Iso 27001 Business Continuity Checklist

Download as docx, pdf, or txt
Download as docx, pdf, or txt
You are on page 1of 6

ISO 27001 BUSINESS CONTINUITY CHECKLIST

 REQUIREMENT
IN
SECTION/ ASSESSMENT REMARKS
COMPLIANCE?
CATEGORY

5. Information Security Policies    

5.1 Security policies exist?    

5.2 All policies approved by management?    

5.3 Evidence of compliance?    

6. Organization of information security    

6.1 Defined roles and responsibilities?    

6.2 Defined segregation of duties?    

Verification body / authority contacted for


6.3    
compliance verification?

Established contact with special interest


6.4    
groups regarding compliance?

Evidence of information security in


6.5    
project management?

6.6 Defined policy for working remotely?    

7. Human resources security    

Defined policy for screening employees


7.1    
prior to employment?

Defined policy for HR terms and


7.2    
conditions of employment?

Defined policy for management


7.3    
responsibilities?

Defined policy for information security


7.4 awareness, education,    
and training?

Defined policy for disciplinary process


7.5    
regarding information security?

Defined policy for HR termination or


7.6 change-of-employment policy regarding    
information security?
8. Asset management    
8.1 Complete inventory list of assets?    

8.2 Complete ownership list of assets?    

8.3 Defined "acceptable use" of assets policy?    

8.4 Defined return of assets policy?    

Defined policy for classification of


8.5    
information?

8.6 Defined policy for labeling information?    

8.7 Defined policy for handling of assets?    

Defined policy for management of


8.8    
removable media?

8.9 Defined policy for disposal of media?    

Defined policy for physical


8.10    
media transfer?

9. Access control      

9.1 Defined policy for access control policy?    

Defined policy for access to networks and


9.2    
network services?

Defined policy for user asset registration


9.3    
and de-registration?

Defined policy for user access


9.4    
provisioning?

Defined policy for management of


9.5    
privileged access rights?

Defined policy for management


9.6 of secret authentication    
information of users?

Defined policy for review of user access


9.7    
rights?

Defined policy for removal or adjustment


9.8    
of access rights?
Defined policy for use of secret
9.9    
authentication information?

Defined policy for information access


9.10    
restrictions?

Defined policy for secure log-in


9.11    
procedures?

Defined policy for password management


9.12    
systems?

Defined policy for use of privileged utility


9.13    
programs?

Defined policy for access control


9.14    
of program source code?

10. Cryptography    

Defined policy for use of cryptographic


10.1    
controls?

10.2 Defined policy for key management?    

11. Physical and environmental security    

Defined policy for physical security


11.1    
perimeter?

Defined policy for physical entry


11.2    
controls?

Defined policy for securing offices,


11.3    
rooms, and facilities?

Defined policy for protection against


11.4    
external and environmental threats?

Defined policy for working in secure


11.5    
areas?

Defined policy for delivery and loading


11.6    
areas?

Defined policy for equipment siting and


11.7    
protection?

11.8 Defined policy for supporting utilities?    

11.9 Defined policy for cabling security?    

Defined policy for equipment


11.10    
maintenance?
11.11 Defined policy for removal of assets?    

Defined policy for security of equipment


11.12    
and assets off premises?

11.13 Secure disposal or re-use of equipment?    

Defined policy for unattended user


11.14    
equipment?

Defined policy for clear desk and clear


11.15    
screen policy?

12. Operations security    

Defined policy for documented operating


12.1    
procedures?

12.2 Defined policy for change management?    

12.3 Defined policy for capacity management?    

Defined policy for separation of


12.4 development, testing, and operational    
environments?

Defined policy for controls against


12.5    
malware?

12.6 Defined policy for backing up systems?    

12.7 Defined policy for information backup?    

12.8 Defined policy for event logging?    

Defined policy for protection of log


12.9    
information?

Defined policy for administrator and


12.10    
operator log?

12.11 Defined policy for clock synchronization?    

Defined policy for installation of software


12.12    
on operational systems?

Defined policy for management of


12.13    
technical vulnerabilities?
Defined policy for restriction on software
12.14    
installation?

Defined policy for information system


12.15    
audit control?

13. Communication security    

13.1 Defined policy for network controls?    

Defined policy for security of network


13.2    
services?

Defined policy for segregation in


13.3    
networks?

Defined policy for information transfer


13.4    
policies and procedures?

Defined policy for agreements on


13.5    
information transfer?

13.6 Defined policy for electronic messaging?    

Defined policy for confidentiality or non-


13.7    
disclosure agreements?

Defined policy for system acquisition,


13.8    
development, and maintenance?

14. System acquisition, development, and maintenance    

Defined policy for information security


14.1    
requirements analysis and specification?

Defined policy for securing application


14.2    
services on public networks?

Defined policy for protecting application


14.3    
service transactions?

14.4 Defined policy for in-house development?    

15. Supplier relationships    

15.1 Defined policy for supplier relationships?    

16. Information security incident management    

Defined policy for information security


16.1    
management?

17. Information security aspects of business continuity management  


Defined policy for information security
17.1    
continuity?

17.2 Defined policy for redundancies?    

18. Compliance      
Defined policy for identification of
18.1 applicable legislation and contractual    
requirement?

Defined policy for intellectual property


18.2    
rights?

18.3 Defined policy for protection of records?    

Defined policy for privacy and protection


18.4    
of personally identifiable information?

Defined policy for regulation of


18.5    
cryptographic control?

Defined policy for compliance with


18.6    
security policies and standards?

Defined policy for technical compliance


18.7    
review?

You might also like