ISO 27001 : 2013 COMPLIANCE CHECKLIST

REFERENCE COMPLIANCE ASSESSMENT AREA RESULT

STANDARDS SECTION INITIAL ASSESSMENT FINDINGS STATUS
POINTS

A.5 INFORMATION SECURITY POLICIES

A.5.1 MANAGEMENT DIRECTION FOR INFORMATION SECURITY
Policies for information security
1. Do Security policies exist?
2. Are all policies approved by
management? 0%
3. Are policies properly
communicated to employees?
A.5.1.2 Review of the policies for
information security 1. Are security policies subject to
review?
2. Are the reviews
conducted at regular 0%
intervals?
3. Are reviews conducted
when circumstances
change?
A.6 ORGANIZATION OF INFORMATION SECURITY
A.6.1 INTERNAL ORGANIZATION
Are responsibilities for the
protection of individual assets,
Information security
A.6.1.1 and for carrying out specific
roles and
security processes, clearly 0%
responsibilities
identified and defined and
communicated to the relevant
parties?

Are duties and areas of

responsibility separated, in order 0%
A.6.1.2 Segregation of duties
to reduce opportunities for
unauthorized modification or

www.iascertification.com
 ISO 27001 : 2013 COMPLIANCE CHECKLIST

misuse of information, or
services?
1. Is there a procedure
documenting when, and by
whom, contact with relevant
authorities (law enforcement
A.6.1.3 Contact with authorities etc.) will be made?
2. Is there a process which 0%
details how and when contact
is required?
3. Is there a process for routine
contact and intelligence
sharing?
Do relevant individuals within the
A.6.1.4 Contact with special interest groups organization maintain active 0%
membership in relevant special
interest groups?
Information security in Do all projects go through some
A.6.1.5
project management form of information security 0%
assessment?
A.6.2 MOBILE DEVICE AND TELEWORKING

1. Does a mobile device policy

exist?
2. Does the policy have
A.6.2.1 Mobile device policy management approval?
3. Does the policy document and 0%
address additional risks from
using mobile devices (e.g. Theft
of asset, use of open wireless
hotspots etc.)
1. Is there a policy for
teleworking?
2. Does this have management 0%
A.6.2.2 Teleworking approval?
3. Is there a set process for

www.iascertification.com
 ISO 27001 : 2013 COMPLIANCE CHECKLIST

remote workers to get access?

4. Are teleworkers given
the advice and equipment
to protect their assets?
A.7 HUMAN RESOURCES SECURITY

A.7.1 PRIOR TO EMPLOYMENT

1. Are background verification

checks carried out on all new
candidates for employment?
2. Are these checks approved
A.7.1.1 Screening by appropriate management
authority? 0%
3. Are the checks compliant
with relevant laws,
regulations and ethics?
4. Are the level of checks
required supported by business
risk assessments?

1. Are all employees,

contractors and third party
users asked to sign
A.7.1.2 Terms and conditions of confidentiality and non-
employment 0%
disclosure agreements?
2. Do employment / service
contracts specifically cover the
need to protect business
information?
A.7.2 DURING EMPLOYMENT

1. Are managers (of all

levels) engaged in driving
security within the 0%
A.7.2.1 Management responsibilities business?
2. Does management

www.iascertification.com
 ISO 27001 : 2013 COMPLIANCE CHECKLIST

behaviour and policy drive,

and encourage, all employees,
contractors and 3rd party
users to apply security in
accordance with established
policies and procedures?

Do all employees, contractors

and 3rd party users undergo
Information security awareness,
A.7.2.2
education and training regular security awareness 0%
training appropriate to their role
and function within the
organization?
1. Is there a formal disciplinary
process which allows the
organization to take action
A.7.2.3 Disciplinary process against employees who have
0%
committed an information
security breach?
2. Is this communicated to all
employees?
A.7.3 TERMINATION AND CHANGE OF EMPLOYMENT

1. Is there a documented process

for terminating or changing
employment duties?
Termination or change of 2. Are any information security
A.7.3.1 duties which survive
employment responsibilities 0%
employment communicated to
the employee or contractor?
3. Is the organization able
to enforce compliance
with any duties that
survive employment?
A.8 ASSET MANAGEMENT

www.iascertification.com
 ISO 27001 : 2013 COMPLIANCE CHECKLIST

A.8.1 RESPONSIBILITY FOR ASSETS

1. Is there an inventory of all

assets associated with
A.8.1.1 Inventory of assets information and information
0%
processing facilities?
2. Is the inventory accurate
and kept up to date?
All information assets must have a
A.8.1.2 Ownership of assets clearly defined owner who is 0%
aware of their responsibilities.
1. Is there an acceptable use
policy for each class / type of
A.8.1.3 Acceptable use of assets
information asset? 0%
2. Are users made aware of this
policy prior to use?
Is there a process in place to
ensure all employees and external
A.8.1.4 Return of assets
users return the organization's 0%
assets on termination of their
employment, contract or
agreement?
A.8.2 INFORMATION CLASSIFICATION

1. Is there a policy
governing information
A.8.2.1 Classification of information
classification? 0%
2. Is there a process by which
all information can be
appropriately classified?
Is there a process or procedure for
A.8.2.2 Labelling of information ensuring information
classification is appropriately
0%
marked on each asset?
1. Is there a procedure for
handling each information 0%
A.8.2.3 Handling of assets

www.iascertification.com
 ISO 27001 : 2013 COMPLIANCE CHECKLIST

classification?
2. Are users of information assets
made aware of this procedure?
A.8.3 MEDIA HANDLING
1. Is there a policy
governing removable
media?
A.8.3.1 Management of removable media 2. Is there a process covering
how removable media is
0%
managed?
3. Are the policy and
process communicated
to all employees using
removable media?
Is there a formal procedure
A.8.3.2 Disposal of media
governing how removable media 0%
is disposed?

1. Is there a documented policy

and process detailing how
A.8.3.3 Physical media transfer physical media should be
transported? 0%
2. Is media in transport
protected against un
authorized access, misuse or
corruption?
A.9 ACCESS CONTROL

A.9.1 BUSINESS REQUIREMENTS FOR ACCESS CONTROL

1. Is there a documented access

control policy?
A.9.1.1 Access control policy 2. Is the policy
0%
based on business
requirements?
3. Is the policy communicated
appropriately?

www.iascertification.com
 ISO 27001 : 2013 COMPLIANCE CHECKLIST

Are controls in place to ensure

users only have access to the
A.9.1.2 Access to networks and network 0%
network resources they have been
services
specially authorised to use and are
required for their duties?
A.9.2 USER ACCESS MANAGEMENT
Is there a formal user access
A.9.2.1 User registration and de-registration
registration process in place?
0%

Is there a formal user access

A.9.2.2 User access provisioning provisioning process in place to 0%
assign access rights for all user
types and services?
Are privileged access accounts
A.9.2.3 Management of privileged access
rights
separately managed and 0%
controlled?
Is there a formal management
Management of secret authentication
A.9.2.4 process in place to control
information of users 0%
allocation of secret authentication
information?
1. Is there a process for
asset owners to review
A.9.2.5 Review of user access rights
access rights to their assets 0%
on a regular basis?
2. Is this review process verified?
Is there a process to ensure user
A.9.2.6 Removal or adjustment of access access rights are removed on
rights termination of employment or 0%
contract, or adjusted upon change
of role?
A.9.3 USER RESPONSIBILITIES

1. Is there a policy document

covering the organizations 0%
A.9.3.1 Use of secret authentication
practices in how secret
information

www.iascertification.com
 ISO 27001 : 2013 COMPLIANCE CHECKLIST

authentication information must

be handled?
2. Is this communicated to all
users?
A.9.4 SYSTEM AND APPLICATION ACCESS CONTROL

Is access to information and

A.9.4.1 Information access restriction application system functions
restricted in line with the access
0%
control policy?
Where the access control policy
A.9.4.2 Secure log-on procedures requires it, is access controlled by 0%
a secure log-on procedure?
1. Are password systems
A.9.4.3 Password management system interactive?
0%
2. Are complex passwords
required?
Are privilege utility programs
A.9.4.4 Use of privileged utility programs 0%
restricted and monitored?
Is access to the source code of the
A.9.4.5 Access control to program source 0%
Access Control System protected?
code
A.10 CRYPTOGRAPHY

A.10.1 CRYPTOGRAPHIC CONTROLS

Is there a policy on the use of

A.10.1.1 Policy on the use of cryptographic 0%
cryptographic controls?
controls
Is there a policy governing the
A.10.1.2 Key management
whole lifecycle of cryptographic 0%
keys?
A.11 PHYSICAL AND ENVIRONMENTAL SECURITY

A.11.1 SECURE AREAS

1. Is there a designated security

perimeter?
0%
A.11.1.1 Physical security perimeter
2. Are sensitive or critical

www.iascertification.com
 ISO 27001 : 2013 COMPLIANCE CHECKLIST

information areas segregated

and appropriately controlled?
Do secure areas have suitable
A.11.1.2 Physical entry controls entry control systems to ensure
0%
only authorised personnel have
access?

1. Have offices, rooms and

facilities been designed and
A.11.1.3 Securing offices, rooms and
configured with security in mind?
facilities 0%
2. Do processes for
maintaining the security (e.g.
Locking up, clear desks etc.)
exist?
Have physical protection
Protecting against
A.11.1.4 measures to prevent natural
external and 0%
disasters, malicious attack or
environmental threats
accidents been designed in?
1. Do secure areas exist?
2. Where they do exist, do
A.11.1.5 Working in secure areas secure areas have suitable
0%
policies and processes?
3. Are the policies and processes
enforced and monitored?

1. Are there separate delivery /

loading areas?
A.11.1.6 Delivery and loading areas 2. Is access to these areas controls? 0%
3. Is access from loading areas
isolated from information
processing facilities?
A.11.2 EQUIPMENT

1. Are environmental hazards

identified and considered when 0%
A.11.2.1 Equipment siting and protection equipment locations are
selected?

www.iascertification.com
 ISO 27001 : 2013 COMPLIANCE CHECKLIST

2. Are the risks from unauthorised

access / passers-by considered
when siting equipment?

1. Is there a UPS system or backup

A.11.2.2 Supporting utilities generator?
2. Have these been 0%
tested within an
appropriate timescale?
1. Have risk assessments been
conducted over the location of
A.11.2.3 Cabling security power and telecommunications
cables? 0%
2. Are they located to
protect from interference,
interception or damage?
Is there a rigorous equipment
A.11.2.4 Equipment maintenance
maintenance schedule?
0%
1. Is there a process controlling
how assets are removed from
A.11.2.5 Removal of assets
site? 0%
2. Is this process enforced?
3. Are spot checks carried out?
1. Is there a policy covering
Security of equipment and assets
A.11.2.6 security of assets off-site?
off- premises 0%
2. Is this policy widely
communicated?
1. Is there a policy covering
how information assets may be
A.11.2.7 Secure disposal or reuse of
reused?
equipment 0%
2. Where data is wiped, is
this properly verified
before reuse/disposal?
1. Does the organization have a
policy around how unattended
0%
equipment should be protected?
A.11.2.8 Unattended user equipment 2. Are technical controls in

www.iascertification.com
 ISO 27001 : 2013 COMPLIANCE CHECKLIST

place to secure equipment that

has been inadvertently left
unattended?
3.

1. Is there a clear desk / clear

A.11.2.9 Clear desk and clear screen policy 0%
screen policy?
2. Is this well enforced?
A.12 OPERATIONS SECURITY

A.12.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES

1. Are operating procedures well

A.12.1.1 Documented operating procedures documented?
2. Are the procedures made 0%
available to all users who
need them?
Is there a controlled change
A.12.1.2 Change management
management process in place?
0%
Is there a capacity management
A.12.1.3 Capacity management 0%
process in place?
Does the organization enforce
Separation of development, testing
A.12.1.4 segregation of development, test 0%
and operational environments
and operational environments?
A.12.2 PROTECTION FROM MALWARE
1. Are processes to detect malware
in place?
2. Are processes to
A.12.2.1 Controls against malware prevent malware
spreading in place?
0%
3. Does the organization have a
process and capacity to recover
from a malware Infection.
A.12.3 BACKUP

www.iascertification.com
 ISO 27001 : 2013 COMPLIANCE CHECKLIST

1. Is there an agreed backup

policy?
2. Does the organization's
A.12.3.1 Information backup backup policy comply with
relevant legal frameworks?
0%
3. Are backups made in
accordance with the policy?
4. Are backups tested?

A.12.4 LOGGING AND MONITORING

Are appropriate event logs

A.12.4.1 Event logging
maintained and regularly 0%
reviewed?
Are logging facilities protected
A.12.4.2 Protection of log information
against tampering and 0%
unauthorized access?
Are sys admin / sysop logs
A.12.4.3 Administrator and operator logs
maintained, protected and 0%
regularly reviewed?
A.12.4.4 Clock synchronization Are all clocks within the
organization
0%
A.12.5 CONTROL OF OPERATIONAL SOFTWARE

Is there a process in place

Installation of software on
A.12.5.1 to control the installation of
operational systems 0%
software onto operational
systems?
A.12.6 TECHNICAL VULNERABILITY MANAGEMENT

1. Does the organization have

access to updated and timely
A.12.6.1 Management of technical information on technical
vulnerabilities vulnerabilities? 0%
2. Is there a process to risk assess
and react to any new
vulnerabilities as they are

www.iascertification.com
 ISO 27001 : 2013 COMPLIANCE CHECKLIST

discovered?

Are there processes in place to

A.12.6.2 Restrictions on soft-ware installation
restrict how users install 0%
software?
A.12.7 INFORMATION SYSTEMS AUDIT CONSIDERATIONS
1. Are IS Systems subject to audit?
A.12.7.1 Information systems audit controls 2. Does the audit process
0%
ensure business disruption is
minimised?
A.13 COMMUNICATIONS SECURITY

A.13.1 NETWORK SECURITY MANAGEMENT

Is there a network management
A.13.1.1 Network controls 0%
process in place?

1. Does the organization

implement a risk
management approach which
A.13.1.2 Security of network services identifies all network services
and service agreements?
2. Is security mandated in 0%
agreements and contracts with
service providers (in house and
outsourced).
3. Are security related SLAs
mandated?
0%
Does the network topology
A.13.1.3 Segregation in networks
enforce segregation of networks
for different tasks?
A.13.2 INFORMATION TRANSFER
1. Do organizational
policies govern how
information is transferred? 0%
Information transfer 2. Are procedures for how data
A.13.2.1 should be transferred made
policies and procedures

www.iascertification.com
 ISO 27001 : 2013 COMPLIANCE CHECKLIST

available to all employees?

3. Are relevant technical controls
in place to prevent non-authorised
forms of data transfer?
Do contracts with external
parties and agreements within
A.13.2.2 Agreements on information transfer
the organization detail the 0%
requirements for securing
business information in transfer?
Do security policies cover the use
A.13.2.3 Electronic messaging of information transfer while
0%
using electronic messaging
systems?
1. Do employees, contractors and
agents sign confidentiality or non
disclosure agreements?
Confidentiality or 2. Are these agreements 0%
A.13.2.4
nondisclosure subject to regular review?
agreements 3. Are records of the agreements
maintained?
A.14 SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE

A.14.1 SECURITY REQUIREMENTS OF INFORMATION SYSTEMS

1. Are information security

Information security requirements
A.14.1.1
analysis and specification
Securing application services on
A.14.1.2
public networks
requirements specified when
new systems are introduced?
0%
2. When systems are being
enhanced or upgraded, are
security requirements specified
and addressed?
Do applications which send
information over public networks
0%
appropriately protect the
information against fraudulent
activity, contract dispute,

www.iascertification.com
 ISO 27001 : 2013 COMPLIANCE CHECKLIST

unauthorised discloser and

unauthorised modification?
Are controls in place to prevent
incomplete transmission,
A.14.1.3 Protecting application services misrouting, unauthorised message
0%
transactions alteration, unauthorised
disclosure, unauthorised message
duplication or replay attacks?
A.14.2 SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES

1. Does the organization

develop software or systems?
A.14.2.1 Secure development policy 2. If so, are there policies
0%
mandating the implementation
and assessment of security
controls?
A.14.2.2 System change control procedures Is there a formal change control
process?
0%
Is there a process to ensure a
Technical review of applications
A.14.2.3 technical review is carried out
after operating platform changes 0%
when operating platforms are
changed?
Is there a policy in place
Restrictions on changes to software
A.14.2.4 which mandates when and
packages
how software packages can
0%
be changed or modified?
Does the organization have
A.14.2.5 Secure system engineering documented principles on how
principles
0%
systems must be engineered to
ensure security?

1. Has a secure development

environment been
A.14.2.6 Secure development environment established? 0%
2. Do all projects utilise the
secure development
environment appropriately

www.iascertification.com
 ISO 27001 : 2013 COMPLIANCE CHECKLIST

during the system

development lifecycle?
1. Where development has been
outsourced is this supervised?
A.14.2.7 Outsourced development
2. Is externally developed 0%
code subject to a security
review before deployment?
Where systems or applications are
A.14.2.8 System security testing developed, are they security tested
0%
as part of the development
process?
Is there an established process to
A.14.2.9 System acceptance testing accept new systems / applications, 0%
or upgrades, into production use?
A.14.3 TEST DATA

1. Is there a process for selecting

A.14.3.1 Protection of test data 0%
test data?
2. Is test data suitably protected?
A.15 SUPPLIER RELATIONSHIP

A.15.1 INFORMATION SECURITY IN SUPPLIER RELATIONSHIP

1. Is information security
included in contracts established
Information security policy for with suppliers and service
A.15.1.1 providers?
supplier relationships
2. Is there an 0%
organization-wide risk
management approach
to supplier
relationships?

1. Are suppliers provided with

Addressing security within supplier documented security
A.15.1.2 0%
agreements requirements?
2. Is supplier access to
information assets &

www.iascertification.com
 ISO 27001 : 2013 COMPLIANCE CHECKLIST

infrastructure controlled and

monitored?

Do supplier agreements include

Information and
A.15.1.3 requirements to address 0%
communication
information security within the
technology supply chain
service & product supply chain?
A.15.2 SUPPLIER SERVICE DELIVERY MANAGEMENT

Are suppliers subject to regular

A.15.2.1 Monitoring and review of supplier 0%
review and audit?
services
Are changes to the
A.15.2.2 Managing changes to supplier provision of services
services subject to a management 0%
process which includes
security & risk assessment?
A.16 INFORMATION SECURITY INCIDENT MANAGEMENT

A.16.1 MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS

Are management responsibilities

A.16.1.1 Responsibilities and procedures clearly identified and documented
0%
in the incident management
processes?

1. Is there a process for timely

reporting of information
A.16.1.2 Reporting information security
security events?
events 0%
2. Is there a process for
reviewing and acting on
reported information security
events?

1. Is there a process for reporting

of identified information security
A.16.1.3 Reporting information security weaknesses? 0%
weaknesses 2. Is this process widely
communicated?
3. Is there a process for

www.iascertification.com
 ISO 27001 : 2013 COMPLIANCE CHECKLIST

reviewing and addressing

reports in a timely
manner?
Is there a process to ensure
Assessment of and decision on
A.16.1.4 information security events are 0%
information security events
properly assessed and classified?
Is there an incident response
A.16.1.5 Response to information security process which reflects the 0%
incidents classification and severity of
information security incidents?
Is there a process or framework
Learning from information which allows the organization to
A.16.1.6 0%
security incidents learn from information security
incidents and reduce the impact /
probability of future events?

1. Is there a forensic readiness

policy?
A.16.1.7 Collection of evidence 2. In the event of an information 0%
security incident is relevant data
collected in a manner which
allows it to be used as evidence?
A.17 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT

A.17.1 INFORMATION SECURITY CONTINUITY

Is information security
A.17.1.1 Planning information security
included in the
continuity 0%
organization's continuity
plans?
Does the organization's
Implementing information information security function
A.17.1.2
security continuity have documented, implemented 0%
and maintained processes to
maintain continuity of service
during an adverse situation?

www.iascertification.com
 ISO 27001 : 2013 COMPLIANCE CHECKLIST

Verify, review and evaluate Are continuity plans validated and

A.17.1.3 0%
information security continuity verified at regular intervals?
A.17.2 REDUNDANCIES

Do information processing
Availability of information
A.17.2.1 facilities have sufficient
processing facilities
redundancy to meet the 0%
organizations availability
requirements?
A.18 COMPLAINS

A.18.1 COMPLAINS WITH LEGAL & CONTRACTUAL REQUIREMENTS

1. Has the organization identified

and documented all relevant
Identification of applicable
A.18.1.1 legislative, regulatory or
legislation and contractual 0%
contractual requirements related
requirements
to security?
2. Is compliance documented?
1. Does the organization keep a
record of all intellectual
A.18.1.2 Intellectual property rights property rights and use of
proprietary software products? 0%
2. Does the organization monitor
for the use of unlicensed
software?
Are records protected from loss,
destruction, falsification and
A.18.1.3 Protection of records unauthorised access or release in
0%
accordance with legislative,
regulatory, contractual and
business requirements?
1. Is personal data identified and
Privacy and protection of appropriately classified?
A.18.1.4
personally identifiable 2. Is personal data protected in 0%
information accordance with relevant
legislation?

www.iascertification.com
 ISO 27001 : 2013 COMPLIANCE CHECKLIST

Are cryptographic controls

A.18.1.5 protected in accordance with all
Regulation of cryptographic controls
relevant agreements, legislation
0%
and regulations?
A.18.2 INFORMATION SECURITY REVIEWS

1. Is the organizations approach

to managing information
A.18.2.1 Independent review of information security subject to regular
security independent review? 0%
2. Is the implementation of
security controls subject to
regular independent review?
1. Does the organization instruct
managers to regularly review
Compliance with security policies compliance with policy and
A.18.2.2 procedures within their area of 0%
and standards
responsibility?
2. Are records of these reviews
maintained?
Does the organization regularly
A.18.2.3 Technical compliance review conduct technical compliance
0%
reviews of its information
systems?

www.iascertification.com