
BSI BIP 0072:2014


DOCUMENT INFORMATION

Pages: 94
Size: 1.48 MB

Content

Are you ready for an ISMS audit based on ISO/IEC 27001?
Second edition
Edward (Ted) Humphreys and Bridget Kenyon

First published in the UK in 1999
Second edition 2002
Third edition 2005
Reprinted 2008
Fourth edition 2014

Published by BSI Standards Limited, 389 Chiswick High Road, London W4 4AL

© The British Standards Institution 2014. All rights reserved. Except as permitted under the Copyright, Designs and Patents Act 1988, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior permission in writing from the publisher.

Whilst every care has been taken in developing and compiling this publication, BSI accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents except to the extent that such liability may not be excluded in law.

BSI has made every reasonable effort to locate, contact and acknowledge copyright owners of material included in this book. Anyone who believes that they have a claim of copyright in any of the content of this book should contact BSI at the above address.

BSI has no responsibility for the persistence or accuracy of URLs for external or third-party internet websites referred to in this book, and does not guarantee that any content on such websites is, or will remain, accurate or appropriate.

The right of Bridget Kenyon and Edward Humphreys to be identified as the authors of this work has been asserted by them in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

Typeset in Great Britain by Letterpart Limited – letterpart.com
Printed in Great Britain by Berforts, www.berforts.co.uk

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library
ISBN 978 580 82 91

Contents
Foreword vii
Introduction 1
  Scope
  Use of this guide
  Companion guides
  Reference standards
ISMS scope
How to use this guide
  3.1 ISMS process requirements
  3.2 Annex A control objectives and controls
  3.3 A sample of a completed questionnaire
ISMS processes workbook (assessment of ISMS process requirements)
Annex A Gap analysis workbook (assessment of ISMS controls)
Information security management systems guidance series

The Information Security Management Systems (ISMS) series of books is designed to provide users with assistance on establishing, implementing, maintaining, checking and auditing their ISMS in order to prepare for certification. Titles in this Information Security Management Systems Guidance series include:

• BIP 0071, Guidelines on requirements and preparation for ISMS certification based on ISO/IEC 27001;
• BIP 0072, Are you ready for an ISMS audit based on ISO/IEC 27001?;
• BIP 0073, Guide to the implementation and auditing of ISMS controls based on ISO/IEC 27001;
• BIP 0074, Measuring the effectiveness of your ISMS implementations based on ISO/IEC 27001;
• BIP 0076, Information security risk management — Handbook for ISO/IEC 27001.

Foreword

Information is one of your organization's most valuable assets. The objectives of information security are to protect the confidentiality, integrity and availability of information. These basic elements of information security help to ensure that an organization can protect against:

• sensitive or confidential information being given away, leaked or disclosed either accidentally or in an unauthorized way;
• personally identifiable information being compromised;
• critical information being accidentally or intentionally modified without your knowledge;
• any important business information being lost without trace or hope of recovery;
• any important business information being rendered unavailable when needed.

It should be the responsibility of all managers, information system owners or custodians, and users in general, to ensure that the information they are processing is properly managed and protected from the variety of risks and threats faced by every organization.

The two standards ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements and ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls together provide a basis for organizations to develop an effective information security management framework for managing and protecting their important business assets whilst minimizing their risks, helping to maximize the organization's investments and business opportunities and ensuring their information systems continue to be available and operational.

ISO/IEC 27001:2013 is the requirements standard that can be used for accredited third-party information security management system (ISMS) certifications. Organizations going through the accredited certification route to obtain an ISMS certificate would need their ISMS to be audited and assessed by an accredited certification body to ensure that they have appropriate management processes and systems in place that conform to the requirements specified in the ISO/IEC 27001 ISMS standard.

The standard ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls provides a comprehensive set of best practice controls for information security and implementation guidance. Organizations can adopt these controls as part of the risk treatment process specified in ISO/IEC 27001:2013 in order to manage the risks they face to their information assets.

This guide, BIP 0072, as with the other guides in the BIP 0070 series, is designed to provide users with assistance in checking the processes and controls in place in their ISMS against the requirements laid out in ISO/IEC 27001:2013 and ISO/IEC 27002:2013.

Note: The information provided in this document is provided with the best of intentions. It reflects common practice that is derived by a consensus among those with a wide variety of skills, knowledge and experience in the subject. This guide makes no claim to be exhaustive or definitive and users of this guide may need to seek further guidance more specific to the business context of the organization implementing the requirements of ISO/IEC 27001:2013. Furthermore, there will always be other aspects where additional guidance is required relevant

Annex A Gap analysis workbook (assessment of ISMS controls)
ISO/IEC 27001, Information security management systems — Requirements

A.13 Communications security
A.13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.

Q1 Implementation status. Tick one box (YES / PARTIAL / NO) for each control requirement.
A.13.2.1 Are formal transfer policies, procedures and controls in place to protect the transfer of information through the use of all types of communication facilities?
A.13.2.2 Are agreements in place to address the secure transfer of business information between the organization and external parties?
A.13.2.3 Is information involved in electronic messaging being appropriately protected?
A.13.2.4 Are requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information being identified, regularly reviewed and documented?

Q2 If you have ticked either of the boxes marked PARTIAL or NO, you should indicate the reasons and justification in the following boxes.
Control | Reasons and justification (with reference to supporting evidence) | Action to be taken
A.13.2.1 | |
A.13.2.2 | |
A.13.2.3 | |
A.13.2.4 | |
COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details. Use additional sheets if necessary.
A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems
Objective: To ensure that information security is an integral part of information systems across the entire life cycle. This also includes the requirements for information systems which provide services over public networks.

Q1 Implementation status. Tick one box (YES / PARTIAL / NO) for each control requirement.
A.14.1.1 Are information security related requirements included in the requirements for new information systems or enhancements to existing information systems?
A.14.1.2 Is information involved in application services passing over public networks being protected from fraudulent activity, contract dispute and unauthorized disclosure and modification?
A.14.1.3 Is information involved in application service transactions being protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay?

Q2 If you have ticked either of the boxes marked PARTIAL or NO, you should indicate the reasons and justification in the following boxes.
Control | Reasons and justification (with reference to supporting evidence) | Action to be taken
A.14.1.1 | |
A.14.1.2 | |
A.14.1.3 | |
COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details. Use additional sheets if necessary.
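The failure modes listed under A.14.1.3 (incomplete transmission, mis-routing, alteration, duplication and replay) are the properties an auditor will expect a transaction protection mechanism to demonstrably cover. The Python below is an added example, not part of BIP 0072 or of ISO/IEC 27001, showing one common way to evidence them: every transaction envelope carries a unique transaction id and a timestamp and is authenticated with HMAC-SHA256 under a key shared by the two parties; the receiver rejects envelopes that are missing fields, whose MAC does not verify, that are addressed to another party, that fall outside a freshness window, or whose id has already been accepted. The shared key, party names, field names and sample transaction are constructed for the illustration. It covers integrity, authenticity and replay only; unauthorized disclosure has to be addressed separately by encrypting the channel or the message (for example TLS), which is not shown.

```python
import hashlib
import hmac
import json
import time

# Constructed key for the illustration only. In a real deployment the key comes from the
# organization's key management process and is distinct per sender/recipient pair.
SHARED_KEY = b"example-shared-key-do-not-use-in-production"
MAX_SKEW_SECONDS = 300  # freshness window; delayed replays older than this are refused


def canonical_bytes(envelope: dict) -> bytes:
    """Serialise every field except the MAC in a fixed order, so that sender and receiver
    compute the MAC over identical bytes regardless of dict ordering or whitespace."""
    unsigned = {k: v for k, v in envelope.items() if k != "mac"}
    return json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(key: bytes, sender: str, recipient: str, txn_id: str, body: dict, now=None) -> dict:
    """Build an authenticated transaction envelope. txn_id must be unique per transaction."""
    envelope = {
        "sender": sender,
        "recipient": recipient,   # bound into the MAC, so a mis-routed copy is detectable
        "txn_id": txn_id,         # bound into the MAC, so a replay cannot change its id
        "timestamp": int(now if now is not None else time.time()),
        "body": body,
    }
    envelope["mac"] = hmac.new(key, canonical_bytes(envelope), hashlib.sha256).hexdigest()
    return envelope


class TransactionReceiver:
    """Receiving side. seen_ids would be a persistent store in a real system (assumption)."""

    REQUIRED = {"sender", "recipient", "txn_id", "timestamp", "body", "mac"}

    def __init__(self, key: bytes, my_id: str, now=None):
        self.key = key
        self.my_id = my_id
        self.seen_ids = set()
        self._now = now  # injectable clock for testing

    def accept(self, envelope: dict):
        """Return (ok, reason). Each rejection maps to one failure mode named in A.14.1.3."""
        if not self.REQUIRED.issubset(envelope):            # incomplete transmission
            return False, "incomplete"
        expected = hmac.new(self.key, canonical_bytes(envelope), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["mac"]):   # unauthorized alteration
            return False, "bad-mac"
        if envelope["recipient"] != self.my_id:             # mis-routing
            return False, "misrouted"
        now = self._now if self._now is not None else time.time()
        if abs(now - envelope["timestamp"]) > MAX_SKEW_SECONDS:   # stale, e.g. a delayed replay
            return False, "stale"
        if envelope["txn_id"] in self.seen_ids:             # duplication / replay
            return False, "replay"
        self.seen_ids.add(envelope["txn_id"])
        return True, "ok"


if __name__ == "__main__":
    clock = 1_700_000_000
    receiver = TransactionReceiver(SHARED_KEY, "bank-b", now=clock)
    env = sign_transaction(SHARED_KEY, "bank-a", "bank-b", "txn-0001",
                           {"amount": "100.00", "ccy": "GBP"}, now=clock)
    print(receiver.accept(env))   # first delivery is accepted
    print(receiver.accept(env))   # second delivery of the same envelope is rejected as a replay
```

The MAC is checked before any field is trusted, so a tampered recipient or timestamp is reported as an alteration rather than acted upon. The freshness window bounds how long the set of seen ids has to be retained; ids older than the window can be discarded because the timestamp check rejects them anyway.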
A.14.2 Security in development and support processes
Objective: To ensure that information security is designed and implemented within the development life cycle of information systems.

Q1 Implementation status. Tick one box (YES / PARTIAL / NO) for each control requirement.
A.14.2.1 Are rules for the development of software and systems established and are they being applied to developments within the organization?
A.14.2.2 Are changes to systems within the development life cycle being controlled by the use of formal change control procedures?
A.14.2.3 When operating platforms are changed, are business critical applications reviewed and tested to ensure there is no adverse impact on organizational operations or security?
A.14.2.4 Are modifications to software packages discouraged, limited to necessary changes and all changes strictly controlled?
A.14.2.5 Are principles for engineering secure systems established, documented, maintained and applied to any information system implementation efforts?
A.14.2.6 Does the organization establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development life cycle?
A.14.2.7 Does the organization supervise and monitor the activity of outsourced system development?
A.14.2.8 Is testing of security functionality being carried out during development?
A.14.2.9 Are acceptance testing programs and related criteria established for new information systems, upgrades and new versions?

Q2 If you have ticked either of the boxes marked PARTIAL or NO, you should indicate the reasons and justification in the following boxes.
Control | Reasons and justification (with reference to supporting evidence) | Action to be taken
A.14.2.1 | |
A.14.2.2 | |
A.14.2.3 | |
A.14.2.4 | |
A.14.2.5 | |
A.14.2.6 | |
A.14.2.7 | |
A.14.2.8 | |
A.14.2.9 | |
COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details. Use additional sheets if necessary.

A.14.3 Test data
Objective: To ensure the protection of data used for testing.

Q1 Implementation status. Tick one box (YES / PARTIAL / NO) for each control requirement.
A.14.3.1 Is test data being selected carefully, protected and controlled?

Q2 If you have ticked either of the boxes marked PARTIAL or NO, you should indicate the reasons and justification in the following boxes.
Control | Reasons and justification (with reference to supporting evidence) | Action to be taken
A.14.3.1 | |
COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details. Use additional sheets if necessary.

A.15 Supplier relationships
A.15.1 Information security in supplier relationships
Objective: To ensure protection of the organization's assets that are accessible by suppliers.

Q1 Implementation status. Tick one box (YES / PARTIAL / NO) for each control requirement.
A.15.1.1 Have information security requirements for mitigating the risks associated with each supplier's access to the organization's assets been agreed with the supplier and documented?
A.15.1.2 Have all relevant information security requirements been established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information?
A.15.1.3 Do agreements with suppliers include requirements to address the information security risks associated with the information and communications technology services and product supply chain?

Q2 If you have ticked either of the boxes marked PARTIAL or NO, you should indicate the reasons and justification in the following boxes.
Control | Reasons and justification (with reference to supporting evidence) | Action to be taken
A.15.1.1 | |
A.15.1.2 | |
A.15.1.3 | |
COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details. Use additional sheets if necessary.

A.15.2 Supplier service delivery management
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

Q1 Implementation status. Tick one box (YES / PARTIAL / NO) for each control requirement.
A.15.2.1 Does the organization regularly monitor, review and audit supplier service delivery?
A.15.2.2 Are changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, being managed, taking account of the criticality of the business information, systems and processes involved and re-assessment of risks?
Q2 If you have ticked either of the boxes marked PARTIAL or NO, you should indicate the reasons and justification in the following boxes.
Control | Reasons and justification (with reference to supporting evidence) | Action to be taken
A.15.2.1 | |
A.15.2.2 | |
COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details. Use additional sheets if necessary.

A.16 Information security incident management
A.16.1 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

Q1 Implementation status. Tick one box (YES / PARTIAL / NO) for each control requirement.
A.16.1.1 Have management responsibilities and procedures been established to ensure a quick, effective and orderly response to information security incidents?
A.16.1.2 Are information security events being reported through appropriate management channels as quickly as possible?
A.16.1.3 Are employees and contractors using the organization's information systems and services required to note and report any observed or suspected information security weaknesses in systems or services?
A.16.1.4 Are information security events being assessed and is it being decided if they are to be classified as information security incidents?
A.16.1.5 Are information security incidents being responded to in accordance with the documented procedures?
A.16.1.6 Is the knowledge gained from analysing and resolving information security incidents being used to reduce the likelihood or impact of future incidents?
A.16.1.7 Does the organization define and apply procedures for the identification, collection, acquisition and preservation of information which can serve as evidence?

Q2 If you have ticked either of the boxes marked PARTIAL or NO, you should indicate the reasons and justification in the following boxes.
Control | Reasons and justification (with reference to supporting evidence) | Action to be taken
A.16.1.1 | |
A.16.1.2 | |
A.16.1.3 | |
A.16.1.4 | |
A.16.1.5 | |
A.16.1.6 | |
A.16.1.7 | |
COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details. Use additional sheets if necessary.
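A.16.1.7 asks for procedures covering the identification, collection, acquisition and preservation of information that may serve as evidence. The Python below is an added example, not part of BIP 0072 or of ISO/IEC 27001, of the acquisition and preservation steps an auditor would expect to see evidenced: each artifact is hashed with SHA-256 at its source, copied into an evidence directory, re-hashed to confirm the copy is faithful, and recorded in a manifest with the collector, collection time, source path and size; the manifest is protected with an HMAC so that later edits to it are detectable, and a verify step reports every item as ok, modified or missing. The manifest key, collector name, directory layout, file naming and the sample log line are constructed for the illustration.

```python
import hashlib
import hmac
import json
import tempfile
import time
from pathlib import Path


def sha256_file(path) -> str:
    """Stream a file through SHA-256 so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _manifest_bytes(manifest: dict) -> bytes:
    """Canonical serialisation of the manifest without its MAC field."""
    unsigned = {k: v for k, v in manifest.items() if k != "mac"}
    return json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()


def acquire(source_paths, evidence_dir, collector: str, manifest_key: bytes, now=None) -> dict:
    """Copy each artifact into evidence_dir, verify the copy against the source hash, and write
    a MAC-protected manifest.json recording who collected what, from where and when."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    collected_at = int(now if now is not None else time.time())
    entries = []
    for i, src in enumerate(map(Path, source_paths), start=1):
        source_hash = sha256_file(src)                 # hash before anything is copied
        dest = evidence_dir / f"item{i:03d}_{src.name}"
        dest.write_bytes(src.read_bytes())
        if sha256_file(dest) != source_hash:           # the copy must match the original
            raise RuntimeError(f"copy of {src} did not verify")
        entries.append({
            "item": dest.name,
            "source": str(src),
            "size": src.stat().st_size,
            "sha256": source_hash,
            "collected_at": collected_at,
            "collected_by": collector,
        })
    manifest = {"entries": entries}
    manifest["mac"] = hmac.new(manifest_key, _manifest_bytes(manifest), hashlib.sha256).hexdigest()
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(evidence_dir, manifest_key: bytes):
    """Return [(item, status)] with status 'ok', 'modified' or 'missing'.
    Return None if the manifest itself does not pass its MAC check."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    expected = hmac.new(manifest_key, _manifest_bytes(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        return None
    results = []
    for entry in manifest["entries"]:
        item = evidence_dir / entry["item"]
        if not item.exists():
            results.append((entry["item"], "missing"))
        elif sha256_file(item) != entry["sha256"]:
            results.append((entry["item"], "modified"))
        else:
            results.append((entry["item"], "ok"))
    return results


def demo():
    """Constructed walk-through: acquire one sample log, verify, tamper with the copy, verify again."""
    work = Path(tempfile.mkdtemp())
    sample = work / "auth.log"
    sample.write_text("Jan  1 00:00:01 host sshd[123]: Failed password for root from 203.0.113.5\n")
    key = b"example-manifest-key"   # assumption: held by the incident handler, not stored with the evidence
    evidence = work / "evidence"
    acquire([sample], evidence, "analyst-1", key, now=1_700_000_000)
    before = verify(evidence, key)
    (evidence / "item001_auth.log").write_text("tampered\n")   # simulate post-collection modification
    after = verify(evidence, key)
    wrong_key = verify(evidence, b"wrong-key")
    return before, after, wrong_key


if __name__ == "__main__":
    print(demo())
```

The hash of each item and the time and identity of collection are what a later chain-of-custody record is built on; keeping the manifest key separate from the evidence store means an attacker who can alter the artifacts cannot also re-sign the manifest to hide it.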
A.17 Information security aspects of business continuity management
A.17.1 Information security continuity
Objective: Information security continuity shall be embedded in the organization's business continuity management systems.

Q1 Implementation status. Tick one box (YES / PARTIAL / NO) for each control requirement.
A.17.1.1 Has the organization determined its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster?
A.17.1.2 Has the organization established, documented and implemented, and does it maintain, processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation?
A.17.1.3 Does the organization verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations?

Q2 If you have ticked either of the boxes marked PARTIAL or NO, you should indicate the reasons and justification in the following boxes.
Control | Reasons and justification (with reference to supporting evidence) | Action to be taken
A.17.1.1 | |
A.17.1.2 | |
A.17.1.3 | |
COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details. Use additional sheets if necessary.

A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.

Q1 Implementation status. Tick one box (YES / PARTIAL / NO) for each control requirement.
A.17.2.1 Have information processing facilities been implemented with redundancy sufficient to meet availability requirements?

Q2 If you have ticked either of the boxes marked PARTIAL or NO, you should indicate the reasons and justification in the following boxes.
Control | Reasons and justification (with reference to supporting evidence) | Action to be taken
A.17.2.1 | |
COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details. Use additional sheets if necessary.

A.18 Compliance
A.18.1 Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

Q1 Implementation status. Tick one box (YES / PARTIAL / NO) for each control requirement.
A.18.1.1 Are all relevant legislative, statutory, regulatory and contractual requirements, and the organization's approach to meeting these requirements, explicitly identified, documented and kept up to date for each information system and the organization?
A.18.1.2 Are appropriate procedures implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products?
A.18.1.3 Are records protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements?
A.18.1.4 Is the privacy and protection of personally identifiable information ensured as required in relevant legislation and regulation where applicable?
A.18.1.5 Are cryptographic controls used in compliance with all relevant agreements, legislation and regulations?

Q2 If you have ticked either of the boxes marked PARTIAL or NO, you should indicate the reasons and justification in the following boxes.
Control | Reasons and justification (with reference to supporting evidence) | Action to be taken
A.18.1.1 | |
A.18.1.2 | |
A.18.1.3 | |
A.18.1.4 | |
A.18.1.5 | |
COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details. Use additional sheets if necessary.

A.18.2 Information security reviews
Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

Q1 Implementation status. Tick one box (YES / PARTIAL / NO) for each control requirement.
A.18.2.1 Is the organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) reviewed independently at planned intervals or when significant changes occur?
A.18.2.2 Do managers regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements?
A.18.2.3 Are information systems regularly reviewed for compliance with the organization's information security policies and standards?

Q2 If you have ticked either of the boxes marked PARTIAL or NO, you should indicate the reasons and justification in the following boxes.
Control | Reasons and justification (with reference to supporting evidence) | Action to be taken
A.18.2.1 | |
A.18.2.2 | |
A.18.2.3 | |
COMMENTS: Enter a more detailed explanation of the reason(s) indicated above as appropriate. Where control measures are in place it may be helpful to provide details on actions taken. See Section 3.2 for details. Use additional sheets if necessary.

Posted: 13/04/2023, 17:15
