1

0.9
0.8
0.7
0.6
0.5
0.4
0.3
0.2
0.1
0

A.5
A.6
A.7
A.8

Co mp lia n ce

In fo rma tio n s e cu rity in c id e n t ma n a g e me n t

S ys te m a cq u is itio n , d e ve lo p me n t a n d ma in te n a n ce

Op e ra tio n s s e c u rity

Cryp to g ra p h y

As s e t ma n a g e me n t

Org a n is a tio n o f in fo rma tio n s e c u rity

ISO27001:2013 Assessment

Compliance Status - By Section

1

0.8

0.6

0.4

A.9 A.10 A.11 A.12 A.13 A.14 A.15 A.16 A.17 A.18

0.2
0

013 Assessment Status

Compliance Status - By Control
1
0.8
0.6
0.4
0.2
0

Introduction

This tool is designed to assist a skilled and experienced professional ensure that the relevant contr
of
ISO
/ IEC
27001:2013
haveabeen
This
tool
does
not constitute
validaddressed.
assessment and the use of this tool does not confer ISO/IEC 27
certification. The findings here must be confirmed as part of a formal audit / assessment visit.

Instructions for use

Pre-assessment
1. Determine assessment scope.

2. Collect evidence.

3. Prepare toolkit.

Assessment
4. Review control areas.

5. Determine level of compliance.

Post Assessment
6. Record areas of weakness
7. Determine improvement plan

8. Schedule re-assessment
Lifecycle Review
9. ISMS Review Schedules

troduction

rienced professional ensure that the relevant control areas

and the use of this tool does not confer ISO/IEC 27001:2013
ed as part of a formal audit / assessment visit.

uctions for use

Work with the relevant business stakeholders to
determine what the appropriate scope of the
assessment is.
Identify and centralise as much evidence as
possible. This can include policy documents,
process documents, interview transcripts etc.
Using the assessment scope you can identify what
areas of the tool kit are not appropriate and set
these to 100% to close reporting.
Additionally, where suggested audit questions are
not relevant, these can be replaced with more
suitable ones.

Work through the tool kit, reviewing the evidence

for each control and determining how compliant it
is with the requirements.
The toolkit allows for this to be done in 5%
increments.
On completion of the review, the tool kit will give
you an overall level of compliance by control area
and by individual controls.
Make a note of any areas where compliance is
unsuitable (normally less than 90%)
For each area of weakness, work with the relevant
business stakeholders to determine how the
control can be improved.
Arrange a date to review weak areas to set a
target for improvement plans.
Ensure that the ISMS is re-assessed on a regular
basis, ideally once every 12 months.

Standard
A.5
A.6
A.7
A.8
A.9
A.10
A.11
A.12
A.13
A.14
A.15
A.16
A.17
A.18

Overall Compliance

Compliance per Section

Section
Information Security Policies
Organisation of information security
Human resources security
Asset management
Access control
Cryptography
Physical and environmental security
Operations security
Communications security
System acquisition, development and maintenance
Supplier relationships
Information security incident management
Information security aspects of business continuity management
Compliance

Overall Compliance

Status
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

0%

Standard
A.5.1
A.6.1
A.6.2
A.7.1
A.7.2
A.7.3
A.8.1
A.8.2
A.8.3
A.9.1
A.9.2
A.9.3
A.9.4
A.10.1
A.11.1
A.11.2
A.12.1
A.12.2
A.12.3
A.12.4
A.12.5
A.12.6
A.12.7
A.13.1
A.13.2
A.14.1
A.14.2
A.14.3
A.15.1
A.15.2
A.16.1
A.17.1
A.17.2
A.18.1
A.18.2

Compliance per Control

Section
Management direction for information security
Internal Organisation
Mobile devices and teleworking
Prior to employment
During employment
Termination and change of employment
Responibility for assets
Information classification
Media handling
Business requirements for access control
User access management
User responsibilities
System and application access control
Crypographic controls
Secure areas
Equipment
Operational procedures and responsibilities
Protection from malware
Backup
Logging and monitoring
Control of operational software
Technical vulnerability management
Information systems audit considerations
Network security management
Information transfer
Security requirements of information systems
Security in development and support processes
Test data
Information security in supplier relationships
Supplier service delivery management
Management of infosec incidents & improvements
Information security continuity
Redundancies
Compliance with legal and contractual requirements
Information security reviews

Status
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

Reference
Checklist

Standard
A.5
A.5.1
A.5.1.1

A.5.1.2

A.6
A.6.1
A.6.1.1

A.6.1.2

A.6.1.3

A.6.1.4

A.6.1.5

A.6.2
A.6.2.1

A.6.2

A.7
A.7.1
A.7.1.1

A.7.1.2

A.7.2
A.7.2.1

A.7.2.2

A.7.2.3

A.7.3

A.8
A.8.1
A.8.1.1

A.8.1.2

A.8.1.3

A.8.1.4

A.8.2
A.8.2.1

A.8.2.2

A.8.2.3

A.8.3
A.8.3.1

A.8.3.2

A.8.3.3

A.9
A.9.1
A.9.1.1

A.9.1.2

A.9.2
A.9.2.1

A.9.2.2

A.9.2.3

A.9.2.4

A.9.2.5

A.9.2.6

A.9.3
A.9.3.1

A.9.4
A.9.4.1

A.9.4.2

A.9.4.3

A.9.4.4

A.9.4.5

A.10
A.10.1
A.10.1.1

A.10.1.2

A.11
A.11.1
A.11.1.1

A.11.1.2

A.11.1.3

A.11.1.4

A11.1.5

A.11.1.6

A11.2
A11.2.1

A11.2.2

A11.2.3

A11.2.4

A11.2.5

A11.2.6

A11.2.7

A11.2.8

A11.2.9

A.12
A.12.1
A.12.1.1

A12.1.2

A.12.1.3

A.12.1.4

A.12.2
A.12.2.1

A.12.3
A.12.3.1

A.12.4
A.12.4.1

A.12.4.2

A.12.4.3

A.12.4.4

A.12.5
A.12.5.1

A.12.6
A.12.6.1

A.12.6.2

A.12.7
A.12.7.1

A.13
A.13.1
A.13.1.1

A.13.1.2

A.13.1.3

A.13.2
A.13.2.1

A.13.2.2

A.13.2.3

A.13.2.4

A.14
A.14.1
A.14.1.1

A.14.1.2

A.14.1.3

A.14.2
A.14.2.1

A.14.2.2

A.14.2.3

A.14.2.4

A.14.2.5

A.14.2.6

A.12.2.7

A.12.2.8

A.12.2.9

A.14.3
A.14.3.1

A.15
A.15.1

A.15.1.1

A.15.1.2

A.15.1.3

A.15.2
A.15.2.1

A.15.2.2

A.16
A.16.1
A.16.1.1

A.16.1.2

A.16.1.3

A.16.1.4

A.16.1.5

A.16.1.6

A.16.1.7

A.17
A.17.1
A.17.1.1

A.17.1.2

A.17.1.3

A.17.2
A.17.2.1

A.18
A.18.1
A.18.1.1

A.18.1.2

A.18.1.3

A.18.1.4

A.18.1.5

A.18.2
A.18.2.1

A.18.2.2

A.18.2.3

Compliance
Section
Information Security Policies
Management direction for information security
Policies for information security

Review of the policies for information security

Organisation of Information Security

Internal organization
Information security roles and responsibilities

Segregation of duties

Contact with authorities

Contact with special interest groups

Information security in project management

Mobile devices and teleworking

Mobile device policy

Teleworking

Human Resources Security

Prior to employment
Screening

Terms and conditions of employment

During employment
Management responsibilities

Information security awareness, education and

training

Disciplinary process

Termination and change of employment

Asset Management
Responsibility for assets
Inventory of assets

Ownership of assets

Acceptable use of assets

Return of assets

Information classification
Classification of information

Labelling of information

Handling of assets

Media handling
Management of removable media

Disposal of media

Physical media transfer

Access Control
Business requirements for access control
Access control policy

Access to networks and network services

User access management

User registration and de-registration

User access provisioning

Management of privileged access rights

Management of secret authentication information of

users

Review of user access rights

Removal or adjustment of access rights

User responsibilities
Use of secret authentication information

System and application access control

Information access restriction

Secure log-on procedures

Password management system

Use of privileged utility programs

Access control to program source code

Cryptography
Cryptographic controls
Policy on the use of cryptographic controls

Key management

Physical and Environmental Security

Secure areas
Physical security perimeter

Physical entry controls

Securing offices, rooms and facilities

Protecting against external and environmental

threats

Working in secure areas

Delivery and loading areas

Equipment
Equipment siting and protection

Supporting utilities

Cabling security

Equipment maintenance

Removal of assets

Security of equipment and assets off-premises

Secure disposal or reuse of equipment

Unattended user equipment

Clear desk and clear screen policy

Operations Security
Operational procedures and responsibilities
Documented operating procedures

Change management

Capacity management

Separation of development, testing and operational

environments

Protection from malware

Controls against malware

Backup
Information backup

Logging and monitoring

Event Logging

Protection of log information

Administrator and operator logs

Clock synchronisation

Control of operational software

Installation of software on operational systems

Technical vulnerability management

Management of technical vulnerabilities

Restrictions on software installations

IInformation systems audit considerations

Information systems audit controls

Communications Security
Network security management
Network controls

Security of network services

Segregation in networks

Information transfer
Information transfer policies and procedures

Agreements on information transfer

Electronic messaging

Confidentiality or nondisclosure agreements

System Acquisition, Development and

Maintenance
Security requirements of information systems
Information security requirements analysis and
specification

Securing application services on public networks

Protecting application services transactions

Security in development and support processes

Secure development policy

System change control procedures

Technical review of applications after operating

platform changes

Restrictions on changes to software packages

Secure system engineering principles

Secure development environment

Outsourced development

System security testing

System acceptance testing

Test data
Protection of test data

Supplier Relationships
Information security in supplier relationships

Information security policy for supplier relationships

Addressing security within supplier agreements

Information and communication technology supply

chain

Supplier service delivery management

Monitoring and review of supplier services

Managing changes to supplier services

Information Security Incident

Management
Management of information security incidents and
improvements
Responsibilities and procedures

Reporting information security events

Reporting information security weaknesses

Assessment of and decision on information security

events

Response to information security incidents

Learning from information security incidents

Collection of evidence

Information Security Aspects of Business

Continuity Management
Information security continuity
Planning information security continuity

Implementing information security continuity

Verify, review and evaluate information security

continuity

Redundancies
Availability of information processing facilities

Compliance
Compliance with legal and contractual requirements
Identification of applicable legislation and
contractual requirements

Intellectual property rights

Protection of records

Privacy and protection of personally identifiable

information

Regulation of cryptographic controls

Information security reviews

Independent review of information security

Compliance with security policies and standards

Technical compliance review

Assessment

Do Security policies exist?

Are all policies approved by management?
Are policies properly communicated to employees?

Are security policies subject to review?

Are the reviews conducted at regular intervals?
Are reviews conducted when circumstances change?

Are responsibilities for the protection of individual assets, and

for carrying out specific security processes, clearly identified
and defined and communicated to the relevant parties?

Are duties and areas of responsibility separated, in order to

reduce opportunities for unauthorized modification or misuse
of information, or services?

Is there a procedure documenting when, and by whom,

contact with relevant authorities (law enforcement etc.) will be
made?
Is there a process which details how and when contact is
required?
Is there a process for routine contact and intelligence sharing?

Do relevant individuals within the organisation maintain active

membership in relevant special interest groups?

Do all projects go through some form of information security

assessment?

Does a mobile device policy exist?

Does the policy have management approval?
Does the policy document and address additional risks from
using mobile devices (e.g. Theft of asset, use of open wireless
hotspots etc.)

Is there a policy for teleworking?

Does this have management approval?
Is there a set process for remote workers to get access?
Are teleworkers given the advice and equipment to protect
their assets?

Are background verification checks carried out on all new

candidates for employment?
Are these checks approved by appropriate management
authority?
Are the checks compliant with relevant laws, regulations and
ethics?
Are the level of checks required supported by business risk
assessments?

Are all employees, contractors and third party users asked to

sign confidentiality and non-disclosure agreements?
Do employment / service contracts

Are managers (of all levels) engaged in driving security within

the business?
Does management behaviour and policy drive, and
encourage, all employees, contractors and 3rd party users to
apply security in accordance with established policies and
procedures?

Do all employees, contractors and 3rd party users undergo

regular security awareness training appropriate to their role
and function within the organisation?

Is there a formal disciplinary process which allows the

organisation to take action against employees who have
committed an information security breach?
Is this communicated to all employees?

Is there a documented process for terminating or changing

employment duties?
Are any information security duties which survive employment
communicated to the employee or contractor?
Is the organisation able to enforce compliance with any duties
that survive employment?

Is there an inventory of all assets associated with information

and information processing facilities?
Is the inventory accurate and kept up to date?

All information assets must have a clearly defined owner who

is aware of their responsibilities.

Is there an acceptable use policy for each class / type of

information asset?
Are users made aware of this policy prior to use?

Is there a process in place to ensure all employees and

external users return the organisation's assets on termination
of their employment, contract or agreement?

Is there a policy governing information classification?

Is there a process by which all information can be
appropriately classified?

Is there a process or procedure for ensuring information

classification is appropriately marked on each asset?

Is there a procedure for handling each information

classification?
Are users of information assets made aware of this procedure?

Is there a policy governing removable media?

Is there a process covering how removable media is managed?
Are the policy and process(es) communicated to all employees
using removable media?

Is there a formal procedure governing how removable media is

disposed?

Is there a documented policy and process detailing how

physical media should be transported?
Is media in transport protected against unauthorised access,
misuse or corruption?

Is there a documented access control policy?

Is the policy based on business requirements?
Is the policy communicated appropriately?

Are controls in place to ensure users only have access to the

network resources they have been specially authorised to use
and are required for their duties?

Is there a formal user access registration process in place?

Is there a formal user access provisioning process in place to

assign access rights for all user types and services?

Are privileged access accounts separately managed and

controlled?

Is there a formal management process in place to control

allocation of secret authentication information?

Is there a process for asset owners to review access rights to

their assets on a regular basis?
Is this review process verified?

Is there a process to ensure user access rights are removed

on termination of employment or contract, or adjusted upon
change of role?

Is there a policy document covering the organisations

practices in how secret authentication information must be
handled?
Is this communicated to all users?

Is access to information and application system functions

restricted in line with the access control policy?

Where the access control policy requires it, is access

controlled by a secure log-on procedure?

Are password systems interactive?

Are complex passwords required?

Are privilege utility programs restricted and monitored?

Is access to the source code of the Access Control System

protected?

Is there a policy on the use of cryptographic controls?

Is there a policy governing the whole lifecycle of cryptographic

keys?

Is there a designated security perimeter?

Are sensitive or critical information areas segregated and
appropriately controlled?

Do secure areas have suitable entry control systems to ensure

only authorised personnel have access?

Have offices, rooms and facilities been designed and

configured with security in mind?
Do processes for maintaining the security (e.g. Locking up,
clear desks etc.) exist?

Have physical protection measures to prevent natural

disasters, malicious attack or accidents been designed in?

Do secure areas exist?

Where they do exist, do secure areas have suitable policies
and processes?
Are the policies and processes enforced and monitored?

Are there separate delivery / loading areas?

Is access to these areas controls?

Is access from loading areas isolated from information

processing facilities?

Are environmental hazards identified and considered when

equipment locations are selected?
Are the risks from unauthorised access /passers-by considered
when siting equipment?

Is there a UPS system or back up generator?

Have these been tested within an appropriate timescale?

Have risk assessments been conducted over the location of

power and telecommunications cables?
Are they located to protect from interference, interception or
damage?

Is there a rigorous equipment maintenance schedule?

Is there a process controlling how assets are removed from

site?
Is this process enforced?
Are spot checks carried out?

Is there a policy covering security of assets off-site?

Is this policy widely communicated?

Is there a policy covering how information assets may be

reused?
Where data is wiped, is this properly verified before
reuse/disposal?

Does the organisation have a policy around how unattended

equipment should be protected?
Are technical controls in place to secure equipment that has
been inadvertently left unattended?

Is there a clear desk / clear screen policy?

Is this well enforced?

Are operating procedures well documented?

Are the procedures made available to all users who need
them?

Is there a controlled change management process in place?

Is there a capacity management process in place?

Does the organisation enforce segregation of development,

test and operational environments?

Are processes to detect malware in place?

Are processes to prevent malware spreading in place?
Does the organisation have a process and capacity to recover
from a malware infection?

Is there an agreed backup policy?

Does the organisation's backup policy comply with relevant
legal frameworks?
Are backups made in accordance with the policy?
Are backups tested?

Are appropriate event logs maintained and regularly

reviewed?

Are logging facilities protected against tampering and

unauthorised access?

Are sysadmin / sysop logs maintained, protected and regularly

reviewed?

Are all clocks within the organisation synchronized?

Is there a release management process in place to control the

installation of software onto operational systems?

Does the organisation have access to updated and timely

information on technical vulnerabilities?
Is there a process to risk assess and react to any new
vulnerabilities as they are discovered?

Are there processes in place to restrict how users install

software?

Are IS Systems subject to audit?

Does the audit process ensure business disruption is
minimised?

Is there a network management process in place?

Does the organisation implement a risk management

approach which identifies all network services and service
agreements?
Is security mandated in agreements and contracts with service
providers (in house and outsourced)?
Are security related SLAs mandated?

Does the network topology enforce segregation of networks

for different tasks?

Do organisational policies govern how information is

transferred?
Are procedures for how data should be transferred made
available to all employees?
Are relevant technical controls in place to prevent nonauthorised forms of data transfer?

Do contracts with external parties and agreements within the

organisation detail the requirements for securing business
information in transfer?

Do security policies cover the use of information transfer while

using electronic messaging systems?

Do employees, contractors and agents sign confidentiality or

non disclosure agreements?
Are these agreements subject to regular review?
Are records of the agreements maintained?

Are information security requirements specified when new

systems are introduced?
When systems are being enhanced or upgraded, are security
requirements specified and addressed?

Do applications which send information over public networks

appropriately protect the information against fraudulent
activity, contract dispute, unauthorised discloser and
unauthorised modification?

Are controls in place to prevent incomplete transmission,

misrouting, unauthorised message alteration, unauthorised
disclosure, unauthorised message duplication or replay
attacks?

Does the organisation develop software or systems?

If so, are there policies mandating the implementation and

assessment of security controls?

Is there a formal change control process?

Is there a process to ensure a technical review is carried out

when operating platforms are changed?

Is there a policy in place which mandates when and how

software packages can be changed or modified?

Does the organisation have documented principles on how

systems must be engineered to ensure security?

Has a secure development environment been established?

Do all projects utilise the secure development environment
appropriately during the system development lifecycle?

Where development has been outsourced, is this supervised?

Is externally developed code subject to a security review
before deployment?

Where systems or applications are developed, are they

security tested as part of the development process?

Is there an established process to accept new systems /

applications, or upgrades, into production use?

Is there a process for selecting test data?

Is test data suitably protected?

Is information security included in contracts established with

suppliers and service providers?
Is there an organisation-wide risk management approach to
supplier relationships?

Are suppliers provided with documented security

requirements?
Is supplier access to information assets & infrastructure
controlled and monitored?

Do supplier agreements include requirements to address

information security within the service & product supply
chain?

Are suppliers subject to regular review and audit?

Are changes to the provision of services subject to a

management process which includes security & risk
assessment?

Are management responsibilities clearly identified and

documented in the incident management processes?

Is there a process for timely reporting of information security

events?
Is there a process for reviewing and acting on reported
information security events?

Is there a process for reporting of identified information

security weaknesses?
Is this process widely communicated?

Is there a process for reviewing and addressing reports in a

timely manner?

Is there a process to ensure information security events are

properly assessed and classified?

Is there an incident response process which reflects the

classification and severity of information security incidents?

Is there a process or framework which allows the organisation

to learn from information security incidents and reduce the
impact / probability of future events?

Is there a forensic readiness policy?

In the event of an information security incident is relevant
data collected in a manner which allows it to be used as
evidence?

Is information security included in the organisation's continuity

plans?

Does the organisation's information security function have

documented, implemented and maintained processes to
maintain continuity of service during an adverse situation?

Are continuity plans validated and verified at regular

intervals?

Do information processing facilities have sufficient redundancy

to meet the organisations availability requirements?

Has the organisation identified and documented all relevant

legislative, regulatory or contractual requirements related to
security?
Is compliance documented?

Does the organisation keep a record of all intellectual property

rights and use of proprietary software products?
Does the organisation monitor for the use of unlicensed
software?

Are records protected from loss, destruction, falsification and

unauthorised access or release in accordance with legislative,
regulatory, contractual and business requirements?

Is personal data identified and appropriately classified?

Is personal data protected in accordance with relevant
legislation?

Are cryptographic controls protected in accordance with all

relevant agreements, legislation and regulations?

Is the organisations approach to managing information

security subject to regular independent review?
Is the implementation of security controls subject to regular
independent review?

Does the organisation instruct managers to regularly review

compliance with policy and procedures within their area of
responsibility?

Are records of these reviews maintained?

Does the organisation regularly conduct technical compliance

reviews of its information systems?

Results
Findings

Status

0%
0%
0%
0%
0%
0%
0%
0%

0%
0%

0%
0%

0%
0%

0%
0%

0%
0%

0%
0%

0%
0%
0%
0%

0%
0%
0%
0%
0%

0%
0%
0%
0%
0%

0%
0%

0%

0%
0%
0%

0%

0%

0%
0%

0%
0%
0%
0%

0%

0%
0%
0%
0%
0%

0%
0%
0%
0%
0%

0%
0%
0%

0%
0%

0%
0%
0%

0%
0%
0%
0%

0%
0%

0%
0%
0%

0%
0%
0%
0%
0%
0%

0%
0%

0%

0%

0%
0%

0%
0%

0%
0%
0%
0%
0%

0%
0%

0%

0%
0%

0%
0%

0%
0%
0%
0%
0%

0%
0%

0%
0%
0%
0%

0%
0%
0%

0%
0%

0%
0%
0%

0%
0%

0%
0%
0%
0%

0%
0%
0%

0%

0%
0%
0%

0%
0%
0%

0%
0%
0%

0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%
0%

0%
0%
0%

0%
0%

0%

0%
0%
0%

0%
0%

0%
0%
0%
0%

0%
0%
0%
0%

0%
0%
0%
0%

0%
0%

0%
0%

0%
0%

0%
0%

0%
0%

0%
0%
0%

0%
0%

0%
0%
0%

0%
0%
0%
0%

0%

0%
0%
0%

0%

0%
0%
0%

0%
0%

0%
0%

0%
0%
0%
0%

0%
0%
0%

0%
0%

0%
0%

0%
0%

0%

0%
0%
0%
0%

0%
0%

0%
0%

0%
0%
0%

0%
0%
0%

0%
0%

0%
0%

0%
0%
0%

0%
0%
0%

0%
0%
0%

0%
0%

0%
0%
0%
0%

0%
0%

0%
0%
0%

0%
0%
0%

0%
0%

0%
0%

0%
0%

0%
0%
0%

0%
0%

0%
0%

0%
0%

0%
0%

0%
0%

0%
0%
0%

0%

0%
0%

0%
0%
0%

0%
0%

0%
0%

0%

0%
0%

0%
0%
0%