mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-19 22:19:39 +03:00
302 lines
11 KiB
Markdown
302 lines
11 KiB
Markdown
# ISO 27001:2022 Implementation Audit Checklist
|
|
|
|
## Organization Information
|
|
| Field | Value |
|
|
|-------|-------|
|
|
| Organization Name | |
|
|
| ISMS Scope | |
|
|
| Assessment Date | |
|
|
| Assessor Name | |
|
|
| Assessment Type | Gap Analysis / Internal Audit / Stage 1 / Stage 2 |
|
|
|
|
---
|
|
|
|
## Clause 4: Context of the Organization
|
|
|
|
### 4.1 Understanding the Organization and its Context
|
|
- [ ] Internal issues identified and documented
|
|
- [ ] External issues identified and documented
|
|
- [ ] PESTLE analysis completed
|
|
- [ ] Issues regularly reviewed and updated
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
- **Notes**: _______________
|
|
|
|
### 4.2 Understanding the Needs and Expectations of Interested Parties
|
|
- [ ] Interested parties identified
|
|
- [ ] Requirements of interested parties documented
|
|
- [ ] Legal, regulatory, and contractual requirements identified
|
|
- [ ] Requirements reviewed periodically
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
### 4.3 Determining the Scope of the ISMS
|
|
- [ ] ISMS scope defined and documented
|
|
- [ ] Scope considers internal and external issues (4.1)
|
|
- [ ] Scope considers interested party requirements (4.2)
|
|
- [ ] Scope considers interfaces and dependencies
|
|
- [ ] Scope available as documented information
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
### 4.4 Information Security Management System
|
|
- [ ] ISMS processes established
|
|
- [ ] ISMS implemented and maintained
|
|
- [ ] Continual improvement processes in place
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
---
|
|
|
|
## Clause 5: Leadership
|
|
|
|
### 5.1 Leadership and Commitment
|
|
- [ ] Top management demonstrates commitment to the ISMS
|
|
- [ ] Information security policy and objectives aligned with strategic direction
|
|
- [ ] ISMS requirements integrated into business processes
|
|
- [ ] Adequate resources provided
|
|
- [ ] Importance of information security communicated
|
|
- [ ] ISMS achieves its intended outcomes
|
|
- [ ] Persons directed and supported to contribute to ISMS effectiveness
|
|
- [ ] Continual improvement promoted
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
### 5.2 Information Security Policy
|
|
- [ ] Policy appropriate to the purpose of the organization
|
|
- [ ] Policy includes information security objectives or framework for setting objectives
|
|
- [ ] Policy includes commitment to satisfy applicable requirements
|
|
- [ ] Policy includes commitment to continual improvement
|
|
- [ ] Policy available as documented information
|
|
- [ ] Policy communicated within the organization
|
|
- [ ] Policy available to interested parties as appropriate
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
### 5.3 Organizational Roles, Responsibilities and Authorities
|
|
- [ ] Information security roles and responsibilities assigned and communicated
|
|
- [ ] Responsibility for ISMS conformance assigned
|
|
- [ ] Responsibility for reporting ISMS performance assigned
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
---
|
|
|
|
## Clause 6: Planning
|
|
|
|
### 6.1.1 General (Actions to Address Risks and Opportunities)
|
|
- [ ] Risks and opportunities considered (referencing 4.1 and 4.2)
|
|
- [ ] Actions planned to address risks and opportunities
|
|
- [ ] Plans for integrating actions into ISMS processes
|
|
- [ ] Plans for evaluating effectiveness of actions
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
### 6.1.2 Information Security Risk Assessment
|
|
- [ ] Risk assessment process defined and documented
|
|
- [ ] Risk acceptance criteria established
|
|
- [ ] Criteria for performing risk assessments defined
|
|
- [ ] Risk assessment process produces consistent, valid, and comparable results
|
|
- [ ] Information security risks identified
|
|
- [ ] Risk owners identified
|
|
- [ ] Risk likelihood and impact assessed
|
|
- [ ] Risk levels determined
|
|
- [ ] Risk assessment results documented
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
### 6.1.3 Information Security Risk Treatment
|
|
- [ ] Risk treatment options selected (mitigate, accept, avoid, transfer)
|
|
- [ ] Controls determined for risk treatment
|
|
- [ ] Controls compared with Annex A
|
|
- [ ] Statement of Applicability produced
|
|
- [ ] Risk treatment plan formulated
|
|
- [ ] Risk owners approve risk treatment plan and residual risks
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
### 6.2 Information Security Objectives and Planning to Achieve Them
|
|
- [ ] Objectives established at relevant functions and levels
|
|
- [ ] Objectives consistent with information security policy
|
|
- [ ] Objectives measurable (where practicable)
|
|
- [ ] Objectives consider applicable requirements and risk assessment results
|
|
- [ ] Objectives communicated
|
|
- [ ] Objectives updated as appropriate
|
|
- [ ] Plans: what will be done, resources, responsibilities, timelines, evaluation
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
### 6.3 Planning of Changes
|
|
- [ ] Changes to ISMS carried out in a planned manner
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
---
|
|
|
|
## Clause 7: Support
|
|
|
|
### 7.1 Resources
|
|
- [ ] Resources needed for ISMS determined and provided
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
### 7.2 Competence
|
|
- [ ] Competence requirements determined for ISMS roles
|
|
- [ ] Competence ensured through education, training, or experience
|
|
- [ ] Actions taken to acquire competence where needed
|
|
- [ ] Evidence of competence retained
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
### 7.3 Awareness
|
|
- [ ] Persons aware of information security policy
|
|
- [ ] Persons aware of their contribution to ISMS effectiveness
|
|
- [ ] Persons aware of implications of not conforming to ISMS requirements
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
### 7.4 Communication
|
|
- [ ] Internal and external communication needs determined
|
|
- [ ] What to communicate defined
|
|
- [ ] When to communicate defined
|
|
- [ ] With whom to communicate defined
|
|
- [ ] How to communicate defined
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
### 7.5 Documented Information
|
|
- [ ] Documented information required by ISO 27001 maintained
|
|
- [ ] Additional documented information determined by organization maintained
|
|
- [ ] Appropriate identification and description
|
|
- [ ] Appropriate format (language, software version, graphics)
|
|
- [ ] Appropriate review and approval
|
|
- [ ] Documented information available and suitable for use
|
|
- [ ] Adequate protection (loss of confidentiality, improper use, integrity loss)
|
|
- [ ] Distribution, access, retrieval, and use controlled
|
|
- [ ] Storage and preservation controlled
|
|
- [ ] Control of changes maintained
|
|
- [ ] Retention and disposition determined
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
---
|
|
|
|
## Clause 8: Operation
|
|
|
|
### 8.1 Operational Planning and Control
|
|
- [ ] Processes needed to meet ISMS requirements planned, implemented, and controlled
|
|
- [ ] Criteria for processes established
|
|
- [ ] Control of processes in accordance with criteria implemented
|
|
- [ ] Documented information retained to demonstrate processes carried out as planned
|
|
- [ ] Planned changes controlled
|
|
- [ ] Unintended changes reviewed and actions taken to mitigate adverse effects
|
|
- [ ] Outsourced processes controlled
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
### 8.2 Information Security Risk Assessment
|
|
- [ ] Risk assessments performed at planned intervals
|
|
- [ ] Risk assessments performed when significant changes occur
|
|
- [ ] Results of risk assessments documented
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
### 8.3 Information Security Risk Treatment
|
|
- [ ] Risk treatment plan implemented
|
|
- [ ] Results of risk treatment documented
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
---
|
|
|
|
## Clause 9: Performance Evaluation
|
|
|
|
### 9.1 Monitoring, Measurement, Analysis and Evaluation
|
|
- [ ] What needs to be monitored and measured determined
|
|
- [ ] Monitoring and measurement methods determined
|
|
- [ ] When monitoring and measuring shall be performed determined
|
|
- [ ] Who shall monitor and measure determined
|
|
- [ ] When results shall be analysed and evaluated determined
|
|
- [ ] Who shall analyse and evaluate results determined
|
|
- [ ] Results of monitoring and measurement documented
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
### 9.2 Internal Audit
|
|
- [ ] Internal audit programme planned (frequency, methods, responsibilities)
|
|
- [ ] Audit programme considers importance of processes and previous audit results
|
|
- [ ] Audit criteria and scope defined for each audit
|
|
- [ ] Auditors selected to ensure objectivity and impartiality
|
|
- [ ] Audit results reported to relevant management
|
|
- [ ] Documented information retained as evidence of audit programme and results
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
### 9.3 Management Review
|
|
- [ ] Management review conducted at planned intervals
|
|
- [ ] Review considers status of actions from previous reviews
|
|
- [ ] Review considers changes in external and internal issues
|
|
- [ ] Review considers feedback on information security performance
|
|
- [ ] Review considers feedback from interested parties
|
|
- [ ] Review considers risk assessment results and treatment plan status
|
|
- [ ] Review considers opportunities for continual improvement
|
|
- [ ] Decisions on improvement opportunities documented
|
|
- [ ] Decisions on changes needed to ISMS documented
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
---
|
|
|
|
## Clause 10: Improvement
|
|
|
|
### 10.1 Continual Improvement
|
|
- [ ] Suitability, adequacy, and effectiveness of ISMS continually improved
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
### 10.2 Nonconformity and Corrective Action
|
|
- [ ] Nonconformities identified and reacted to
|
|
- [ ] Actions taken to control and correct nonconformities
|
|
- [ ] Consequences dealt with
|
|
- [ ] Need for action to eliminate root cause evaluated
|
|
- [ ] Corrective actions implemented
|
|
- [ ] Effectiveness of corrective actions reviewed
|
|
- [ ] Changes to ISMS made if necessary
|
|
- [ ] Documented information retained on nature of nonconformities, actions taken, and results
|
|
- **Evidence**: _______________
|
|
- **Status**: Conforming / Minor NC / Major NC / Not Assessed
|
|
|
|
---
|
|
|
|
## Summary
|
|
|
|
| Category | Total Items | Conforming | Minor NC | Major NC | Not Assessed |
|
|
|----------|-------------|------------|----------|----------|--------------|
|
|
| Clause 4 | | | | | |
|
|
| Clause 5 | | | | | |
|
|
| Clause 6 | | | | | |
|
|
| Clause 7 | | | | | |
|
|
| Clause 8 | | | | | |
|
|
| Clause 9 | | | | | |
|
|
| Clause 10 | | | | | |
|
|
| **Total** | | | | | |
|
|
|
|
## Annex A Control Assessment (attach separately)
|
|
- Total Applicable Controls: _____ / 93
|
|
- Fully Implemented: _____
|
|
- Partially Implemented: _____
|
|
- Not Implemented: _____
|
|
- Not Applicable: _____
|
|
|
|
## Recommendations
|
|
1. _______________
|
|
2. _______________
|
|
3. _______________
|
|
|
|
## Sign-off
|
|
| Role | Name | Signature | Date |
|
|
|------|------|-----------|------|
|
|
| Assessor | | | |
|
|
| ISMS Manager | | | |
|
|
| Top Management | | | |
|