4.1a | Has the organization determined external and internal issues that are relevant to and affect the ISMS' ability to achieve its intended outcomes? | |
4.2a | Has the organization identified interested parties relevant to the ISMS, their relevant requirements and which of these will be addressed by the ISMS? | |
4.3a | Has the organization determined the scope of its ISMS? | |
4.4a | Does the organization establish, implement, maintain and continually improve an ISMS in accordance with the requirements of ISO/IEC 27001:2022? | |
5.1a | Are the objectives of the ISMS compatible with the organization's strategic direction and mission? | |
5.2a | Is an Information Security Policy available and appropriate to the purpose and context of the organization and does it support the strategic direction of the company? | |
5.3a | Has the organization's top management established, and does it support, a mechanism for communicating responsibilities and authorities for roles relevant to information security within the organization? | |
6.1a | Has the organization defined and applied an information security risk assessment process? | |
6.1b | Does the organization have a documented risk treatment process? | |
6.1c | Has the organization produced a Statement of Applicability (SoA)? | |
6.2a | Has the organization established information security objectives at applicable functions and levels within the business and are they consistent with the Information Security Policy? | |
6.3a | When the organization determines the need for changes to the information security management system, are the changes carried out in a planned manner? | |
7.1a | Has the organization determined and does it provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the ISMS? | |
7.2a | Has the organization determined the necessary competence of person(s) doing work under its control that affects its information security performance? | |
7.3a | Are the organization's employees made aware of the Information Security Policy? | |
7.4a | Has the organization determined the need for internal and external communications relevant to the ISMS? | |
7.5a | Does the organization's ISMS include documented information as required by ISO/IEC 27001:2022? | |
7.5b | Is documented information required by the ISMS and ISO/IEC 27001:2022 controlled? | |
8.1a | Has the organization planned, implemented and does it control the processes needed to meet requirements, and to implement the actions determined in Clause 6 (Planning)? | |
8.2a | Does the organization perform information security risk assessments at planned intervals or when significant changes are proposed or occur? | |
8.3a | Has the organization implemented an information security risk treatment plan? | |
9.1a | Has the organization determined what needs to be monitored and measured, including information security processes and controls? | |
9.2a | Does the organization conduct internal audits of its ISMS at planned intervals? | |
9.2b | Has the organization planned, established, implemented and does it maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting? | |
9.3a | Does the organization's top management review the ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness? | |
9.3b | Do the results of management reviews include decisions related to continual improvement opportunities and any needs for changes to the ISMS? | |
10.1a | Does the organization continually improve the suitability, adequacy and effectiveness of its ISMS? | |
10.2a | When a nonconformity occurs, does the organization react to the nonconformity, and as applicable take action to control and correct it? | |
5.1a | Have an Information Security policy and topic-specific policies been defined, approved by management and published? | |
5.1b | Have the Information Security policy and topic-specific policies been communicated to and acknowledged by relevant personnel and relevant interested parties? | |
5.1c | Are the Information Security policy and topic-specific policies reviewed at planned intervals and if significant changes occur? | |
5.2 | Have Information Security roles and responsibilities been defined and allocated according to organizational needs? | |
5.3 | Are conflicting duties and conflicting areas of responsibility segregated? | |
5.4 | Does management require all personnel to apply Information Security in accordance with the established Information Security policy, topic-specific policies and procedures of the organization? | |
5.5 | Does the organization maintain contact with relevant authorities? | |
5.6 | Does the organization maintain contact with special interest groups or other specialist security forums and professional associations? | |
5.7a | Is information relating to information security threats collected and analysed to produce threat intelligence? | |
5.7b | Does the organization categorize threats at the strategic, tactical and operational levels? | |
5.7c | Does the organization share threat intelligence with other organizations on a mutual basis in order to improve overall threat intelligence? | |
5.8a | Does the organization integrate information security into project management? | |
5.8b | Are information security risks assessed and treated at an early stage and periodically as part of project risks throughout the project life cycle? | |
5.8c | Are information security requirements determined for all types of projects? | |
5.9a | Has an inventory of information and other associated assets, including owners, been developed and maintained? | |
5.9b | Is the inventory of information and other associated assets accurate, up to date, consistent and aligned with other inventories? | |
5.9c | Is the location of assets included in the inventory? | |
5.9d | Are assets classified in accordance with the organization's classification scheme? | |
5.9e | Is ownership of assets assigned when the assets are created or when assets are transferred? | |
5.9f | Is asset ownership reassigned when asset owners leave or change job roles? | |
5.10a | Have rules for the acceptable use and procedures for handling information and other associated assets been identified, documented and implemented? | |
5.10b | Has the organization established a topic-specific policy on the acceptable use of information and other associated assets and communicated it to anyone who uses or handles information and other associated assets? | |
5.10c | Has the organization developed and implemented acceptable use procedures? | |
5.11a | Do personnel and other interested parties return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement? | |
5.11b | Does the organization clearly identify and document all the information and other associated assets that should be returned? | |
5.12a | Is information classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements? | |
5.12b | Has the organization established a topic-specific policy on information classification and communicated it to all relevant interested parties? | |
5.12c | Does the organization's information classification scheme take into account requirements for confidentiality, integrity and availability? | |
5.12d | Is the classification scheme consistent across the whole organization? | |
5.13a | Has the organization developed and implemented an appropriate set of procedures for information labelling in accordance with the information classification scheme? | |
5.13b | Are personnel and other interested parties made aware of labelling procedures? | |
5.14a | Are information transfer rules, procedures, or agreements in place for all types of transfer facilities within the organization and between the organization and other parties? | |
5.14b | Has the organization established and communicated a topic-specific policy on information transfer to all relevant interested parties? | |
5.15a | Have rules to control physical and logical access to information and other associated assets been established and implemented based on business and information security requirements? | |
5.15b | Has the organization established and implemented a topic-specific policy for access control? | |
5.16 | Does the organization manage the full life cycle of identities? | |
5.17a | Is the allocation and management of authentication information controlled by a management process? | |
5.17b | Does the allocation and management of authentication information include advising personnel on the appropriate handling of authentication information? | |
5.17c | Are personnel who have access to or use authentication information advised of their responsibilities? | |
5.17d | Does the organization have a password management system in place? | |
5.18a | Are access rights to information and other associated assets provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control? | |
5.18b | Does the organization have a process for the review of access rights? | |
5.19 | Have processes and procedures been defined and implemented to manage the information security risks associated with the use of supplier’s products or services? | |
5.20 | Have the relevant information security requirements been established and agreed with each supplier based on the type of supplier relationship? | |
5.21 | Have processes and procedures been defined and implemented to manage the information security risks associated with the ICT products and services supply chain? | |
5.22 | Does the organization regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery? | |
5.23a | Have processes for acquisition, use, management and exit from cloud services been established in accordance with the organization’s information security requirements? | |
5.23b | Has the organization established and communicated topic-specific policy on the use of cloud services to all relevant interested parties? | |
5.24a | Has the organization established appropriate information security incident management processes? | |
5.24b | Has the organization defined roles and responsibilities for the information security incident management process? | |
5.25 | Does the organization have a categorization and prioritization scheme of information security incidents? | |
5.26 | Are information security incidents responded to in accordance with documented procedures? | |
5.27 | Has the organization established procedures to quantify and monitor the types, volumes and costs of information security incidents? | |
5.28 | Has the organization established and implemented procedures for the identification, collection, acquisition and preservation of evidence related to information security events? | |
5.29 | Does the organization determine its requirements for adapting information security controls during disruption? | |
5.30a | Has ICT readiness been planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements? | |
5.30b | Has the organization conducted a Business Impact Analysis (BIA) to determine ICT continuity requirements? | |
5.31 | Have legal, statutory, regulatory and contractual requirements relevant to information security been identified, documented and are they kept up to date? | |
5.32 | Has the organization implemented appropriate procedures to protect intellectual property rights? | |
5.33a | Does the organization protect records from loss, destruction, falsification, unauthorized access and unauthorized release? | |
5.33b | Does the organization use data storage systems that allow records to be retrieved in an acceptable time frame and format? | |
5.34a | Has the organization identified and met the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements? | |
5.34b | Has the organization established and communicated a topic-specific policy on privacy and protection of PII to all relevant interested parties? | |
5.35 | Does the organization have processes in place to conduct independent reviews? | |
5.36 | Does the organization have a process for how to review that information security requirements defined in the information security policy, topic-specific policies, rules, standards and other applicable regulations are met? | |
5.37 | Are operating procedures for information processing facilities documented and made available to personnel who need them? | |
6.1a | Are background verification checks carried out on personnel prior to their joining the organization? | |
6.1b | Are background verification checks carried out on an ongoing basis to take into consideration applicable laws, regulations and ethics? | |
6.1c | Are background verification checks proportional to the business requirements, the classification of the information to be accessed and the perceived risks? | |
6.2 | Do employment contracts state the personnel's and organization's responsibilities for information security? | |
6.3a | Do personnel and relevant interested parties receive appropriate information security awareness, education and training? | |
6.3b | Do personnel and relevant interested parties receive regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function? | |
6.4a | Does the organization have a formalized disciplinary policy? | |
6.4b | Does the organization take action against personnel and other relevant interested parties who have committed an information security policy violation? | |
6.5 | Are information security responsibilities and duties that remain valid after termination or change of employment defined, enforced and communicated to relevant personnel and other interested parties? | |
6.6a | Have confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information been identified and documented? | |
6.6b | Are confidentiality or non-disclosure agreements regularly reviewed? | |
6.6c | Are confidentiality or non-disclosure agreements signed by personnel and other relevant interested parties? | |
6.7a | Have security measures been implemented for personnel who work remotely? | |
6.7b | Do remote working security measures adequately protect information accessed, processed or stored outside the organization’s premises? | |
6.8 | Has the organization established a mechanism for reporting observed or suspected information security events through appropriate channels in a timely manner? | |
7.1 | Are security perimeters defined and used to protect areas that contain information and other associated assets? | |
7.2 | Are secure areas protected by appropriate entry controls and access points? | |
7.3 | Is physical security for offices, rooms and facilities designed and implemented? | |
7.4 | Are premises continuously monitored for unauthorized physical access? | |
7.5 | Is protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure, designed and implemented? | |
7.6 | Are security measures for working in secure areas designed and implemented? | |
7.7 | Are clear desk rules for papers and removable storage media and clear screen rules for information processing facilities defined and appropriately enforced? | |
7.8 | Is equipment sited securely and protected? | |
7.9 | Are off-site assets protected? | |
7.10 | Is storage media managed through its life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements? | |
7.11 | Are information processing facilities protected from power failures and other disruptions caused by failures in supporting utilities? | |
7.12 | Are cables carrying power, data or supporting information services protected from interception, interference or damage? | |
7.13 | Is equipment maintained correctly to ensure availability, integrity and confidentiality of information? | |
7.14 | Are items of equipment containing storage media verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use? | |
8.1 | Is information stored on, processed by or accessible via user end point devices protected? | |
8.2 | Are the allocation and use of privileged access rights restricted and managed? | |
8.3 | Is access to information and other associated assets restricted in accordance with the established topic-specific policy on access control? | |
8.4 | Is read and write access to source code, development tools and software libraries appropriately managed? | |
8.5 | Has the organization implemented secure authentication technologies and procedures based on information access restrictions and the topic-specific policy on access control? | |
8.6 | Is the use of resources monitored and adjusted in line with current and expected capacity requirements? | |
8.7a | Has the organization implemented protection against malware? | |
8.7b | Is the organization's approach to malware protection supported by appropriate user awareness? | |
8.8a | Is information about technical vulnerabilities of information systems in use obtained? | |
8.8b | Does the organization evaluate its exposure to technical vulnerabilities and take appropriate measures? | |
8.9a | Have configurations, including security configurations, of hardware, software, services and networks been established, documented and implemented? | |
8.9b | Are configurations, including security configurations, of hardware, software, services and networks monitored and reviewed? | |
8.10 | Is information stored in information systems, devices or in any other storage media deleted when no longer required? | |
8.11 | Is data masking used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration? | |
8.12 | Are data leakage prevention measures applied to systems, networks and any other devices that process, store or transmit sensitive information? | |
8.13 | Are backup copies of information, software and systems maintained and regularly tested in accordance with the agreed topic-specific policy on backup? | |
8.14 | Are information processing facilities implemented with redundancy sufficient to meet availability requirements? | |
8.15 | Are logs that record activities, exceptions, faults and other relevant events produced, stored, protected and analysed? | |
8.16a | Does the organization monitor networks, systems and applications for anomalous behaviour and evaluate potential information security incidents? | |
8.16b | Does the organization take the appropriate actions when information security incidents are identified? | |
8.17 | Are the clocks of information processing systems used by the organization synchronized to approved time sources? | |
8.18 | Is the use of utility programs capable of overriding system and application controls restricted and tightly controlled? | |
8.19 | Has the organization implemented procedures and measures to securely manage software installation on operational systems? | |
8.20 | Are networks and network devices secured, managed and controlled to protect information in systems and applications? | |
8.21 | Are security mechanisms, service levels and service requirements of network services identified, implemented and monitored? | |
8.22 | Does the organization segregate groups of information services, users and information systems in the organization’s networks? | |
8.23 | Is access to external websites managed to reduce exposure to malicious content? | |
8.24 | Are rules for the effective use of cryptography, including cryptographic key management, defined and implemented? | |
8.25 | Has the organization established and applied rules for the secure development of software and systems? | |
8.26 | Are information security requirements identified, specified and approved when developing or acquiring applications? | |
8.27 | Are principles for engineering secure systems established, documented, maintained and applied to any information system development activities? | |
8.28 | Does the organization apply secure coding principles to software development? | |
8.29 | Are security testing processes defined and implemented in the development life cycle? | |
8.30 | Does the organization direct, monitor and review the activities related to outsourced system development? | |
8.31 | Are development, testing and production environments separated and secured? | |
8.32 | Are changes to information processing facilities and information systems subject to change management procedures? | |
8.33 | Is test information appropriately selected, protected and managed? | |
8.34 | Are audit tests and other assurance activities involving assessment of operational systems planned and agreed between the tester and appropriate management? | |