.1 | Background Check Process | TBD | Implied | Process | Yes
ISO-065 | A.7.1.1 | Evidence of Background Checks (Records) | TBD | Implied | Record | Yes
ISO-066 | A.7.1.2 | Employment Contract Security Responsibility Stipulations | TBD | Implied | Record | Yes
ISO-067 | A.7.1.2 | Evidence of Security Responsibility Stipulations in Employment Contracts (Records) | TBD | Implied | Record | Yes
ISO-068 | A.7.2.2 | Evidence of Security Awareness Training | TBD | Implied | Record | Yes
ISO-069 | A.7.2.2 | Evidence of Communication of Information Security Policy Change(s) (Records) | TBD | Implied | Record | Yes
ISO-070 | A.7.2.3 | Disciplinary Process (including communication of it) | TBD | Required | Process | Yes
ISO-071 | A.7.2.3 | Evidence that Disciplinary Process is being communicated (Records) | TBD | Implied | Record | Yes
ISO-072 | A.7.2.3 | Evidence that Disciplinary Process is being carried out (Records) | TBD | Implied | Record | Yes
ISO-073 | A.7.3.1 | Change of Employment Procedures Regarding Information Security Responsibilities | Part of ISO-066 | Required | Procedure | Yes
ISO-074 | A.7.3.1 | Evidence that Employment Procedures for InfoSec Responsibilities are enacted (Records) | TBD | Implied | Record | Yes
ISO-075 | A.8 | Asset Management Program | Own Doc | Optional | Description | Yes
ISO-076 | A.8.1.1 A.8.1.2 | Asset Inventory including Management Ownership | Own Doc | Required | Record | Yes
ISO-077 | A.8.1.1 A.8.1.2 | Asset Inventory Review Process | Part of ISO-075 | Implied | Process | Yes
ISO-078 | A.8.1.1 A.8.1.2 | Evidence of Asset Inventory Reviews (Records) | TBD | Implied | Record | Yes
ISO-079 | A.8.1.3 | Rules for the Acceptable Use of Information and of Assets (Acceptable Use Policy) | Part of ISO-052 | Required | Policy | Yes
ISO-080 | A.8.1.3 | Evidence of Communication of Acceptable Use of Information and of Assets (Records) | TBD | Implied | Record | Yes
ISO-081 | A.8.1.4 | Asset Return Process | Part of ISO-075 | Implied | Process | Yes
ISO-082 | A.8.1.4 | Evidence of Asset Returns (Records) | TBD | Implied | Record | Yes
ISO-083 | A.8.2.1 A.8.2.2 | Information Classification Schema | TBD | Implied | Description | Yes
ISO-084 | A.8.2.1 A.8.2.2 | Information Classification and Labeling Process | TBD | Implied | Process | Yes
ISO-085 | A.8.2.1 A.8.2.2 | Evidence of Information Classification and Labeling Reviews (Records) | TBD | Implied | Record | Yes
ISO-086 | A.8.2.3 | Asset Handling Procedures | Part of ISO-075 | Required | Procedure | Yes
ISO-087 | A.8.2.3 | Evidence of Implementation of Asset Handling Procedures (Records) | TBD | Implied | Record | Yes
ISO-088 | A.8.3.1 | Management of Removable Media Policy | Part of ISO-052 | Required | Policy | Yes
ISO-089 | A.8.3.1 | Management of Removable Media Procedures | Part of ISO-054 | Implied | Procedure | Yes
ISO-090 | A.8.3.1 | Evidence that Removable Media Procedures are enacted (Records) | TBD | Implied | Record | Yes
ISO-091 | A.8.3.2 | Disposal of Media Policy | Part of ISO-052 | Required | Policy | Yes
ISO-092 | A.8.3.2 | Disposal of Media Procedures | Part of ISO-054 | Implied | Procedure | Yes
ISO-093 | A.8.3.2 | Evidence that Disposal of Media Procedures are enacted (Records) | TBD | Implied | Record | Yes
ISO-094 | A.8.3.3 | Physical Media Transfer Policy | Part of ISO-052 | Implied | Policy | Yes
ISO-095 | A.8.3.3 | Physical Media Transfer Procedures | Part of ISO-054 | Implied | Procedure | Yes
ISO-096 | A.8.3.3 | Evidence that Physical Media Transfer Procedures are enacted (Records) | TBD | Implied | Record | Yes
ISO-097 | A.9.1.1 | Access Control Policy | Part of ISO-052 | Required | Policy | Yes
ISO-098 | A.9.1.1 | Access Control Policy Review Process | TBD | Implied | Process | Yes
ISO-099 | A.9.1.1 | Evidence of Access Control Policy Reviews (Records) | TBD | Implied | Record | Yes
ISO-100 | A.9.1.2 | Network and Network Service Access Authorization Procedure | TBD | Implied | Procedure | Yes
ISO-101 | A.9.1.2 | Evidence that Network and Network Service Access Authorization Procedure is enacted (Records) | TBD | Implied | Record | Yes
ISO-102 | A.9.2.1 | User Registration and De-registration Process | TBD | Required | Process | Yes
ISO-103 | A.9.2.1 | Evidence that User Registration and De-registration Processes are enacted (Records) | TBD | Implied | Record | Yes
ISO-104 | A.9.2.2 | User Access Provisioning Process | TBD | Required | Process | Yes
ISO-105 | A.9.2.2 | Evidence that User Access Provisioning Process is enacted (Records) | TBD | Implied | Record | Yes
ISO-106 | A.9.2.3 | Privileged Access Management Process | TBD | Implied | Process | Yes
ISO-107 | A.9.2.3 | Evidence that Privileged Access Management Process is enacted (Records) | TBD | Implied | Record | Yes
ISO-108 | A.9.2.4 | Secret Authentication (e.g., Password) Policy | TBD | Implied | Policy | Yes
ISO-109 | A.9.2.4 | Secret Authentication (e.g., Password) Information Management Process | TBD | Implied | Process | Yes
ISO-110 | A.9.2.4 | Evidence that Secret Authentication Information Management Process is enacted (Records) | TBD | Implied | Record | Yes
ISO-111 | A.9.2.5 | Asset Access Review Process | TBD | Implied | Process | Yes
ISO-112 | A.9.2.5 | Evidence of Asset Access Reviews (Records) | TBD | Implied | Record | Yes
ISO-113 | A.9.2.6 | Removal or Adjustment of Access Rights Process | TBD | Implied | Process | Yes
ISO-114 | A.9.2.6 | Evidence that Removal or Adjustment of Access Rights Process is enacted (Records) | TBD | Implied | Record | Yes
ISO-115 | A.9.3.1 | Authentication Safeguarding Policy | Part of ISO-052 | Implied | Process | Yes
ISO-116 | A.9.3.1 | Authentication Safeguarding Process | TBD | Implied | Process | Yes
ISO-117 | A.9.3.1 | Evidence that Authentication Safeguarding Process is enacted | TBD | Implied | Record | Yes
ISO-118 | A.9.4.1 | Data and Application Access Authorization Procedure | Part of ISO-054 | Implied | Procedure | Yes
ISO-119 | A.9.4.1 | Data and Application Access Request and Authorization Form | TBD | Optional | Form or Template | Yes
ISO-120 | A.9.4.1 | Evidence that Data and Application Access Authorization Procedure is enacted | TBD | Implied | Record | Yes
ISO-121 | A.9.4.2 | Secure Log-on Procedure (if required by Access Control Policy) | Part of ISO-054 | Implied | Procedure | Yes
ISO-122 | A.9.4.2 | Evidence that Secure Log-on Procedure is enacted | TBD | Implied | Record | Yes
ISO-123 | A.9.4.3 | Password Management System Description | TBD | Implied | Description | Yes
ISO-124 | A.9.4.3 | Evidence that Password Management System is enacted | TBD | Implied | Record | Yes
ISO-125 | A.9.4.4 | Utility Program Policy | Part of ISO-052 | Implied | Policy | Yes
ISO-126 | A.9.4.4 | Utility Program Review Process | TBD | Implied | Process | Yes
ISO-127 | A.9.4.4 | Data and Application Access Request and Authorization Form | TBD | Optional | Form or Template | Yes
ISO-128 | A.9.4.5 | Access Control to Source Code Authorization Process | TBD | Implied | Process | Yes
ISO-129 | A.9.4.5 | Source Code Access Request and Authorization Form | TBD | Optional | Form or Template | Yes
ISO-130 | A.10.1.1 | Cryptographic Controls Policy | Part of ISO-052 | Required | Policy | Yes
ISO-131 | A.10.1.1 | Cryptographic Controls Process | TBD | Implied | Process | Yes
ISO-132 | A.10.1.1 | Evidence that Cryptographic Controls Process is enacted | TBD | Implied | Record | Yes
ISO-133 | A.10.1.2 | Key Management Policy | Part of ISO-052 | Required | Policy | Yes
ISO-134 | A.10.1.2 | Key Management Process | TBD | Implied | Process | Yes
ISO-135 | A.10.1.2 | Evidence that Key Management Process is enacted | TBD | Implied | Record | Yes
ISO-136 | A.11.1.1 | Physical Security Perimeters Definition | TBD | Implied | Description | Yes
ISO-137 | A.11.1.1 | Evidence of Physical Security Perimeters Definition Reviews | TBD | Implied | Record | Yes
ISO-138 | A.11.1.2 | Physical Entry Controls | TBD | Implied | Description | Yes
ISO-139 | A.11.1.2 | Evidence of Physical Entry Controls Reviews | TBD | Implied | Record | Yes
ISO-140 | A.11.1.3 | Physical Security Design | TBD | Implied | Description | Yes
ISO-141 | A.11.1.3 | Evidence of Physical Security Design Reviews | TBD | Implied | Record | Yes
ISO-142 | A.11.1.4 | Design for Protection Against External and Environmental Threats | TBD | Implied | Description | Yes
ISO-143 | A.11.1.4 | Evidence of Design for Protection Against External and Environmental Threats Reviews | TBD | Implied | Record | Yes
ISO-144 | A.11.1.5 | Procedures for Working in Secured Areas | TBD | Required | Procedure | Yes
ISO-145 | A.11.1.5 | Evidence of Reviews of Procedures for Working in Secured Areas | TBD | Implied | Record | Yes
ISO-146 | A.11.1.6 | Physical Access Point Security Designs | TBD | Implied | Description | Yes
ISO-147 | A.11.1.6 | Evidence of Reviews of Physical Access Point Security Designs | TBD | Implied | Record | Yes
ISO-148 | A.11.2.1 | Equipment Siting and Protection Design | TBD | Implied | Description | Yes
ISO-149 | A.11.2.1 | Evidence of Equipment Siting and Protection Design Reviews | TBD | Implied | Record | Yes
ISO-150 | A.11.2.2 | Design for Protection Against Utility Failures | TBD | Implied | Description | Yes
ISO-151 | A.11.2.2 | Evidence of Design for Protection Against Utility Failures Reviews | TBD | Implied | Record | Yes
ISO-152 | A.11.2.3 | Cabling Protection Design | TBD | Implied | Description | Yes
ISO-153 | A.11.2.3 | Evidence of Cabling Protection Design Reviews | TBD | Implied | Record | Yes
ISO-154 | A.11.2.4 | Equipment Maintenance Process | TBD | Implied | Process | Yes
ISO-155 | A.11.2.4 | Evidence of Equipment Maintenance Process Reviews | TBD | Implied | Record | Yes
ISO-156 | A.11.2.4 | Evidence that Equipment Maintenance Process is enacted | TBD | Implied | Record | Yes
ISO-157 | A.11.2.5 | Removal of Asset Authorization Process | Part of ISO-075 | Implied | Process | Yes
ISO-158 | A.11.2.5 | Evidence of Removal of Asset Authorization Process Reviews | TBD | Implied | Record | Yes
ISO-159 | A.11.2.5 | Removal of Asset Authorization Form | TBD | Optional | Form or Template | Yes
ISO-160 | A.11.2.6 | Offsite Asset Security Process | TBD | Implied | Process | Yes
ISO-161 | A.11.2.6 | Evidence of Offsite Asset Security Process Reviews | TBD | Implied | Record | Yes
ISO-162 | A.11.2.7 | Secure Media Disposal and Re-use Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-163 | A.11.2.7 | Evidence of Secure Media Disposal and Re-use Policy Reviews | TBD | Optional | Record | Yes
ISO-164 | A.11.2.7 | Secure Media Disposal and Re-use Process | TBD | Implied | Process | Yes
ISO-165 | A.11.2.7 | Evidence of Secure Media Disposal and Re-use Process Reviews | TBD | Implied | Record | Yes
ISO-166 | A.11.2.8 | Protection of Unattended Equipment Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-167 | A.11.2.8 | Evidence of Protection of Unattended Equipment Policy Reviews | TBD | Optional | Record | Yes
ISO-168 | A.11.2.8 | Protection of Unattended Equipment Process | TBD | Implied | Process | Yes
ISO-169 | A.11.2.8 | Evidence of Protection of Unattended Equipment Process Reviews | TBD | Implied | Record | Yes
ISO-170 | A.11.2.9 | Clear Desk Policy | Part of ISO-052 | Required | Policy | Yes
ISO-171 | A.11.2.9 | Evidence of Clear Desk Policy Reviews | TBD | Implied | Record | Yes
ISO-172 | A.11.2.9 | Clear Screen Policy | Part of ISO-052 | Required | Policy | Yes
ISO-173 | A.11.2.9 | Evidence of Clear Screen Policy Reviews | TBD | Implied | Record | Yes
ISO-174 | A.12.1.1 | Operating Procedures | TBD | Required | Procedure | Yes
ISO-175 | A.12.1.1 | Evidence of Operating Procedures Reviews | TBD | Implied | Record | Yes
ISO-176 | 8.1 A.12.1.2 A.14.2.2 A.14.2.3 A.14.2.4 | Change Management Policy | Part of ISO-052 | Implied | Record | Yes
ISO-177 | 8.1 A.12.1.2 A.14.2.2 A.14.2.3 A.14.2.4 | Evidence of Change Management Policy Reviews | TBD | Implied | Process | Yes
ISO-178 | 8.1 A.12.1.2 A.14.2.2 A.14.2.3 A.14.2.4 | Change Management Process | TBD | Implied | Process | Yes
ISO-179 | 8.1 A.12.1.2 A.14.2.2 A.14.2.3 A.14.2.4 | Evidence of Change Management Process Reviews | TBD | Implied | Process | Yes
ISO-180 | A.12.1.3 | Capacity Management Process | TBD | Implied | Process | Yes
ISO-181 | A.12.1.3 | Evidence of Capacity Management Process Reviews | TBD | Implied | Record | Yes
ISO-182 | A.12.1.3 | Capacity Management Plans/Reports | TBD | Implied | Plan | Yes
ISO-183 | A.12.1.4 | Separation of Environments Policy | Part of ISO-052 | Implied | Policy | Yes
ISO-184 | A.12.1.4 | Evidence of Separation of Environments Policy Reviews | TBD | Implied | Record | Yes
ISO-185 | A.12.1.4 | Separation of Environments Design | TBD | Implied | Description | Yes
ISO-186 | A.12.1.4 | Evidence of Separation of Environments Design Reviews | TBD | Implied | Record | Yes
ISO-187 | A.12.2.1 | Malware Protection Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-188 | A.12.2.1 | Evidence of Malware Protection Policy Reviews | TBD | Implied | Record | Yes
ISO-189 | A.12.2.1 | Malware Protection Design | TBD | Implied | Description | Yes
ISO-190 | A.12.2.1 | Evidence of Malware Protection Design Reviews | TBD | Implied | Record | Yes
ISO-191 | A.12.3.1 | Data Backup and Recovery Policy | Part of ISO-052 | Required | Policy | Yes
ISO-192 | A.12.3.1 | Evidence of Data Backup and Recovery Policy Reviews | TBD | Implied | Record | Yes
ISO-193 | A.12.3.1 | Data Backup and Recovery Procedures | TBD | Implied | Procedure | Yes
ISO-194 | A.12.3.1 | Evidence of Data Backup and Recovery Procedures Reviews | TBD | Implied | Record | Yes
ISO-195 | A.12.3.1 | Data Backup and Recovery Test Process | TBD | Implied | Process | Yes
ISO-196 | A.12.3.1 | Evidence of Data Backup and Recovery Test Process Reviews | TBD | Implied | Record | Yes
ISO-197 | A.12.4.1 | Event Logging Design | TBD | Implied | Description | Yes
ISO-198 | A.12.4.1 | Evidence of Event Logging Design Reviews | TBD | Implied | Record | Yes
ISO-199 | A.12.4.1 | Event Log Reviews | TBD | Required | Record | Yes
ISO-200 | A.12.4.2 | Design for Protection of Log Information | TBD | Implied | Description | Yes
ISO-201 | A.12.4.2 | Evidence of Reviews of Design for Protection of Log Information | TBD | Implied | Record | Yes
ISO-202 | A.12.4.3 | Operator Logging Design | TBD | Implied | Description | Yes
ISO-203 | A.12.4.3 | Evidence of Operator Logging Design Reviews | TBD | Implied | Record | Yes
ISO-204 | A.12.4.3 | Operator Log Review Process | TBD | Implied | Process | Yes
ISO-205 | A.12.4.3 | Evidence of Operator Log Reviews | TBD | Required | Record | Yes
ISO-206 | A.12.4.4 | Clock Synchronization Design | TBD | Implied | Description | Yes
ISO-207 | A.12.4.4 | Evidence of Clock Synchronization Reviews | TBD | Implied | Record | Yes
ISO-208 | A.12.5.1 A.12.6.2 | Software Installation Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-209 | A.12.5.1 A.12.6.2 | Evidence of Software Installation Policy Reviews | TBD | Optional | Record | Yes
ISO-210 | A.12.5.1 A.12.6.2 | Software Installation Control Procedures | TBD | Implied | Procedure | Yes
ISO-211 | A.12.5.1 A.12.6.2 | Evidence of Software Installation Control Procedures Reviews | TBD | Implied | Record | Yes
ISO-212 | A.12.6.1 | Vulnerability Management Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-213 | A.12.6.1 | Evidence of Vulnerability Management Policy Reviews | TBD | Optional | Record | Yes
ISO-214 | A.12.6.1 | Vulnerability Management Process | TBD | Implied | Process | Yes
ISO-215 | A.12.6.1 | Evidence that Vulnerability Management Process is enacted | TBD | Implied | Record | Yes
ISO-216 | A.12.7.1 | External Audit Activity Planning Process | TBD | Implied | Plan | Yes
ISO-217 | A.12.7.1 | Evidence that External Audit Activity Planning Process is enacted | TBD | Implied | Record | Yes
ISO-218 | A.12.7.1 | External Audit Activity Report | TBD | Optional | Record | Yes
EXT-002 | N/A | Network Security Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-220 | A.13.1.1 | Design of Network Controls | TBD | Implied | Description | Yes
ISO-221 | A.13.1.1 | Evidence of Design of Network Controls Reviews | TBD | Implied | Record | Yes
ISO-222 | A.13.1.2 | Design of Controls for Network Services | TBD | Implied | Description | Yes
ISO-223 | A.13.1.2 | Evidence of Design of Controls for Network Services Reviews | TBD | Implied | Record | Yes
ISO-224 | A.13.1.3 | Design of Network Segregation | TBD | Implied | Description | Yes
ISO-225 | A.13.1.3 | Evidence of Design of Network Segregation Reviews | TBD | Implied | Record | Yes
ISO-226 | A.13.2.1 | Information Transfer Policies | Part of ISO-052 | Required | Policy | Yes
ISO-227 | A.13.2.1 | Evidence of Information Transfer Policies Reviews | TBD | Implied | Record | Yes
ISO-228 | A.13.2.1 | Information Transfer Procedures | TBD | Required | Procedure | Yes
ISO-229 | A.13.2.1 | Evidence of Information Transfer Procedures Reviews | TBD | Implied | Record | Yes
ISO-230 | A.13.2.1 | Information Transfer Control Design | TBD | Implied | Description | Yes
ISO-231 | A.13.2.1 | Evidence of Information Transfer Control Design Reviews | TBD | Implied | Record | Yes
ISO-232 | A.13.2.2 | Information Transfer Agreement Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-233 | A.13.2.2 | Evidence of Information Transfer Agreement Policy Reviews | TBD | Optional | Record | Yes
ISO-234 | A.13.2.2 | Information Transfer Agreement Template | TBD | Optional | Form or Template | Yes
ISO-235 | A.13.2.2 | Evidence of Information Transfer Agreements | TBD | Implied | Record | Yes
ISO-236 | A.13.2.3 | Secure Electronic Messaging Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-237 | A.13.2.3 | Evidence of Secure Electronic Messaging Policy Reviews | TBD | Optional | Record | Yes
ISO-238 | A.13.2.3 | Secure Electronic Messaging Procedure | TBD | Implied | Procedure | Yes
ISO-239 | A.13.2.3 | Evidence of Secure Electronic Messaging Procedure Reviews | TBD | Implied | Record | Yes
ISO-240 | A.13.2.4 | Confidentiality and NDA Requirements Design | TBD | Required | Description | Yes
ISO-241 | A.13.2.4 | Evidence of Confidentiality and NDA Requirements Design Reviews | TBD | Implied | Record | Yes
ISO-242 | A.14.1.1 | Security in New or Modified Systems Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-243 | A.14.1.1 | Evidence of Security in New or Modified Systems Policy Reviews | TBD | Optional | Record | Yes
ISO-244 | A.14.1.1 A.14.2.5 | Security in New or Modified Systems Process | TBD | Implied | Process | Yes
ISO-245 | A.14.1.1 A.14.2.5 | Evidence of Security in New or Modified Systems Process Reviews | TBD | Implied | Record | Yes
ISO-246 | A.14.1.2 | Protection of Applications on Public Networks Design | TBD | Implied | Description | Yes
ISO-247 | A.14.1.2 | Evidence of Protection of Applications on Public Networks Design Reviews | TBD | Implied | Record | Yes
ISO-248 | A.14.1.3 | Application Service Transaction Protection Design | TBD | Implied | Description | Yes
ISO-249 | A.14.1.3 | Evidence of Application Service Transaction Protection Design Reviews | TBD | Implied | Record | Yes
ISO-250 | A.14.2.1 A.14.2.6 A.14.2.7 A.14.2.8 A.14.2.9 | Secure SDLC Policy | Part of ISO-052 | Required | Policy | Yes
ISO-251 | A.14.2.1 A.14.2.6 A.14.2.7 A.14.2.8 A.14.2.9 | Evidence of Secure SDLC Policy Reviews | TBD | Implied | Record | Yes
ISO-252 | A.14.2.1 A.14.2.6 A.14.2.7 A.14.2.8 A.14.2.9 | Secure SDLC Process | TBD | Implied | Process | Yes
ISO-253 | A.14.2.1 A.14.2.6 A.14.2.7 A.14.2.8 A.14.2.9 | Evidence of Secure SDLC Process Reviews | TBD | Implied | Record | Yes
ISO-254 | A.14.3.1 | Protection of Test Data Process | TBD | Implied | Process | Yes
ISO-255 | A.14.3.1 | Evidence of Protection of Test Data Process Reviews | TBD | Implied | Record | Yes
ISO-256 | A.15.1.1 A.15.1.2 | Supplier Security Policy | Part of ISO-052 | Required | Policy | Yes
ISO-257 | A.15.1.1 A.15.1.2 | Evidence of Supplier Security Policy Reviews | TBD | Implied | Record | Yes
ISO-258 | A.15.1.2 | Supplier Security Template | TBD | Optional | Form or Template | Yes
ISO-259 | A.15.1.2 | Evidence of Information Security in Supplier Agreements | TBD | Implied | Record | Yes
ISO-260 | A.15.1.3 | Information Security for IT Service Providers Policy | Part of ISO-052 | Implied | Policy | Yes
ISO-261 | A.15.1.3 | Evidence of Information Security for IT Service Providers Policy Reviews | TBD | Implied | Record | Yes
ISO-262 | A.15.1.3 | Information Security for IT Service Providers Template | TBD | Optional | Form or Template | Yes
ISO-263 | A.15.2.1 A.15.2.2 | Supplier Services Management Process | TBD | Implied | Process | Yes
ISO-264 | A.15.2.1 A.15.2.2 | Evidence of Supplier Services Management Process Reviews | TBD | Implied | Record | Yes
ISO-265 | A.15.2.1 A.15.2.2 | Evidence of Supplier Services Management Reviews | TBD | Implied | Record | Yes
ISO-266 | A.15.2.1 A.15.2.2 | Supplier Services Review Template | TBD | Optional | Form or Template | Yes
ISO-267 | A.16 | Incident Management Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-268 | A.16 | Evidence of Incident Management Policy Reviews | TBD | Optional | Record | Yes
ISO-269 | A.16.1.1 | Incident Management Roles and Responsibilities | TBD | Implied | Description | Yes
ISO-270 | A.16.1.1 | Evidence of Incident Management Roles and Responsibilities Reviews | TBD | Implied | Record | Yes
ISO-271 | A.16.1.1 | Incident Management Procedures | TBD | Implied | Procedure | Yes
ISO-272 | A.16.1.1 | Evidence of Incident Management Procedures Reviews | TBD | Implied | Record | Yes
ISO-273 | A.16.1.2 | Incident Report Template | TBD | Optional | Form or Template | Yes
ISO-274 | A.16.1.2 | Evidence of Incident Reports | TBD | Optional | Record | Yes
ISO-275 | A.16.1.3 | Security Weakness Reporting Process | TBD | Implied | Process | Yes
ISO-276 | A.16.1.3 | Evidence of Security Weakness Reporting Process Reviews | TBD | Implied | Record | Yes
ISO-277 | A.16.1.3 | Security Weakness Report Template | TBD | Optional | Form or Template | Yes
ISO-278 | A.16.1.4 | Incident Assessment Process | TBD | Implied | Process | Yes
ISO-279 | A.16.1.5 | Evidence of Incident Assessment Process Reviews | TBD | Implied | Record | Yes
ISO-280 | A.16.1.6 | Incident Response Process | TBD | Implied | Process | Yes
ISO-281 | A.16.1.6 | Evidence of Incident Response Process Reviews | TBD | Implied | Record | Yes
ISO-282 | A.16.1.6 | Evidence of Incident Response | TBD | Implied | Record | Yes
ISO-283 | A.16.1.7 | Evidence Collection Procedures | TBD | Implied | Procedure | Yes
ISO-284 | A.16.1.7 | Evidence of Evidence Collection Procedures Reviews | TBD | Implied | Record | Yes
ISO-285 | A.16.1.7 | Evidence Collection Template | TBD | Optional | Form or Template | Yes
ISO-286 | A.17 | Business Continuity Management Policy | Part of ISO-052 | Optional | Policy | Yes
ISO-287 | A.17 | Evidence of Business Continuity Management Policy Reviews | TBD | Optional | Record | Yes
ISO-288 | A.17 | Business Continuity Strategy | TBD | Optional | Description | Yes
ISO-289 | A.17 | Evidence of Business Continuity Strategy Reviews | TBD | Optional | Record | Yes
EXT-003 | N/A | Supplier Security Checklist | Own Doc | Optional | Form or Template | No
ISO-291 | A.17 | Business Continuity Plan | TBD | Optional | Plan | Yes
ISO-292 | A.17 | Evidence of Business Continuity Plan Reviews | TBD | Optional | Record | Yes
ISO-293 | A.17 | Business Continuity Management System Maintenance and Review Plan | TBD | Optional | Plan | Yes
ISO-294 | A.17 | Evidence of Business Continuity Management System Maintenance and Review Plan Reviews | TBD | Optional | Record | Yes
ISO-295 | A.17.1.1 | Business Continuity Requirements | TBD | Implied | Description | Yes
ISO-296 | A.17.1.1 | Evidence of Business Continuity Requirements Reviews | TBD | Implied | Record | Yes
ISO-297 | A.17.1.1 | Business Impact Analysis | TBD | Implied | Description | Yes
ISO-298 | A.17.1.1 | Business Impact Analysis Template | TBD | Optional | Form or Template | Yes
ISO-299 | A.17.1.1 | Business Impact Analysis Questionnaire(s) | TBD | Optional | Form or Template | Yes
ISO-300 | A.17.1.2 | Business Continuity Process | TBD | Required | Process | Yes
ISO-301 | A.17.1.2 | Evidence of Business Continuity Process Reviews | TBD | Implied | Record | Yes
ISO-302 | A.17.1.2 | Business Continuity Procedures | TBD | Required | Procedure | Yes
ISO-303 | A.17.1.2 | Evidence of Business Continuity Procedures Reviews | TBD | Implied | Record | Yes
ISO-304 | A.17.1.2 | Business Continuity Controls | TBD | Required | Description | Yes
ISO-305 | A.17.1.2 A.17.1.3 | Evidence of Business Continuity Controls Reviews | TBD | Implied | Record | Yes
ISO-306 | A.17.1.3 | Business Continuity Exercising and Testing Plan | TBD | Optional | Plan | Yes
ISO-307 | A.17.1.3 | Evidence of Business Continuity Exercising and Testing Plan Reviews | TBD | Optional | Record | Yes
ISO-308 | A.17.1.3 | Business Continuity Exercises and Tests | TBD | Implied | Record | Yes
ISO-309 | A.17.1.3 | Business Continuity Post-Incident Review Form | TBD | Optional | Form or Template | Yes
ISO-310 | A.17 | Disaster Recovery Plan | TBD | Optional | Plan | Yes
ISO-311 | A.17 | Evidence of Disaster Recovery Plan Reviews | TBD | Optional | Record | Yes
ISO-312 | A.17.1.1 | Disaster Recovery Requirements | TBD | Optional | Description | Yes
ISO-313 | A.17.1.1 | Evidence of Disaster Recovery Requirements Reviews | TBD | Optional | Record | Yes
ISO-314 | A.17.1.2 | Disaster Recovery Process | TBD | Optional | Process | Yes
ISO-315 | A.17.1.2 | Evidence of Disaster Recovery Process Reviews | TBD | Optional | Record | Yes
ISO-316 | A.17.1.2 | Disaster Recovery Procedures | TBD | Optional | Procedure | Yes
ISO-317 | A.17.1.2 | Evidence of Disaster Recovery Procedures Reviews | TBD | Optional | Record | Yes
ISO-318 | A.17.1.2 | Disaster Recovery Controls | TBD | Optional | Description | Yes
ISO-319 | A.17.1.2 A.17.1.3 | Evidence of Disaster Recovery Controls Reviews | TBD | Optional | Record | Yes
ISO-320 | A.17.1.3 | Disaster Recovery Exercises and Tests | TBD | Optional | Record | Yes
ISO-321 | A.17.1.3 | Disaster Recovery Post-Incident Review Form | TBD | Optional | Form or Template | Yes
ISO-322 | A.17.2.1 | Redundancy Requirements | TBD | Implied | Description | Yes
ISO-323 | A.17.2.1 | Evidence of Redundancy Requirements Reviews | TBD | Implied | Record | Yes
ISO-324 | A.18.1.1 | Legal, Regulatory and Contractual Requirements | TBD | Required | Description | Yes
ISO-325 | A.18.1.1 | Evidence of Legal, Regulatory and Contractual Requirements Reviews | TBD | Required | Record | Yes
ISO-326 | A.18.1.2 | Intellectual Property Compliance Procedure | TBD | Implied | Procedure | Yes
ISO-327 | A.18.1.2 | Evidence of Intellectual Property Compliance Procedure Reviews | TBD | Implied | Record | Yes
ISO-328 | A.18.1.3 | Record Protection | TBD | Implied | Description | Yes
ISO-329 | A.18.1.3 | Evidence of Record Protection Reviews | TBD | Implied | Record | Yes
ISO-330 | A.18.1.4 | Privacy and Protection of PII | TBD | Implied | Description | Yes
ISO-331 | A.18.1.4 | Evidence of Privacy and Protection of PII Reviews | TBD | Implied | Record | Yes
ISO-332 | A.18.1.5 | Regulation of Cryptographic Controls | TBD | Implied | Description | Yes
ISO-333 | A.18.1.5 | Evidence of Regulation of Cryptographic Controls Reviews | TBD | Implied | Record | Yes
ISO-334 | A.18.2.1 | External Audit Plan | Part of ISO-038 | Implied | Procedure | Yes
ISO-335 | A.18.2.1 | Evidence of External Audit Plan Reviews | TBD | Implied | Record | Yes
ISO-336 | A.18.2.1 | Evidence of External Audits | TBD | Implied | Record | Yes
ISO-337 | A.18.2.2 | Management Compliance Review Process | TBD | Implied | Process | Yes
ISO-338 | A.18.2.2 | Evidence of Management Compliance Review Process Reviews | TBD | Implied | Record | Yes
ISO-339 | A.18.2.2 | Evidence of Management Compliance Reviews | TBD | Implied | Record | Yes
ISO-340 | A.18.2.3 | Technical Compliance Review Process | TBD | Implied | Process | Yes
ISO-341 | A.18.2.3 | Evidence of Technical Compliance Review Process Reviews | TBD | Implied | Record | Yes
ISO-342 | A.18.2.3 | Evidence of Technical Compliance Reviews | TBD | Implied | Record | Yes
EXT-004 | N/A | CSWG Program | Own Doc | Optional | Description | No
EXT-005 | N/A | Information Security Risk Council Program | Own Doc | Optional | Description | No
EXT-006 | N/A | Security Integration Plan | TBD | Optional | Plan | No
EXT-007 | N/A | Security Integration Questionnaire | TBD | Optional | Form or Template | No
EXT-008 | N/A | HR Employee Change Procedure | Own Doc | Optional | Procedure | No
EXT-009 | N/A | Data Governance Policy | Own Doc | Optional | Policy | No
EXT-009 | N/A | Security Review Checklist | Part of ISO-054 | Optional | Form or Template | No
EXT-009 | N/A | Multi-Factor Authentication Procedure | Own Doc | Optional | Procedure | No

Totals

Total documents: 350 (Required 54, Implied 221, Optional 75). Unique Docs: 23. Total Included: 0.

Documents by Doc Type: Policy 36, Process 51, Procedure 28, Plan 11, Description 42, Form or Template 22, Record 159.

Status rollup, ISO 27001 Documents (rows: Policy, Process, Procedure, Plan, Description, Form or Template, Record, Total; columns: Implemented, Approved, Written, In Progress, Waiting, Phase 2, Unknown, Skipped, Total): every count is 0 in this snapshot, and the % row shows #DIV/0! because no document has a status entered yet.

Status rollup, ISO 27001 Documents Phase 1 (same rows; columns: Implemented, Approved, Written, In Progress, Total): every count is 0, and the % row shows #DIV/0! for the same reason.

