ISO 27001 Security Assessment

Are information security policies established, approved by management, communicated, and reviewed at planned intervals?

Are information security roles and responsibilities defined and allocated?

Is segregation of duties implemented to reduce opportunities for unauthorized or unintentional modification?

Are contacts with relevant authorities maintained?

Are contacts with special interest groups and professional associations maintained?

Is threat intelligence collected and analyzed?

Is information security incorporated in project management?

Is an inventory of information and information-processing facilities maintained?

Is acceptable use of information and assets defined and documented?

Are procedures for the return of organizational assets upon termination established?

Is information classified according to legal, value, criticality, and sensitivity criteria?

Are information labeling procedures developed and implemented?

Are information transfer policies and procedures established?

Are access control policies established, documented, and reviewed?

Is identity management for personnel and entities accessing systems implemented?

Are authentication methods appropriate to access control policy?

Are access rights reviewed at regular intervals?

Is information security addressed in supplier agreements?

Is information security in the ICT supply chain managed?

Are supplier service delivery monitored, reviewed, and audited?

Is information security for use of cloud services defined and implemented?

Is an information security incident management plan established?

Are information security events assessed and classified?

Are information security incidents responded to appropriately?

Is evidence relating to information security events collected and preserved?

Is evidence collection conducted according to procedures?

Is information security addressed during disruption?

Are ICT systems prepared for business continuity?

Are legal, statutory, regulatory, and contractual requirements identified?

Are intellectual property rights protected?

Are records protected from loss, destruction, and falsification?

Are privacy and protection of personally identifiable information ensured?

Is information security independently reviewed at planned intervals?

Are policies and procedures for information security regularly reviewed?

Are documented operating procedures for information security established?

Are background verification checks conducted on all candidates for employment?

Do employment contracts include information security responsibilities?

Are information security awareness, education, and training programs conducted?

Is a disciplinary process for information security violations established?

Are responsibilities defined for termination or change of employment?

Are confidentiality or non-disclosure agreements established?

Is remote working security implemented?

Are information security events reported through appropriate channels?

Are physical security perimeters defined and used?

Are physical entry controls implemented?

Are offices, rooms, and facilities secured?

Is physical security monitoring conducted?

Is protection against physical and environmental threats implemented?

Is work conducted in secure areas?

Are clear desk and clear screen policies enforced?

Is equipment sited and protected appropriately?

Are assets secured off-premises?

Are storage media handled securely?

Are supporting utilities protected from interruption?

Is cabling security implemented?

Is equipment maintenance conducted securely?

Is secure disposal or reuse of equipment implemented?

Are user endpoints protected with appropriate security software?

Is there a formal user access provisioning process?

Are user access rights managed effectively?

Is access to source code restricted?

Is secure authentication implemented?

Is capacity management implemented?

Is protection against malware implemented?

Is management of technical vulnerabilities implemented?

Are configuration management procedures established?

Is information deletion implemented securely?

Is data masking used according to policy?

Is data leakage prevention implemented?

Is information backup conducted regularly?

Is redundancy of information processing facilities implemented?

Is logging of activities implemented?

Are monitoring activities conducted?

Are clocks synchronized to an approved time source?

Is use of privileged utility programs controlled?

Is software installation on operational systems controlled?

Are networks and network services secured?

Is security of network services ensured?

Is network segregation implemented?

Are web filtering controls implemented?

Is use of cryptography planned and managed?

Is the secure development life cycle implemented?

Are application security requirements defined?

Is secure system architecture and engineering principles applied?

Is secure coding practiced?

Is security testing in development and acceptance conducted?

Is outsourced development supervised?

Is separation of development, test, and production environments enforced?

Is change management implemented?

Is test information protected?

Is protection of information systems during audit testing ensured?

Are management responsibilities for information security defined and allocated?

Is information security addressed within supplier agreements?