SC ISO 27001 Self Assessment Checklist

ISO 27001 Stage 1 Audit Checklist

Uploaded by Sanjog

ISMS Checklist

Preparing your Information Security Management System for ISO 27001 certification.

Secure your information assets

Getting certified to ISO 27001:2022 demonstrates your organisation’s commitment to cyber security and the security of your information assets.

While there are a number of mandatory documented procedures and controls listed at the end of this document that you will need to have in place, it’s important to know you can commence Stage 1 of certification without completing every item in this checklist. Your auditor will identify any gaps that need to be addressed prior to the Stage 2 certification audit.

This list can be used as a guide to determine if your Information Security Management System is ready to be certified to ISO 27001:2022.

ISO/IEC 27001:2022 Checklist


Clause 4 Context of the organisation
• Has your organisation identified internal & external issues that will impact on your Information Security Management System (ISMS), including Climate Change? Yes ☐ No ☐
• Has your organisation identified interested parties & which stakeholder requirements will be addressed through the ISMS, including requirements relating to Climate Change? Yes ☐ No ☐
• Has your organisation determined and documented the scope and boundaries of the ISMS? Yes ☐ No ☐
• Has your organisation identified third-party services? Yes ☐ No ☐
• Has your organisation identified and justified exclusions from the scope of the ISMS? Yes ☐ No ☐

Clause 5 Leadership
• Can your organisation demonstrate top management is providing leadership and commitment to the ISMS? Yes ☐ No ☐
• Has your organisation established and documented an Information Security Policy? Yes ☐ No ☐
• Has management assigned roles and responsibilities for the ISMS’s implementation, operation and performance reporting? Yes ☐ No ☐

Clause 6 Planning
• Has your organisation established a plan to address identified risks and opportunities related to the ISMS? Yes ☐ No ☐
• Has your organisation established a documented risk assessment process that considers the Legal, Regulatory and Information Security requirements of the organisation? Yes ☐ No ☐
• Has your organisation determined and assessed the information security risks and opportunities related to the organisation, identified risk owners, and retained the results as documented information? Yes ☐ No ☐
• Has your organisation determined an acceptable level of risk? Yes ☐ No ☐
• Has your organisation established and documented a risk treatment plan and Statement of Applicability (SOA)? Yes ☐ No ☐
• Has your organisation compared the control set to Annex A to ensure any necessary controls are not excluded? Yes ☐ No ☐
• Has your organisation established and documented measurable information security objectives? Yes ☐ No ☐
• Has your organisation established plans to monitor, measure, communicate and achieve objectives and determined processes for maintaining related records? Yes ☐ No ☐
• Has your organisation established processes to ensure changes to the ISMS are carried out in a planned manner? Yes ☐ No ☐

Clause 7 Support
• Has your organisation determined the resources needed to establish, implement, continuously improve and maintain the ISMS? Yes ☐ No ☐
• Has your organisation determined and documented the competencies required by personnel to undertake their roles and responsibilities in compliance with the ISMS? Yes ☐ No ☐
• Does your organisation retain documented records of education, training, experience and qualification? Yes ☐ No ☐
• Has your organisation established an information security awareness and training program? Yes ☐ No ☐
• Has the organisation established a communication plan and communication channels? Yes ☐ No ☐
• Is ISMS documentation protected from loss of confidentiality, loss of integrity and improper use? Yes ☐ No ☐

V1.2 – MAY 2024 UNCONTROLLED ONCE PRINTED Page 3

Clause 8 Operation
• Has your organisation established operating procedures, including criteria and implementation of process controls in accordance with those criteria, as needed to ensure information security requirements are met? Yes ☐ No ☐
• Has your organisation established change management procedures and processes for reviewing the consequences of unintended change? Yes ☐ No ☐
• Has your organisation determined any/all outsourced processes and established related controls? Yes ☐ No ☐
• Has your organisation determined the documented information to be retained to the extent necessary to have confidence that the processes have been carried out as planned? Yes ☐ No ☐

Clause 9 Performance evaluation
• Has your organisation established processes and methods for monitoring, measuring, analysing and evaluating ISMS performance and effectiveness, i.e., what, when, how, and by whom? Yes ☐ No ☐
• Has your organisation determined how evidence will be preserved? Yes ☐ No ☐

9.2 Internal audit
• Has your organisation established a documented audit programme that defines timing, responsibilities, reporting, audit criteria and scope? Yes ☐ No ☐
• Has your organisation established a process to ensure results and evidence of implementation of the internal audit program/process are documented and available? Yes ☐ No ☐

9.3 Management Review
• Does your organisation conduct and document regular management reviews of the ISMS? Yes ☐ No ☐

Clause 10 Nonconformity & Continuous Improvement
• Does your organisation record all nonconformities, including initial correction, root cause and corrective actions? Yes ☐ No ☐
• Does your organisation continually improve the effectiveness of the ISMS using the information security policy, audit results, analysis of events, corrective actions and management review? Yes ☐ No ☐
Mandatory ISMS Documented Information
Does your organisation maintain the following mandatory documentation?
• Documented scope of the ISMS (4.3) Yes ☐ No ☐
• Information Security Policy (5.2) Yes ☐ No ☐
• Organisational roles and responsibilities (5.3) Yes ☐ No ☐
• Statement of Applicability (6.1.3 d) Yes ☐ No ☐
• Information security risk assessment procedure (6.1.2) Yes ☐ No ☐
• Results of the information security risk assessments (8.2) Yes ☐ No ☐
• Information security risk treatment procedure (plan) (6.1.3) Yes ☐ No ☐
• Decisions regarding information security risk treatments (8.3) Yes ☐ No ☐
• ISMS Objectives, targets and plans to achieve them (6.2) Yes ☐ No ☐
• Competency evidence (7.2) Yes ☐ No ☐
• Operating Procedures (8.1) Yes ☐ No ☐
• Monitoring, Measurement, Analysis and Evaluation results (9.1), i.e., ISMS performance including trends and performance against objectives Yes ☐ No ☐
• Internal audit (9.2), i.e., Procedure, Schedule, Internal Audit Reports Yes ☐ No ☐
• Management Review (9.3), i.e., Agenda and Minutes Yes ☐ No ☐
• Records relating to Incidents, Nonconformance and Corrective Action (10.2) Yes ☐ No ☐
• Evidence of continual improvement (10.3) Yes ☐ No ☐

Annex A Mandatory Documentation
Has your organisation documented the following controls and procedures?
• Information Security threats and results of analysis (A.5.7) Yes ☐ No ☐
• Inventory of information and other associated assets (A.5.9) Yes ☐ No ☐
• Rules for Acceptable use of Assets (A.5.10) Yes ☐ No ☐
• Response to information security incidents – detect and react (A.5.26) Yes ☐ No ☐
• Identification of applicable legislation and contractual requirements (A.5.31) Yes ☐ No ☐
• Operating procedures for information processing facilities (A.5.37) Yes ☐ No ☐
• Confidentiality or nondisclosure agreements (A.6.6) Yes ☐ No ☐
• Configuration Management Process (A.8.9) Yes ☐ No ☐
• Secure system engineering principles (A.8.27) Yes ☐ No ☐

Checklist Signoff

The ISMS is ready to proceed to the Transition Assessment. Yes ☐ No ☐

ISMS Role: Name: Date:
What’s next?

Your next steps

Whether you have all this in place or have a way to go, it can save substantial time and effort to speak to an auditor or consultant at the earliest possible stage.

The Southpac Certifications team is available for a no-obligation call or meeting to assist with determining where you are at and whether you are ready to begin the certification process.

Contact us

Australia | New Zealand
P +61 7 5533 9988 | E admin@southpac.biz
southpaccertifications.com