Anonymized ISO 27001 Assessment Report
for [CLIENT]
September 2018
TABLE OF CONTENTS
Table of contents 1
Executive Summary 3
Our methodology 4
Key stakeholders interviewed 4
Maturity Level for each clause of ISO 27001 5
Conclusions 6
RoadMap 7
Recommendations – ISMS activities 10
Plan stage 11
Do stage 14
Check stage 15
Act stage 16
Recommendations – Annex A controls 17
A.5 Information Security Policies 17
A.6 Organisation of Information Security 18
A.7 Human resources security 20
A.8 Asset management 22
Inventory tools to install (as a recommendation) 22
A.9 Access control 24
Password managers to install (as a recommendation) 26
A.10 Cryptography 28
A.11 Physical and environmental security 29
A.12 Operations security 31
Antivirus tools to install (as a recommendation) 32
Vulnerability management tools to install (as a recommendation) 35
A.13 Communications security 36
A.14 System acquisition, development and maintenance 38
A.15 Supplier relationships 41
A.16 Information security incident management 43
A.17 Information security aspects of business continuity management 45
A.18 Compliance 47
Summary 50
The objective of the assessment was to document the current state of the ISMS and Annex A controls at
[CLIENT] sites, understand the state, and recommend actions needed to achieve the required state to
prepare for ISO/IEC 27001 certification.
Key stakeholders interviewed:
- Director of Operations
- IT Director
- Managing Director
- HR Department
- Accounting Department
- HR Director
- DevOps
- PMO Director
- QA Director
- Head of Recruiting
UD Observation Ranking (Conformity Rating): Description (Conforms, or Major and Minor non-conformity)

Major: Significant improvement needed (major non-conformities and/or a significant number of minor non-conformities)
Minor: Minor to moderate improvement needed (minor non-conformities and/or observations)
Conforms: Certification ready
Observation: Informational comment not impacting certification readiness
Cannot be assessed: The control cannot be assessed as it has been neither designed nor implemented, and its applicability to the [CLIENT] ISMS is not defined
None of these shortfalls are insurmountable, but addressing them will require management commitment
to establish, implement, maintain and improve a comprehensive ISMS.
The table below shows the ISO 27001:2013 controls ordered and prioritized by severity of Maturity Level.
The table is a step-by-step guide: start by executing improvements on the minor non-conformity
clauses and then proceed with the major non-conformities. It is highly recommended to follow this
order. Controls marked as Conforms represent what is already in place and working well; minor
non-conformities can be resolved by one-time activities (e.g. a waterfall methodology); major
non-conformities require an iterative, team-based approach in order to complete all activities and
resolve issues effectively and on time. The table can be treated as a project plan consisting of
3 Stages, as presented below, which represent the required steps for a successful transition and compliance.
Recommendations - Appendix A
Stage 1
Stage 2
Cannot be assessed
Stage 3
3.5 Monitoring, Review of the ISMS & Effectiveness of Controls: Major non-conformity
3.6 ISMS Improvement including Corrective & Preventive Actions: Major non-conformity
All activities listed within this section must be completed in advance of the initial certification audit.
Note that each stage of the PDCA cycle requires approach documents to be created (i.e. policy/procedure
documents). It is at the discretion of management to determine whether these documents should be
created during the Plan stage or developed during the respective stages in which the
documents will be used.
These recommendations represent typical activities needed to implement and operate an ISMS and to
prepare for ISO 27001 certification. [CLIENT] management will need to ultimately decide what actions to
undertake within their environment.
Scope Definition

Short description: The ISMS scope should be defined in terms of the characteristics of the business,
the organization, its locations, assets and technologies.

UD Observations:
● The ISMS scope is not documented and approved by management. The scope contains the list of the
areas, locations, assets, and technologies of the organization controlled by the ISMS. Exclusions
from the scope are not documented and justified.

UD Observation Ranking: Major non-conformity

Recommendations:
● Document the ISMS scope, including the list of the areas, locations, assets, and technologies of
the organization.
● Document all exclusions from the ISMS scope (e.g., sales representative offices, software developed
by client-facing project teams, etc.) and the justification for each exclusion.
● Review and re-approve the ISMS scope document with management annually, or whenever significant
changes to the environment occur outside of the annual review cycle (e.g. regulatory changes,
inclusion of new locations, etc.).

Documents reviewed: N/a
Short description: A Risk Assessment approach should be created for the organization.

UD Observations:
● The organization has not developed and documented a comprehensive Risk Management Framework that
describes all steps and relevant methods required to be carried out in the risk assessment process,
including:
- Asset Identification
- Threat Identification
- Vulnerability Identification
- Control Analysis
- Likelihood Determination
- Impact Analysis
- Risk Determination
- Control Recommendations
- Results Documentation
● The organization has not defined and documented the lists of assets that are included within the
ISMS scope.
Short description: Select the method for treating the risks identified and obtain management approval
for the proposed residual risks.

UD Observations:
● A Statement of Applicability (SOA) document is not available at [CLIENT].
● For external certification, the Statement of Applicability is key evidence of the steps taken
between the risk assessment and the implementation of appropriate controls.

UD Observation Ranking: Major non-conformity

Recommendations:
● The SOA document must be derived from the output of the risk assessment / risk treatment plan and,
if ISO 27001 compliance is to be achieved, must directly relate the selected controls back to the
original risks they are intended to mitigate.
● For each risk, the options for treatment must be evaluated (e.g. applying controls, accepting,
avoiding or transferring the risk) and actions performed based on the selected option. Management
approval is needed for each situation where a risk is accepted.
● A Statement of Applicability identifies whether each of the controls defined within Annex A of the
ISO 27001 standard (or other relevant controls) will be applied or not, based on the Risk Treatment Plan.
Short description: Formulate and implement a Risk Treatment Plan that outlines the management action,
resources, responsibilities and priorities needed to achieve the plan.

UD Observations:
● The organization has not documented the requirements for Risk Treatment Plan creation and has not
created a Risk Treatment Plan template.

UD Observation Ranking: Major non-conformity

Documents reviewed: N/a
Recommendations:
● Monitor and review the procedures that are executed to detect and act on errors and security
incidents.
● Hold a security managers' meeting in which all security-related developments are discussed (e.g.
errors and security incidents). Review the ISMS Policy and objectives, and measure the effectiveness
of the controls and of the Risk Assessment process.

Documents reviewed: N/A
Short description: After the Check phase (including several management reviews and the Internal
Audit), the ISMS should be improved through corrective and preventive actions.

UD Observations:
● The organization has not developed a document which describes the activities that should be taken
at each stage of ISMS implementation at [CLIENT], including the "Act" stage.

UD Observation Ranking: Major non-conformity

Recommendations:
● [CLIENT] has to document a Corrective and Preventive Action procedure aimed at ensuring that
problems, non-conformities and improvements are dealt with in an efficient and effective manner,
minimising the chance of any recurrence.
● Corrective and preventive actions should be documented in a consolidated repository or document
after they are identified and should include:
- A description of the non-conformity (or potential non-conformity)
- A root-cause analysis of the non-conformity
- The actions needed to prevent recurrence
- The status of the action item: the actions identified should be implemented and the plan
updated with the current status of the action
- The target date for implementation
● The corrective and preventive actions and any improvements undertaken should be communicated to
interested or impacted parties, and management should confirm that these improvements/actions
achieve the intended objectives.
● After the need for improvements or non-conformities has been identified through management
reviews, Internal Audits and other reviews, the corrective and preventive action plan should be
updated and regularly reviewed by management.

Documents reviewed: N/A
Short description: To provide management direction and support for information security in
accordance with business requirements and relevant laws and regulations.

Documents reviewed:
[CLIENT]_Quality_Manual
[CLIENT]_SOP501_Logical_and_Physical_Security

Documents reviewed: [CLIENT]_SOP501_Logical_and_Physical_Security.pdf
Short description: To ensure that employees and contractors understand their responsibilities and
are suitable for the roles for which they are considered.

ISO 27001 Control:
A.7.1.1 Screening
A.7.1.2 Terms and conditions of employment

UnderDefense Observations:
● [CLIENT] uses a policy with background check procedures.
● Basic prescreening is done before employment: social networks such as LinkedIn, Facebook etc. are
checked if links to them are submitted in the CV.
● Contracts including confidentiality clauses are signed with staff and contractors. Also, NDAs are
signed by employees prior to joining the company.
● Terms and conditions of employment are documented in the Employee Handbook and the Onboarding and
Adaptation Procedure.

UnderDefense Observation Ranking: Conforms

Recommendations: N/A

Short description: To ensure that employees and contractors are aware of and fulfil their
information security responsibilities.

Documents reviewed: N/a

Documents reviewed:
[CLIENT]_SOP501_Logical_and_Physical_Security.pdf
Employee resignation procedure.docx
Inventory tools to install (as a recommendation): There are free System and Software inventory tools
from ManageEngine that collect software and system information from given computers in a Windows
Domain. The list of installed software on each domain member can be exported to a .csv file with one click.

You can utilize Nessus Professional (if you use it as a Vulnerability Scanner) as a raw host
inventory tool. You can launch a Host Discovery scan within your
Documents reviewed: [CLIENT]_SOP601_Document_Control.pdf

Documents reviewed: [CLIENT]_SOP601_Document_Control.pdf

Documents reviewed: [CLIENT]_SOP501_Logical_and_Physical_Security
Short description: To ensure authorized user access and to prevent unauthorized access to systems
and services.

ISO 27001 Control:
A.9.2.1 User registration and de-registration
A.9.2.2 User access provisioning

Short description: Users should be required to follow the organization's practices in the use of
secret authentication information.

Documents reviewed: [CLIENT]_SOP501_Logical_and_Physical_Security

Documents reviewed: N/a

Short description: To ensure proper and effective use of cryptography to protect the
confidentiality, authenticity and/or integrity of information.
Short description: To prevent unauthorized physical access, damage and interference to the
organization's information and information processing facilities.

ISO 27001 Control:
A.11.1.1 Physical security perimeter
A.11.1.2 Physical entry controls
A.11.1.3 Securing offices, rooms and facilities
A.11.1.4 Protecting against external and environmental threats
A.11.1.5 Working in secure areas
A.11.1.6 Delivery and loading areas

UnderDefense Observations:
● Surveillance CCTV cameras are installed on all floors, entrances and exits.
● Physical access control is implemented. A physical log book is maintained by the receptionist.
There is no electronic logging of each employee.
● Paper documents are stored in-house in a special locked room. There is a defined group of people
who have access to this room.
● A central alert system is configured. Informal procedures for alerting about a disaster are present.
● Physical security is outsourced to a separate specialized company. There is a guard on duty at the
main entrance. The guard is responsible for alerting in case of an emergency situation or natural
disaster. There is a recorded alert message which is played.

UnderDefense Observation Ranking: Minor non-conformity

Recommendations:
● Install electronic logging of each employee to ensure that only authorized personnel are allowed
access to certain organization premises.

Documents reviewed: [CLIENT]_SOP501_Logical_and_Physical_Security.pdf
A.11.2 Equipment

Short description: To prevent loss, damage, theft or compromise of assets and interruption to the
organization's operations.

ISO 27001 Control:
A.11.2.1 Equipment siting and protection
A.11.2.2 Supporting utilities
A.11.2.3 Cabling security

UnderDefense Observation Ranking: Minor non-conformity

Recommendations:
● Create and document capacity projections which describe the purchase plan for the next year.
● Create and document a comprehensive description of the separation of development, testing and
operational environments.

Documents reviewed:
[CLIENT]_SOP601_Document_Control
[CLIENT]_SOP903_Change Management
[CLIENT]_SOP301_Test_Procedures
[CLIENT]_SOP402_Unit_Testing
Typical Hardware models.xlsx
Workstation.xlsx
[CLIENT]_network_diagram.pdf
Short description: To ensure that information and information processing facilities are protected
against malware.

ISO 27001 Control: A.12.2.1 Controls against malware

UnderDefense Observations:
● The organization has adopted Anti-virus procedures which regulate protection against malicious
code execution. They state that all [CLIENT] computers should have standard, supported anti-virus
software. Workstations which run licensed Microsoft Windows 10 have Windows Defender Antivirus; a
certain number of workstations run trial ESET NOD32 Antivirus.

UnderDefense Observation Ranking: Major non-conformity

Recommendations:
● Establish a formal policy describing protection against malware.
● Install and regularly update malware detection and repair software to scan computers and media
as a precautionary control, or on a routine basis; the scans carried out should include:
1) scanning any files received over networks or via any form of storage medium for malware
before use;
2) scanning electronic mail attachments and downloads for malware before use; this scan should be
carried out at different places, e.g. at electronic mail servers, desktop computers and when
entering the network of the organization;
3) scanning web pages for malware;

Documents reviewed: [CLIENT]_SOP501_Logical_and_Physical_Security
A.12.3 Backup

Short description: To protect against loss of data.

ISO 27001 Control: A.12.3.1 Information backup

UnderDefense Observations:
● The back-up process is regulated by a formal policy which describes the requirements for
backup/restore procedures (retention time, backup frequency, backup method) according to the
classified types of information. The following information is backed up according to the policy:
- SQL production and development databases
- Source code, related object files and configuration files
- Software Development Life Cycle documentation
- Issue tracking system
- Contracts, financial files, other mission-critical business documents
- Server disk images
● Every month there are reviews of inactive projects on GitHub, GitLab and BitBucket. Inactive
projects are archived and backed up.
● The organization has not defined requirements for the regular execution of backup recoverability
testing procedures, nor instructions for their execution.

UnderDefense Observation Ranking: Minor non-conformity

Recommendations:
● Implement and document procedures describing regular testing of backup media to ensure that they
can be relied upon for emergency use when necessary; this should be combined with a test of the
restoration procedures and checked against the required restoration time.

Documents reviewed: [CLIENT]_SOP701_Back-up_and_Storage
Documents reviewed: N/a

Documents reviewed: [CLIENT]_SOP501_Logical_and_Physical_Security

Recommendations: N/a

Documents reviewed: N/a
Short description: To ensure the protection of information in networks and its supporting
information processing facilities.

ISO 27001 Control:
A.13.1.1 Network controls
A.13.1.2 Security of network services
A.13.1.3 Segregation in networks

UnderDefense Observations:
● Network segmentation is implemented. The network is divided into separate network domains: DMZ,
Guest network, Internal network. Third-party users and contractors work in the guest network, where
access from other networks is restricted. The segregation is done using different logical networks
(e.g. virtual private networking).
● [CLIENT] has established MAC filtering for internal wired and wireless connections. The MAC
addresses are aggregated in an Excel file.
● Access between network domains is controlled at the perimeter using gateways (e.g. firewall,
filtering router).
● Despite the fact that the organization has implemented a set of network controls, formal
documentation of the controls' configuration requirements is not established.

UnderDefense Observation Ranking: Minor non-conformity

Documents reviewed:
[CLIENT]_network_diagram.pdf
connections-diagram updated.vsdx
Short description: To maintain the security of information transferred within an organization and
with any external entity.

ISO 27001 Control:
A.13.2.1 Information transfer policies and procedures
A.13.2.2 Agreements on information transfer
A.13.2.3 Electronic messaging
A.13.2.4 Confidentiality or nondisclosure agreements

UnderDefense Observations:
● There are no documented procedures that ensure that information is protected against unauthorized
access, misuse or corruption during transfer. Neither a documented framework nor related information
transfer controls were established.
● There are no documented procedures describing the transfer of secret authentication information,
namely passwords.
● [CLIENT] signs nondisclosure agreements with employees, clients and third parties.

UnderDefense Observation Ranking: Major non-conformity

Recommendations:
● Establish, document and implement a policy that lays out the practical methods to be applied when
undertaking a transfer of information.
● Establish and document guidelines for electronic messaging usage which make users aware of what
[CLIENT] deems acceptable and unacceptable use of its messaging process.

Documents reviewed:
[CLIENT]_SOP102_Project_Initiation.pdf
[CLIENT]_SOP903_Change Management.pdf
Short description: To ensure that information security is designed and implemented within the
development lifecycle of information systems.

Recommendations: N/a

Documents reviewed:
[CLIENT]_SOP301_Test_Procedures.pdf
[CLIENT]_SOP402_Unit_Testing.pdf

Documents reviewed: N/a
Short description: To maintain an agreed level of information security and service delivery in line
with supplier agreements.

ISO 27001 Control:
A.15.2.1 Monitoring and review of supplier services
A.15.2.2 Managing changes to supplier services

UnderDefense Observations:
● Based on the results of the assessment, the organization did not identify any business need for
monitoring, reviewing or managing changes to supplier services. Consequently, neither a documented
framework nor related controls were established.

UnderDefense Observation Ranking: Cannot be assessed

Documents reviewed: N/a
Documents reviewed: N/a

Documents reviewed: [CLIENT]_SOP902_Business_Continuity_and_Disaster_Recovery

A.17.2 Redundancies

Short description: To ensure availability of information processing facilities.

ISO 27001 Control: A.17.2.1 Availability of information processing facilities

UnderDefense Observations:
● Availability of information processing facilities is protected from power failures and other
disruptions by UPS and redundant heating/ventilation and air-conditioning systems.

UnderDefense Observation Ranking: Conforms

Documents reviewed: N/a
Documents reviewed:
[CLIENT]_SOP404_Data_Protection.pdf
[CLIENT]_SOP601_Document_Control.pdf

Documents reviewed: [CLIENT]_SOP404_Data_Protection.pdf