iso27001 checklist

Upload: chhanda-mishra

Post on 24-Oct-2014

Page 1: ISO27001 Checklist

ISO27001 Audit Checklist

Paladion Networks


ABOUT THIS DOCUMENT

This document contains the questions to be asked in a process audit. The controls selected here are primarily from ISO27001 and Internal best practices.

VERSION CONTROL

Version Author Approved By

1.0 Shaheem Motlekar Vinod Vasudevan

2.0 Abhishek Kumar Firosh Ummer

Confidentiality Agreement: This document is to be used for internal purpose of Paladion Networks only.


ISO27001 AUDIT QUESTIONNAIRE

# Questions Significance Evidence

4 Information Security Management System

4.1 General Requirements

The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the organization’s overall business activities and the risks they face. For the purposes of this International Standard the process used is based on the PDCA model

High

1) Has the organization established, implemented, and is it operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business activities and the risks it faces?

4.2 Establishing and managing the ISMS

4.2.1 Establish the ISMS

4.2.1 a) Define the scope and boundaries of the ISMS in terms of the characteristics of the business, the organization, its location, assets, technology, and including details of and justification for any exclusions from the scope

High Scope document

1) Are the scope and boundaries of the ISMS defined and documented?

2) Does the scope take into consideration the characteristics of the business, the organization, its location, assets and technology, including details of and justification for any exclusions from the scope?

4.2.1 b) Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and technology that:

1) includes a framework for setting objectives and establishes an overall sense of direction and principles for action with regard to information security;

2) takes into account business and legal or regulatory requirements, and contractual security obligations;

3) aligns with the organization’s strategic risk management context in which the establishment and maintenance of the ISMS will take place;

4) establishes criteria against which risk will be evaluated;

5) has been approved by management.

High ISMS policy document

1) Is the ISMS policy documented and approved by the management?

2) Does the ISMS policy include the following:

- a framework for setting objectives and an overall sense of direction and principles for action with regard to information security

- business and legal or regulatory requirements, and contractual security obligations

- organization’s strategic risk management context in which the establishment and maintenance of the ISMS will take place

- criteria against which risk will be evaluated

4.2.1 c) Define the risk assessment approach of the organization.

1) Identify a risk assessment methodology that is suited to the ISMS, and the identified business information security, legal and regulatory requirements.

2) Develop criteria for accepting risks and identify the acceptable levels of risk.

High Risk assessment methodology document


The risk assessment methodology selected shall ensure that risk assessments produce comparable and reproducible results.

1) Is the risk assessment approach of the organization defined and documented?

2) Are the criteria for accepting risks and identifying the acceptable levels of risk documented?

4.2.1 d) Identify the risks.

1) Identify the assets within the scope of the ISMS, and the owners of these assets.

2) Identify the threats to those assets.

3) Identify the vulnerabilities that might be exploited by the threats.

4) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.

High Risk assessment report

1) Is a risk assessment conducted to identify the risks for the scope of the ISMS?

2) Are all the assets within the scope of the ISMS identified along with their owner?

3) Are threats and vulnerabilities for all the assets identified?

4) Is the impact that losses of confidentiality, integrity and availability may have on the assets identified?

4.2.1 e) Analyse and evaluate the risks.

1) Assess the business impact upon the organization that might result from a security failure, taking into account the consequences of a loss of confidentiality, integrity or availability of the assets.

High Risk assessment report


2) Assess the realistic likelihood of such a security failure occurring in the light of prevailing threats and vulnerabilities, and impacts associated with these assets, and the controls currently implemented.

3) Estimate the levels of risks.

4) Determine whether the risk is acceptable or requires treatment using the risk acceptance criteria established in 4.2.1c)2).

1) Is the business impact upon the organization that might result from a security failure assessed?

2) Is the realistic likelihood of a security failure occurring in the light of prevailing threats and vulnerabilities and the controls currently implemented assessed?

3) For all risks is it decided whether the risk is acceptable or requires treatment?

4.2.1 f) Identify and evaluate options for the treatment of risks.

Possible actions include:

1) applying appropriate controls;

2) knowingly and objectively accepting risks, providing they clearly satisfy the organization’s policies and the criteria for risk acceptance (see 4.2.1c)2));

3) avoiding risks; and

4) transferring the associated business risks to other parties, e.g. insurers, suppliers.

Risk treatment plan

1) Are options for the treatment of risks identified and evaluated?

2) Are there risks that are accepted, avoided or transferred? Is this done while satisfying the organization’s policies and the criteria for risk acceptance?

4.2.1 g) Select control objectives and controls for the treatment of risks.

Control objectives and controls shall be selected and implemented to meet the requirements identified by the risk assessment and risk treatment process. This selection shall take account of the criteria for accepting risks (see 4.2.1c)) as well as legal, regulatory and contractual requirements.

The control objectives and controls from Annex A shall be selected as part of this process as suitable to cover these requirements. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may also be selected.

Statement of applicability

1) Are control objectives and controls for the treatment of risks identified and implemented?

2) Is any control implemented which is not suggested by ISO 27001 standard Annex A?

4.2.1 h) Obtain management approval of the proposed residual risks.

Management approval for residual risks

1) Is management approval of the proposed residual risks obtained?

4.2.1 i) Obtain management authorization to implement and operate the ISMS.

Management approval for implementing & operating ISMS

1) Is management authorization to implement and operate the ISMS obtained?

4.2.1 j) Prepare a Statement of Applicability.

A Statement of Applicability shall be prepared that includes the following:

1) the control objectives and controls, selected in 4.2.1g) and the reasons for their selection;

2) the control objectives and controls currently implemented (see 4.2.1e)2)); and

3) the exclusion of any control objectives and controls in Annex A and the justification for their exclusion.

Statement of Applicability

1) Is the Statement of Applicability documented?

2) Are the reasons for selection and exclusion of control objectives and controls included in the Statement of Applicability?

4.2.2 Implement and operate the ISMS

4.2.2 a) Formulate a risk treatment plan that identifies the appropriate management action, resources, responsibilities and priorities for managing information security risks (see 5).

High Risk treatment plan

1) Is a risk treatment plan formulated that identifies the appropriate management action, resources, responsibilities and priorities for managing information security risks?

4.2.2 b) Implement the risk treatment plan in order to achieve the identified control objectives, which includes consideration of funding and allocation of roles and responsibilities.

High

1) Is the risk treatment plan implemented?

2) Are funds allocated for risk treatment activities?

3) Are roles and responsibilities defined for risk treatment activities?

4.2.2 c) Implement controls selected in 4.2.1g) to meet the control objectives.

High


1) Are all controls identified during risk treatment phase implemented?

4.2.2 d) Define how to measure the effectiveness of the selected controls or groups of controls and specify how these measurements are to be used to assess control effectiveness to produce comparable and reproducible results (see 4.2.3c)).

High

Metrics & effectiveness measurement methodology

Effectiveness measurement report

1) Is the effectiveness of the selected controls or groups of controls measured?

4.2.2 e) Implement training and awareness programmes (see 5.2.2). High

Training plan

Training material

Training records

1) Are training and awareness programmes implemented?

4.2.2 f) Manage operations of the ISMS. High

1) Are all the operations within ISMS managed?

4.2.2 g) Manage resources for the ISMS (see 5.2). High

1) Are all the resources required for functioning of ISMS managed?

4.2.2 h) Implement procedures and other controls capable of enabling prompt detection of and response to security incidents (see 4.2.3).

High

Incident management policy & procedures

Incident management records

1) Are procedures and other controls capable of enabling prompt detection of and response to security incidents implemented?

4.2.3 Monitor and review the ISMS

4.2.3 a) Execute monitoring and review procedures and other controls to:

1) promptly detect errors in the results of processing;

2) promptly identify attempted and successful security breaches and incidents;

3) enable management to determine whether the security activities delegated to people or implemented by information technology are performing as expected;

4) help detect security events and thereby prevent security incidents by the use of indicators; and

5) determine whether the actions taken to resolve a breach of security were effective.

High Monitoring policy & procedures

Monitoring records

1) Are monitoring and review procedures implemented to:

- promptly detect errors in the results of processing

- promptly identify attempted and successful security breaches and incidents

- enable management to determine whether the security activities delegated to people or implemented by information technology are performing as expected

- help detect security events and thereby prevent security incidents by the use of indicators

- determine whether the actions taken to resolve a breach of security were effective

4.2.3 b) Undertake regular reviews of the effectiveness of the ISMS (including meeting ISMS policy and objectives, and review of security controls) taking into account results of security audits, incidents, effectiveness measurements, suggestions and feedback from all interested parties.

High Minutes of meetings

1) Is the effectiveness of the ISMS regularly reviewed taking into account results of security audits, incidents, effectiveness measurements, suggestions and feedback from all interested parties?

4.2.3 c) Measure the effectiveness of controls to verify that security requirements have been met.

High Metrics/ Effectiveness measurement report

1) Is control effectiveness measured to ensure that security requirements have been met?

4.2.3 d) Review risk assessments at planned intervals and review the level of residual risk and identified acceptable risk, taking into account changes to:

1) the organization;

2) technology;

3) business objectives and processes;

4) identified threats;

5) effectiveness of the implemented controls; and

6) external events, such as changes to the legal or regulatory environment, changed contractual obligations, and changes in social climate.

High Risk assessment report

1) Are risk assessments reviewed at planned intervals, including the level of residual risk and identified acceptable risk?

4.2.3 e) Conduct internal ISMS audits at planned intervals. High ISMS audit report

1) Are internal ISMS audits conducted at planned intervals?

4.2.3 f) Undertake a management review of the ISMS on a regular basis to ensure that the scope remains adequate and improvements in the ISMS process are identified (see 7.1).

High

Review report

Minutes of meetings

1) Is management review of the ISMS carried out on a regular basis to ensure that the scope remains adequate and improvements in the ISMS process are identified?

4.2.3 g) Update security plans to take into account the findings of monitoring and reviewing activities.

High

1) Are security plans updated taking into account the findings of monitoring and reviewing activities?

4.2.3 h) Record actions and events that could have an impact on the effectiveness or performance of the ISMS (see 4.3.3).

High

1) Are actions and events that could have an impact on the effectiveness or performance of the ISMS recorded?

4.2.4 Maintain and improve the ISMS

4.2.4 a) Implement the identified improvements in the ISMS. High

1) Are identified improvements in the ISMS implemented?

4.2.4 b) Take appropriate corrective and preventive actions in accordance with 8.2 and 8.3. Apply the lessons learnt from the security experiences of other organizations and those of the organization itself.

High Incident management records

1) Are appropriate corrective and preventive actions implemented in response to security events?

4.2.4 c) Communicate the actions and improvements to all interested parties with a level of detail appropriate to the circumstances and, as relevant, agree on how to proceed.

High

1) Are the actions and improvements communicated to all interested parties?

4.2.4 d) Ensure that the improvements achieve their intended objectives. High

1) Do improvements achieve their intended objectives? How is it assessed?

4.3 Documentation requirements

4.3.1 General

Documentation shall include records of management decisions, ensure that actions are traceable to management decisions and policies, and the recorded results are reproducible.

It is important to be able to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives.

The ISMS documentation shall include:

a) documented statements of the ISMS policy (see 4.2.1b)) and objectives;

b) the scope of the ISMS (see 4.2.1a));

c) procedures and controls in support of the ISMS;

d) a description of the risk assessment methodology (see 4.2.1c));

e) the risk assessment report (see 4.2.1c) to 4.2.1g));

f) the risk treatment plan (see 4.2.2b));

g) documented procedures needed by the organization to ensure the effective planning, operation and control of its information security processes and describe how to measure the effectiveness of controls (see 4.2.3c));

h) records required by this International Standard (see 4.3.3); and

i) the Statement of Applicability.

High

Records of management decisions

ISMS policy

Scope of the ISMS

Procedures and controls in support of the ISMS

Risk assessment methodology

Risk assessment report

Risk treatment plan

How to measure the effectiveness of controls

Statement of Applicability


1)

2) Is it possible to demonstrate the relationship from the selected controls back to the results of the risk assessment and risk treatment process, and subsequently back to the ISMS policy and objectives?

3) Are the following documented and approved?

- Records of management decisions

- ISMS policy

- Scope of the ISMS

- Procedures and controls in support of the ISMS

- Risk assessment methodology

- Risk assessment report

- Risk treatment plan

- How to measure the effectiveness of controls

- Statement of Applicability

4.3.2 Control of documents

Documents required by the ISMS shall be protected and controlled. A documented procedure shall be established to define the management actions needed to:

a) approve documents for adequacy prior to issue;

b) review and update documents as necessary and re-approve documents;

c) ensure that changes and the current revision status of documents are identified;

d) ensure that relevant versions of applicable documents are available at points of use;

e) ensure that documents remain legible and readily identifiable;

f) ensure that documents are available to those who need them, and are transferred, stored and ultimately disposed of in accordance with the procedures applicable to their classification;

g) ensure that documents of external origin are identified;

h) ensure that the distribution of documents is controlled;

i) prevent the unintended use of obsolete documents; and

j) apply suitable identification to them if they are retained for any purpose.

High Document and record control procedure

1) Are documents required by the ISMS adequately protected and controlled?

2) Is a documented procedure available that defines the management actions needed to:

- approve documents for adequacy prior to issue

- review and update documents as necessary and re-approve documents

- ensure that changes and the current revision status of documents are identified

- ensure that relevant versions of applicable documents are available at points of use

- ensure that documents remain legible and readily identifiable

- ensure that documents are available to those who need them, and are transferred, stored and ultimately disposed of in accordance with the procedures applicable to their classification

- ensure that documents of external origin are identified

- ensure that the distribution of documents is controlled

- prevent the unintended use of obsolete documents, and

- apply suitable identification to them if they are retained for any purpose


4.3.3 Control of records

Records shall be established and maintained to provide evidence of conformity to requirements and the effective operation of the ISMS. They shall be protected and controlled. The ISMS shall take account of any relevant legal or regulatory requirements and contractual obligations. Records shall remain legible, readily identifiable and retrievable. The controls needed for the identification, storage, protection, retrieval, retention time and disposition of records shall be documented and implemented. Records shall be kept of the performance of the process as outlined in 4.2 and of all occurrences of significant security incidents related to the ISMS.

High

Document and record control procedure

Records as required by ISO 27001

1) Are records established and maintained to provide evidence of conformity to requirements and the effective operation of the ISMS?

2) How are records protected and controlled? Are the controls needed for the identification, storage, protection, retrieval, retention time and disposition of records documented and implemented?

3) Are records maintained to meet relevant legal or regulatory requirements and contractual obligations?

5 Management responsibility

5.1 Management commitment

Management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS by:

a) establishing an ISMS policy;

b) ensuring that ISMS objectives and plans are established;

c) establishing roles and responsibilities for information security;

d) communicating to the organization the importance of meeting information security objectives and conforming to the information security policy, its responsibilities under the law and the need for continual improvement;

e) providing sufficient resources to establish, implement, operate, monitor, review, maintain and improve the ISMS (see 5.2.1);

f) deciding the criteria for accepting risks and for acceptable risk levels;

g) ensuring that internal ISMS audits are conducted (see 6); and

h) conducting management reviews of the ISMS (see 7).

High

1) Is management committed to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS?

2) Are the following actions carried out by the management:

- establishing an ISMS policy, objectives and plans

- establishing roles and responsibilities for information security

- communicating to the organization the importance of meeting information security objectives and conforming to the information security policy, its responsibilities under the law and the need for continual improvement

- providing sufficient resources to establish, implement, operate, monitor, review, maintain and improve the ISMS

- deciding the criteria for accepting risks and for acceptable risk levels

- ensuring that internal ISMS audits are conducted

- conducting management reviews of the ISMS


5.2 Resource management

5.2.1 Provision of resources

The organization shall determine and provide the resources needed to:

a) establish, implement, operate, monitor, review, maintain and improve an ISMS;

b) ensure that information security procedures support the business requirements;

c) identify and address legal and regulatory requirements and contractual security obligations;

d) maintain adequate security by correct application of all implemented controls;

e) carry out reviews when necessary, and to react appropriately to the results of these reviews; and

f) where required, improve the effectiveness of the ISMS.

High

1) Does the organization determine and provide the resources needed to:

- establish, implement, operate, monitor, review, maintain and improve an ISMS

- ensure that information security procedures support the business requirements

- identify and address legal and regulatory requirements and contractual security obligations

- maintain adequate security by correct application of all implemented controls

- carry out reviews when necessary, and to react appropriately to the results of these reviews

- where required, improve the effectiveness of the ISMS


5.2.2 Training, awareness and competence

The organization shall ensure that all personnel who are assigned responsibilities defined in the ISMS are competent to perform the required tasks by:

a) determining the necessary competencies for personnel performing work affecting the ISMS;

b) providing training or taking other actions (e.g. employing competent personnel) to satisfy these needs;

c) evaluating the effectiveness of the actions taken; and

d) maintaining records of education, training, skills, experience and qualifications (see 4.3.3).

The organization shall also ensure that all relevant personnel are aware of the relevance and importance of their information security activities and how they contribute to the achievement of the ISMS objectives.

High

Training plan

Training material

Training records/ feedback

1) Are the necessary competencies for personnel performing work affecting the ISMS identified?

2) Is training provided to personnel?

3) Is the effectiveness of training provided evaluated?

4) Are records of education, training, skills, experience and qualifications maintained?

6 Internal ISMS audits

The organization shall conduct internal ISMS audits at planned intervals to determine whether the control objectives, controls, processes and procedures of its ISMS:

a) conform to the requirements of this International Standard and relevant legislation or regulations;

High Audit report

Audit plan

Audit methodology

Non-compliance closure report


b) conform to the identified information security requirements;

c) are effectively implemented and maintained; and

d) perform as expected.

An audit program shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. Selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.

The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.3.3) shall be defined in a documented procedure.

The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results (see 8).

1) Are internal ISMS audits conducted at planned intervals? Does the audit verify that the ISMS:

- conform to the requirements of this International Standard and relevant legislation or regulations

- conform to the identified information security requirements

- are effectively implemented and maintained

- perform as expected

2) Are the audit criteria, scope, frequency and methods defined? Are the responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records defined in a documented procedure?


3) Are follow-up activities conducted that include the verification of the actions taken and the reporting of verification results?

7 Management review of the ISMS

7.1 General

Management shall review the organization’s ISMS at planned intervals (at least once a year) to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives. The results of the reviews shall be clearly documented and records shall be maintained (see 4.3.3).

High

Review records/ Minutes of meetings

1) Does the management review the organization’s ISMS at planned intervals (at least once a year) to ensure its continuing suitability, adequacy and effectiveness?

2) Are the results of the reviews clearly documented and records maintained?

7.2 Review input

The input to a management review shall include:

a) results of ISMS audits and reviews;

b) feedback from interested parties;

c) techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness;

d) status of preventive and corrective actions;

e) vulnerabilities or threats not adequately addressed in the previous risk assessment;

f) results from effectiveness measurements;

High Review records/ Minutes of meetings


g) follow-up actions from previous management reviews;

h) any changes that could affect the ISMS; and

i) recommendations for improvement.

1) Does the input to the management review include the following?

- results of ISMS audits and reviews

- feedback from interested parties

- techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness

- status of preventive and corrective actions

- vulnerabilities or threats not adequately addressed in the previous risk assessment

- results from effectiveness measurements

- follow-up actions from previous management reviews

- any changes that could affect the ISMS

- recommendations for improvement

7.3 Review output

The output from the management review shall include any decisions and actions related to the following.

a) Improvement of the effectiveness of the ISMS.

b) Update of the risk assessment and risk treatment plan.

c) Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to:

1) business requirements;

2) security requirements;

3) business processes affecting the existing business requirements;

High Review records/ Minutes of meetings


4) regulatory or legal requirements;

5) contractual obligations; and

6) levels of risk and/or risk acceptance criteria.

d) Resource needs.

e) Improvement to how the effectiveness of controls is being measured.

1)

Does the output from the management review include decisions and actions related to the following?

- Improvement of the effectiveness of the ISMS

- Update of the risk assessment and risk treatment plan

- Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact the ISMS, including changes to:

--- business requirements

--- security requirements

--- business processes affecting the existing business requirements

--- regulatory or legal requirements

--- contractual obligations

--- levels of risk and/or risk acceptance criteria

- Resource needs

- Improvement to how the effectiveness of controls is being measured

8 ISMS improvement

8.1 Continual improvement

The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review (see 7).

High

1) Does the organization continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review?

8.2 Corrective action

The organization shall take action to eliminate the cause of nonconformities with the ISMS requirements in order to prevent recurrence. The documented procedure for corrective action shall define requirements for:

a) identifying nonconformities;

b) determining the causes of nonconformities;

c) evaluating the need for actions to ensure that nonconformities do not recur;

d) determining and implementing the corrective action needed;

e) recording results of action taken (see 4.3.3); and

f) reviewing of corrective action taken.

High

Non compliance closure report

Incident management records

Corrective action procedure

1) Does the organization take action to eliminate the cause of nonconformities with the ISMS requirements in order to prevent recurrence?

2) Is the corrective action procedure documented? Does it define requirements for the following?

- identifying nonconformities

- determining the causes of nonconformities

- evaluating the need for actions to ensure that nonconformities do not recur

- determining and implementing the corrective action needed

- recording results of action taken

- reviewing of corrective action taken

8.3 Preventive action

The organization shall determine action to eliminate the cause of potential nonconformities with the ISMS requirements in order to prevent their occurrence. Preventive actions taken shall be appropriate to the impact of the potential problems. The documented procedure for preventive action shall define requirements for:

a) identifying potential nonconformities and their causes;

b) evaluating the need for action to prevent occurrence of nonconformities;

c) determining and implementing preventive action needed;

d) recording results of action taken (see 4.3.3); and

e) reviewing of preventive action taken.

The organization shall identify changed risks and identify preventive action requirements focusing attention on significantly changed risks.

The priority of preventive actions shall be determined based on the results of the risk assessment.

High

Non compliance closure report

Incident management records

Preventive action procedure

1) Does the organization determine action to eliminate the cause of potential nonconformities with the ISMS requirements in order to prevent their occurrence?

2) Is the preventive action procedure documented? Does it define requirements for the following?

- identifying potential nonconformities and their causes

- evaluating the need for action to prevent occurrence of nonconformities

- determining and implementing preventive action needed

- recording results of action taken

- reviewing of preventive action taken

A.5 Security policy

A.5.1 Information security policy

A.5.1.1 Information security policy document High Security Policy

Documents referenced in the Policy

1) Is there a written policy document which is approved by the management?

2) Is policy document available to all employees responsible for information security?

3) Does the policy contain a definition of information security - its overall objectives and scope, and its importance as an enabling mechanism for information sharing?

4) Does the policy contain a statement of management intention supporting the goals and principles of information security?

5) Does the policy contain a definition of general management responsibilities and specific Company responsibilities for all aspects of information security?

6) Does the policy contain an explanation of security policies, principles, standards and compliance requirements, including the following?

- compliance with legislative, regulatory, and contractual requirements

- security education, training, and awareness requirements

- business continuity management

- consequences of information security policy violations

7) Does the policy contain an explanation of the process for reporting of suspected security incidents?

8) Does the policy contain references to documentation which may support the policy?

9) How is the policy communicated to the users?

A.5.1.2 Review of the information security policy Medium Last review date

Records of management review

1) Does the policy have a clear owner?

2) Is there a defined review process, including responsibilities and schedule for review?

3) Does the review cover the effectiveness of the policy, changes to the organizational environment, business circumstances, legal conditions and technical environment?

4) Are the policy documents updated according to defined schedule?

5) Is revised policy approved by management?

A.6 Organization of information security

A.6.1 Internal organization

To manage information security within the organization

A.6.1.1 Management commitment to information security High Organization Chart

Documented information security roles and responsibilities

Minutes of the meeting of the Information Security Forum

1) Does a high level information security steering forum exist, to give management direction and support?

2) Are information security responsibilities explicitly assigned and acknowledged?

3) Are the following addressed by the information security steering forum?

- Identification of information security goals

- Formulation, review and approval of the information security policy

- Review of the effectiveness of the implementation of the information security policy

- Provisioning resources required for information security

- Approving assignment of specific roles and responsibilities for information security across the organization

- Approval of Security Initiatives

- Ensuring implementation of information security controls being coordinated across the organization

- Initiating plans and programs to maintain information security awareness

A.6.1.2 Information security coordination Medium Organization Chart

Minutes of meetings of the cross-functional committee

1) Does a cross-functional committee exist to co-ordinate information security activities?

2) Are the following items addressed by the cross-functional committee?

- Non compliances

- Risk assessment and information classification and other procedures

- Coordination and implementation of security controls

- Review of security incidents

- Security education, training and awareness

A.6.1.3 Allocation of information security responsibilities High

Information Security Policy

Asset inventory

Documented information security roles and responsibilities

1) Is ownership of information systems clearly defined and is security recognized as the responsibility of the "owner"?

2) Is responsibility for the protection of individual assets and the carrying out of security processes explicitly defined? Are asset owners aware of their responsibility towards the assets?

A.6.1.4 Authorization process for information processing facilities High

Documented authorization procedure

Evidence of authorization request and approval

1) Is there a well defined authorization process for the acquisition and use of any new information processing facility?

2) Is a feasibility study conducted to support purpose and use of any new information processing facilities?

3) Are the following authorizations considered?

- User management approval

- Technical approval for hardware and software

- Use of privately owned information processing facilities, e.g. laptops, home-computers or hand-held devices

4) Are specialist information security advisors (internal or external) consulted to ensure consistent and appropriate security decision making?

A.6.1.5 Confidentiality Agreements High Sample agreements signed with employees and service providers

1) Are confidentiality agreements signed with employees, service providers?

2) Do confidentiality agreements address the following requirements?

- a definition of the information to be protected

- expected duration of an agreement

- required actions when an agreement is terminated

- responsibilities and actions of signatories to avoid unauthorized information disclosure

- ownership of information, trade secrets and intellectual property

- the right to audit and monitor activities

- the permitted use of confidential information

- expected actions to be taken in case of a breach of this agreement

A.6.1.6 Contact with authorities Medium Procedure for contact with authorities

Sample report

1) Are there procedures in place that specify when and by whom authorities (e.g. law enforcement, fire department, supervisory authorities) should be contacted, and how identified information security incidents should be reported?

A.6.1.7 Contact with special interest groups Medium Information received from special interest groups

1) Are contacts with special interest groups or other specialist security forums and professional associations maintained?

2) How is information received from special interest groups and acted upon?

A.6.1.8 Independent review of information security High Audit report

1) Is the organization’s approach to managing information security and its implementation reviewed by an independent party periodically?

A.6.2 External parties

A.6.2.1 Identification of risks from third party access High Risk assessment report

1) Is a risk assessment carried out before providing external party access (logical and physical) to information processing facilities?

2) Does the risk assessment take the following aspects into consideration?

- type of access

- value and sensitivity of the information involved

- controls necessary to protect information during storage, communication, processing, including authentication and authorization controls

- terms and conditions for information security incidents

- legal and regulatory requirements

3) Is access provided only after controls identified in risk assessment have been implemented?

4) Is a contract and NDA signed with the external party before providing access? Are all security requirements mentioned in the contract/ agreement?

5) Is access provided after approval from the concerned authorities? Is the application owner consulted prior to granting access?

6) Are access privileges provided on a need to know and need to do basis? Is there a check on the privileges granted to third party users?

7) Are third party personnel made aware of the organization’s acceptable usage policy?

A.6.2.2 Addressing security when dealing with customers Medium

1) Are all identified security requirements addressed before giving customers access to the organization’s information or assets?

2) Are the following considered before giving customers access to the organization’s information or assets?

- asset protection

- description of the product or service to be provided

- access control policy

- arrangements for reporting, notification, and investigation of information inaccuracies (e.g. of personal details), information security incidents

- the target level of service and unacceptable levels of service

- the right to monitor, and revoke, any activity related to the organization’s assets

- the respective liabilities of the organization and the customer

- responsibilities with respect to legal matters

- intellectual property rights (IPRs) and copyright assignment

A.6.2.3 Addressing security in third party agreements High Contract/Agreement/NDA Copy

1) Do the contracts with third parties include the following?

- General policy on Security

- Asset protection

- Service to be made available

- Unacceptable levels of service

- Liabilities

- Legal responsibilities

- Access methods

- Right to audit contractual responsibilities

- Monitoring and reporting of performance

- User training

- Escalation Process

- Defined change management

- Physical protection controls and mechanism

- Protection against malicious software

- Security incident handling

A.7 Asset Management

A.7.1 Responsibility for assets

A.7.1.1 Inventory of assets High Asset Inventory

1) Is an inventory of all information assets maintained?

2) Is the following information recorded in the inventory?

- Asset type

- location

- backup information

- license information

- business value

- classification

- owner

A.7.1.2 Ownership of assets High Asset inventory

1) Are all information and assets associated with information processing facilities owned by a designated part of the organization?

2) Are owners responsible for the overall security of the assets?

A.7.1.3 Acceptable use of assets Medium Acceptable usage policy

1) Are rules for the acceptable use of information and assets associated with information processing facilities identified, documented, and implemented?

2) Are all employees, contractors and third party users required to follow rules for the acceptable use of information and assets associated with information processing facilities?

A.7.2 Information Classification

A.7.2.1 Classification guidelines High Information classification guideline

Asset register

1) Are information assets classified considering their business value, legal requirements, sensitivity, and criticality to the organization?

2) Who defines the classification of an information asset? Is information classification reviewed periodically?

A.7.2.2 Information labeling and handling Medium Information labeling and handling procedure

Labels on existing assets

1) Is there a well defined procedure for information labeling and handling in accordance with the organization's classification scheme?

2) Are the following labeled with the appropriate classification(s)?

- Printed Reports

- Screen Displays

- Magnetic Media

- Electronic Messages

- File Transfers

3) Is classified information labeled?

4) Are secure processing, storage, transmission, declassification, and destruction covered by appropriate information handling procedures? Is chain of custody and logging of any security relevant event also maintained?

A.8 Human resources security

A.8.1 Prior to employment

A.8.1.1 Roles and responsibilities High Employee contract or equivalent document

1) Do all job descriptions define relevant security responsibilities?

2) Are security responsibilities documented?

3) Are security responsibilities communicated to job candidates during the pre-employment process?

A.8.1.2 Screening High

Documented recruitment procedure/ guidelines

Records of verification for a sample set of recruitment

1) Are applications for employment screened if the job involves access to information processing facilities?

2) Are at least two satisfactory character references - one business and one personal - taken up before making a job offer?

3) Is a check for completeness and accuracy of the applicant's curriculum vitae carried out?

4) Are the following checks carried out on applications for employment involving access to Company IT facilities handling sensitive information?

- Academic qualification

- Independent identification check, e.g. passport or similar document

- Background check

- Credit check

- Check for criminal record

5) Is a similar screening process carried out for contractors and temporary staff (either directly or through a mandate in the contract with the supplying agency)?

6) Do verification checks take into account all relevant privacy, protection of personal data and/or employment based legislation?

A.8.1.3 Terms and conditions of employment High Employee contract or equivalent document

1) Are the employee’s responsibilities for information security stated in the terms and conditions for employment?

2) Are the employee’s legal responsibilities and rights included in the terms and conditions for employment?

3) Do the terms and conditions of employment state that all employees, contractors and third party users should sign a confidentiality or NDA prior to access to information processing facilities?

4) Do the terms and conditions of employment include the responsibilities of the organization for the handling of personal information, including the personal information created as a result of, or in the course of, employment with the organization?

5) Do they include the responsibilities that are extended outside the organization's premises and outside normal working hours, e.g. home-working?

6) Do they include the actions to be taken if the employee, contractor or third party user disregards the organization's security requirements?

A.8.2 During employment

A.8.2.1 Management responsibilities Medium Training plan and schedule

Training material

1) Does the management responsibility include ensuring that employees, contractors and third party users:

- are properly briefed on their information security roles and responsibilities prior to being granted access to sensitive information

- are provided with guidelines to state security expectations of their role within the organization

- conform to the terms and conditions of employment

- continue to have the appropriate skills and qualifications

2) Are all users given adequate security education and technical training?

3) Does the education and training include Company policies and procedures as well as the correct use of IT facilities, before access to IT services is granted?

4) Is security training repeated at regular intervals for all staff?

A.8.2.2 Information security awareness, education, and training Medium Training plan and schedule

Training material

1) To be done

2) Are employees specifically made aware of “social engineering” risks?

3) Does security training and awareness include a testing component?

4) Are resources available for employees on information-security training (e.g., website for security and security issues, brochures, etc.)?

5) For job functions designated in the escalation line for incident response, are staff fully aware of their responsibilities and involved in testing those plans?

6) For job functions designated in the escalation line for disaster recovery plans, are staff fully aware of their responsibilities and involved in testing those plans?

7) How is the effectiveness of the training tested?

A.8.2.3 Disciplinary process Medium Disciplinary procedure

1) Is there a formal disciplinary process for dealing with employees who have allegedly violated Company security policies and procedures?

A.8.3 Termination or change of employment

A.8.3.1 Termination responsibilities High Employment termination procedure

1) Are the responsibilities for performing employment termination or change of employment clearly defined and assigned?

2) Do the Terms and Conditions of employment & Confidentiality Agreement incorporate the termination responsibilities, including the ongoing security/ legal responsibilities for a specific defined period of time?

A.8.3.2 Return of assets High Sample employee termination forms

1) Is there a process defined for exiting employees, contractors and third party users to return all of the organization's assets in their possession upon termination of their employment/contract?

A.8.3.3 Removal of access rights High Sample employee termination forms

1) What are the procedures for removal of access rights (physical and logical access, keys, identification cards etc) of the employees leaving the organization? Are these procedures documented?

A.9 Physical and Environmental Security

A.9.1 Secure areas

A.9.1.1 Physical Security Perimeter High

Physical Security policy

Manned reception

Perimeter wall/ fence etc

1) Is the security perimeter for IT facilities supporting critical or sensitive business activities clearly defined?

2) Is the security perimeter physically sound?

3) Is there a manned reception area or equivalent to control physical access?

4) Are all fire doors on a security perimeter alarmed?

A.9.1.2 Physical Entry Controls High

Visitor register

Access card

Access request forms

1) Is date and time of entry and departure recorded for all visitors?

2) Are visitors briefed on the security requirements and on emergency procedures?

3) Are authentication controls (card and PIN) used to authorize all access to information processing facilities? Is access logged?

4) Are all personnel required to wear some visible identification?

5) Is the identification card for contractors, visitors or temporary employees physically different from that of regular employees?

6) Are access rights to secure areas regularly reviewed and updated?

7) Do access requests require written approval of the site owner?

A.9.1.3 Securing offices, rooms and facilities Medium Applicable health and safety

regulations and standards

Physical Security policy

1) Are relevant health and safety regulations and standards considered for offices, rooms and facilities?

2) Do secure areas give minimum indication of their purpose?

3) Are the secure areas locked when unattended?

4) Are the locations of the sensitive information processing facilities readily accessible to the public?

5) Is there an alerting mechanism if there is a deviation in the operating environment?

6) Is there a fallback procedure when physical access control is down or has failed? Are the security personnel aware of the procedure?

7) Is an alarm system installed to warn against unauthorized access or prolonged open status of access doors?

A.9.1.4 Protecting against external and environmental threats High

Fire fighting equipment

Location and storage arrangement of backup media

Fireproofing arrangements

Air conditioning equipment

Location of building

1) Are hazardous or combustible materials stored securely or at a safe distance from the secure area?

2) Are fallback equipment and back-up media located at a safe distance so as to avoid damage from a disaster at the main site?

3) Is environmental protection equipment (fire suppression, fireproofing, water flooding, heat/air conditioning, power supply) installed, tested and monitored?

4) Is physical protection against damage from flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster designed and applied?

A.9.1.5 Working in Secure Areas Medium

CCTV records

Visitor register

Access cards

Manned security

1) Are the personnel aware of the existence of, or activities within a secure area on a need to know basis?

2) Is working in secure areas supervised?

3) Are the vacant secure areas physically locked and checked periodically?

4) Is the access to secure areas or information processing facilities for third party personnel authorized and monitored?

5) Are any recording equipment (e.g. Photographic) allowed within a secure area?

6) Have executives and administrative personnel been trained in fire fighting techniques?

7) Are periodic fire drills practiced? What is the frequency?

A.9.1.6 Public access, delivery and loading areas Medium Material movement register

Materials Forms

1) Is the access to a holding area from outside the building restricted to identified and authorized personnel?

2) Is the holding area separated from the other parts of the building?

3) Are the materials inspected for potential hazards before being used?

4) Are the incoming materials registered in accordance with asset management procedures?

A.9.2 Control objective: Equipment security

A.9.2.1 Equipment Siting and Protection Medium

1) Is the equipment sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access?

A.9.2.2 Supporting utilities High Power supply sources

UPS / Generator

1) Are there multiple feeds to avoid a single point of failure in the power supply?

2) Is there a UPS in place to support orderly close down or continuous running of critical equipment?

3) Is there a back-up generator in place and tested?

4) Are emergency power switches located near emergency exits in equipment room to facilitate rapid power down?

5) Are power switches of servers and other critical information processing facilities adequately protected?

6) Is there a procedure for monitoring the health of the power sources?

A.9.2.3 Cabling Security Medium

1) Are power and telecommunications lines placed underground or adequately protected?

2) Are network cables protected from unauthorized interception or damage?

3) Are power cables segregated from the communications cables?

A.9.2.4 Equipment Maintenance Medium Equipment maintenance

instructions and schedule

Equipment maintenance records

1) Is the maintenance of equipment done in accordance with the supplier's recommended service intervals and specifications?

2) Is the maintenance of equipment done by authorized personnel only?

3) Are records kept of all suspected or actual faults and all maintenance?

A.9.2.5 Security of equipment off-premises Medium

1) Is the use of any equipment outside an organization’s premises authorized by the management?

2) Are equipment and media left unattended in public places?

3) Are the manufacturer’s instructions for protecting equipment observed?

4) Are there any controls defined by a risk assessment for using the equipment off-premises?

5) Is there adequate insurance cover?

6) Can maintenance of equipment be performed remotely?

A.9.2.6 Secure Disposal or re-use of Equipment High Asset disposal procedure

1) Is sensitive data and licensed software totally erased from equipment prior to disposal?

A.9.2.7 Removal of Property Medium

1) Can the organization's property be removed without formal authorization?

2) Are spot checks undertaken to detect unauthorized removal of property?

A.10 Communications and Operations Management

A.10.1 Operational procedures and responsibilities

A.10.1.1 Documented Operating Procedures Medium Documented operating procedures

1) Are there documented procedures for the operation of all computer systems?

2) Do the procedures contain instructions for the execution of each job, such as handling of information, scheduling requirements, error handling instructions, support contacts, system restart and recovery procedures and special output handling instructions?

A.10.1.2 Change management High Change Control Policy

Change Control Form

1) Is change control procedure documented?

2) Are significant changes identified and recorded?

3) Is there a change control committee to approve changes?

4) Does the change control procedure clearly define roles and responsibilities for all individuals associated with changes?

5) Has it been clearly identified which changes go through the change control procedure and which do not? What changes have been omitted, and why?

6) Do users use a Change request form while requesting a change?

7) Do asset owners authorize changes requested by users?

8) Can the firewall owner authorize a firewall rule base change? How is it ensured that the requestor and the approver are not the same person?

9) Is an impact analysis done before making any changes to the system?

10) After a change, is the relevant documentation updated?

11) Are the details of change communicated to all relevant persons?

A.10.1.3 Segregation of Duties High Documented duties which need to be segregated

1) Has consideration been given to the segregation of certain duties in order to reduce opportunities for unauthorized modification or misuse of data or services?

2) Are activities that require collusion in order to commit fraud segregated?

3) If it is not possible to segregate duties because of small staff numbers, are compensatory controls implemented, e.g. rotation of duties, audit trails?

A.10.1.4 Separation of development, test and operational facilities Medium List of development, test and operational systems

1) Are development and testing facilities isolated from operational systems?

2) Are rules for the transfer of software from development to operational status well defined and documented?

3) Are development and operational software run on different processors?

4) Are sensitive data removed before using them in test environment?

5) Are utilities like compilers and editors disabled from operational systems?

6) Does the test environment emulate the operational system environment as closely as possible?

A.10.2 Third party service delivery management

A.10.2.1 Service Delivery High Third party agreements/ Outsourcing contracts/ SLA

1) Are security controls, service definitions and delivery levels included in the third party service delivery agreement? Are they implemented, operated and maintained by the third party?

2) Do outsourcing arrangements include plans for necessary transitions?

3) Does the third party maintain sufficient service capability, together with workable plans designed to ensure that agreed service continuity levels are maintained following major service failures or disaster?

A.10.2.2 Monitoring and review of third party services Medium SLA reports

Vendor audit reports

1) Are the services provided by the vendor monitored and reviewed?

2) Is there an individual in the organization responsible for monitoring and controlling the vendor performance?

3) Are periodic audits carried out on the outsourced vendor?

4) Are third party audit trails and records of security events, operational problems, failures, tracing of faults and disruptions related to the service delivered reviewed?

5) If the contract is granted for more than one year, is there an annual review to ensure that the vendor still meets all necessary criteria?

A.10.2.3 Monitoring changes to third party services Medium

1) Do changes to third party services take into account the following requirements:

a) changes made by organization to implement

i) enhancements to current services offered

ii) development of any new applications & systems

iii) modifications of organization policies

iv) new controls to resolve information security incidents

b) changes in third party services to implement

i) changes & enhancements to networks

ii) use of new technologies

iii) adoption of new products or new versions

iv) new development tools

v) changes to physical locations

vi) change of vendors

A.10.3 System planning and acceptance

A.10.3.1 Capacity Management High Monitoring procedure

Monitoring reports

1) Are application, system and network architectures designed for high availability and operational redundancy?

2) Are capacity requirements monitored to ensure that adequate processing power and storage remain available?

A.10.3.2 System Acceptance High Requirements specifications

System testing reports

1) Are acceptance criteria established and suitable tests carried out prior to acceptance of new information systems, upgrades and new versions?

2) Are the requirements and acceptance criteria for new systems clearly defined, documented and tested?

3) Are there error recovery and restart procedures and contingency plans?

4) Is there an agreed set of security controls in place?

5) Are there effective manual procedures?

6) Is there sufficient training imparted in the operation or use of new systems?

7) Is the effect on the existing systems studied?

A.10.4 Protection against malicious and mobile code

A.10.4.1 Controls against malicious code High Anti-Virus Policy

Antivirus architecture

1) Are detection and prevention controls to protect against malicious software, and appropriate user awareness procedures, formally implemented?

2) Is there a formal policy requiring compliance with software licenses and prohibiting the use of unauthorized software?

3) Is there a formal policy to protect against risks associated with obtaining files and software either from or via external networks, and to indicate what protective measures should be taken?

4) Is appropriate anti-virus and anti-spyware software installed and regularly updated?

5) Are formal reviews of the software and data content of systems supporting critical business processes regularly carried out?

6) Are all files and email attachments of uncertain or external origin checked for viruses, trojans before use?

7) Do appropriate management procedures and responsibilities exist for reporting, and recovering from, virus attacks?

8) Are appropriate business continuity plans for recovery from virus attack in place?

9) Are remote users and laptop computer users covered under the virus protection program?

10) Is malicious code filtered at the network perimeter?

A.10.4.2 Controls against Mobile code Medium

1) Is any mobile code used in the organization?

2) How is the security of mobile code ensured? Are the following controls considered?

- executing mobile code in a logically isolated environment

- control the resources available to mobile code access

- cryptographic controls to uniquely authenticate mobile code

A.10.5 Backup

A.10.5.1 Information Back-up High

Backup and Recovery Policy & procedure

Backup and Recovery Records and logs

Backup media labeling and storage

1) Are back-up copies of essential business information and software taken regularly?

2) Is backup and recovery procedure documented?

3) Does the document identify the Servers and the Data for backing up and the frequency of back up?

4) Does backup data contain audit trails and logs?

5) What roles and responsibilities are defined and assigned for back-up activities?

6) What permissions are given to backup operators?

7) Are backup events logged in the log repository?

8) How is access to backup media controlled?

9) Is backup media stored both onsite and offsite? If offsite backup takes place, what is the frequency, and how is the integrity of the offsite backup tapes assured?

10) Is backup media stored in fireproof environment?

11) Is a media labeling procedure in place, with sufficient information?

12) Is there a procedure for media rotation?

13) What precautions are taken for the disposal of aged or unused media? Does the backup policy identify the retention period for backup data? What is the recommended disposal method?

14) What are the steps followed in restoring backup? Are the steps documented and available to the authorized personnel?

15) Are the media and backup restoration tested periodically? Request the logs and verify.

16) Is the back up media password protected or encrypted?

17) Are the tapes left around near tape drives?

18) Is an automated backup tool used (Veritas, IBM Tivoli etc.)?

19) What are the tracking mechanisms for backup failure and success? Does the document give guidelines on the actions to be taken by the backup operator?

20) Can a backup operator delete backup logs? Where are the backup logs recorded? What permissions are assigned to the backup operator on the machine?

A.10.6 Network security management

A.10.6.1 Network controls High Network policy

Network Layout Diagram

1) Have network managers implemented controls to ensure the security of data in networks and the protection of connected services from unauthorized access?

2) Are the responsibilities and procedures for the management of remote equipment, including user equipment established?

3) Are special controls established to safeguard the confidentiality and integrity of data passing over public networks?

4) Is there regular, periodic vulnerability and penetration testing in accordance with the risk of each security/control domain and perimeter?

5) Is appropriate logging enabled and are logs reviewed?

A.10.6.2 Security of Network Services High Network security features

Network monitoring reports

1) Are security features, service levels and management requirements of all network services identified and included in all network service agreements?

2) Is the ability of the network service provider to manage agreed services in a secure way determined and regularly monitored?

A.10.7 Media Handling

A.10.7.1 Management of removable computer media Medium Media handling guidelines

Media Asset inventory

1) Do appropriate procedures and controls exist to protect computer media?

2) Are the contents of media that are no longer needed in the organization erased?

3) Is an authorization required for all media to be removed from the organization?

4) Is the record of all authorized removals maintained?

5) Are media stored in a safe and secure environment?

6) Is an inventory maintained of all removable media?

A.10.7.2 Disposal of Media Medium Media disposal guidelines

Media disposal records

1) Are formal procedures established for the secure disposal of media?

2) Is the disposal of sensitive items logged to maintain an audit trail?

3) How are different types of media (paper, disk, tapes etc) destroyed?

A.10.7.3 Information Handling Procedures High Information handling procedure

1) Are procedures for the handling and storage of information established to prevent their unauthorized disclosure or misuse?

2) Is a formal record of the authorized recipients of data maintained?

3) Are procedures in place to ensure that input data is complete, that processing is properly completed and that output validation is applied?

4) Is the distribution of data kept to a minimum?

5) Is there a review of distribution lists and lists of authorized recipients at regular intervals?

6) Are all media labeled to indicate their classification level?

7) Are access restrictions in place for all media?

A.10.7.4 Security of System Documentation Medium

1) Is the system documentation stored securely?

2) Is the access list for system documentation kept to a minimum and authorized by the application owner?

3) If the system documentation is held on a public network or supplied via a public network, is it appropriately protected?

A.10.8 Exchanges of information

A.10.8.1 Information exchange policies and procedures Medium Information exchange policies and procedures

1) Are policies, procedures and controls in place to protect the exchange of information through the use of all types of communication facilities?

2) What controls are in place to protect exchanged information from interception, copying, modification, mis-routing, and destruction?

3) What retention and disposal guidelines are followed for all business correspondence, including messages, in accordance with relevant national and local legislation and regulations?

A.10.8.2 Exchange agreements Medium Information exchange agreements

1) Are there agreements for the exchange of information and software between the organization and external parties?

2) Do exchange agreements incorporate the following:

- Procedures for notifying the sender of transmission, dispatch and receipt

- Escrow agreement

- Responsibilities and liabilities in the event of information security incidents, such as loss of data

- Technical standards for packaging and transmission

- Agreed labeling system for sensitive or critical information

- Courier identification standards

- Procedures to ensure traceability and non-repudiation

- Ownership and responsibilities for data protection, copyright and software license compliance

- Any special controls that may be required to protect sensitive items, such as cryptographic keys

A.10.8.3 Physical media in transit Medium Media movement/ tracking register

Media packaging

1) Is a list of authorized couriers agreed with the management and is there a procedure to check the identification of couriers?

2) How is information protected against unauthorized access, misuse or corruption during transportation beyond an organization’s physical boundaries?

3) Is the packaging sufficient to protect the contents from any physical damage?

A.10.8.4 Electronic messaging High Risk assessment/ audit report for electronic messaging systems

1) Are the risks associated with the use of electronic messaging assessed?

2) How are the following security considerations for electronic messaging addressed?

- protecting messages from unauthorized access, modification or denial of service

- ensuring correct addressing and transportation of the message

- general reliability and availability of the service

- legal considerations, for example requirements for electronic signatures

- obtaining approval prior to using external public services such as instant messaging or file sharing

- stronger levels of authentication controlling access from publicly accessible networks

A.10.8.5 Business information systems Medium

1) Are policies and procedures developed and implemented to protect information associated with the interconnection of business information systems?

A.10.9 Electronic commerce services

A.10.9.1 Electronic commerce High

1) Are there controls in place to protect information involved in electronic commerce passing over public networks from fraudulent activity, contract dispute, and unauthorized disclosure and modification?

A.10.9.2 On-Line transactions High Risk assessment/ audit report for systems providing online transactions

1) Are the risks involved in on-line transactions assessed?

2) Do the security requirements for on-line transactions cover the following:

- Use of electronic signatures by each of the parties involved in the transaction

- Validation and verification of user credentials

- Confidentiality and privacy

- Encryption

- Use of secure protocols

- Storage of transaction details outside of any publicly accessible environment

A.10.9.3 Publicly Available information Medium

1) Is there a formal authorization process before information is made publicly available?

2) How is the information made available on a publicly available system protected from unauthorized modification?

3) Is the information obtained in compliance with data protection legislation?

4) Is the sensitive information protected during collection, processing and storage?

5) Is the access to the publishing system protected such that it does not give access to the network to which the system is connected?

A.10.10 Monitoring

A.10.10.1 Audit logging High Sample audit logs

Audit settings in servers, network devices and applications

1) Are audit trails of exceptions and security-relevant events recorded and kept for an agreed period to assist with access control monitoring and possible future investigations?

2) Do audit logs include the following data?

- User IDs

- Dates, times and details of key events, e.g. log-on and log-off

- Terminal identity or location, if possible

- Records of successful and rejected system access attempts

- Records of successful and rejected data and other resource access attempts

- Changes to system configuration

- Use of privileges

- Use of system utilities and applications

- Files accessed and the kind of access

- Network addresses and protocols

- Alarms raised by the access control system

- Activation and de-activation of protection systems, such as anti-virus systems and intrusion detection systems

A.10.10.2 Monitoring system use High Monitoring Policy and procedure

Monitoring records

1) Are procedures established for monitoring use of information processing facilities?

2) Are the results of the monitoring activities reviewed regularly?

3) Are the following activities monitored:

- Authorized access

- All privileged operations

- Unauthorized access attempts

- System alerts or failures

- Changes to, or attempts to change, system security settings and controls

A.10.10.3 Protection of log information High Log storage facilities

1) How are logging facilities and log information protected against tampering and unauthorized access?

2) Are there mechanisms to detect and prevent:

- Alterations to the message types that are recorded

- Log files being edited or deleted

- Storage capacity of the log file media being exceeded
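As an added example (not part of the checklist or Paladion's material), the Python below checks constructed audit records against the A.10.10.1 field list and shows how a hash-chained log lets an auditor detect the edited or deleted entries that A.10.10.3 asks about. The field names, the record values and the chaining format are assumptions made for the example.

```python
"""Added example (not from the checklist): audit-record field check
(A.10.10.1) and hash-chain verification for log tampering (A.10.10.3).
Field names and all records below are constructed for the example."""
import copy
import hashlib
import json

# Data A.10.10.1 expects in each audit record; key names are assumptions
REQUIRED_FIELDS = ("user_id", "timestamp", "event", "outcome",
                   "terminal", "src_addr")
GENESIS = "0" * 64  # previous-hash value used for the first chained line

# Constructed sample audit records (not real logs)
SAMPLE_RECORDS = [
    {"timestamp": "2024-05-01T08:00:12Z", "user_id": "alice",
     "event": "log-on", "outcome": "success",
     "terminal": "ws-17", "src_addr": "10.0.5.23"},
    {"timestamp": "2024-05-01T08:03:40Z", "user_id": "alice",
     "event": "use-privilege", "outcome": "success",
     "terminal": "ws-17", "src_addr": "10.0.5.23"},
    {"timestamp": "2024-05-01T08:05:01Z", "user_id": "bob",
     "event": "log-on", "outcome": "rejected",
     "src_addr": "10.0.5.40"},  # terminal identity missing
]


def missing_fields(record):
    """Return the A.10.10.1 fields that are absent from one record."""
    return [f for f in REQUIRED_FIELDS if f not in record]


def field_gaps(records):
    """Map record index -> missing fields, listing only records with gaps."""
    gaps = {}
    for i, rec in enumerate(records):
        missing = missing_fields(rec)
        if missing:
            gaps[i] = missing
    return gaps


def _line_hash(prev_hash, body):
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def chain_records(records):
    """Store records so that each line commits to the previous one.
    An edited line, a removed line or a line inserted in the middle
    breaks the chain, which is the detection A.10.10.3 asks about."""
    chained, prev = [], GENESIS
    for rec in records:
        body = json.dumps(rec, sort_keys=True)   # canonical encoding
        digest = _line_hash(prev, body)
        chained.append({"prev": prev, "body": body, "hash": digest})
        prev = digest
    return chained


def verify_chain(chained, expected_head=None):
    """Return -1 if the chain is intact, otherwise the index of the first
    line that fails.  Removal of the tail is only detectable when the
    latest hash was recorded elsewhere (expected_head), for instance on
    a separate log server or in a signed daily summary."""
    prev = GENESIS
    for i, line in enumerate(chained):
        if line["prev"] != prev or line["hash"] != _line_hash(prev, line["body"]):
            return i
        prev = line["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chained)
    return -1


def tamper_demo():
    """Exercise three tampering cases; returns the detection result of each."""
    chain = chain_records(SAMPLE_RECORDS)
    edited = copy.deepcopy(chain)
    edited[0]["body"] = edited[0]["body"].replace("alice", "mallory")
    deleted = chain[:1] + chain[2:]             # middle line removed
    truncated = chain[:2]                       # last line removed
    return {
        "intact": verify_chain(chain),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated": verify_chain(truncated, expected_head=chain[-1]["hash"]),
    }


if __name__ == "__main__":
    print("field gaps:", field_gaps(SAMPLE_RECORDS))      # {2: ['terminal']}
    print("tamper detection:", tamper_demo())
```

The `truncated` case is the one auditors most often miss: without an externally stored head hash (or a reliable record count) a chain that has simply lost its newest lines still verifies.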

A.10.10.4 Administrator and operator logs High

Sample audit logs

Audit settings in servers, network devices and applications

Monitoring Policy and procedure

Monitoring records

1) Are the activities carried out by system administrator and system operator logged?

2) Are system administrator and operator logs reviewed on a regular basis?

3) Do the logs include the following information:

- The time at which an event (success or failure) occurred

- Information about the event

- Which account and which administrator or operator was involved

- Which processes were involved

A.10.10.5 Fault logging Medium Sample fault logs

Fault log settings in servers, network devices and applications

1) Are faults reported by users or by system programs regarding problems with information processing or communication systems logged?

2) Is there a review of fault logs to ensure that they have been satisfactorily resolved?

3) Is there a review of corrective measures to ensure that the controls have not been compromised and that the action taken is authorized?

A.10.10.6 Clock synchronization High Clock settings in servers, network devices

1) Are computer clocks synchronized to ensure the accuracy of time information in audit logs? How are the clocks synchronized?

A.11 Access Control

A.11.1 Business requirement for access control

A.11.1.1 Access Control Policy High Access Control Policy

1) Is there a documented access control policy?

2) Are both logical and physical access control aspects considered in the policy?

3) Does the policy take account of the following?

- security requirements of individual business applications

- policies for information dissemination and authorization

- relevant legislation and any contractual obligations regarding protection of access to data or services

- standard user access profiles for common job roles in the organization

- segregation of access control roles, e.g. access request, access authorization, access administration

- requirements for formal authorization of access requests

- requirements for periodic review of access controls

- removal of access rights

A.11.2 User access management

A.11.2.1 User Registration High User registration/ deregistration records

Review of user ids

1) Is there a formal user registration/ deregistration procedure for granting and revoking access to all information systems and services?

2) Are unique IDs assigned to all users?

3) Is a check done to verify that the user has authorization from the system owner for the use of the information system or service?

4) Is there a check done to verify that the level of access granted is appropriate to the business purpose?

5) Are the users given a written statement of their access rights?

6) Are the users required to sign statements indicating that they have understood the conditions of access?

7) Is a formal record of all persons registered to use the service maintained?

8) Is there a periodic check for and removal of dormant/ redundant user IDs and accounts?

9) Is it ensured that dormant/ redundant user IDs are not issued to other users?

10) Are the accounts of users who change duties or leave the Company removed immediately?

11) Are any temporary/generic/guest/anonymous user IDs in use? If so, how are they shared?

12) Is user addition and deletion monitored and logged?

A.11.2.2 Privilege Management High User registration/ deregistration records

Review of user ids

1) Is the use of special privileges that enable the user to override system or application controls restricted and controlled?

2) Are the privileges associated with each system (e.g. operating system or database) identified, and are the categories of staff that are allowed access defined?

3) Are privileges allocated to individuals on a “need to know” basis and on an "event by event" basis?

4) Is there an authorization process for granting privileges and a record kept of all privileges allocated?

5) Are system routines developed or promoted to avoid the need to grant privileges to users?

6) Are privileges assigned to a different user identity from those used for normal business use?

A.11.2.3 User Password Management High

User acknowledgement records for receipt of passwords

Password settings on servers, network devices and applications

1) Is the allocation of user passwords securely controlled through a formal management process?

2) Are users required to sign an undertaking to keep passwords confidential?

3) Is there a secure password policy for various systems? What is the current password policy?

4) Is the password policy enforced on all systems, applications and firewalls?

5) Are users forced to change their password on first login and whenever the password is reset?

6) Are passwords communicated to users in a secure manner?

7) Do users acknowledge the receipt of the password?

8) Are default passwords changed?

A.11.2.4 Review of User Access Rights High Review reports for user access rights

1) Are user access rights reviewed at regular intervals? What is the periodicity of review?

2) Are authorizations for privileged access rights reviewed more frequently than others?

3) Are user access rights reviewed and re-allocated when moving from one employment to another within the same organization?

4) Are privilege allocations checked at regular intervals?

5) Are changes to privileged accounts logged for periodic review?

A.11.3 User responsibilities

A.11.3.1 Password use High Password security guidelines

1) Are guidelines communicated to users on secure use of passwords?

2) Does the guideline include the following?

- keep passwords confidential

- avoid keeping a record (e.g. paper, software file or hand-held device) of passwords

- change passwords at regular intervals

- change temporary passwords at the first log-on

- not share individual user passwords

- not use the same password for business and non-business purposes

- select strong passwords

A.11.3.2 Unattended user equipment Medium Unattended user equipment security guideline

1) Are the users trained with regard to terminating active sessions, logging off systems and securing PCs or terminals by key lock or an equivalent control?

A.11.3.3 Clear desk and clear screen policy Medium Clear desk and clear screen policy

1) Is there a clear desk and clear screen policy followed in the organization?

2) Is sensitive information locked away when not required?

3) Are personal computers, printers left logged on when unattended?

4) Are incoming and outgoing mail points and unattended fax, telex and Xerox machines protected?

5) Are printers cleared of sensitive information immediately?

6) Is there a screen saver password configured on the desktop? If yes, what is the time limit after which it gets activated?

7) Do users lock the workstation if they know they are not going to be around it for more than 5 minutes?

A.11.4 Network access control

A.11.4.1 Policy on use of Network Services High

Network policy

Network diagram

Firewall/ router configuration

1) Is there a policy concerning the use of networks and network services?

2) Are users only able to gain access to the services that they are authorized to use?

3) Are there authorization procedures for determining who is allowed to access which networks and networked services?

4) Are there management controls and procedures to protect the access to network connections and network services?

5) What is the process for requesting and approving modem connections to servers or desktops?

6) Does the organization have access control devices, such as a firewall, that separate critical segments from non-critical ones?

7) Is there a policy concerning the use of networks and network services? Is there a set of services that is blocked at the firewall, for example RPC ports, NetBIOS ports etc.?

A.11.4.2 User Authentication for External Connections High Authentication mechanisms for access to servers, network devices and applications

1) Are all connections by remote users authenticated (e.g. user id password, hardware tokens, challenge/response systems)?

A.11.4.3 Equipment identification in networks Medium

1) Where applicable, are connections by remote computer systems authenticated through equipment identification?

A.11.4.4 Remote diagnostic and configuration port protection Medium

1) Is physical and logical access to diagnostic and configuration ports controlled? Is there a well defined procedure covering request, approval, monitoring and termination of access?

A.11.4.5 Segregation in Networks High Network diagram

Firewall and router configuration

1) Where large networks extend beyond organizational and corporate boundaries, are they separated into logical domains protected by a defined perimeter (e.g. firewall) which restricts the connection capabilities of users?

2) Is the criterion for segregation based on the access control policy and access requirements, and does it take into account the relative cost and performance impact?

A.11.4.6 Network Connection Control High Network diagram

Firewall and router configuration

1) Are controls implemented to restrict the network connection capability of users (e.g. through gateways that filter traffic by means of pre-defined tables or rules)?

A.11.4.7 Network Routing Control High Network diagram

Firewall and router configuration

1) Are routing controls implemented to ensure that computer connections and information flows do not breach the access policy of the business applications?

A.11.5 Operating system access control

A.11.5.1 Secure Log-on Procedures High Operating system configuration

1) Does the log-on procedure display the system or application identifiers only after the process is successfully completed?

2) Does the log-on procedure display a general notice warning that the computer can be used only by authorized users?

3) Does the log-on procedure provide helpful messages that would aid an unauthorized user?

4) Does the log-on procedure validate the log-on information only on completion of all input data?

5) Does the log-on procedure limit the number of unsuccessful log-on attempts allowed?

6) Does the log-on procedure limit the maximum and minimum time allowed for the log-on procedure?

7)Does the log-on procedure display the date and time of previous successful login and the details of any unsuccessful log-on attempts?

8) Does the log on procedure not display the password being entered or consider hiding the password characters by symbols?

9) Does the log on procedure not transmit passwords in clear text over a network?

A.11.5.2 User Identification and Authentication High

1) Do all users have a unique identifier for their personal and sole use?

A.11.5.3 Password Management System High Password settings in servers, network devices and applications

1) Does the password management system enforce the use of individual passwords to maintain accountability?

2) Does the password management system allow users to select and change their own passwords?

3) Does the password management system enforce a choice of quality passwords?

4) Does the password management system force users to change temporary passwords on first log-on and when password expires?

5) Does the password management system maintain a record of previous user passwords?

6) Does the password management system not display passwords on screen when they are being entered?

7) Does the password management system store password files separately from application system data?

8) Does the password management system store and transfer passwords in encrypted form (ex: using a one-way encryption algorithm)?
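The A.11.5.1 and A.11.5.3 controls above, modelled as a small Python log-on and password service. This is an added example, not code from the checklist or from Paladion; the class names, the attempt limit, history depth and quality rule are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Assumed parameter values for the illustration (not taken from the checklist)
MAX_FAILED_ATTEMPTS = 5        # A.11.5.1 q5: failures allowed before the account is locked
PASSWORD_HISTORY = 5           # A.11.5.3 q5: previous passwords kept (as hashes) to block reuse
PBKDF2_ITERATIONS = 100_000    # A.11.5.3 q8: only one-way derivations are stored
MIN_LENGTH = 12                # A.11.5.3 q3: quality rule
GENERIC_FAILURE = "Log-on failed"   # A.11.5.1 q3: identical message whatever part was wrong
DUMMY_SALT = b"\x00" * 16      # hashed against for unknown users so timing gives no hint


def derive(password, salt):
    """One-way derivation of the stored verifier; the clear-text password is never kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def password_quality_ok(password):
    """Minimum length plus at least three of four character classes."""
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


class Account:
    def __init__(self, user_id, temporary_password):
        self.user_id = user_id                 # A.11.5.2: one identifier per person
        self.salt = os.urandom(16)
        self.digest = derive(temporary_password, self.salt)
        self.history = []                      # (salt, digest) pairs of earlier passwords
        self.must_change = True                # A.11.5.3 q4: temporary password on first log-on
        self.locked = False                    # stays locked until an administrator resets it
        self.failed_attempts = 0               # consecutive failures, reset on success
        self.last_success = None               # A.11.5.1 q7: reported at the next log-on
        self.failed_since_last_success = 0


class LogonService:
    def __init__(self):
        self.accounts = {}

    def register(self, user_id, temporary_password):
        if user_id in self.accounts:
            raise ValueError("identifier already in use")
        self.accounts[user_id] = Account(user_id, temporary_password)

    def logon(self, user_id, password):
        """Check only once both fields are supplied (A.11.5.1 q4) and never reveal
        which one was wrong; nothing here echoes the password (q8)."""
        acct = self.accounts.get(user_id)
        if acct is None:
            derive(password, DUMMY_SALT)       # same cost as a real check
            return {"ok": False, "message": GENERIC_FAILURE}
        if acct.locked or not hmac.compare_digest(derive(password, acct.salt), acct.digest):
            acct.failed_attempts += 1
            acct.failed_since_last_success += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True             # A.11.5.1 q5
            return {"ok": False, "message": GENERIC_FAILURE}
        result = {"ok": True,
                  "previous_success": acct.last_success,
                  "failed_attempts_since": acct.failed_since_last_success,
                  "must_change_password": acct.must_change}
        acct.failed_attempts = 0
        acct.failed_since_last_success = 0
        acct.last_success = datetime.now(timezone.utc)
        return result

    def change_password(self, user_id, current, new):
        """A.11.5.3 q2/q3/q5: user-chosen, quality-checked, no reuse of recent passwords."""
        acct = self.accounts.get(user_id)
        if acct is None or not hmac.compare_digest(derive(current, acct.salt), acct.digest):
            return False, GENERIC_FAILURE
        if not password_quality_ok(new):
            return False, "new password does not meet the quality rules"
        recent = [(acct.salt, acct.digest)] + acct.history
        if any(hmac.compare_digest(derive(new, s), d) for s, d in recent):
            return False, "new password was used recently"
        acct.history = recent[:PASSWORD_HISTORY]
        acct.salt = os.urandom(16)
        acct.digest = derive(new, acct.salt)
        acct.must_change = False
        return True, "password changed"
```

An auditor can map each question in the two controls to the line that implements it and see what evidence (lock-out state, history, previous-login record) the system could produce.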

A.11.5.4 Use of System Utilities Medium Configuration of servers, network devices and applications

1) Are those system utility programs that might be capable of overriding system and application controls restricted and tightly controlled?

2) Are there authentication and authorization procedures for system utilities?

3) Is there a segregation of system utilities from application software?

4) Is the number of authorized users with access to system utilities restricted?

5) Is a log maintained of all use of system utilities?

6) Are all unnecessary software based utilities and system software removed or disabled?

7) Are authorization levels for system utilities defined and documented?

A.11.5.5 Session Time-out High Configuration of servers, network devices and applications

1) Are inactive sessions forced to shut down after a defined period of inactivity? What is the default timeout period?

A.11.5.6 Limitation of Connection Time Medium Configuration of servers, network devices and applications

1) Are connection times restricted for high risk applications (e.g.: to normal office hours)?

A.11.6 Application and information access control

A.11.6.1 Information Access Restriction High Application audit report

1) Are appropriate logical access controls implemented in the application systems?

2) Are menus provided to control access to application system functions?

3) Is there a control over the access rights of the users? Is role based access control implemented?

4) Is it ensured that outputs from application systems handling sensitive information contain only the information that is relevant to the use of the output?

5) Is it ensured that outputs from application systems handling sensitive information are sent only to authorized terminals and locations?

A.11.6.2 Sensitive System Isolation Medium

1) Is the sensitivity of an application system explicitly identified and documented by the application owner?

2) Do sensitive systems have a dedicated (isolated) computing environment?

3) If a sensitive application system is to run in a shared environment, are the other application systems with which it will share resources identified and agreed?

A.11.7 Mobile Computing and Teleworking

A.11.7.1 Mobile Computing and communications Medium Policy for use of mobile computing facility

1) Is a formal policy in place to ensure that special care is taken when using mobile computing facilities (e.g.: notebooks, palmtops, laptops and mobile phones)?

2) What controls are in place to protect mobile computing systems?

A.11.7.2 Teleworking Medium Authorization records for any teleworking facility

1) Is all teleworking (i.e.: working from a remote external fixed location) authorized by management and specifically controlled to ensure a suitable level of protection?

2) What controls are in place to protect teleworking facilities?

A.12 Information systems acquisition, development and maintenance

A.12.1 Security requirements of information systems

A.12.1.1 Security requirements analysis and specification High Requirements specification

Acquisition and procurement policy and procedure

1) Do the statements of business requirements for new systems or enhancements to existing systems specify the requirements for security controls?

2) Is there a well defined acquisition and procurement process in place?

3) Do contracts with the supplier address the identified security requirements?

A.12.2 Correct processing in applications

A.12.2.1 Input Data Validation High Application audit report

1) Is data input to application systems subject to sufficient validation control to ensure completeness and accuracy?

2) Are the following included in validation checks?

- Out-of-range Values

- Invalid characters

- Missing or incomplete data

- Exceeding data volume limits

- Unauthorized or inconsistent control data

3) Is there a procedure to conduct periodic reviews of the content of key fields or data files?

4) Is there a procedure to inspect hard-copy input documents for any unauthorized changes to input data?

5) Are there procedures for responding to validation errors?

6) Are there procedures for testing the plausibility of the input data?

7) Are the responsibilities of all the personnel involved in the data input process clearly defined?

8) Is there a log of the activities involved in the data input process?
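The A.12.2.1 validation checks listed under question 2 (out-of-range values, invalid characters, missing data, volume limits, unauthorized or inconsistent control data), run over a constructed payment batch. This is an added Python example, not code from the checklist or from Paladion; the record layout, limits and submitter allow-list are assumptions.

```python
import logging
import re
from decimal import Decimal, InvalidOperation

log = logging.getLogger("input-validation")   # A.12.2.1 q8: log of data-input activity

# Assumed limits and layout for the illustration (not taken from the checklist)
MAX_RECORDS = 1000                  # data volume limit per batch
MAX_FIELD_LENGTH = 64               # data volume limit per field
AMOUNT_MIN = Decimal("0.01")        # permitted range for 'amount'
AMOUNT_MAX = Decimal("10000.00")
REQUIRED_FIELDS = ("id", "payee", "amount")
ID_PATTERN = re.compile(r"^[A-Z0-9-]{1,20}$")
AUTHORIZED_SUBMITTERS = {"ops-batch", "finance-batch"}   # constructed allow-list


def to_decimal(value):
    """Parse a monetary field; None means it was not a well-formed number."""
    try:
        return Decimal(str(value))
    except InvalidOperation:
        return None


def validate_batch(batch):
    """Return (location, check, detail) findings; an empty list means the batch passed."""
    findings = []
    control = batch.get("control", {})
    records = batch.get("records", [])

    if len(records) > MAX_RECORDS:                         # exceeding data volume limits
        findings.append(("batch", "volume", f"{len(records)} records exceeds {MAX_RECORDS}"))

    total = Decimal("0")
    for i, rec in enumerate(records):
        loc = f"record[{i}]"
        for field in REQUIRED_FIELDS:                      # missing or incomplete data
            if rec.get(field) in (None, ""):
                findings.append((loc, "missing", f"field '{field}' absent or empty"))
        for field, value in rec.items():                   # per-field volume limit
            if isinstance(value, str) and len(value) > MAX_FIELD_LENGTH:
                findings.append((loc, "volume", f"field '{field}' longer than {MAX_FIELD_LENGTH}"))
        ident = rec.get("id")                              # invalid characters
        if ident and not ID_PATTERN.match(str(ident)):
            findings.append((loc, "invalid_chars", f"id {ident!r} outside [A-Z0-9-]"))
        if any(ord(c) < 32 for c in str(rec.get("payee") or "")):
            findings.append((loc, "invalid_chars", "payee contains control characters"))
        raw = rec.get("amount")
        if raw in (None, ""):
            continue                                       # already reported as missing
        amount = to_decimal(raw)
        if amount is None:
            findings.append((loc, "invalid_chars", f"amount {raw!r} is not numeric"))
            continue
        if not AMOUNT_MIN <= amount <= AMOUNT_MAX:         # out-of-range values
            findings.append((loc, "out_of_range", f"amount {amount} outside {AMOUNT_MIN}..{AMOUNT_MAX}"))
        total += amount

    # unauthorized or inconsistent control data (batch header vs. actual content)
    if control.get("submitter") not in AUTHORIZED_SUBMITTERS:
        findings.append(("control", "unauthorized", f"submitter {control.get('submitter')!r} not on allow-list"))
    if control.get("record_count") != len(records):
        findings.append(("control", "inconsistent", f"record_count {control.get('record_count')!r} vs {len(records)} records"))
    declared = to_decimal(control.get("amount_total"))
    if declared is None or declared != total:
        findings.append(("control", "inconsistent", f"amount_total {control.get('amount_total')!r} vs computed {total}"))

    log.info("batch from %r: %d records, %d findings", control.get("submitter"), len(records), len(findings))
    return findings


CLEAN_BATCH = {   # constructed sample that should pass every check
    "control": {"submitter": "ops-batch", "record_count": 2, "amount_total": "10250.50"},
    "records": [
        {"id": "INV-1001", "payee": "Acme Ltd", "amount": "250.50"},
        {"id": "INV-1002", "payee": "Acme Ltd", "amount": "10000.00"},
    ],
}

BAD_BATCH = {     # constructed sample with one violation of each kind
    "control": {"submitter": "unknown-user", "record_count": 2, "amount_total": "99.00"},
    "records": [
        {"id": "inv 1", "payee": "Acme Ltd", "amount": "-5.00"},   # bad id, amount below range
        {"id": "INV-2", "payee": "", "amount": "20.00"},            # missing payee
        {"id": "INV-3", "payee": "X" * 70, "amount": "abc"},        # oversize field, non-numeric amount
    ],
}
```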

A.12.2.2 Control of Internal Processing High Application audit report

1) Is data validated throughout the processing cycle?

2) Are there session or batch controls to reconcile data file balances after transaction updates?

3) Are there balancing controls to check the opening balances against previous closing balances?

4) Is there validation of system generated data?

5) Is a hash total of records and files maintained?

6) Are there checks to ensure that application programs are run at the correct time?

7) Are there checks to ensure that programs are run in the correct order?

8) Is all vendor supplied software maintained at a level supported by the supplier and does any upgrade decision take into account the security of the new release?

9) Are there checks on the integrity of data or software transferred?

A.12.2.3 Message Integrity High Application audit report

1) Are controls implemented to ensure authenticity and protection of message integrity in applications?

A.12.2.4 Output Data Validation High Application audit report

1) Is data output from application systems validated to ensure that the processing of stored information is correct and appropriate to the circumstances?

2) Are plausibility checks done to test whether the output data is reasonable?

3) Are there reconciliation control counts to ensure that all data is processed?

4) Is there sufficient documentation for a reader or for subsequent processing?

5) Is the responsibility of all personnel involved in the data output process defined?

6) Is there a log of activities in the data output validation process?

A.12.3 Cryptographic controls

A.12.3.1 Policy on the use of Cryptographic Controls High

Cryptography policy and procedures

List of cryptographic technologies in use

1) Is risk assessment used to determine whether cryptographic control is appropriate?

2) Is a policy in place to cover the use of cryptographic controls for protection of information?

3) Does the policy consider management's approach towards the use of cryptographic controls?

4) Does the policy cover key management?

5) Are the responsibilities of key management and policy implementation defined?

1) When identifying the level of cryptographic protection, which of the following are taken into account?

- Type and quality of algorithm

- Length of keys

- National and regulatory restrictions

- Export and import controls

2) What are the mechanisms used for preventing clear text traffic flowing through internet?

3) What are the mechanisms used for preventing clear text traffic flowing through branch offices?

4) What kind of protection is taken against the storage of passwords in clear text?

5) Does the application store the password in clear text?

6) If proprietary encryption algorithms are used, have their strength and integrity been certified by an authorized evaluation agency?

7) Where digital signatures are employed, is appropriate care taken to protect the integrity and confidentiality of the private key?

8) Are the cryptographic keys used for digital signatures different to those used for encryption?

9) Has full consideration been given to legislative issues with respect to the status and use of digital signatures?

10) Has the use of non-repudiation services been considered where it might be necessary to resolve disputes about the occurrence or non-occurrence of an event or action?

12.3.2 Key Management High Key management procedure

1) Is there a well defined key management procedure in place to support the organization’s use of cryptographic techniques?

2) Does the key management procedure take care of the following?

- generating keys for different cryptographic systems and different applications

- generating and obtaining public key certificates

- distributing keys to intended users

- storing keys

- changing or updating keys

- dealing with compromised keys

- revoking keys

- recovering keys that are lost or corrupted

- archiving keys

- destroying keys

- logging and auditing of key management related activities

12.4 Security of system files

12.4.1 Control of Operational Software High

Software development policy and procedure

Software version control system

Escrow arrangements

1) Is strict control maintained over the implementation of software on operational systems?

2) Is the updating of the operational program libraries performed only by the nominated librarian with proper management authorization?

3) What is the process for version management?

4) Is an audit log of all updates to operational program libraries maintained?

5) Are the previous versions of software retained as a contingency measure?

6) Has the organization entered into an escrow agreement with anyone? Does it insist on escrow agreements when it outsources application development to a third party?

7) What controls have been deployed to ensure that code check-in and version changes are carried out only by authorized individuals?

8) Is the access given to the suppliers for support purposes with the management’s approval and is it monitored?

9) Are tools available in the production application environment that would allow data to be altered without the production of an audit trail?

10) Is development code or compilers available on operational systems?

12.4.2 Protection of System Test Data High

Software development policy and procedure

Approval records for using operational data for testing

1) Is system test data subject to appropriate protection and controls?

2) Are the access control procedures that apply to operational application systems applied to test application systems as well?

3) Is there a separate authorization each time operational information is copied to a test application system?

4) Is the operational information erased from a test application system immediately after the testing is complete?

5) Is the copying and use of operational information logged to provide an audit trail?

6) Is sensitive data masked before testing?

12.4.3 Access Control to Program Source Code High Software development policy and procedure

Software version control system

1) Are program source libraries held with operational systems?

2) Is a program librarian nominated for each application?

3) Does IT support staff have restricted access to program source libraries?

4) Are programs under development or maintenance separated from operational program source libraries?

5) Are program listings held in a secure environment?

6) Is an audit log of all accesses to program source libraries maintained?

7) Are old versions of source program archived together with all supporting software, job control, data definitions and procedures?

12.5 Security in development and support processes

12.5.1 Change Control Procedures High Change control policy and procedure

Change control records

1) Are there formal change control procedures governing the implementation of changes to systems?

2) Is there a record maintained of agreed authorization levels?

3) Is there a process to ensure that changes can be submitted by authorized users only?

4) Are security controls reviewed to ensure that they will not be compromised by changes?

5) Is there a process to identify all computer software, information, database entries and hardware that will require amendment?

6) Is there a process to obtain formal approval for detailed proposals before work commences?

7) Is there a process to ensure that authorized users accept the changes before any implementation?

8) Is it ensured that the implementation is carried out with minimum business disruption?

9) Is a record of all software updates maintained?

10) Is an audit trail of all change requests maintained?

11) Is a rollback plan available for the changes?

12) After a change, is the relevant documentation updated?

13) Is there a procedure to handle emergency changes? Is it later authorized and subjected to change control procedure?

14) Is there a verification of the changes that have taken place?

12.5.2 Technical review of applications after Operating System Changes Medium Review reports

1) Is the security impact of operating system changes reviewed to ensure that changes do not have an adverse impact on applications?

2) Does the review check the application control and integrity procedures to ensure that they have not been compromised by operating system changes?

3) Does the annual support plan and budget cover reviews and system testing resulting from operating system changes?

4) Is the notification of operating system changes provided in time to allow for reviews to take place before implementation?

5) Are the operating system changes reflected in the business continuity plan?

12.5.3 Restrictions on Changes to Software Packages Medium Software development policy and procedure

Change control records

1) Are vendor-supplied packages used (as far as possible) without modification?

2) Is it checked if the built-in controls or the integrity processes are being compromised while modifying a software package?

3) Is the consent of the vendor taken to modify a package if necessary?

4) Is a risk assessment done prior to changing the package?

12.5.4 Information leakage High

Application/ source code audit report

Monitoring policy and procedure

Monitoring reports

1) When procuring programs/software, are appropriate steps taken to minimize the risk of inclusion of covert channels and Trojan code?

2) Are programs bought from a reputable source only?

3) Are the following requirements considered for limiting the risk of information leakage?

- Scanning of outbound media and communication for hidden information

- Monitoring resource usage in computer systems

4) Are only evaluated products used?

5) Is all source code inspected before operational use?

6) Is the access and modification to source code controlled?

7) Are staff of proven trust used to work on key systems?

8) Are personnel and system activities regularly monitored?

12.5.5 Outsourced Software Development High

Software development policy and procedure

Agreements/ Contracts/ NDA/ SLA

1) Are licensing arrangements, code ownership and intellectual property rights taken care of when software development is outsourced?

2) Is certification of the quality and accuracy of the work carried out obtained?

3) Is there a right of access for audit of the quality and accuracy of work done?

4) Are there contractual requirements for quality of code?

5) Is there testing before installation to detect malicious or Trojan code?

6) Who owns the intellectual property of the code? Are Escrow arrangements in place where required?

7) Have developers been trained in programming techniques that provide for more secure applications?

12.6 Technical Vulnerability Management

12.6.1 Control of technical vulnerabilities High

Vulnerability assessment reports

Penetration testing reports

Roles and responsibilities for technical vulnerability management

1) Is there any vulnerability assessment carried out for the Servers, Network Devices and Security Devices?

2) What is the periodicity of such vulnerability assessments?

3) Is there any patch management system deployed for efficient and timely deployment of patches on the Operating Systems?

4) Are roles and responsibilities associated with technical vulnerability management defined and established?

5) How is timely information for published vulnerabilities obtained?

6) Is there a well defined patch management procedure in place?

13 Information security incident management

13.1 Reporting information security events and weaknesses

13.1.1 Reporting information security events High Incident management policy and procedures

Incident management records

1) Are there formal procedures for reporting information security incidents?

2) Are all users informed of formal procedures for reporting the different types of security incident?

3) Is contact information for reporting an incident readily accessible to users/administrators?

4) Is there a feedback process to notify the informant about the results after the incident is dealt?

5) Does the incident response team prepare a report for each incident reported/occurred?

6) Is there a report for action taken in rectifying the incident?

7) Is a time frame defined for the incident response team to conduct an investigation?

8) Are incidents reported to senior management?

13.1.2 Reporting security weaknesses High Incident management policy and procedures

Incident management records

1) Are there formal procedures defined for reporting security weaknesses?

2) Are all employees, contractors and third party users required and trained to note and report any observed or suspected security weaknesses in systems or services?

13.2 Management of information security incidents and improvements

13.2.1 Responsibilities and procedures High Incident management policy and procedures

Incident management records

1) Are the management responsibilities and procedures to ensure a quick, effective and orderly response to information security incidents defined?

2) Does the incident management procedure incorporate the following guidelines:

- procedures for handling different types of security incidents

- analysis and identification of the cause of the incident

- containment

- planning and implementation of corrective action

- collection of audit trails and other evidence

- action to recover from security breaches and correct system failures

- reporting the action to the appropriate authority

3) Are all potential types of security incidents covered by the procedures?

4) Are actions and authority to recover from incidents defined?

5) Are recovery mechanisms tested? Are people familiar with the process?

13.2.2 Learning from information security incidents High Incident management policy and procedures

Incident management records

1) How is learning from security incidents incorporated so as to prevent its reoccurrence?

2) Are there mechanisms in place to quantify and monitor incidents by type, volume and cost, so as to learn from them?

13.2.3 Collection of evidence High Incident management policy and procedures

Incident management records

1) Are the rules for evidence laid down by the relevant law or court identified, to ensure admissibility of evidence in case of an incident?

2) Is a procedure developed with instructions for collecting and presenting evidence for the purposes of disciplinary action?

14 Business Continuity Management

14.1 Information security aspects of business continuity management

14.1.1 Including information security in the Business Continuity Management Process High

Business Continuity Policy/Procedure

Risk assessment results

1) Is there a managed process in place for developing and maintaining business continuity across the Company?

2) Does the process include risk analysis of critical business processes?

3)

4) Are responsibilities and emergency arrangements identified and agreed?

5) Is the business continuity strategy consistent with the agreed business objectives and priorities?

14.1.2 Business Continuity and risk assessment High Business Continuity Policy/Procedure

Risk assessment results

1) Is a risk assessment carried out for business processes?

2) Is the risk assessment procedure well defined?

3) Does the risk assessment identify events that can cause interruptions to business processes, along with the probability and impact of such interruptions and their consequences for information security?

14.1.3 Developing and implementing continuity plans including information security High

Business Continuity Policy/Procedure

BCP test plan and results

Training plan and records

1) Have continuity plans been developed to maintain or restore business operations in the required time scales following interruptions to, or failure of, critical business processes?

2) Are all responsibilities and emergency procedures identified and agreed upon?

3) Are the agreed procedures documented?

4) Is the staff trained in the agreed procedures?

5) Are documented procedures tested periodically?

14.1.4 Business Continuity Planning Framework High Business Continuity Policy/Procedure

1) Is a single framework maintained to ensure that all plans are consistent and to identify priorities for testing and maintenance?

2) Does each business continuity plan specify the conditions for its activation as well as the individuals responsible for executing each component of the plan?

3) Are emergency procedures with detailed actions identified?

4) Are fallback, temporary and resumption operational procedures identified?

5) Is there a maintenance schedule to specify how and when the plan will be tested?

6) Are responsibilities of all individuals involved in the plan well documented?

7) Are all assets and resources required to perform the emergency, fallback and resumption procedures identified?

8) Are sufficient awareness, education, and training activities carried out?

14.1.5 Testing, maintaining and re-assessing business continuity plans High BCP test plan and results

Training plan and records

1) At what interval (in months) is the business continuity plan tested?

2) Are a variety of techniques (table-top testing, simulations, technical recovery testing, testing recovery at an alternate site, tests of supplier facilities and services, complete rehearsals) used to provide assurance that the plan will operate in real life?

3) Does the business continuity process include reviewing and updating the plan to ensure continued effectiveness?

4) Are the business continuity plans reviewed under the following circumstances?

- Acquisition of new equipment

- Upgrading of operational systems

- Changes in personnel, addresses or telephone

- Changes in business strategy

- Changes in location, facilities, resources

- Changes in legislation

- Changes in contractors, suppliers, customers

- Changes in processes

- Changes in risk

5) Are third-party providers involved in the test exercises?

15 Compliance

15.1 Compliance with legal requirements

15.1.1 Identification of Applicable Legislation High List of statutory, regulatory and contractual requirements

1) Are all relevant statutory, regulatory and contractual requirements explicitly defined and documented for each information system?

2) Are specific controls and individual responsibilities to meet these requirements defined and documented?

15.1.2 Intellectual Property Rights High License keys/ agreements

1) Are there procedures/instructions in place to guide staff on the use of material for which there may be intellectual property rights, including disciplinary action for breach?

2) Are applicable legislative, regulatory, and contractual requirements considered while complying with IPR?

3) Is a software copyright compliance policy published that defines the legal use of software and information products?

4) Are appropriate asset registers maintained?

5) Is proof and evidence of ownership of licenses, master disks, manuals, etc. maintained?

6) Are controls implemented to check whether the maximum number of users permitted is not exceeded?

7) Are checks carried out to see that only authorized software and licensed products are installed?

8) Is there a policy for maintaining appropriate license conditions?

9) Is there a policy for disposing or transferring software to others?

10) Are appropriate audit tools used?

11) Are terms and conditions for software and information obtained from public networks complied with?

15.1.3 Protection of Organizational Records High

1) Are important organizational records safeguarded from loss, destruction or falsification, considering the legislative or regulatory environment within which the organization operates?

2) Are records categorized into various types (accounting records, database records, etc.)?

3) Are guidelines issued on the retention, storage, handling and disposal of records and information?

4) Is a retention schedule drawn up identifying the essential record types and the period of time for which they should be retained?

5) Is an inventory of sources of key information maintained?

15.1.4 Data Protection and Privacy of Personal Information High Data privacy policy/ procedure

1) Are data protection and privacy requirements in relevant legislations, regulations and contractual clauses identified?

2) How does the organization comply with data protection and privacy requirements?

15.1.5 Prevention of Misuse of Information Processing Facilities Medium

1) Are there procedures and controls in place to ensure that the organization's IT facilities are used only for authorized business purposes, and are not subject to misuse?

2) Are all users aware of the precise scope of their permitted access and of the monitoring in place to detect unauthorized use?

3) Does a warning message appear at the log-on process indicating that unauthorized access is not permitted?

15.1.6 Regulation of Cryptographic Controls High

1) Are the requirements regarding use of cryptography in relevant regulations, laws and agreements identified?

2) Is legal advice sought before cryptographic controls are implemented?

15.2 Compliance with security policies and standards and technical compliance

15.2.1 Compliance with Security Policies and Standards High Compliance audit reports

1) Are the information systems, service providers, owners, users and management subject to regular review to ensure that they are in compliance with Company security policies and applicable standards?

2) How are non-compliances analyzed, treated, tracked, closed and reviewed?

15.2.2 Technical Compliance Checking High

Vulnerability assessment reports

Penetration testing reports

Application security testing reports

1) Are information systems regularly checked for compliance with security implementation standards?

2) What are the different kinds of audits that are carried out for technical compliance checking?

3) How are vulnerabilities identified in technical audit tracked and fixed?

15.3 Information system audit considerations

15.3.1 Information System Audit Controls Medium Audit plan, schedule, methodology, organization structure

1) Are audits of operational systems planned, agreed and carried out in a controlled manner (minimizing the risk of disruption to the business process)?

2) Are audit requirements agreed with appropriate management?

3) Is the scope of the audit agreed and controlled?

4) Are the checks limited to read-only access to software and data?

5) Are accesses other than read-only erased when the audit is completed?

6) Are IT resources for performing the audit explicitly identified and made available?

7) Are requirements for additional processing identified and agreed?

8) Are all accesses monitored and logged to produce an audit trail?

9) Are all procedures, requirements and responsibilities documented?

10) Are the person(s) carrying out the audit independent of the activities audited?

15.3.2 Protection of information system audit tools Medium

1) Are audit tools (software or data files) safeguarded so as to prevent any possible misuse?

2) Are system audit tools held separate from development and operational systems, and not kept in tape libraries or user areas?
