ISO 27001 Gap Analysis Checklist V2

This document provides instructions for completing an ISO 27001:2013 self-check list that assesses the current capability maturity model (CMM) level of each control area. It defines six maturity levels, from 0 (non-existent / not applicable) to 5 (optimized). The checklist covers the mandatory clauses 4 to 10 of the standard and the Annex A controls; each requirement is given a status and, where relevant, a note on the plan for improvement. A Summary tab then shows the resulting maturity level per clause.

Uploaded by Partha

ISO 27001:2013 Annex A Self-Check List

Purpose
This tool is designed to assess the current situation and capability maturity model (CMM) level of each ISO 27001:2013 Annex A control area.

Instructions
1) Complete the Check List tab with findings, participants, and CMM level.
Note: Please see the Assessment Scale tab for the definition of CMM level.

2) Review the visual result of CMM level on the Summary tab.
Assessment Scale

0 – Non-existent / Not applicable
- No recognition of the need for process.
- The process is not implemented.
- Deficiencies are not identified.
- Employees are not aware of their responsibilities.
Evidence: If not applicable, indicate the reason why.

1 – Initial / Ad Hoc
- There is evidence that the enterprise has recognized that the issues exist and need to be addressed.
- The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring (and tends to be applied on an individual or case-by-case basis).
- There is a high risk of deficiencies and incidents.
- At this level there is little or no evidence of any systematic achievement of the process purpose.
- The implemented process achieves its purpose and defined outcomes.
Evidence: Indicate any plan to move forward to address the issues.

2 – Repeatable but Intuitive
- The process is now implemented but may not be documented, and is typically dependent on the knowledge and motivation of individuals.
- Effectiveness is not adequately evaluated.
- Many weaknesses exist and, if not adequately addressed, the impact can be severe.
- Management's actions to resolve issues are not prioritized or consistent.
- Employees may not be aware of their responsibilities.
Evidence: Implemented but not documented.

3 – Defined
- The process is now implemented using a defined process that is capable of achieving its desired outcomes.
- Operating effectiveness is evaluated on a periodic basis.
- Management is able to deal predictably with most issues, but some weaknesses persist and impacts could still be severe.
- Procedures are mandated to be followed; however, it may be unlikely that all deviations are detected.
- The process and accompanying procedures have been communicated through training.
Evidence: Provide evidence that the process is documented, communicated and followed, and that deviations are detected.

4 – Managed & Measurable
- The process now operates within defined thresholds to achieve its outcomes.
- A formal documented evaluation of the process occurs frequently.
- Compliance is monitored and appropriate actions taken.
- Quantitative objectives for process performance in support of relevant business goals are established and measured.
- Management is likely to detect most issues, but not all issues are routinely identified.
- There is consistent follow-up to address identified weaknesses.
Evidence: Process exists, is documented and is evaluated. Sample: BPR processes.

5 – Optimized
- The process is continuously improved to meet relevant current and projected business goals (based on self-assessments and gap and root cause analysis).
- Improvement opportunities derived from new technologies and process concepts are identified, measured, and acted upon.
- Process improvement objectives that support the relevant business goals are defined.
- Full accountability for process monitoring, risk management, and compliance enforcement has been assigned.
- Employees are proactively involved in control improvements.
- Automation and tools have been implemented.
Evidence: Continuous improvement is evident.
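As an added example (not part of the workbook, and not the Summary tab's own formula), the following Python rolls up Check List findings into per-clause CMM averages the way the Summary tab presents them, using the Assessment Scale labels above. Two points the scale leaves implicit are made explicit: level 0 covers both "Non-existent" and "Not applicable", so N/A rows are excluded from the average rather than dragging the clause score down, and an N/A row must carry the reason the scale asks for. The sample findings, the Finding/summarize/gaps names and the target level of 3 (Defined) are assumptions.

```python
"""Gap-analysis roll-up for an ISO 27001:2013 maturity self-check.

Added example, not the workbook's own logic. Each finding carries a CMM
level label from the Assessment Scale; labels are mapped to 0-5 and a
mean is taken per top-level clause, as the Summary tab does. "Not
applicable" rows are excluded from the mean (not counted as level 0),
and an N/A row without a stated reason is rejected.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional

# Assessment Scale labels -> numeric CMM level (from the scale tab).
SCALE: Dict[str, int] = {
    "Non-existent": 0,
    "Initial / Ad Hoc": 1,
    "Repeatable but Intuitive": 2,
    "Defined": 3,
    "Managed & Measurable": 4,
    "Optimized": 5,
}
NOT_APPLICABLE = "Not applicable"


@dataclass
class Finding:
    clause: str                    # e.g. "6.1.2"
    requirement: str
    status: str                    # a SCALE key or NOT_APPLICABLE
    reason: Optional[str] = None   # required when status is NOT_APPLICABLE

    def level(self) -> Optional[int]:
        """Numeric level, or None for a justified N/A row."""
        if self.status == NOT_APPLICABLE:
            if not self.reason:
                raise ValueError(f"{self.clause}: N/A rows must state a reason")
            return None
        if self.status not in SCALE:
            raise ValueError(f"{self.clause}: unknown status {self.status!r}")
        return SCALE[self.status]


def clause_group(clause: str) -> str:
    """Top-level clause used by the Summary tab ('6.1.2' -> '6')."""
    return clause.split(".", 1)[0]


def summarize(findings: List[Finding]) -> Dict[str, float]:
    """Mean CMM level per top-level clause, ignoring justified N/A rows."""
    buckets: Dict[str, List[int]] = {}
    for f in findings:
        lvl = f.level()
        if lvl is not None:
            buckets.setdefault(clause_group(f.clause), []).append(lvl)
    return {c: round(float(mean(v)), 2)
            for c, v in sorted(buckets.items(), key=lambda kv: int(kv[0]))}


def gaps(findings: List[Finding], target: int = 3) -> List[Finding]:
    """Findings below the target level, worst first: the gap register."""
    below = [f for f in findings
             if f.level() is not None and f.level() < target]
    return sorted(below, key=lambda f: (f.level(), f.clause))


# Constructed sample rows (assumed data, not the workbook's findings).
SAMPLE: List[Finding] = [
    Finding("4.1", "Determine the aims of the ISMS", "Initial / Ad Hoc"),
    Finding("4.3", "Determine and document the ISMS scope", "Defined"),
    Finding("6.1.2", "Risk assessment process", "Repeatable but Intuitive"),
    Finding("6.1.3", "Risk treatment process", "Non-existent"),
    Finding("8.1", "Operational planning and control", NOT_APPLICABLE,
            reason="No in-scope processing yet; scope limited to the policy set"),
    Finding("8.2", "Reassess risks regularly and on change", "Managed & Measurable"),
    Finding("9.2", "Internal audit", "Non-existent"),
]

if __name__ == "__main__":
    for clause, score in summarize(SAMPLE).items():
        print(f"Clause {clause}: {score}")
    for f in gaps(SAMPLE):
        print(f"GAP {f.clause} [{f.status}] {f.requirement}")
```

With the sample above, clause 8 scores 4.0 because the N/A row is left out; had it been scored as 0, the clause would have read 2.0 and the Summary chart would show a gap that does not exist.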
Check List - Mandatory Requirements

ISO 27001 gap analysis - Mandatory Requirements

Clause | ISO 27001 requirement | Status

4 Context of the organisation
4.1 Organisational context: Determine the aims of your organisation's ISMS and any issues that might affect its effectiveness | Initial / Ad Hoc
4.2 Interested parties
4.2 (a) Identify interested parties including applicable laws, regulations, contracts etc. | Defined
4.2 (b) Determine those parties' information security-relevant requirements and obligations | Defined
4.3 ISMS scope: Determine and document the scope of your ISMS | Initial / Ad Hoc
4.4 ISMS: Establish, implement, maintain and continually improve your ISMS according to the standard | Initial / Ad Hoc

5 Leadership
5.1 Leadership and commitment: Top management must demonstrate leadership and commitment to the ISMS | Initial / Ad Hoc
5.2 Policy: Document the information security policy | Defined
5.3 Organisational roles, responsibilities and authorities: Assign and communicate information security roles and responsibilities | Repeatable but Intuitive

6 Planning
6.1 Actions to address risks and opportunities
6.1.1 Design/plan the ISMS to satisfy the requirements, addressing risks and opportunities | Repeatable but Intuitive
6.1.2 Define and apply an information security risk assessment process | Repeatable but Intuitive
6.1.3 Document and apply an information security risk treatment process | Repeatable but Intuitive
6.2 Information security objectives and plans: Establish and document the information security objectives and plans | Repeatable but Intuitive

7 Support
7.1 Resources: Determine and allocate necessary resources for the ISMS | Managed & Measurable
7.2 Competence: Determine, document and make available necessary competences | Defined
7.3 Awareness: Establish a security awareness program | Repeatable but Intuitive
7.4 Communication: Determine the need for internal and external communications relevant to the ISMS | Repeatable but Intuitive
7.5 Documented information
7.5.1 Provide documentation required by the standard plus that required by the organisation | Initial / Ad Hoc
7.5.2 Provide document titles, authors etc., format them consistently, and review and approve them | Initial / Ad Hoc
7.5.3 Control the documentation properly | Initial / Ad Hoc

8 Operation
8.1 Operational planning and control: Plan, implement, control and document ISMS processes to manage risks (i.e. a risk treatment plan) | Non-existent
8.2 Information security risk assessment: Reassess and document information security risks regularly and on changes | Repeatable but Intuitive
8.3 Information security risk treatment: Implement the risk treatment plan (treat the risks!) and document the results | Repeatable but Intuitive

9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation: Monitor, measure, analyse and evaluate the ISMS and the controls | Repeatable but Intuitive
9.2 Internal audit: Plan and conduct internal audits of the ISMS | Initial / Ad Hoc
9.3 Management review: Undertake regular management reviews of the ISMS | Non-existent

10 Improvement
10.1 Nonconformity and corrective action: Identify, fix and take action to prevent nonconformities from recurring, documenting the actions | Repeatable but Intuitive
10.2 Continual improvement: Continually improve the ISMS | Initial / Ad Hoc

Number of requirements: 27

Notes / Rate (column values as extracted; their row alignment with the requirements above was not preserved)
2.5
2
Done, permanent process to be formalized: 2
4
4
4
2
2
2
3
3
2.7142857
2
2
2.3333333
2.5
3
2
Summary: Current CMM level of each security control area of ISO 27001:2013 Mandatory Requirements (radar chart; axes: 4. Context of Organization, 5. Leadership, 6. Planning, 7. Support, 8. Operation, 9. Performance Evaluation, 10. Improvement; series: 13 Mandatory Requirements)
Check List - Anne

Reference Audit Area, Objective, and Question


Standard Section
A.5 Information security policies
A.5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with business requirements
regulations.
A.5.1.1 Policies for information
security

A.5.1.2 Review of the policies


for information
security
A.6 Organization of information security
A.6.1 Internal organization
Objective:
A.6.1.1 To establish a management
Information security framework to initiate and control the implementation and operation of information sec
organization. roles and responsibilities
A.6.1.2 Segregation of duties

A.6.1.3 Contact with authorities

A.6.1.4 Contact with special


interest groups

A.6.1.5 Information security


in project management

A.6.2 Mobile devices and teleworking


Objective: To ensure the security of teleworking and use of mobile devices.
A.6.2.1 Mobile device policy

A.6.2.2 Teleworking

A.7 Human resources security


A.7.1 Prior to employment
Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for whic

A.7.1.1 Screening
A.7.1.2 Terms and conditions of
employment

A.7.2 During employment


Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.
A.7.2.1 Management responsibilities

A.7.2.2 Information security


awareness, education, and
training

A.7.2.3 Disciplinary process

A.7.3 Termination and change of employment


Objective: To protect the organization’s interests as part of the process of changing or terminating employment.
A.7.3.1 Termination or change of
employment responsibilities

A.8 Asset management


A.8.1 Responsibility for assets
Objective: To identify organizational assets and define appropriate protection responsibilities.

A.8.1.1 Inventory of assets

A.8.1.2 Ownership of assets

A.8.1.3 Acceptable use of


assets

A.8.1.4 Return of assets

A.8.2 Information classification


Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the org

A.8.2.1 Classification of information

A.8.2.2 Labelling of information


A.8.2.3 Handling of assets

A.8.3 Media handling


Objective: To prevent unauthorized disclosure, modification, removal, or destruction of information stored on media.
A.8.3.1 Management of removable
media

A.8.3.2 Disposal of media

A.8.3.3 Physical media transfer

A.9 Access control


A.9.1 Business requirements of access control
Objective: To limit access to information and information processing facilities.
A.9.1.1 Access control policy

A.9.1.2 Access to networks


and network services

A.9.2 User access management


Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.2.1 User registration and


de-registration

A.9.2.2 User access provisioning

A.9.2.3 Management of privileged


access rights
A.9.2.4 Management of secret
authentication information
of users

A.9.2.5 Review of user access


rights

A.9.2.6 Removal or adjustment


of access rights

A.9.3 User responsibilities


Objective: To make users accountable for safeguarding their authentication information.
A.9.3.1 Use of secret authentication
information

A.9.4 System and application access control


Objective: To prevent unauthorized access to systems and applications.

A.9.4.1 Information access


restriction

A.9.4.2 Secure log-on procedures

A.9.4.3 Password management


system

A.9.4.4 Use of privileged utility


programs

A.9.4.5 Access control to program


source code
A.10 Cryptography
A.10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity, and/or integrity of in

A.10.1.1 Policy on the use of


cryptographic controls

A.10.1.2 Key management

A.11 Physical and environmental security


A.11.1 Secure areas
Objective: To prevent unauthorized physical access, damage, and interference to the organization’s information and informa

A.11.1.1 Physical security


perimeter

A.11.1.2 Physical entry controls

A.11.1.3 Securing offices,


rooms, and facilities
A.11.1.4 Protecting against
external and environmental
threats
A.11.1.5 Working in secure
areas
A.11.1.6 Delivery and loading
areas

A.11.2 Equipment
Objective: To prevent loss, damage, theft, or compromise of assets and interruption to the organization’s operations.

A.11.2.1 Equipment siting and


protection

A.11.2.2 Supporting utilities

A.11.2.3 Cabling security

A.11.2.4 Equipment maintenance

A.11.2.5 Removal of assets

A.11.2.6 Security of equipment


and assets off-premises

A.11.2.7 Secure disposal or reuse


of equipment

A.11.2.8 Unattended user


equipment
A.11.2.9 Clear desk and clear
screen policy

A.12 Operations security


A.12.1 Operational procedures and responsibilities
Objective: To ensure correct and secure operations of information-processing facilities.

A.12.1.1 Documented operating


procedures
A.12.1.2 Change management

A.12.1.3 Capacity management

A.12.1.4 Separation of development,


testing, and operational
environments
A.12.2 Protection from malware
Objective: To ensure that information and information processing facilities are protected against malware.
A.12.2.1 Controls against malware
A.12.3 Backup
Objective: To protect against loss of data.
A.12.3.1 Information backup

A.12.4 Logging and monitoring


Objective: To record events and generate evidence.
A.12.4.1 Event logging

A.12.4.2 Protection of log information

A.12.4.3 Administrator and


operator logs

A.12.4.4 Clock synchronization

A.12.5 Control of operational software


Objective: To ensure the integrity of operational systems.
A.12.5.1 Installation of software
on operational
systems

A.12.6 Technical vulnerability management


Objective: To prevent exploitation of technical vulnerabilities.
A.12.6.1 Management of technical
vulnerabilities

A.12.6.2 Restrictions on software


installation
A.12.7 Information systems audit considerations
Objective: To minimize the impact of audit activities on operational systems.

A.12.7.1 Information systems


audit controls

A.13 Communications security


A.13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.

A.13.1.1 Network controls

A.13.1.2 Security of network


services

A.13.1.3 Segregation in networks


A.13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.

A.13.2.1 Information transfer


policies and procedures

A.13.2.2 Agreements on information


transfer

A.13.2.3 Electronic messaging

A.13.2.4 Confidentiality or nondisclosure


agreements

A.14 System acquisition, development, and maintenance


A.14.1 Security requirements of information systems
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle; this also
for information systems that provide services over public networks.

A.14.1.1 Information security


requirements analysis
and specification

A.14.1.2 Securing application


services on public
networks
A.14.1.3 Protecting application
services transactions

A.14.2 Security in development and support processes


Objective: To ensure that information security is designed and implemented within the development lifecycle of information

A.14.2.1 Secure development


policy

A.14.2.2 System change control


procedures

A.14.2.3 Technical review of


applications after
operating platform
changes
A.14.2.4 Restrictions on
changes to software
packages
A.14.2.5 Secure system engineering
principles

A.14.2.6 Secure development


environment

A.14.2.7 Outsourced development

A.14.2.8 System security testing

A.14.2.9 System acceptance


testing

A.14.3 Test data


Objective: To ensure the protection of data used for testing.
A.14.3.1 Protection of test data

A.15 Supplier relationships

A.15.1 Information security in supplier relationships


Objective: To ensure protection of the organization’s assets that are accessible by suppliers.

A.15.1.1 Information security


policy for supplier
relationships

A.15.1.2 Addressing security


within supplier agreements

A.15.1.3 Information and communication


technology
supply chain

A.15.2 Supplier service delivery management


Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

A.15.2.1 Monitoring and review


of supplier services
A.15.2.2 Managing changes to supplier
services

A.16 Information security incident management


A.16.1 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach to the management of information security incidents, including com
events and weaknesses.
A.16.1.1 Responsibilities and
procedures

A.16.1.2 Reporting information


security events
A.16.1.3 Reporting information
security weaknesses

A.16.1.4 Assessment of and


decision on information
security events
A.16.1.5 Response to information
security incidents
A.16.1.6 Learning from
information security
incidents
A.16.1.7 Collection of evidence

A.17 Information security aspects of business continuity management


A.17.1 Information security continuity
Objective: Information security continuity shall be embedded in the organization’s business continuity management systems

A.17.1.1 Planning information


security continuity

A.17.1.2 Implementing information


security continuity

A.17.1.3 Verify, review, and evaluate


information security continuity

A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.
A.17.2.1 Availability of information
processing facilities

A.18 Compliance
A.18.1 Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory, or contractual obligations related to information security and of a

A.18.1.1 Identification of applicable


legislation and
contractual requirements

A.18.1.2 Intellectual property


rights

A.18.1.3 Protection of records


A.18.1.4 Privacy and protection
of personally identifiable
information

A.18.1.5 Regulation of cryptographic


controls

A.18.2 Information security reviews


Objective: To ensure that information security is implemented and operated in accordance with the organizational policies a

A.18.2.1 Independent review of


information security

A.18.2.2 Compliance with


security policies and
standards

A.18.2.3 Technical compliance


review
Check List - Annex A

ective, and Question

mation security
irection and support for information security in accordance with business requirements and relevant laws and
Control
A set of policies for information security shall be defined, approved by management, published, and
communicated to employees and relevant external parties.
Control
The policies for information security shall be reviewed at planned intervals, or if significant changes
occur, to ensure their continuing suitability, adequacy, and effectiveness.
curity

nt frameworkControl
to initiate and control the implementation and operation of information security within the
All information security responsibilities shall be defined and allocated.
Control
Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for
unauthorized or unintentional modification or misuse of the organization’s assets.

Control
Appropriate contacts with relevant authorities shall be maintained.

Control
Appropriate contacts with special interest groups or other specialist security forums and professional
associations shall be maintained.
Control
Information security shall be addressed in project management, regardless of the type of project.

g
eleworking and use of mobile devices.
Control
A policy and supporting security measures shall be adopted to manage the risks introduced by using
mobile devices.

Control
A policy and supporting security measures shall be implemented to protect information accessed,
processed, or stored at teleworking sites.

and contractors understand their responsibilities and are suitable for the roles for which they are considered.

Control
Background verification checks on all candidates for employment shall be carried out in accordance
with relevant laws, regulations, and ethics, and shall be proportional to the business requirements, the
classification of the information to be accessed, and the perceived risks.
Control
The contractual agreements with employees and contractors shall state their and the organization’s
responsibilities for information security.

and contractors are aware of and fulfil their information security responsibilities.
Control
Management shall require all employees and contractors to apply information security in accordance
with the established policies and procedures of the organization.

Control
All employees of the organization and, where relevant, contractors shall receive appropriate
awareness education and training and regular updates in organizational policies and procedures, as
relevant to their job function.

Control
There shall be a formal and communicated disciplinary process in place to take action against
employees who have committed an information security breach.

ployment
n’s interests as part of the process of changing or terminating employment.
Control
Information security responsibilities and duties that remain valid after termination or change of
employment shall be defined, communicated to the employee or contractor, and enforced.

assets and define appropriate protection responsibilities.

Control
Assets associated with information and information processing facilities shall be identified and an
inventory of these assets shall be drawn up and maintained.
Control
Assets maintained in the inventory shall be owned.
Control
Rules for the acceptable use of information and of assets associated with information and information
processing facilities shall be identified, documented, and implemented.

Control
All employees and external-party users shall return all of the organizational assets in their possession
upon termination of their employment, contract, or agreement.

receives an appropriate level of protection in accordance with its importance to the organization.

Control
Information shall be classified in terms of legal requirements, value, criticality, and sensitivity to
unauthorized disclosure or modification.
Control
An appropriate set of procedures for information labelling shall be developed and implemented in
accordance with the information classification scheme adopted by the organization.
Control
Procedures for handling assets shall be developed and implemented in accordance with the
information classification scheme adopted by the organization.

isclosure, modification, removal, or destruction of information stored on media.


Control
Procedures shall be implemented for the management of removable media in accordance with the
classification scheme adopted by the organization.

Control
Media shall be disposed of securely when no longer required, using formal procedures.

Control
Media containing information shall be protected against unauthorized access, misuse, or corruption
during transportation.

ss control
ion and information processing facilities.
Control
An access control policy shall be established, documented, and reviewed based on business and
information security requirements.
Control
Users shall only be provided with access to the network and network services that they have been
specifically authorized to use.

access and to prevent unauthorized access to systems and services.

Control
A formal user registration and de-registration process shall be implemented to enable assignment of
access rights.

Control
A formal user access provisioning process shall be implemented to assign or revoke access rights for
all user types to all systems and services.

Control
The allocation and use of privileged access rights shall be restricted and controlled.
Control
The allocation of secret authentication information shall be controlled through a formal management
process.

Control
Asset owners shall review users’ access rights at regular intervals.

Control
The access rights of all employees and external-party users to information and information processing
facilities shall be removed upon termination of their employment, contract, or agreement, or adjusted
upon change.

e for safeguarding their authentication information.


Control
Users shall be required to follow the organization’s practices in the use of secret authentication
information.

control
ccess to systems and applications.

Control
Access to information and application system functions shall be restricted in accordance with the
access control policy.

Control
Where required by the access control policy, access to systems and applications shall be controlled by
a secure log-on procedure.

Control
Password management systems shall be interactive and shall ensure quality passwords.

Control
The use of utility programs that might be capable of overriding system and application controls shall be
restricted and tightly controlled.

Control
Access to program source code shall be restricted.

ctive use of cryptography to protect the confidentiality, authenticity, and/or integrity of information.

Control
A policy on the use of cryptographic controls for protection of information shall be developed and
implemented.

Control
A policy on the use, protection, and lifetime of cryptographic keys shall be developed and implemented
through their whole lifecycle.

ecurity

hysical access, damage, and interference to the organization’s information and information-processing facilities.

Control
Security perimeters shall be defined and used to protect areas that contain either sensitive or critical
information and information-processing facilities.

Control
Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel
are allowed access.
Control
Physical security for offices, rooms, and facilities shall be designed and applied.
Control
Physical protection against natural disasters, malicious attack, or accidents shall be designed and
applied.
Control
Procedures for working in secure areas shall be designed and applied.
Control
Access points such as delivery and loading areas, and other points where unauthorized persons could
enter the premises, shall be controlled and, if possible, isolated from information processing facilities to
avoid unauthorized access.

theft, or compromise of assets and interruption to the organization’s operations.

Control
Equipment shall be sited and protected to reduce the risks from environmental threats and hazards,
and opportunities for unauthorized access.
Control
Equipment shall be protected from power failures and other disruptions caused by failures in
supporting utilities.

Control
Power and telecommunications cabling carrying data or supporting information services shall be
protected from interception, interference, or damage.
Control
Equipment shall be correctly maintained to ensure its continued availability and integrity.
Control
Equipment, information, or software shall not be taken off-site without prior authorization.
Control
Security shall be applied to off-site assets, taking into account the different risks of working outside the
organization’s premises.
Control
All items of equipment containing storage media shall be verified to ensure that any sensitive data and
licensed software has been removed or securely overwritten prior to disposal or re-use.
Control
Users shall ensure that unattended equipment has appropriate protection.
Control
A clear desk policy for papers and removable storage media and a clear screen policy for information
processing facilities shall be adopted.

esponsibilities
ure operations of information-processing facilities.

Control
Operating procedures shall be documented and made available to all users who need them.
Control
Changes to the organization, business processes, information-processing facilities, and systems that
affect information security shall be controlled.
Control
The use of resources shall be monitored and tuned, and projections made of future capacity
requirements to ensure the required system performance.
Control
Development, testing, and operational environments shall be separated to reduce the risks of
unauthorized access or changes to the operational environment.

and information processing facilities are protected against malware.


Control
Detection, prevention, and recovery controls to protect against malware shall be implemented,
combined with appropriate user awareness.
data.
Control
Backup copies of information, software, and system images shall be taken and tested regularly in
accordance with an agreed backup policy.

erate evidence.
Control
Event logs recording user activities, exceptions, faults, and information security events shall be
produced, kept, and regularly reviewed.

Control
Logging facilities and log information shall be protected against tampering and unauthorized access.
Control
System administrator and system operator activities shall be logged and the logs protected and
regularly reviewed.

Control
The clocks of all relevant information processing systems within an organization or security domain
shall be synchronized to a single reference time source.
e
operational systems.
Control
Procedures shall be implemented to control the installation of software on operational systems.

ement
technical vulnerabilities.
Control
Information about technical vulnerabilities of information systems being used shall be obtained in a
timely fashion, the organization’s exposure to such vulnerabilities evaluated, and appropriate
measures taken to address the associated risk.

Control
Rules governing the installation of software by users shall be established and implemented.
siderations
audit activities on operational systems.

Control
Audit requirements and activities involving verification of operational systems shall be carefully
planned and agreed on to minimize disruptions to business processes.

t
f information in networks and its supporting information processing facilities.

Control
Networks shall be managed and controlled to protect information in systems and applications.
Control
Security mechanisms, service levels, and management requirements of all network services shall be
identified and included in network services agreements, whether these services are provided in-house
or outsourced.
Control
Groups of information services, users, and information systems shall be segregated on networks.
information transferred within an organization and with any external entity.

Control
Formal transfer policies, procedures, and controls shall be in place to protect the transfer of
information through the use of all types of communication facilities.

Control
Agreements shall address the secure transfer of business information between the organization and
external parties.

Control
Information involved in electronic messaging shall be appropriately protected.

Control
Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for
the protection of information shall be identified, regularly reviewed, and documented.

A.14 System acquisition, development, and maintenance


mation systems
security is an integral part of information systems across the entire lifecycle; this also includes the requirements
services over public networks.

Control
The information-security related requirements shall be included in the requirements for new
information systems or enhancements to existing information systems.

Control
Information involved in application services passing over public networks shall be protected from
fraudulent activity, contract dispute, and unauthorized disclosure and modification.
Control
Information involved in application service transactions shall be protected to prevent incomplete
transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized
message duplication, or replay.

support processes
security is designed and implemented within the development lifecycle of information systems.

Control
Rules for the development of software and systems shall be established and applied to developments
within the organization.
Control
Changes to systems within the development lifecycle shall be controlled by the use of formal change
control procedures.
Control
When operating platforms are changed, business critical applications shall be reviewed and tested to
ensure there is no adverse impact on organizational operations or security.

Control
Modifications to software packages shall be discouraged, or limited to necessary changes, and all
changes shall be strictly controlled.
Control
Principles for engineering secure systems shall be established, documented, maintained, and applied
to any information system implementation efforts.

Control
Organizations shall establish and appropriately protect secure development environments for system
development and integration efforts that cover the entire system development lifecycle.
Control
The organization shall supervise and monitor the activity of outsourced system development.
Control
Testing of security functionality shall be carried out during development.
Control
Acceptance testing programs and related criteria shall be established for new information systems,
upgrades, and new versions.

f data used for testing.


Control
Test data shall be selected carefully, protected, and controlled.

A.15 Supplier relationships
e organization’s assets that are accessible by suppliers.

Control
Information security requirements for mitigating the risks associated with supplier’s access to the
organization’s assets shall be agreed upon with the supplier and documented.

Control
All relevant information security requirements shall be established and agreed upon with each supplier
that may access, process, store, communicate, or provide IT infrastructure components for the
organization’s information.
Control
Agreements with suppliers shall include requirements to address the information security risks
associated with information and communications technology services and product supply chain.

agement
el of information security and service delivery in line with supplier agreements.

Control
Organizations shall regularly monitor, review, and audit supplier service delivery.
Control
Changes to the provision of services by suppliers, including maintaining and improving existing
information security policies, procedures, and controls, shall be managed, taking into account the
criticality of business information, systems, and processes involved and re-assessment of risks.
A.16 Information security incident management
ecurity incidents and improvements
d effective approach to the management of information security incidents, including communication on security

Control
Management responsibilities and procedures shall be established to ensure a quick, effective, and
orderly response to information security incidents.
Control
Information security events shall be reported through appropriate management channels as quickly as
possible.
Control
Employees and contractors using the organization’s information systems and services shall be
required to note and report any observed or suspected information security weaknesses in systems or
services.
Control
Information security events shall be assessed and it shall be decided if they are to be classified as
information security incidents.
Control
Information security incidents shall be responded to in accordance with the documented procedures.
Control
Knowledge gained from analyzing and resolving information security incidents shall be used to reduce
the likelihood or impact of future incidents.
Control
The organization shall define and apply procedures for the identification, collection, acquisition, and
preservation of information, which can serve as evidence.

A.17 Information security aspects of business continuity management

uity shall be embedded in the organization’s business continuity management systems.

Control
The organization shall determine its requirements for information security and the continuity of
information security management in adverse situations, e.g. during a crisis or disaster.
Control
The organization shall establish, document, implement, and maintain processes, procedures, and
controls to ensure the required level of continuity for information security during an adverse situation.
Control
The organization shall verify the established and implemented information security continuity controls
at regular intervals in order to ensure that they are valid and effective during adverse situations.

formation processing facilities.


Control
Information processing facilities shall be implemented with redundancy
sufficient to meet availability requirements.

ntractual requirements
, statutory, regulatory, or contractual obligations related to information security and of any security requirements.

Control
All relevant legislative statutory, regulatory, contractual requirements, and the organization’s approach
to meet these requirements shall be explicitly identified, documented, and kept up to date for each
information system and the organization.

Control
Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory, and
contractual requirements related to intellectual property rights and use of proprietary software
products.

Control
Records shall be protected from loss, destruction, falsification, unauthorized access, and unauthorized
release in accordance with legislative, regulatory, contractual, and business requirements.
Control
Privacy and protection of personally identifiable information shall be ensured as required in relevant
legislation and regulation where applicable.

Control
Cryptographic controls shall be used in compliance with all relevant
agreements, legislation, and regulations.

security is implemented and operated in accordance with the organizational policies and procedures.

Control
The organization’s approach to managing information security and its implementation (e.g. control
objectives, controls, policies, processes, and procedures for information security) shall be reviewed
independently at planned intervals or when significant changes occur.
Control
Managers shall regularly review the compliance of information processing and procedures within their
area of responsibility with the appropriate security policies, standards, and any other security
requirements.
Control
Information systems shall be regularly reviewed for compliance with the organization’s information
security policies and standards.
Results
CMM Level | Remarks | Control Owner
(Only the CMM Level column was captured; the control labels, Remarks, and Control Owner columns are blank in this copy.)
4, 2.3, 3.6, 3, 2.66666666666667, 4, 2, 1.66666666666667, 2.33333333333333, 2, 3, 1.66666666666667, 2.275, 2.5, 2, 2, 1.6, 2.33333333333333, 2, 1, 1.66666666666667, 2.5, 3, 3, 2.5, 2.75, 3, 2.5, 1, 1, 2.42857142857143, 2.42857142857143, 3, 3, 2.5, 2.33333333333333, 2, 2, 2.66666666666667, 2
Current CMM level of each security control area of ISO 27001:2013 (radar chart on the Summary tab)

Control areas of ISO 27001:2013 Annex A shown on the chart:
A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
Mandatory documents and records required by ISO 27001:2013

(documents from Annex A are mandatory only if there are risks which would require their implementation.)

Status (Existing / Not Existing)

Mandatory documents:
Scope of the ISMS (clause 4.3)
Information security policy and objectives (clauses 5.2 and 6.2)
Risk assessment and risk treatment methodology (clause 6.1.2)
Statement of Applicability (clause 6.1.3 d)
Risk treatment plan (clauses 6.1.3 e and 6.2)
Risk assessment report (clause 8.2)
Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
Inventory of assets (clause A.8.1.1)
Acceptable use of assets (clause A.8.1.3)
Access control policy (clause A.9.1.1)
Operating procedures for IT management (clause A.12.1.1)
Secure system engineering principles (clause A.14.2.5)
Supplier security policy (clause A.15.1.1)
Incident management procedure (clause A.16.1.5)
Business continuity procedures (clause A.17.1.2)
Statutory, regulatory, and contractual requirements (clause A.18.1.1)

Mandatory records:
Records of training, skills, experience, and qualifications (clause 7.2)
Monitoring and measurement results (clause 9.1)
Internal audit program (clause 9.2)
Results of internal audits (clause 9.2)
Results of the management review (clause 9.3)
Results of corrective actions (clause 10.1)
Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
