Checklist ISO 28000

Table of Contents:

4.1 General Requirements

4.2 Security Management Policy
4.3.1 Security Risk Assessment
4.3.2 Legal, Statutory and other Security Regulatory Requirements
4.3.3 Security Management Objectives
4.3.4 Security Management Targets
4.3.5 Security Management Programme
4.4.1 Structure, Authority and Responsibilities
4.4.2 Competence Training & Awareness
4.4.3 Communication
4.4.4 Documentation
4.4.5 Data and Document Control
4.4.6 Operational Control
4.4.7 Emergency Preparedness, Response and Security Recovery
4.5.1 Security Performance Measuring and Monitoring
4.5.2 Systems Evaluation
4.5.3 Security-related failures, incidents, non-conformances and corrective and preventive action
4.5.4 Control of Records
4.5.5 Audits
4.6 Management Review and Continual Improvement

Rev 1.0 - 2008-01-06 Page 1/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

4.1 General requirements
Does the organization establish, document, implement, See also Section 4.4.4 a)
maintain and continually improve an effective security
management system?

Does the organization continually improve its See also Section 4.6.
effectiveness?

Does the organization define the scope of its security See also Section 4.4.4 b) and ISO 28001,
ch 4.1 Statement of application
management system?

Does the organization outsource security relevant
processes? In case of outsourced processes, does the
organization ensure that such processes are controlled?
Are the necessary controls and responsibilities identified
within the security management system?
Note: may require auditing of those outsourced
processes and their documentation. At least the
organiszation has to ensure control of
outsourced processes.

4.2 Security management policy

Does the organizations top management implement a Note: Does the organization have a detailed
security management policy for internal use and
security management policy? a summarized version for dissemination to its
stakeholders and other interested parties? Split
of the policy in those two parts is not mandatory
but recommended.

a) Is the policy consistent with other organizational policies? See ISO 28004 4.2 c) Evidence documentation
see Section 4.4.4 c). Note: review policies and
objectives relevant to the organisations
business a whole.

Rev 1.0 - 2008-01-06 Page 2/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

b) Does the security policy provide the alignment of a
framework for security management objectives, targets and
programmes?

c) Is the policy consistent with the organizations overall
security threat and risk management framework?
d) Is the policy appropriate to the threats to the organization
and the nature and scale of its operations?
e) Does the policy clearly state the overall/broad security
management objectives?
Note: are the measures described therein
adequate for addressing the security risks that
have been identified? Is the policy effective?
This may have to be revisited once Sections
4.3, and 4.5.1-3 have provided sufficient
evidence.
Note: are the measures described therein
adequate for addressing the security risks that
have been identified? Is the policy effective?
This may have to be revisited once Sections
4.3, and 4.5.1-3 have provided sufficient
evidence.
See also Section 4.4.4 a)

f) Does the policy include a commitment to continual See Section 4.4.1 and 4.6 for evidence.
improvement of the security management process?

g) Does the policy include a commitment to comply with See also Section 4.3.2 for evidence of
compliance.
current applicable legislation, regulatory and statutory
requirements and with other requirements to which the
organization subscribes?

h) Is the policy visibly endorsed by top management?

Rev 1.0 - 2008-01-06 Page 3/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

i) Is the policy documented, implemented and maintained? See Section 4.4.1 for evidence.

j) Is the policy communicated to all relevant employees and See also Section 4.4.3
third parties including contractors and visitors?

k) Is the policy available to stakeholders where appropriate? See also Section 4.4.3

l) Does the policy provide for its review in case of the See also Section 4.4.2.
acquisition of, or merger with other organizations, or other
change to the business scope of the organization which
may affect the continuity or relevance of the security
management system?
4.3.1 Security risk assessment
Does the organization have procedures for the ongoing See also ISO 28001,
chapter 5.2 Identification of the scope of
identification and assessment of security threats and security assessment,
security management related threats and risks and the chapter 5.3 Conduction of the security
identification and implementation of necessary assessment specifically:
management control measures? Qualified assessment personnel
A documented assessment process
Are the methods for security threats and risk identification, See also Statement of Application ISO 28001
ch 4.1 and Section 4.1 above.
assessment and control appropriate to the nature and scale
of the operations?

Does the assessment consider the likelihood of an event Risk Assessment process ISO 28001 Annex B.
Note: consider different approaches to RA may
and all of its consequences? be acceptable if they take into account the
nature of security-specific risks

Rev 1.0 - 2008-01-06 Page 4/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

Does the assessment include:

a) Physical failure threats and risks, such as functional failure, ISO 28001 Annex B 2. Note: evidence are
selection of applicable and relevant scenarios
incidental damage, malicious damage or terrorist or for risk assessments.
criminal action?

b) Operational threats and risks, including the control of the ISO 28001 Annex B 2. Note: evidence are
selection of applicable and relevant scenarios
security, human factors and other activities which affect the for risk assessments.
organizations performance, condition or safety?

c) Natural environmental events (storm, floods, etc.), which ISO 28001 Annex B 2. Note: evidence are
selection of applicable and relevant scenarios
may render security measures? for risk assessments.

d) Factors outside of the organizations control, such as ISO 28001 Annex B 2. Note: evidence are
selection of applicable and relevant scenarios
failures in externally supplied equipment and services? for risk assessments.

e) Stakeholder threats and risks such as failure to meet ISO 28001 Annex B 2. Note: evidence are
selection of applicable and relevant scenarios
regulatory requirements or damage to reputation or brand? for risk assessments.

f) Design and installation of security equipment including ISO 28001 Annex B 2. Note: evidence are
selection of applicable and relevant scenarios
replacement, maintenance, etc.? for risk assessments.

g) Information and data management and communications? ISO 28001 Annex B 2. Note: evidence are
selection of applicable and relevant scenarios
for risk assessments.

Rev 1.0 - 2008-01-06 Page 5/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

h) A threat to continuity of operations? ISO 28001 Annex B 2. Note: evidence are
selection of applicable and relevant scenarios
for risk assessments.

Does the organization ensure that the results of these ISO 28001 Annex B 7-10. Note: Evidence may
be found in system evaluation (Section 4.5.2
assessments and the effects of these controls are below) and management review & continual
considered? improvement (Section 4.6 below) Other
evidence may include:
Contingency Plans
Business Continuity Plans
Recovery & Business Resumption
Plans
Exercises and Exercise Evaluations
See also: ISO 28004 ch 4.3.1 for detailed
process. Outputs may be:
Description of risks and control
measures
Identification of training &
competency requirements
Assessment results provide input to...
a) Security management objectives and targets? Note: ensure understanding of distinction
between objectives and targets. Targets should
be measurable.

b) Security management programmes? ISO 28004 ch 4.3.5 c) and Section 4.3.5 below.
Note: security management programmes
should be derived from the targets and shall
mention responsibilities, means (how they are
achieved) and time-scale.

c) Determination of requirements for the design, specification Note: Requirements may be subjected cost-
benefit analyses, ALARP determination, legal or
and installation? regulatory restrictions.

Rev 1.0 - 2008-01-06 Page 6/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

d) Identification of adequate resources including staffing See Section 4.4.1 below for adequate
resources. See Section 4.5.1 (Security
levels? Performance) for an indication of adequacy of
resources.

e) Identification of training needs and skills? ISO 28004 ch 4.3.1 e). See also Section 4.4.2
below.

f) Development of operational controls? ISO 28004 ch 4.3.1 e) see also Section 4.4.6
below.

g) The organizations overall threat and risk management Note: if applicable.

framework?

Does the organization document and keep the above Note: are performance reviews carried out
regularly? Are there exercises and exercise
mentioned information up to date? evaluations? Is there a continual improvement
process which includes Risk Assessment?

Does the organizations methodology for threat and risk

identification and assessment..:

a) Provide for a definition with respect to its scope, nature and
timing to ensure it is proactive rather than reactive?
Note: for example does it seek to identify
emerging risks and are results factored into
response, continuity and recovery plans? Or
does it rely on incident response alone? Does if
focus on physical security or is it holistic?

Rev 1.0 - 2008-01-06 Page 7/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

b) include the collection of information related to security ISO 28004 ch 4.3.1 b): For an organisation with
no previous (documented) security
threats and risks? management system the following information
should be considered:
Legislative and regulatory
requirements
Identification of security threats, eg
from policing and intelligence
organisations (or commercial
providers of such information)
Examination of vulnerabilities (eg
through a performance review or
security survey)
Evaluation of previous incidents and
emergencies.
c) provide for the classification of threats and risks and ISO 28001 Annex B 5. Note: other forms of
classification are acceptable. Risk matrices may
identification of those that are to be avoided, be useful for detailed for better differentiation.
eliminated or controlled?

d) provide for the monitoring of actions to ensure ISO 28001 Annex B 7 and ISO 28004 4.3.1. d)
iii. See also Section 4.5.1.
effectiveness and the timeliness of their
implementation?

4.3.2 Legal, statutory and other security regulatory

requirements
Does the organization establish, implement and maintain a
procedure....

Rev 1.0 - 2008-01-06 Page 8/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

a) to identify and have access to the applicable legal
requirements and other requirements
which the organization subscribes related to its security
threat and risks?

b) to determine how these requirements apply to its security Note: Risk mitigation and prevention (counter
measures, response plans and detection
threats and risks? methods) shall not only be derived from results
of risk assessment but also from legal, statutory
and other security requirements. That process
shall be done through identification of
objectives, targets and programmes.
Does the organization keep this information up-to-date?

Does the organization communicate relevant information

on legal and other requirements to its employees and other
relevant third parties including contractors?

4.3.3 Security management objectives

Does the organization establish, implement, and maintain
documented security management objectives at relevant
functions and levels within the organization?
ISO 28004 4.3.3 b) Ensure the organisation has
measurable security objectives consistent with
the security policy. Need to be communicated
(see section 4.4.2 and deployed through the
security management programme (4.3.4)

When establishing and reviewing its objectives did the

organization take following points into account?

Rev 1.0 - 2008-01-06 Page 9/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

a) Legal, statutory and other security regulatory See also section 4.3.2
requirements?

b) Security related threats and risks? See also section 4.3.1

c) Technological and other options? Note: often evidenced through maintenance

and calibration records, but may also include
more purposefully:
cost-benefit analyses
best practice considerations

d) Financial, operational and business requirements? Such requirements might be:

confidentiality of customer information
defined risk management objectives
business partner requirements

e) Views of appropriate stakeholders? See also section 4.4.3

Are the security management objectives.....

a) consistent with the organizations commitment to continual See also section 4.6. Note: refer to quality
management system if it existing.
improvement?

Rev 1.0 - 2008-01-06 Page 10/30

Checklist ISO 28000
No. Reguirements
b) quantified (where practicable)?
c) communicated to all relevant employees and third parties,
including contractors, with the intent that
these persons are made aware of their individual
obligations?
d) reviewed periodically to ensure that they remain relevant
and consistent with the security management policy? Does
security management objectives has been amended where
necessary accordingly?
4.3.4
Security management targets
Does the organization establish, implement and maintain
documented security management targets appropriate to
the needs of the organization?
Does the targets derive from and are they consistent with
the security management objectives?
Rev 1.0 - 2008-01-06
yes no Remarks Guidance, ISO 28001/4 reference
See also section 4.4.3
See also 4.6. Note: reviews may be achieved
through audits, exercises, repetitive risk
assessment and up-to-date identification of
legal and other requirements.
Targets should be the result of, and consistent
with, the security policy (see sections 4.2 and
4.3.1). See ISO 28004 for security target
requirements. Examples of security targets
include:
risk reduction within a given time
frame
introduction of new technologies
within a given time frame
the elimination or reduction in
frequency of particular undesired
events.
See 4.3.3
Page 11/30
Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

Are these targets....
a) to an appropriate level of detail? Note: the targets should specify at least:
threat or vulnerability that is being
addressed
type of measurement and indicators

b) specific, measurable, achievable, relevant and time-based See above and ISO 28004 ch 4.3.4 d)
(where practicable)?

c) communicated to all relevant employees and third parties See also sections 4.4.2 and 4.4.3
including contractors with the intent that
these persons are made aware of their individual
obligations?

d) reviewed periodically to ensure that they remain relevant See also section 4.3.5 should be specified in
security management programmes.
and consistent with the security management objectives?
Where necessary the targets shall be amended
accordingly. Do the targets have been amended
accordingly where necessary?
4.3.5
Security management programmes
Does the organization establish, implement and maintain
security management programmes for achieving its
objectives and targets?

Have the programmes been optimized and then prioritized?

Does the organization provide the efficient and cost
effective implementation of these programmes?

Rev 1.0 - 2008-01-06 Page 12/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

Does the documentation describe...

a) designated responsibility and authority for achieving

security management objectives and targets?

b) the means and time-scale by which security management

objectives and targets are to be achieved?

Have the security management programmes been

reviewed periodically to ensure that they remain effective
and consistent with the objectives and targets? Have the
programmes been amended accordingly where necessary?

Structure, authority and responsibilities for security

4.4.1
management
Does the organization establish and maintain an ISO 28004 ch 4.4.1 b) Only security cleared
staff should be used for security critical tasks.
organizational structure of roles, responsibilities and
authorities?

Have these roles, responsibilities and authorities been ISO 28004 ch 4.4.1 d): Define:
defined, documented and communicated to the individuals Top management responsibility
Management representative
responsible for implementation and maintenance? responsibility
Line management responsibility
Document:
Security management manuals
Work procedures
Job descriptions
Induction/awareness training
Is the Top management able to provide evidence of its
commitment to the development and implementation of the
security management system (processes) and continually
improving its effectiveness by:

Rev 1.0 - 2008-01-06 Page 13/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

a) appointing a member of top management who, irrespective Note: One member of top-management must be
appointed as being OVERALL responsible for
of other responsibilities, shall be responsible for the overall the security management system
design, maintenance, documentation and improvement of
the organizations security management system?

b) appointing (a) member(s) of management with the Note: Further to above one or more
management personnel need to be appointed
necessary authority to ensure that the objectives and given the authority to achieve identified
and targets are implemented? objectives and targets. Within each programme
further responsibilities are expected to be
defined in a large organization.
c) identifying and monitoring the requirements and Note: definition of stakeholder according ISO
28000: person or entity having a vested
expectations of the organizations stakeholders and interest in the organizations performance,
taking appropriate and timely action to manage these success or the impact of its
expectations? Activities, e.g. customers, shareholders,
financiers, insurers, regulators, statutory bodies,
employees, contractors, suppliers, labour
organizations, or society.
.
d) ensuring the availability of adequate resources? ISO 28004 ch. 4.4.1 d 7): Resources can be
considered adequate, if they are sufficient to
carry out security programmes and activities,
including performance measurement and
monitoring. For organisations with established
security management systems, the adequacy
can be at least partially evaluated by comparing
the planned achievement of security objectives
with actual results.
e) considering the adverse impact that the security Note: eg cost-benefit analyses, business impact
analyses and change management tools.
management policy; objectives, targets, programmes,
etc. may have on other aspects of the organization?

f) ensuring any security programmes generated from other See Section 4.4.4 c) for evidence. Note.
Consider interrelationship with AEO and ISO
parts of the organization complement the 20850 (ISPS-Code), C-TPAT and maybe
security management system? security programmes derived from a quality
management system.

Rev 1.0 - 2008-01-06 Page 14/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

g) communicating to the organization the importance of See Section 4.4.3 for evidence.
Note: This is about security awareness of staff.
meeting its security management requirements
in order to comply with its policy?

h) ensuring security-related threats and risks are evaluated Risk assessment process in place as per ISO
28001 Annex A.1-A.3. Are performance reviews
and included in organizational threat and risk being carried out? (Annex A.3)
assessments, as appropriate?

i) ensuring the viability of the security management See Section 4.6 for evidence.
objectives, targets and programmes?

4.4.2
Competence, training and awareness
Does the organization ensure that personnel responsible ISO 28004 ch 4.4.2: evidence may include:
for the design, operation and management of security Analysis of training needs
Training programmes/plans
equipment and processes are suitably qualified in terms of Training courses
education, training and/or experience? Training records/evaluations
Security awareness programme
Security awareness evaluation
Does the organization establish and maintain procedures to ISO 28004 ch 4.4.2: to include contractors,
temporary workers and visitors. See also
make persons working for it or on its behalf aware of: Section 4.2 j).

a) the importance of compliance with the security ISO 28004 ch 4.4.2 d)

Note: This is about security awareness.
management policy and procedures, and to the
requirements of the security management system?

b) their roles and responsibilities in achieving compliance with ISO 28004 ch 4.4.2 d)
Note: This is about specific task to be complied
the security management policy and with by personnel and persons working on
procedures and with the requirements of the security behalf of the organization (training,
management system, including emergency familiarization etc).
preparedness and response requirements?

Rev 1.0 - 2008-01-06 Page 15/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

c) the potential consequences to the organizations security ISO 28004 ch 4.4.2 d)
Note: This is about making personnel aware of
by departing from specified operating the consequences if security tasks and
procedures? procedures are not complied with.

Are records of competence and training kept? ISO 28004 ch 4.4.2 e)

4.4.3
Communication
Does the organization have procedures for ensuring that See ISO 28004 ch 4.3.3, information can be
communicated through:
pertinent security management information is
management and employee
communicated to and from relevant employees, contractors consultations/councils
and other stakeholders? employee involvement
improvement schemes
security briefings
notice boards
email or print newsletters
Does the organization give because of the sensitive nature
of certain security related information, due consideration to
the sensitivity of information prior to dissemination?

4.4.4
Documentation
Does the organization establish and maintain a security
management documentation system that includes,
but is not limited to the following:

a) the security policy, objectives and targets?

Rev 1.0 - 2008-01-06 Page 16/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

b) description of the scope of the security management
system?

c) description of the main elements of the security

management system and their interaction, and
reference to related documents?

d) documents, including records, required by this International

Standard?

e) determination by the organization to be necessary to

ensure the effective planning, operation and
control of processes that relate to its significant security
threats and risks?

Does the organization determine the security sensitivity of

information and took steps to prevent
unauthorized access?

4.4.5
Document and data control
Does the organization establish and maintain procedures
for controlling all documents, data and information required
by Clause 4 of this Specification to ensure that:

a) these documents, data and information can be located and Authorised Personnel: see ISO 28001 ch 5.8.
Note: evidence authorisation procedure if
accessed only by authorized individuals? necessary. For example:
Is there an ID system tied to the
authorisation procedure?
Does possession of a (fraudulent) ID
confer authorisation?
Is data access logged and fraudulent

Rev 1.0 - 2008-01-06 Page 17/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

access flagged?

b) these documents, data and information are periodically Note: For example regular change of
passwords, exchange of ID systems etc.
reviewed, revised as necessary, and
approved for adequacy by authorized personnel?

c) current versions of relevant documents, data and

information are available at all locations where
operations essential to the effective functioning of the
security management system are performed?

d) obsolete documents, data and information are promptly Note: consider procedures and enforcement for
deletion for data:
removed from all points of issue and points of use, or
confidential waste baskets,
otherwise assured against unintended use? shredding,
electronic purging.

e) archival documents, data and information retained for legal ISO 28004 ch 4.4.5 e) document control
procedures, master lists, indexes, archival
or knowledge preservation purposes orboth are suitably location?
identified?

f) these documents, data and information are secure, and if in See also ISO 28001,
chapter 5.8 Protection of the security
electronic form are adequately backed up information
and can be recovered?

4.4.6
Operational control

Rev 1.0 - 2008-01-06 Page 18/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

Does the organization identify those operations and
activities that are necessary for achieving:

a) its security management policy?

b) the control of identified security threats and risks?

c) compliance with legal, statutory and other regulatory

security requirements?

d) its security management objectives?

e) the delivery of its security management programmes?

f) the required level of supply chain security?

Rev 1.0 - 2008-01-06 Page 19/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

Does the organization ensure these operations and
activities are carried out under specified conditions by:

a) establishing, implementing and maintaining documented See also ISO 28001,

chapter 5.4 Development of the supply chain
procedures to control situations where their security plan
absence could lead to failure to achieve the operations and
activities listed in 4.4.6 a) to f) above?

b) evaluating any threats posed from upstream supply chain
activities and applying controls to mitigate
theses impacts to the organization and other downstream
supply chain operators?
Note: these threats should have been evaluated
within the risk assessment and the result
adequately been considered when developing
objectives, targets, programmes and counter
measures.

c) establishing and maintaining the requirements for goods or See also ISO 28001,
chapter 4.2 4.5 Business partners - Security
services which impact on security and reviews of business partners
communicating these to suppliers and contractors?

Do the procedures include controls for the design,

installation, operation, refurbishment, and modification
of security related items of equipment, instrumentation,
etc., as appropriate?

Does the organization consider the associated security
threats and risks where existing arrangements are
revised or new arrangements introduced, that could impact
on security management operations and activities, before
their implementation?
Note: When existing arrangements are revised
or new arrangement are introduced, this should
be only done when the security impact (change
of threats and risks) has been evaluated.

Do the new or revised arrangements to be considered

include:

a) revised organizational structure, roles or responsibilities?

Rev 1.0 - 2008-01-06 Page 20/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

b) revised security management policy, objectives, targets or
programmes?

c) revised processes and procedures?

d) the introduction of new infrastructure, security equipment or

technology, which may include hardware
and/or software?

e) the introduction of new contractors, suppliers or personnel,

as appropriate?

Emergency preparedness, response and security

4.4.7
recovery
Does the organization establish, implement and maintain See section 4.3.1. Identification of the threat to
appropriate plans and procedures to identify the business continuity through risk assessment.
potential for, and responses to, security incidents and
emergency situations, and for preventing and mitigating
the likely consequences that can be associated with them?

Do the plans and procedures include information

on the provision and maintenance of any identified
equipment, facilities or services that can be required during
or after incidents or emergency situations?

Does the organization periodically review the effectiveness Also the adequacy, eg through risk
assessments. See section 4.3.1.
of its emergency preparedness, response and security Note: Effectiveness may be reviewed after drills
recovery plans and procedures, in particular after the and exercises and must be reviewed after
occurrence of incidents or emergency situations incidents or emergency situations:
caused by security breaches and threats?

Rev 1.0 - 2008-01-06 Page 21/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

Does the organization periodically test these procedures Note: This is about drills and exercises.
where practicable?

4.5.1
Security performance measurement and monitoring
Does the organization establish and maintain procedures to ISO 28004 ch. 4.5.1 d)
monitor and measure the performance of its Proactive monitoring, eg audits,
inspections, exercises, reviews.
security management system? Reactive monitoring, eg incident
investigation and analysis.

Does the organization establish and maintain procedures to ISO 28004 ch 4.5.1 d) 2), e.g.
- Security inspections
monitor and measure the security performance? - Behaviour sampling
- Benchmarking against other security
practises
- Stakeholders feedback
Does the organization consider the associated security Note: this is part of the risk assessment.
Deterioration mechanisms may be corrosion
threats and risks, including potential deterioration (fences and equipment housings), low visibility
mechanisms and their consequences, when setting the (for CCTV), wildlife (for motion detectors),
frequency for measuring and monitoring the key power cuts (for lighting), computer malfunctions
performance parameters? (for DVS or RFID readers)

Do these procedures provide for:

a) both qualitative and quantitative measurements, ISO 28004 ch 4.5.1 b) and d) 2). Note:
measurements should be identified and
appropriate to the needs of the organization? specified. Measurements could be:
frequency of undesirable events
(specified in the risk assessment or
sec. management programme)
defined exercise results (scores)
Equipment down-times

Rev 1.0 - 2008-01-06 Page 22/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

b) monitoring the extent to which the organizations security ISO 28004 ch 4.5.1 d)
management policy, objectives and targets
are met?

c) proactive measures of performance that monitor ISO 28004 ch 4.5.1 d) 2)

Systematic security
compliance with the security management programs, inspections/surveys
operational control criteria and applicable legislation, Pattern analysis
statutory, and other security regulatory reviewing personnel qualifications
requirements? and effectiveness in fitness reports
benchmarking against good security
practices
stakeholder feedback
d) reactive measures of performance to monitor security- ISO 28004 ch 4.5.1 d) 3)
Note: consider also documentation of reactions
related deteriorations, failures, incidents, nonconformances to false alerts and identification of equipment
(including near misses and false alarms) and other that is unfit for its intended purpose.
historical evidence of deficient security management Consideration should also be given to the
system performance? functionality of equipment under adverse
conditions.
ISO 28004 ch. 4.5.1 d) 5)
Contractor equipment/documentation should be
subjected to the same controls as in-house
equipment.
e) recording data and results of monitoring and measurement
sufficient to facilitate subsequent corrective and
preventative action analysis?
If monitoring equipment is required for performance
and/or measurement and monitoring, does the organization
require the establishment and maintenance of procedures
for the calibration and maintenance of such equipment?

Are records of calibration and maintenance activities and

results retained for sufficient time to comply with
legislation and the organizations policy?

Rev 1.0 - 2008-01-06 Page 23/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

4.5.2 System evaluation
Does the organization evaluate security management
plans, procedures, and capabilities through periodic
reviews, testing, post-incident reports, lessons learned,
performance evaluations, and exercises?

Are significant changes in these factors reflected See also ISO 28000 ch 4.5.2 e) Note: evidence
may be:
immediately in the procedure(s)?
reduced non-conformities or incidents
better legal compliance
evaluation reports

Does the organization periodically evaluate compliance Consult sections 4.2, 4.3.2 and 4.3.3.
with relevant legislation and regulations, industry best
practices, and conformance with its own policy and
objectives?

Security-related failures, incidents, non-conformances

4.5.3
and corrective and preventive action
Does the organization establish, implement and maintain
procedures for defining responsibility and authority for

a) evaluating and initiating preventive actions to identify See also ISO 28001,
chapter 5.7 Actions required after a security
potential failures of security in order that that incident
may be prevented from occurring?

b) the investigation of security-related See also ISO 28001, ch 5.7 a) Guidance

provided in: ISO 28004 ch 4.5.3 d) iv). Note:
establish also who carries out the investigations
and to which standard.
i) failures including near misses and false alarms?

Rev 1.0 - 2008-01-06 Page 24/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

ii) incidents and emergency situations?

iii) non-conformances?

c) taking action to mitigate any consequences arising from See also section 4.4.7 or any other contingency
planning or emergency preparedness
such failures, incidents or non-conformances? measures.

d) the initiation and completion of corrective actions? See also ISO 28001, ch 5.7 a)

e) the confirmation of the effectiveness of corrective actions See also ISO 28001, ch 5.7 b) on the
assessment of security recovery measures. See
taken? also section 4.6 on management review.

Do these procedures require that all proposed corrective Note: proportionality of the reaction to the
security incident. Security measures should not
and preventive actions are reviewed through the infringe safety or civil liberties.
security threat and risk assessment process prior to
implementation unless immediate implementation
forestalls imminent exposures to life or public safety?
Are any corrective or preventive actions taken to eliminate Note: Focus of new measures should not be
solely on preventing the incident that just
the causes of actual and potential non-conformances happened but on the root causes identified by
appropriate to the magnitude of the problems and the investigation and corroborated by the risk
commensurate with the security management related assessment.
threats and risks likely to be encountered?
Does the organization implement and record any changes Note: May be required by regulators. See also
sections 4.3.2 and 4.5.4. for reference.
in the documented procedures resulting from corrective
and preventive action and does it include the required
training where necessary?

4.5.4 Control of Records

Rev 1.0 - 2008-01-06 Page 25/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

Does the organization establish and maintain records as See ISO 28004 ch 4.5.4 c). Security records
might include:
necessary to demonstrate conformity to the requirements
training and competency records
of its security management system and of this standard, security inspection reports
and the results achieved? security non-conformances
security incident reports
security logs (IT and physical)
security meeting notes
exercise and drill logs
management reviews
risk assessment and related
documents
security surveys and audits
Does the organization establish, implement and maintain Note: digitally stored data too needs physical
protection.
(a) procedure(s) for the identification, storage, protection,
retrieval, retention and disposal of records?

Are the records, and do they remain, legible, identifiable

and traceable?

Does electronic and digital documentation render tamper See also ISO 28001,
chapter 5.8 Protection of the security
proof, securely backed-up and accessible only to information.
authorized personnel? Note: digitally stored data too needs physical
protection.

4.5.5 Audit
Does the organization establish, implement and maintain a
security management audit program?

Does the organization insure that audits of the security Note: Planned intervals are to be understood as
being annually.
management system are carried out at planned intervals, in
order to:

Rev 1.0 - 2008-01-06 Page 26/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

a) determine whether or not the security management
system...
i) conforms to planned arrangements for security
management including the requirements of
the whole of Clause 4 of this specification?

ii) has been properly implemented and maintained?

iii) is (are) effective in meeting the organizations security

management policy and objectives?

b) review the results of previous audits and the actions taken

to rectify non-conformances?

c) provides information on the results of audits to

management?

d) verifies that the security equipment and personnel are

appropriately deployed?

Does the audit program include any schedule, based on

the results of threat and risk assessments of the
organizations activities, and the results of previous audits?

Rev 1.0 - 2008-01-06 Page 27/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

Do the audit procedures cover the scope,
frequency, methodologies and competencies, as well as the
responsibilities and requirements for conducting
audits and reporting results?

Are the audits conducted by personnel independent of

those having direct responsibility for the activity being
examined?

4.6
Management review and continual improvement
Does the Top management review the organization's Note: Planned intervals are to be understood as
being annually.
security management system, at planned intervals, to
ensure its continuing suitability, adequacy and
effectiveness?

Do reviews include assessing opportunities See also ISO 28001,

chapter 5.6.2 Continual improvement
for improvement and the need for changes to the security
management system, including the security policy
and security objectives and threats and risks.

Are records of the management reviews retained? See section 4.5.4.

Does input to management reviews include:

a) results of audits and evaluations of compliance with legal
requirements and with other requirements to
which the organization subscribes?

b) communication(s) from external interested parties,

including complaints?

Rev 1.0 - 2008-01-06 Page 28/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

c) the security performance of the organization?

d) the extent to which objectives and targets have been met?

e) status of corrective and preventive actions?

f) follow-up actions from previous management reviews?

g) changing circumstances, including developments in legal See also section 4.3.1 security risk assessment
and 4.3.2 legal requirements.
and other requirements related to its security
aspects?

h) recommendations for improvement?

Do the outputs from management reviews include any See also ISO 28004 ch 4.6 e). Outputs include:
decisions and actions related to possible changes to meeting minutes
revisions of security policies and
security policy, objectives, targets and other elements of objectives; amendments of
the security management system, consistent with the programmes
commitment to continual improvement? specific corrective actions with target
dates
specific improvement actions with
responsibilities and target dates.
date for review of corrective actions
new risk appreciation

Rev 1.0 - 2008-01-06 Page 29/30

Checklist ISO 28000

No. Reguirements yes no Remarks Guidance, ISO 28001/4 reference

new areas of emphasis

Rev 1.0 - 2008-01-06 Page 30/30