ISO 27001 - 2022 Gap Analysis

Clauses 4 to 10 (ISMS requirements)

Control ID | Control Question | Status
4.1a | Has the organization determined external and internal issues that are relevant to and affect the ISMS' ability to achieve its intended outcomes? |
4.2a | Has the organization identified interested parties relevant to the ISMS, their relevant requirements and which of these will be addressed by the ISMS? |
4.3a | Has the organization determined the scope of its ISMS? |
4.4a | Has the organization established, implemented and maintained, and does it continually improve, an ISMS in accordance with the requirements of ISO/IEC 27001:2022? |
5.1a | Are the objectives of the ISMS compatible with the organization's strategic direction and mission? |
5.2a | Is an Information Security Policy available and appropriate to the purpose and context of the organization, and does it support the strategic direction of the company? |
5.3a | Has the organization's top management established, and is it supportive of, a mechanism for communicating responsibilities and authorities for roles relevant to information security within the organization? |
6.1a | Has the organization defined and applied an information security risk assessment process? |
6.1b | Does the organization have a documented risk treatment process? |
6.1c | Has the organization produced a Statement of Applicability (SoA)? |
6.2a | Has the organization established information security objectives at applicable functions and levels within the business, and are they consistent with the Information Security Policy? |
6.3a | When the organization determines the need for changes to the information security management system, are the changes carried out in a planned manner? |
7.1a | Has the organization determined, and does it provide, the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS? |
7.2a | Has the organization determined the necessary competence of person(s) doing work under its control that affects its information security performance? |
7.3a | Are the organization's employees made aware of the Information Security Policy? |
7.4a | Has the organization determined the need for internal and external communications relevant to the ISMS? |
7.5a | Does the organization's ISMS include documented information as required by ISO/IEC 27001:2022? |
7.5b | Is documented information required by the ISMS and ISO/IEC 27001:2022 controlled? |
8.1a | Has the organization planned and implemented, and does it control, the processes needed to meet requirements and to implement the actions determined in Clause 6 (Planning)? |
8.2a | Does the organization perform information security risk assessments at planned intervals or when significant changes are proposed or occur? |
8.3a | Has the organization implemented an information security risk treatment plan? |
9.1a | Has the organization determined what needs to be monitored and measured, including information security processes and controls? |
9.2a | Does the organization conduct internal audits of its ISMS at planned intervals? |
9.2b | Has the organization planned, established and implemented, and does it maintain, an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting? |
9.3a | Does the organization's top management review the organization's ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness? |
9.3b | Do the results of management reviews include decisions related to continual improvement opportunities and any needs for changes to the ISMS? |
10.1a | Does the organization continually improve the suitability, adequacy and effectiveness of its ISMS? |
10.2a | When a nonconformity occurs, does the organization react to the nonconformity and, as applicable, take action to control and correct it? |

Annex A controls

Control ID | Control Question | Status
5.1a | Have an Information Security policy and topic-specific policies been defined, approved by management and published? |
5.1b | Have the Information Security policy and topic-specific policies been communicated to and acknowledged by relevant personnel and relevant interested parties? |
5.1c | Are the Information Security policy and topic-specific policies reviewed at planned intervals and if significant changes occur? |
5.2 | Have Information Security roles and responsibilities been defined and allocated according to organizational needs? |
5.3 | Are conflicting duties and conflicting areas of responsibility segregated? |
5.4 | Does management require all personnel to apply Information Security in accordance with the established Information Security policy, topic-specific policies and procedures of the organization? |
5.5 | Does the organization maintain contact with relevant authorities? |
5.6 | Does the organization maintain contact with special interest groups or other specialist security forums and professional associations? |
5.7a | Is information relating to information security threats collected and analysed to produce threat intelligence? |
5.7b | Does the organization categorize threats at the strategic, tactical and operational levels? |
5.7c | Does the organization share threat intelligence with other organizations on a mutual basis in order to improve overall threat intelligence? |
5.8a | Does the organization integrate information security into project management? |
5.8b | Are information security risks assessed and treated at an early stage and periodically as part of project risks throughout the project life cycle? |
5.8c | Are information security requirements determined for all types of projects? |
5.9a | Has an inventory of information and other associated assets, including owners, been developed and maintained? |
5.9b | Is the inventory of information and other associated assets accurate, up to date, consistent and aligned with other inventories? |
5.9c | Is the location of assets included in the inventory? |
5.9d | Are assets classified in accordance with the organization's classification scheme? |
5.9e | Is ownership of assets assigned when the assets are created or when assets are transferred? |
5.9f | Is asset ownership reassigned when asset owners leave or change job roles? |
5.10a | Have rules for the acceptable use of, and procedures for handling, information and other associated assets been identified, documented and implemented? |
5.10b | Has the organization established a topic-specific policy on the acceptable use of information and other associated assets and communicated it to anyone who uses or handles information and other associated assets? |
5.10c | Has the organization developed and implemented acceptable use procedures? |
5.11a | Do personnel and other interested parties return all the organization's assets in their possession upon change or termination of their employment, contract or agreement? |
5.11b | Does the organization clearly identify and document all the information and other associated assets that should be returned? |
5.12a | Is information classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements? |
5.12b | Has the organization established a topic-specific policy on information classification and communicated it to all relevant interested parties? |
5.12c | Does the organization's information classification scheme take into account requirements for confidentiality, integrity and availability? |
5.12d | Is the classification scheme consistent across the whole organization? |
5.13a | Has the organization developed and implemented an appropriate set of procedures for information labelling in accordance with the information classification scheme? |
5.13b | Are personnel and other interested parties made aware of labelling procedures? |
5.14a | Are information transfer rules, procedures or agreements in place for all types of transfer facilities within the organization and between the organization and other parties? |
5.14b | Has the organization established and communicated a topic-specific policy on information transfer to all relevant interested parties? |
5.15a | Have rules to control physical and logical access to information and other associated assets been established and implemented based on business and information security requirements? |
5.15b | Has the organization established and implemented a topic-specific policy for access control? |
5.16 | Does the organization manage the full life cycle of identities? |
5.17a | Is the allocation and management of authentication information controlled by a management process? |
5.17b | Does the allocation and management of authentication information include advising personnel on the appropriate handling of authentication information? |
5.17c | Are personnel who have access to or use authentication information advised on their responsibilities? |
5.17d | Does the organization have a password management system in place? |
5.18a | Are access rights to information and other associated assets provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control? |
5.18b | Does the organization have a process for the review of access rights? |
5.19 | Have processes and procedures been defined and implemented to manage the information security risks associated with the use of suppliers' products or services? |
5.20 | Have the relevant information security requirements been established and agreed with each supplier based on the type of supplier relationship? |
5.21 | Have processes and procedures been defined and implemented to manage the information security risks associated with the ICT products and services supply chain? |
5.22 | Does the organization regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery? |
5.23a | Have processes for acquisition, use, management and exit from cloud services been established in accordance with the organization's information security requirements? |
5.23b | Has the organization established and communicated a topic-specific policy on the use of cloud services to all relevant interested parties? |
5.24a | Has the organization established appropriate information security incident management processes? |
5.24b | Has the organization defined roles and responsibilities for the information security incident management process? |
5.25 | Does the organization have a categorization and prioritization scheme for information security incidents? |
5.26 | Are information security incidents responded to in accordance with documented procedures? |
5.27 | Has the organization established procedures to quantify and monitor the types, volumes and costs of information security incidents? |
5.28 | Has the organization established and implemented procedures for the identification, collection, acquisition and preservation of evidence related to information security events? |
5.29 | Does the organization determine its requirements for adapting information security controls during disruption? |
5.30a | Has ICT readiness been planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements? |
5.30b | Has the organization conducted a Business Impact Analysis (BIA) to determine ICT continuity requirements? |
5.31 | Have legal, statutory, regulatory and contractual requirements relevant to information security been identified and documented, and are they kept up to date? |
5.32 | Has the organization implemented appropriate procedures to protect intellectual property rights? |
5.33a | Does the organization protect records from loss, destruction, falsification, unauthorized access and unauthorized release? |
5.33b | Does the organization use data storage systems that allow records to be retrieved in an acceptable time frame and format? |
5.34a | Has the organization identified and met the requirements regarding the preservation of privacy and protection of PII according to applicable laws, regulations and contractual requirements? |
5.34b | Has the organization established and communicated a topic-specific policy on privacy and protection of PII to all relevant interested parties? |
5.35 | Does the organization have processes in place to conduct independent reviews? |
5.36 | Does the organization have a process for reviewing whether the information security requirements defined in the information security policy, topic-specific policies, rules, standards and other applicable regulations are met? |
5.37 | Are operating procedures for information processing facilities documented and made available to personnel who need them? |
6.1a | Are background verification checks carried out on personnel prior to joining the organization? |
6.1b | Are background verification checks carried out on an ongoing basis, taking into consideration applicable laws, regulations and ethics? |
6.1c | Are background verification checks proportional to the business requirements, the classification of the information to be accessed and the perceived risks? |
6.2 | Do employment contracts state the personnel's and the organization's responsibilities for information security? |
6.3a | Do personnel and relevant interested parties receive appropriate information security awareness, education and training? |
6.3b | Do personnel and relevant interested parties receive regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function? |
6.4a | Does the organization have a formalized disciplinary policy? |
6.4b | Does the organization take action against personnel and other relevant interested parties who have committed an information security policy violation? |
6.5 | Are information security responsibilities and duties that remain valid after termination or change of employment defined, enforced and communicated to relevant personnel and other interested parties? |
6.6a | Have confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information been identified and documented? |
6.6b | Are confidentiality or non-disclosure agreements regularly reviewed? |
6.6c | Are confidentiality or non-disclosure agreements signed by personnel and other relevant interested parties? |
6.7a | Have security measures been implemented for personnel who work remotely? |
6.7b | Do remote working security measures adequately protect information accessed, processed or stored outside the organization's premises? |
6.8 | Has the organization established a mechanism for reporting observed or suspected information security events through appropriate channels in a timely manner? |
7.1 | Are security perimeters defined and used to protect areas that contain information and other associated assets? |
7.2 | Are secure areas protected by appropriate entry controls and access points? |
7.3 | Is physical security for offices, rooms and facilities designed and implemented? |
7.4 | Are premises continuously monitored for unauthorized physical access? |
7.5 | Is protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure, designed and implemented? |
7.6 | Are security measures for working in secure areas designed and implemented? |
7.7 | Are clear desk rules for papers and removable storage media, and clear screen rules for information processing facilities, defined and appropriately enforced? |
7.8 | Is equipment sited securely and protected? |
7.9 | Are off-site assets protected? |
7.10 | Is storage media managed through its life cycle of acquisition, use, transportation and disposal in accordance with the organization's classification scheme and handling requirements? |
7.11 | Are information processing facilities protected from power failures and other disruptions caused by failures in supporting utilities? |
7.12 | Are cables carrying power, data or supporting information services protected from interception, interference or damage? |
7.13 | Is equipment maintained correctly to ensure availability, integrity and confidentiality of information? |
7.14 | Are items of equipment containing storage media verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use? |
8.1 | Is information stored on, processed by or accessible via user end point devices protected? |
8.2 | Are the allocation and use of privileged access rights restricted and managed? |
8.3 | Is access to information and other associated assets restricted in accordance with the established topic-specific policy on access control? |
8.4 | Is read and write access to source code, development tools and software libraries appropriately managed? |
8.5 | Has the organization implemented secure authentication technologies and procedures based on information access restrictions and the topic-specific policy on access control? |
8.6 | Is the use of resources monitored and adjusted in line with current and expected capacity requirements? |
8.7a | Has the organization implemented protection against malware? |
8.7b | Is the organization's approach to malware protection supported by appropriate user awareness? |
8.8a | Is information about technical vulnerabilities of information systems in use obtained? |
8.8b | Does the organization evaluate its exposure to technical vulnerabilities and take the appropriate measures? |
8.9a | Have configurations, including security configurations, of hardware, software, services and networks been established, documented and implemented? |
8.9b | Are configurations, including security configurations, of hardware, software, services and networks monitored and reviewed? |
8.10 | Is information stored in information systems, devices or any other storage media deleted when no longer required? |
8.11 | Is data masking used in accordance with the organization's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration? |
8.12 | Are data leakage prevention measures applied to systems, networks and any other devices that process, store or transmit sensitive information? |
8.13 | Are backup copies of information, software and systems maintained and regularly tested in accordance with the agreed topic-specific policy on backup? |
8.14 | Are information processing facilities implemented with redundancy sufficient to meet availability requirements? |
8.15 | Are logs that record activities, exceptions, faults and other relevant events produced, stored, protected and analysed? |
8.16a | Does the organization monitor networks, systems and applications for anomalous behaviour to evaluate potential information security incidents? |
8.16b | Does the organization take the appropriate actions when information security incidents are identified? |
8.17 | Are the clocks of information processing systems used by the organization synchronized to approved time sources? |
8.18 | Is the use of utility programs capable of overriding system and application controls restricted and tightly controlled? |
8.19 | Has the organization implemented procedures and measures to securely manage software installation on operational systems? |
8.20 | Are networks and network devices secured, managed and controlled to protect information in systems and applications? |
8.21 | Are security mechanisms, service levels and service requirements of network services identified, implemented and monitored? |
8.22 | Does the organization segregate groups of information services, users and information systems in the organization's networks? |
8.23 | Is access to external websites managed to reduce exposure to malicious content? |
8.24 | Are rules for the effective use of cryptography, including cryptographic key management, defined and implemented? |
8.25 | Has the organization established and applied rules for the secure development of software and systems? |
8.26 | Are information security requirements identified, specified and approved when developing or acquiring applications? |
8.27 | Are principles for engineering secure systems established, documented, maintained and applied to any information system development activities? |
8.28 | Does the organization apply secure coding principles to software development? |
8.29 | Are security testing processes defined and implemented in the development life cycle? |
8.30 | Does the organization direct, monitor and review the activities related to outsourced system development? |
8.31 | Are development, testing and production environments separated and secured? |
8.32 | Are changes to information processing facilities and information systems subject to change management procedures? |
8.33 | Is test information appropriately selected, protected and managed? |
8.34 | Are audit tests and other assurance activities involving assessment of operational systems planned and agreed between the tester and appropriate management? |