mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-11 18:13:43 +03:00
11 KiB
11 KiB
ISO 27001:2022 Implementation Audit Checklist
Organization Information
| Field | Value |
|---|---|
| Organization Name | |
| ISMS Scope | |
| Assessment Date | |
| Assessor Name | |
| Assessment Type | Gap Analysis / Internal Audit / Stage 1 / Stage 2 |
Clause 4: Context of the Organization
4.1 Understanding the Organization and its Context
- Internal issues identified and documented
- External issues identified and documented
- PESTLE analysis completed
- Issues regularly reviewed and updated
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
- Notes: _______________
4.2 Understanding the Needs and Expectations of Interested Parties
- Interested parties identified
- Requirements of interested parties documented
- Legal, regulatory, and contractual requirements identified
- Requirements reviewed periodically
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
4.3 Determining the Scope of the ISMS
- ISMS scope defined and documented
- Scope considers internal and external issues (4.1)
- Scope considers interested party requirements (4.2)
- Scope considers interfaces and dependencies
- Scope available as documented information
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
4.4 Information Security Management System
- ISMS processes established
- ISMS implemented and maintained
- Continual improvement processes in place
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
Clause 5: Leadership
5.1 Leadership and Commitment
- Top management demonstrates commitment to the ISMS
- Information security policy and objectives aligned with strategic direction
- ISMS requirements integrated into business processes
- Adequate resources provided
- Importance of information security communicated
- ISMS achieves its intended outcomes
- Persons directed and supported to contribute to ISMS effectiveness
- Continual improvement promoted
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
5.2 Information Security Policy
- Policy appropriate to the purpose of the organization
- Policy includes information security objectives or framework for setting objectives
- Policy includes commitment to satisfy applicable requirements
- Policy includes commitment to continual improvement
- Policy available as documented information
- Policy communicated within the organization
- Policy available to interested parties as appropriate
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
5.3 Organizational Roles, Responsibilities and Authorities
- Information security roles and responsibilities assigned and communicated
- Responsibility for ISMS conformance assigned
- Responsibility for reporting ISMS performance assigned
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
Clause 6: Planning
6.1.1 General (Actions to Address Risks and Opportunities)
- Risks and opportunities considered (referencing 4.1 and 4.2)
- Actions planned to address risks and opportunities
- Plans for integrating actions into ISMS processes
- Plans for evaluating effectiveness of actions
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
6.1.2 Information Security Risk Assessment
- Risk assessment process defined and documented
- Risk acceptance criteria established
- Criteria for performing risk assessments defined
- Risk assessment process produces consistent, valid, and comparable results
- Information security risks identified
- Risk owners identified
- Risk likelihood and impact assessed
- Risk levels determined
- Risk assessment results documented
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
6.1.3 Information Security Risk Treatment
- Risk treatment options selected (mitigate, accept, avoid, transfer)
- Controls determined for risk treatment
- Controls compared with Annex A
- Statement of Applicability produced
- Risk treatment plan formulated
- Risk owners approve risk treatment plan and residual risks
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
6.2 Information Security Objectives and Planning to Achieve Them
- Objectives established at relevant functions and levels
- Objectives consistent with information security policy
- Objectives measurable (where practicable)
- Objectives consider applicable requirements and risk assessment results
- Objectives communicated
- Objectives updated as appropriate
- Plans: what will be done, resources, responsibilities, timelines, evaluation
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
6.3 Planning of Changes
- Changes to ISMS carried out in a planned manner
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
Clause 7: Support
7.1 Resources
- Resources needed for ISMS determined and provided
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
7.2 Competence
- Competence requirements determined for ISMS roles
- Competence ensured through education, training, or experience
- Actions taken to acquire competence where needed
- Evidence of competence retained
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
7.3 Awareness
- Persons aware of information security policy
- Persons aware of their contribution to ISMS effectiveness
- Persons aware of implications of not conforming to ISMS requirements
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
7.4 Communication
- Internal and external communication needs determined
- What to communicate defined
- When to communicate defined
- With whom to communicate defined
- How to communicate defined
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
7.5 Documented Information
- Documented information required by ISO 27001 maintained
- Additional documented information determined by organization maintained
- Appropriate identification and description
- Appropriate format (language, software version, graphics)
- Appropriate review and approval
- Documented information available and suitable for use
- Adequate protection (loss of confidentiality, improper use, integrity loss)
- Distribution, access, retrieval, and use controlled
- Storage and preservation controlled
- Control of changes maintained
- Retention and disposition determined
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
Clause 8: Operation
8.1 Operational Planning and Control
- Processes needed to meet ISMS requirements planned, implemented, and controlled
- Criteria for processes established
- Control of processes in accordance with criteria implemented
- Documented information retained to demonstrate processes carried out as planned
- Planned changes controlled
- Unintended changes reviewed and actions taken to mitigate adverse effects
- Outsourced processes controlled
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
8.2 Information Security Risk Assessment
- Risk assessments performed at planned intervals
- Risk assessments performed when significant changes occur
- Results of risk assessments documented
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
8.3 Information Security Risk Treatment
- Risk treatment plan implemented
- Results of risk treatment documented
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
Clause 9: Performance Evaluation
9.1 Monitoring, Measurement, Analysis and Evaluation
- What needs to be monitored and measured determined
- Monitoring and measurement methods determined
- When monitoring and measuring shall be performed determined
- Who shall monitor and measure determined
- When results shall be analysed and evaluated determined
- Who shall analyse and evaluate results determined
- Results of monitoring and measurement documented
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
9.2 Internal Audit
- Internal audit programme planned (frequency, methods, responsibilities)
- Audit programme considers importance of processes and previous audit results
- Audit criteria and scope defined for each audit
- Auditors selected to ensure objectivity and impartiality
- Audit results reported to relevant management
- Documented information retained as evidence of audit programme and results
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
9.3 Management Review
- Management review conducted at planned intervals
- Review considers status of actions from previous reviews
- Review considers changes in external and internal issues
- Review considers feedback on information security performance
- Review considers feedback from interested parties
- Review considers risk assessment results and treatment plan status
- Review considers opportunities for continual improvement
- Decisions on improvement opportunities documented
- Decisions on changes needed to ISMS documented
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
Clause 10: Improvement
10.1 Continual Improvement
- Suitability, adequacy, and effectiveness of ISMS continually improved
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
10.2 Nonconformity and Corrective Action
- Nonconformities identified and reacted to
- Actions taken to control and correct nonconformities
- Consequences dealt with
- Need for action to eliminate root cause evaluated
- Corrective actions implemented
- Effectiveness of corrective actions reviewed
- Changes to ISMS made if necessary
- Documented information retained on nature of nonconformities, actions taken, and results
- Evidence: _______________
- Status: Conforming / Minor NC / Major NC / Not Assessed
Summary
| Category | Total Items | Conforming | Minor NC | Major NC | Not Assessed |
|---|---|---|---|---|---|
| Clause 4 | |||||
| Clause 5 | |||||
| Clause 6 | |||||
| Clause 7 | |||||
| Clause 8 | |||||
| Clause 9 | |||||
| Clause 10 | |||||
| Total |
Annex A Control Assessment (attach separately)
- Total Applicable Controls: _____ / 93
- Fully Implemented: _____
- Partially Implemented: _____
- Not Implemented: _____
- Not Applicable: _____
Recommendations
Sign-off
| Role | Name | Signature | Date |
|---|---|---|---|
| Assessor | |||
| ISMS Manager | |||
| Top Management |