ISMS Audit Check List

July 22, 2017 | Author: Veeraraghavan Venkatesan | Category: Audit, Risk Assessment, Risk, Threat (Computer), Business Process



ISMS – AUDIT CHECKLIST

REQUIREMENT – REFER TO BS ISO / IEC 27001 : 2005

Form F252 (ISMS)/Rev 3 (Revised 30 October 2006) Page 1 of 9

Each requirement is checked at Stage 1 for development and at Stage 2/surveillance for implementation, maintenance and improvement. For every item the form provides three columns to be completed by the auditor: Stage 1, Stage 2/ Surv., and Comment/ Report Ref.

4.1
Has the organisation developed a documented ISMS based on the PDCA model? Is it implemented, monitored and continuously improved?

4.2.1
Has the organisation:
a) defined the scope of the ISMS?
b) defined an ISMS policy that:
   1) includes a framework for objectives?
   2) takes account of business, legal and contractual security obligations?
   3) aligns with the organisation's risk management for the ISMS?
   4) establishes criteria for risk evaluation and risk assessment?
   5) has been approved by management?
c) identified a suitable risk assessment method and developed criteria for accepting risk and identifying acceptable levels of risk?
d) identified the:
   1) assets within the ISMS scope and their owners?
   2) threats to these assets?
   3) vulnerabilities relating to these threats?
   4) impacts on the assets?
e) analysed and evaluated the:
   1) potential harm from a security failure?
   2) likelihood of a security failure occurring?
   3) estimated levels of risk?
   4) acceptability of the risk, using the method in 4.2.1 (c)?
f) identified and evaluated risk treatment options?
g) selected control objectives and controls for the treatment of risks?
h) obtained management approval of residual risks and of the operation of the ISMS?
i) obtained management authorization to implement and maintain the ISMS?
j) prepared a documented 'Statement of Applicability' giving the reasons for the selection of control objectives and controls, and listing the controls and objectives currently implemented?

4.2.2
Has the organisation:
a) formulated a risk treatment plan?
b) implemented the risk treatment plan?
c) implemented the selected controls?
d) defined how the effectiveness of the selected controls is measured?
e) managed its operations?
f) managed its resources?
g) implemented procedures for detection of and response to security incidents?

4.2.3
Does the organisation:
a) use monitoring procedures and controls to promptly:
   1) detect errors in processing?
   2) identify both failed and successful security breaches and incidents?
   3) enable management to determine whether security activities are performing as expected?
   4) introduce indicators to help prevent security incidents?
   5) determine the effectiveness of any actions taken?
b) undertake regular reviews of the ISMS?
c) measure the effectiveness of controls?
d) review the level of residual risk? Does the review take into account changes to:
   1) the organisation?
   2) technology?
   3) business objectives and processes?
   4) identified threats?
   5) the effectiveness of the implemented controls?
   6) external events, including the regulatory and social climate?
e) conduct internal ISMS audits at planned intervals?
f) undertake a management review of the ISMS at least annually? Are management review improvement decisions and change requirements promptly implemented?
g) update security plans following monitoring and reviewing activities?
h) record events that could impact on the ISMS?

4.2.4
Does the organisation:
a) implement identified ISMS improvements?
b) take appropriate corrective and preventive actions? Does this include applying lessons learned from other organisations?
c) communicate actions and improvements to all interested parties, and agree with them on how to proceed?
d) ensure that improvements achieve their objectives?

4.3.1
Does the ISMS documentation include:
a) statements of the security policy and control objectives?
b) the scope of the ISMS?
c) procedures and controls?
d) a description of the risk assessment methodology?
e) the risk assessment report?
f) the risk treatment plan?
g) procedures for effective planning, operation, control and measurement of the ISMS?
h) records required by this standard?
i) the Statement of Applicability?

4.3.2
Is documentation made available as required by the ISMS policy? Are documents required by the ISMS protected and controlled?

4.3.3
Is there a documented procedure to:
a) approve documents prior to issue?
b) review, update and re-approve documents?
c) identify changes to documents and the current revision status?
d) ensure the latest versions of documents are available at points of use?
e) ensure documents are legible and identified?
f) ensure documents are transferred, stored and disposed of according to their classification?
g) ensure external documents are identified?
h) ensure distribution is controlled?
i) prevent use of obsolete documents?
j) apply identification to retained obsolete documents?

Are records available to demonstrate conformity and effective operation of this ISMS?
Are the records protected and controlled?
Do records include relevant legal and regulatory requirements?
Are records legible, identifiable and retrievable?
Are there documented controls for identification, storage, protection, retrieval, retention time and disposition?
Is there a management process for determining the need for and extent of records?
Are records kept of the performance of the process and of security incidents?

5.1
Has management demonstrated its commitment to establishing, implementing, operating, monitoring, reviewing, maintaining and improving the ISMS by:
a) establishing an IS policy?
b) establishing IS plans and objectives?
c) establishing IS roles and responsibilities?
d) communicating the IS objectives, the IS policy, legal responsibilities and the need for continual improvement?
e) providing resources to establish, develop, implement, operate, monitor, review, maintain and improve the ISMS?
f) deciding the criteria for acceptable risk?
g) ensuring that internal ISMS audits are conducted?
h) conducting management reviews?

5.2.1
Has the organisation determined and provided resources to:
a) establish, implement, operate, maintain, monitor and improve the ISMS?
b) ensure IS procedures support business requirements?
c) identify and address legal and contractual security obligations?
d) maintain security by correct application of controls?
e) carry out reviews and react to the results?
f) improve ISMS effectiveness?

5.2.2
Does the organisation ensure that all personnel with assigned ISMS responsibilities are competent to perform their tasks, by:
a) determining the competences needed?
b) providing training and employing competent personnel?
c) evaluating the effectiveness of the training provided?
d) maintaining records of education, training, skills, experience and qualifications?
Does the organisation ensure that relevant personnel are aware of the relevance and importance of their activities?

6.0
Does the organisation conduct internal ISMS audits at planned intervals to determine whether the control objectives, controls, processes and procedures:
a) conform to the requirements of this standard, legislation or regulations?
b) conform to the identified information security requirements?
c) are effectively implemented?
d) perform as expected?
Is the audit programme planned on the basis of the status and importance of the processes and areas audited and the results of previous audits?
Are the audit criteria, scope, frequency and methods defined?
Are auditors selected to ensure objectivity and impartiality, including not auditing their own work?
Is there a procedure for planning, conducting and reporting audits and for maintaining audit records?
Does management take action in a prompt manner to eliminate nonconformities and their causes?
Are follow-up actions verified and their effectiveness reported?

7.1
Does the organisation review the ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness?
Does the review assess opportunities for improvement and the need for changes, including to the policy and objectives?
Are the results of reviews documented and records maintained?

7.2
Does the input to management review include:
a) results of ISMS audits and reviews?
b) feedback from interested parties?
c) techniques, products or procedures which could improve ISMS performance and effectiveness?
d) status of preventive and corrective actions?
e) vulnerabilities identified by the risk assessment?
f) results from effectiveness measurements?
g) follow-up actions from the previous management review?
h) any changes affecting the ISMS?
i) recommendations for improvement?

7.3
Does the output from management review include decisions and actions related to:
a) improvement of the effectiveness of the ISMS?
b) update of the risk assessment and risk treatment plan?
c) modification of procedures that affect IS in order to respond, as necessary, to internal or external events, including changes to:
   1) business requirements?
   2) security requirements?
   3) business processes?
   4) the regulatory environment?
   5) contractual obligations?
   6) risk and / or acceptance of risk?
d) resource needs?

8.1
Does the organisation continually improve the effectiveness of the ISMS through use of the ISMS policy, objectives, audit results, analysis of monitored events, corrective and preventive action and management review?

8.2
Does the organisation eliminate the cause of nonconformities?
Does the procedure for corrective action define requirements for:
a) identifying nonconformities?
b) determining their cause?
c) evaluating the need for actions to prevent recurrence?
d) determining and implementing the corrective action needed?
e) recording the results of the action taken?
f) reviewing the corrective action taken?
Does the organisation determine action to guard against future nonconformities and prevent their occurrence?

8.3
Does the procedure for preventive action define requirements for:
a) identifying potential nonconformities and their cause?
b) evaluating the need for action to prevent the occurrence of nonconformities?
c) determining and implementing the preventive action needed?
d) recording the results of the action taken?
e) reviewing the preventive action taken?
Does the organisation identify changed risks and focus preventive action on those risks that have changed significantly?
Does the organisation determine the priority for preventive action based on the results of risk assessment?
