Information Security Program Assessment Tool

This assessment tool was created to evaluate the maturity of information security programs using as a framework the International Organization for Standardization (ISO) 27002:2013 "Information technology. Security techniques. Code of practice for information security controls." This tool was intended for use by any organization as a whole, although a unit within an organization may also use it to help determine the maturity of its individual information security program. The assessment should be performed by an information security officer, consultant, auditor, or equivalent, familiar with the environment. There are a total of 101 questions and it takes on average about 4 hours to complete the assessment.

The self-assessment has been designed to be completed annually or at the frequency the organization feels is appropriate to track its security maturity. The assessment tool uses the ISO 21827:2008 framework for scoring maturity, which scales from 0 to 5, with 5 being the highest level of maturity:
0. Not Performed
1. Performed Informally
2. Planned
3. Well Defined
4. Quantitatively Controlled
5. Continuously Improving
The organization can achieve the same maturity rating by substituting CMMI, NIST, COBIT, or another maturity framework that may be more familiar, with the same numeric 0 through 5 score.

Definitions for the ISO 21827:2008 maturity levels and the other ratings can be found on the "Scoring" tab of the spreadsheet. Each question should be answered by selecting the appropriate current as well as desired level of maturity, from 0 through 5. Each ISO section will be added up, then averaged to provide a maturity assessment for the given section. Because the section score is an average, a single control scored 0 can be masked by higher scores elsewhere in the section; review the individual rows as well as the average.

The copyright in parts of this document belongs to ISO/IEC. They own the standards! We are reliant on the fair use provisions of copyright law and the goodwill of ISO/IEC to reproduce a small part of their content here, encouraging widespread adoption of the ISO27k standards.

Brought to you by the ISO27k Forum, EDUCAUSE Cybersecurity Program, and the Higher Education Information Security Council (HEISC).

This assessment tool is a fork contributed to the ISO27k toolkit, based on HEISCJuly2018 (Information Security Program Assessment Tool) and created by volunteers from the Higher Education Information Security Council (HEISC). The Cybersecurity Program supports higher education institutions in developing and maintaining information security governance, compliance, data protection, and privacy programs. HEISC is a volunteer effort open to all higher education information security professionals; view additional resources at https://educause.edu/security. For any feedback related to the tool, send an email to security-

Revision History
11/15/2018. Initial release, contributed by Bachir Benyammi and revised by Valerie Vogel

Section descriptions:
uring that all employees are qualified for and understand their roles and responsibilities of their job
clude ways to identify, track, classify, and assign ownership for the most important assets to ensure they
ecurity features to manage how users and systems communicate and interact with other information
dequately secure the information and technology resources that third parties access, process, and
ecurity incident management program. An effective program will ensure personnel are trained and
nization's business continuity management. A mature institution has a managed, organized method for
ircumstances including the maintenance of measures to ensure the privacy and security of its
Non-existent Non-existent
Policies Initial/Ad-hoc
Integration Optimized
INSTITUTION NAME GOES HERE 12/11/2019 7
No. | Question
Risk Management (ISO 27005:2011)
1 Does the organization have a person or group that has the role and responsibility for an ongoing process of
evaluating the probability that known threats will exploit vulnerabilities, and the resulting impact on
valuable assets? Risk management also assigns relative priorities for mitigation plans and implementation.
2 Does the organization have a process for identifying and assessing reasonably foreseeable internal and
external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records
containing sensitive information?
3 Does the organization conduct routine risk assessments to identify the key objectives that need to be
supported by the information security program?
4 Does the organization have an information security policy that has been approved by management?
5 Has the security policy been published and communicated to all relevant parties?
6 Does the organization review the security policy at defined intervals to encompass significant change and
monitor for compliance?
7 Does the information security function have the authority it needs to manage and ensure compliance with
the information security program?
8 Does the organization have an individual with enterprise-wide information security responsibility and
authority written in their job description, or equivalent?
9 Is responsibility clearly assigned for all areas of the information security architecture, compliance,
processes, and audits?
10 Is there a formal process for having the individual with information security responsibility assess and sign off
on appropriate hardware, software, and services, ensuring they follow security policies and requirements?
12 Does the organization participate with local, national or international security groups, associations and
agencies?
13 Does the organization have independent security reviews completed at planned intervals or when significant
changes to the environment occur?
14 Do all individuals interacting with the organization's information systems receive information security
awareness training?
16 Do the information security programs clearly state responsibilities, liabilities, and consequences?
17 Does the organization have a process for revoking system and building access and returning assigned assets?
18 Does the organization have a process for revoking system access when there is a position change or when
responsibilities change?
19 Has the organization identified critical information assets and the functions that rely on them?
20 Does the organization classify information to indicate the appropriate levels of information security?
21 Does the organization have an access control policy for authorizing and revoking access rights to information
systems?
22 Does the organization have a process in place for granting and revoking appropriate user access?
23 Does the organization have a password management program that follows current security standards?
24 Does the organization have procedures to regularly review users' access to ensure only needed privileges
are applied?
25 Does the organization employ specific measures to secure remote access services?
26 Does the organization employ technologies to block or restrict unencrypted sensitive information from
traveling to untrusted networks?
27 Does the organization have mechanisms in place to manage digital identities (accounts, keys, tokens)
throughout their life cycle, from registration through termination?
29 Does the organization prohibit use of generic accounts with privileged access to systems?
30 Does the organization have an authentication system in place that applies higher levels of authentication to
protect resources with higher levels of sensitivity?
31 Does the organization have an authorization system that enforces a time-limited lockout on repeated login
failures and defaults to minimum privileges?
32 Does the organization have standards for isolating sensitive data and procedures and technologies in place
to protect it from unauthorized access and tampering?
33 Does the organization have usage guidance established for mobile computing devices (regardless of
ownership) that store, process, or transmit organizational data?
34 Does the organization require encryption on mobile computing devices (e.g., laptops, tablets)?
35 Does the organization have a telework (remote work) policy that addresses multifactor access and security
requirements for the endpoint used?
36 Does the organization use appropriate or vetted encryption methods to protect sensitive data in transit?
37 Do the policies indicate when encryption should be used (e.g., at rest, in transit, with sensitive or
confidential data, etc.)?
39 Do the organization's data centers include controls to ensure that only authorized parties are allowed
physical access?
40 Does the organization have preventative measures in place to protect critical hardware and wiring from
natural and man-made threats?
41 Does the organization have a process for issuing keys, codes, and/or cards that require appropriate
authorization and background checks for access to these sensitive facilities?
43 Does the organization have a media-sanitization process that is applied to equipment prior to disposal,
reuse, or release?
44 Are there processes in place to detect the unauthorized removal of equipment, information, or software?
45 Does the organization maintain security configuration standards for information systems and applications?
48 Are production systems separated from other stages of the development life cycle?
49 Does the organization have processes in place to monitor the utilization of key system resources and to
mitigate the risk of system downtime?
50 Are methods used to detect, quarantine, and eradicate known malicious code on information systems
including workstations, servers, and mobile computing devices?
51 Are methods used to detect and eradicate known malicious code transported by electronic mail, the web, or
removable media?
52 Is the data backup process frequency consistent with the availability requirements of the organization?
53 Does the organization have a process for posture checking, such as current antivirus software, firewall
enabled, OS patch level, etc., of devices as they connect to your network?
54 Does the organization have a segmented network architecture to provide different levels of security based
on the information's classification?
55 Are Internet-accessible servers protected by more than one security layer (firewalls, network IDS, host IDS,
application IDS)?
56 Are controls in place to protect, track, and report status of media that has been removed from secure
organization sites?
57 Does the organization have a process in place to ensure data related to electronic commerce (e-commerce)
traversing public networks is protected from fraudulent activity, unauthorized disclosure, or modification?
58 Are security-related activities such as hardware configuration changes, software configuration changes,
access attempts, and authorization and privilege assignments automatically logged?
59 Does the organization have a process for routinely monitoring logs to detect unauthorized and anomalous
activities?
61 Are steps taken to secure log data to prevent unauthorized access and tampering?
62 Does the organization regularly review administrative and operative access to audit logs?
63 Are file-integrity monitoring tools used to alert personnel to unauthorized modification of critical system
files, configuration files, or content files, and is the software configured to perform critical file comparisons at
least weekly?
64 Does the organization have a process to ensure synchronization of system clocks with an authoritative
source (e.g., via NTP) on a periodic basis commensurate with the potential risks?
65 Does the organization require the use of confidentiality or nondisclosure agreements for employees and
third parties?
67 Does the organization continuously monitor its wired and wireless networks for unauthorized access?
68 Does the organization have policies and procedures in place to protect exchanged information (within the
organization and in third-party agreements) from interception, copying, modification, misrouting, and
destruction?
69 Does the organization ensure that user access to diagnostic and configuration ports is restricted to
authorized individuals and applications?
70 Does the organization employ specific measures to prevent and detect rogue access points on all of its
wireless LANs?
71 Does the organization have a process for validating the security of purchased software products and
services?
72 Are new information systems or enhancements to existing information systems validated against defined
security requirements?
73 Have standards been established that address secure coding practices (e.g., input validation, proper error
handling, session management, etc.), and take into consideration common application security
vulnerabilities (e.g., CSRF, XSS, code injection, etc.)?
74 Are validation checks incorporated into applications to detect any corruption of information through
processing errors or deliberate acts?
76 Incorrect output may occur, even in tested systems. Does the organization have validation checks to ensure
data output is as expected?
77 Does the organization establish procedures for maintaining source code during the development life cycle
and while in production to reduce the risk of software corruption?
78 Does the organization apply the same security standards to sensitive test data that apply to sensitive
production data?
79 Does the organization restrict and monitor access to source code libraries to reduce the risk of corruption?
80 Does the organization have a configuration-management process in place to ensure that changes to critical
systems are for valid business reasons and have received proper authorization?
81 Are reviews and tests performed to ensure that changes made to production systems do not have an
adverse impact on security or operations?
82 Has the organization implemented tools and procedures to monitor for and prevent loss of sensitive data?
84 Does the organization have a patch management strategy in place and responsibilities assigned for
monitoring and promptly responding to patch releases, security bulletins, and vulnerability reports?
85 Does the organization specify security requirements in contracts with external entities (third party) before
granting access to sensitive organizational information assets?
86 Are requirements addressed and remediated prior to granting access to data, assets, and information
systems?
87 Do agreements for external information system services specify appropriate security requirements?
88 Does the organization have a process in place for assessing that external information system providers
comply with appropriate security requirements?
89 Is external information system services provider compliance with security controls monitored?
90 Are external information system service agreements executed and routinely reviewed to ensure security
requirements are current?
91 Are incident-handling procedures in place to report and respond to security events throughout the incident
life cycle, including the definition of roles and responsibilities?
92 Are the incident response staff aware of legal or compliance requirements surrounding evidence collection?
93 Does the organization have a documented business continuity plan for information technology that is based
on a business impact analysis, is periodically tested, and has been reviewed and approved by senior staff or
the board of trustees?
94 Does the organization have a records management or data governance policy that addresses the life cycle of
both paper and electronic records at the organization?
95 Does the organization have an enforceable data protection policy that covers personally identifiable
information (PII)?
96 Does the organization have an Acceptable Use Policy that defines misuse?
97 Does the organization provide guidance for the community on export control laws?
98 Are standard operating procedures periodically evaluated for compliance with the organization's security
policies, standards, and procedures?
99 Does the organization perform periodic application and network layer vulnerability testing or penetration
testing against critical information systems?
100 Does the organization perform independent audits on information systems to identify strengths and
weaknesses?
101 Are audit tools properly separated from development and operational system environments to prevent any
misuse or compromise?
Description (guidance for answering the questions above; in the blank template the Current Maturity Level and Current Score columns of every row default to Not Performed / 0)
Is it freely available on a website or in a handbook, or is it shared with employees when they are first hired?
Is the policy itself reviewed, and is compliance with it audited, at a defined interval?
Does the individual or group responsible for information security have the necessary buy-in and support from the rest of the organization to fulfill its function, including setting policy, issuing sanctions, prioritizing funding, etc.?
Is there a dedicated, established role (e.g., CIO, CISO, CSO, or other) for information security across the organization? Someplace where the 'buck stops'?
Information security comprises many different functional areas. Have resources been formally designated to cover each of the areas mentioned?
Is information security assessment a formal part of the life cycle when bringing in new equipment, software, and/or services?
e.g., local law enforcement bodies (police, security agencies, district attorney's office, etc.)
Online, in person, or a combination of events, newsletters, e-mails, etc., with security awareness training. Threshold is defined by organization and compliance requirements.
For example, HIPAA for staff in the counseling center or PCI training for cashiers.
Identity and access management system that automates revocation, or a manual process that processes employment or role changes and produces auditable records of any changes.
This question is looking at whether a formal or informal business impact analysis has occurred. Has anyone in the organization identified information assets that are considered essential to the business and the systems that support them, for continuity or otherwise?
Agreed-upon classifications (for example, confidential, official-use only, and unrestricted) are defined and applied.
A password management program enforces secure password attributes such as password length, maximum age, character requirements, and uniqueness (history). Note that current guidance (NIST SP 800-63B) favors a minimum length, screening new passwords against known-breached lists, and multifactor authentication over mandatory composition rules and periodic expiry; forced changes should follow evidence of compromise rather than a calendar.
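A password-acceptance check of the kind the note above describes, as an added example that is not part of the assessment tool: minimum and maximum length, a username check, screening against a breached-password set, and history uniqueness backed by a salted slow hash. The breached-password set, the thresholds and the iteration count are constructed for the demonstration; a deployment would load the Have I Been Pwned SHA-1 corpus (or use its k-anonymity API) and tune the hash cost to its hardware.

```python
# Added example, not from the assessment tool: SP 800-63B-style password checks.
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata

# Constructed stand-in for a breached-password corpus (real deployments use the
# Have I Been Pwned SHA-1 list, which is why SHA-1 is used for this lookup only).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Summer2024!")
}
MIN_LENGTH = 12          # length and breach screening instead of composition rules
MAX_LENGTH = 128         # bound the input so oversized submissions cannot tie up hashing
HISTORY_DEPTH = 5        # uniqueness: reject any of the last N passwords
PBKDF2_ITERATIONS = 200_000  # assumed cost; tune to the server


def normalize(password: str) -> str:
    """NFKC so visually identical Unicode forms are treated as the same secret."""
    return unicodedata.normalize("NFKC", password)


def history_entry(password: str, salt: bytes | None = None) -> tuple[str, str]:
    """(salt_hex, digest_hex) using a salted slow hash, suitable for a password history."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password).encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex(), digest.hex()


def evaluate(password: str, username: str, history: list[tuple[str, str]]) -> list[str]:
    """Return the policy violations for a proposed password; an empty list means accept."""
    pw = normalize(password)
    problems: list[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
        return problems  # do not run the expensive hash on huge input
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if hashlib.sha1(pw.encode()).hexdigest().upper() in BREACHED_SHA1:
        problems.append("found in breached-password corpus")
    for salt_hex, digest_hex in history[-HISTORY_DEPTH:]:
        _, candidate = history_entry(pw, bytes.fromhex(salt_hex))
        if hmac.compare_digest(candidate, digest_hex):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


if __name__ == "__main__":
    print(evaluate("password", "alice", []))
    print(evaluate("correct horse battery staple", "alice", []))
```

The history is the only place the old secrets survive, so it is stored with the same salted slow hash as the live credential; storing plain SHA-256 of old passwords would hand an attacker who reads the table a cheap offline cracking target.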
Specific measures might include allowed methods, usage restrictions, monitoring, authorization, and enforcement.
Digital identities should be managed from the time they are issued, upon any privilege changes, and through termination. Management includes issuing an account that is unique to each user and maintaining the minimum privileges needed to perform job duties.
A generic account is one that is shared by multiple individuals. There are certain situations in which generic accounts cannot be avoided (e.g., root for Linux or Administrator for Windows). In these cases compensating controls should be put in place, such as logging and, where possible, requiring a named individual to elevate (e.g., via sudo or a privileged-access checkout) rather than log in directly, so that each use can be attributed to a person.
Having more secure authentication mechanisms such as more complex passwords or multifactor authentication.
What is the length of time the account is locked before it is 'automatically' unlocked?
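The time-limited lockout that question 31 and the note above ask about, as an added example that is not part of the assessment tool: a per-account failure counter that locks the account after a threshold and unlocks it automatically once the window has passed. The credential store, the policy values and the scenario in `demo()` are constructed for the demonstration; the current time is passed in by the caller so the unlock timing can be exercised without waiting.

```python
# Added example, not from the assessment tool: lockout with automatic unlock.
from __future__ import annotations

import hmac
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    max_failures: int = 5        # consecutive failures that trigger a lockout
    lockout_seconds: int = 900   # how long the account stays locked (15 minutes)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float | None = None   # absolute time; None when not locked


class Authenticator:
    """Per-account failure counter with a time-limited lockout."""

    def __init__(self, credentials: dict[str, str], policy: LockoutPolicy) -> None:
        # Constructed demo store of plaintext passwords; a real system stores
        # salted slow hashes (bcrypt/scrypt/Argon2) and verifies against those.
        self._creds = credentials
        self._policy = policy
        self._state: dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return "ok", "denied" or "locked" for one login attempt made at time `now`."""
        st = self._state.setdefault(user, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"            # still inside the lockout window
            st.locked_until = None         # window expired: automatic unlock
            st.failures = 0
        expected = self._creds.get(user, "")
        # constant-time comparison so response time does not reveal how many
        # leading characters of the guess were correct
        ok = bool(expected) and hmac.compare_digest(expected.encode(), password.encode())
        if ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self._policy.max_failures:
            st.locked_until = now + self._policy.lockout_seconds
            return "locked"
        return "denied"


def demo() -> list[str]:
    """Constructed scenario: three bad guesses, then the right password both
    inside and after the lockout window (policy: 3 failures, 60-second lockout)."""
    auth = Authenticator({"alice": "correct horse battery staple"},
                         LockoutPolicy(max_failures=3, lockout_seconds=60))
    results = []
    t = 1000.0
    for _ in range(3):
        results.append(auth.attempt("alice", "wrong", t))
        t += 1.0
    results.append(auth.attempt("alice", "correct horse battery staple", t))         # still locked
    results.append(auth.attempt("alice", "correct horse battery staple", t + 60.0))  # unlocked
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the correct password is refused while the window is open; that is the intended behaviour, and it is also why a lockout is itself a denial-of-service lever (anyone who knows a username can lock it). Keep the window short, pair it with per-source throttling, and alert on bursts of lockouts rather than treating them as routine.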
Authentication factors include something you know, something you have, or something you are.
Some encryption algorithms are deprecated due to weaknesses (e.g., DES, RC4, MD5 and SHA-1 for signatures, and SSL 3.0 / TLS 1.0 / TLS 1.1 as protocols). Some algorithms are inappropriate in selected situations. Do you review these details?
Are there any published security standards in place that dictate appropriate security controls based on data sensitivity or classification? Do those standards include encryption controls?
Are there any specific required algorithms in place for encryption and digital signing? Are there any standards in place for symmetric and asymmetric key sizes? Are encryption keys required to be periodically changed? Are there any procedures for revoking encryption keys?
such as redundancy and backup plans, procedures, and technology that are in place to restore operations in case of disaster
Documentation and staff are assigned responsibility for authorizing, facilitating, or performing background checks and issuing devices or codes that provide access once authorization is received. Evidence that the process has been followed and is routinely audited against.
Documented process that describes how media is sanitized, through a contractor or assigned staff using approved methods. In some cases verified or certified disposal may be appropriate.
Routine review of inventories, staff assigned to respond to alarms, staff visually monitoring, cameras being reviewed.
How mature are the 'hardening' standards for various platforms to provide stronger security settings than provided as-shipped?
Is there any change control process in place for production systems such that changes are simply not made 'on the fly' by programmers, system administrators, DBAs, or others?
How good is the separation of duties? Do developers have access to production? Do DBAs have unaudited access to production databases?
For example, monitoring CPU utilization and free disk space across a range of production systems.
Antivirus and similar. Note that malicious code includes 'logic bombs' planted by malicious insiders.
If the data has to be restored, is it backed up frequently enough that nothing important would be lost?
Is the removal of media from the site documented in a log? Note that this is for 'secure sites', so it covers taking tapes from a data center, not thumb drives from an office.
This includes both logging by the operating system/software and other logging, such as in a ticketing system or knowledgebase.
Backups sometimes fail, and staff sometimes aren't familiar with restore procedures in a crisis. Testing mitigates these issues.
By unauthorized users, and for unauthorized fake access points or devices manipulating traffic.
Data 'feeds' between systems and organizations are frequently a weak point. How strongly are all such feeds secured and monitored?
Do applications filter input (i.e., input validation) to ensure only expected characters are processed (e.g., only numbers are entered into a zip code field)? Do applications check size and format of data (e.g., does an SSN appear as ###-##-####)?
Integrity controls are often employed inline with encryption controls for sensitive data transmission. Are there any published security standards in place that dictate appropriate security controls based on data sensitivity or classification? Do those standards include integrity controls (e.g., digital signing)?
Do applications perform checks to ensure output is reasonable and expected (i.e., output validation)? Is sensitive data redacted in output (e.g., replace the first five digits of an SSN with asterisks)?
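The input and output checks described in the two notes above (questions 74 and 76), as an added example that is not part of the assessment tool: anchored allow-list patterns for the zip code and SSN fields, a size bound applied before the pattern, a structural check on the SSN, and a redaction step that lets only the last four digits leave the system. Field names and the record shape are assumed for the demonstration.

```python
# Added example, not from the assessment tool: allow-list input validation and output redaction.
from __future__ import annotations

import re

# Anchored allow-list patterns: the whole field must match; anything else is rejected.
ZIP_RE = re.compile(r"\d{5}(-\d{4})?")   # US ZIP or ZIP+4
SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")  # ###-##-#### as the note describes
MAX_FIELD_LEN = 64                         # size check runs before the pattern is tried


class ValidationError(ValueError):
    """Raised for any field that is not exactly what the application expects."""


def _bounded_text(value: object, field: str) -> str:
    if not isinstance(value, str) or len(value) > MAX_FIELD_LEN:
        raise ValidationError(f"{field}: wrong type or oversized")
    return value.strip()


def validate_zip(value: object) -> str:
    text = _bounded_text(value, "zip")
    if not ZIP_RE.fullmatch(text):
        raise ValidationError("zip: expected ##### or #####-####")
    return text


def validate_ssn(value: object) -> str:
    text = _bounded_text(value, "ssn")
    if not SSN_RE.fullmatch(text):
        raise ValidationError("ssn: expected ###-##-####")
    area, group, serial = text.split("-")
    # Structural rules: area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
    if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
        raise ValidationError("ssn: structurally invalid")
    return text


def redact_ssn(value: str) -> str:
    """Output validation: replace the first five digits, keep the last four."""
    ssn = validate_ssn(value)  # never redact something that is not an SSN to begin with
    return "***-**-" + ssn[-4:]


def process_record(record: dict) -> dict:
    """Validate on the way in, redact on the way out; any failure rejects the whole record."""
    zip_code = validate_zip(record.get("zip"))
    ssn = validate_ssn(record.get("ssn"))
    return {"zip": zip_code, "ssn_display": redact_ssn(ssn)}


if __name__ == "__main__":
    print(process_record({"zip": "02139", "ssn": "123-45-6789"}))
```

The pattern checks use `fullmatch`, so a payload such as `1' OR '1'='1` in the zip field fails on the first non-digit rather than being partially accepted; the length bound is checked before the regular expression so a very long string cannot make the matcher do unbounded work. Redaction goes through the same validator, which keeps the display code from ever printing a malformed value it did not understand.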
Does the organization maintain a source code repository? Does the repository maintain a history? Are checksums for source code maintained?
Data should be safeguarded based on its classification or level of sensitivity, not based on the type of environment that is storing and/or processing the data. Does the organization have a data classification scheme? Are safeguards prescribed based on data classification?
Does the organization maintain a source code repository? Does this source code repository require authentication? Is access to source code based on the rule of least privilege? Is access to source code audited?
Are changes to critical systems documented? Does this documentation include a business case? Are changes reviewed and approved by management prior to implementation? Are changes accepted by the system or application owner?
Are changes evaluated for impact on existing security controls? Are vulnerability scans performed after a change has been implemented? Is more thorough testing performed on an annual basis? Are business continuity and disaster recovery plans updated as appropriate?
Tools and procedures may include IDS/IPS, network flow monitoring tools (e.g., NetFlow, Argus, etc.), data loss prevention or content monitoring solutions for Internet and/or e-mail gateways, masking of sensitive data where there is not a business need, multifactor authentication to systems that store sensitive data, physical access controls for facilities that store sensitive data, etc.
Is source code required to be escrowed? Is the right to audit the quality and security of source code reserved? Is ownership of intellectual property established? Is notice of security breaches required?
Is there an accurate inventory of software systems in place? Are there alert mechanisms established for newly discovered vulnerabilities in these software systems? Are there processes in place for evaluating the criticality of newly released security patches? Are there maintenance schedules and exception procedures established for critical security patches? Are there regular system scans for vulnerabilities, with findings reported to system and/or application owners?
How far has the organization formalized how outsider access to its resources (e.g., networks, systems, data) is secured?
e.g., Does the organization have controls in place that detect failure to meet minimum requirements and block access until such deficiencies are corrected?
Does the organization perform risk assessments or reviews of external vendors prior to working with them?
Does the organization audit or otherwise monitor the security of external vendors over time?
Is there a well-defined IT disaster recovery plan in place, supporting the business continuity plan and/or incident response plan? Is it being tested on a regular basis, either by holding tabletop exercises or through an actual working exercise that involves recovering data according to the published plan? Has this plan been vetted by business partners and/or trustees by validating the results of a business impact analysis?
Has the organization defined data classes, such as confidential, secure, protected, etc.? Are there well-defined policies around these data types noting how the data should be stored and used?
Are these policies published on a website or in a handbook? Is there a well-known subject matter expert who can be consulted if questions arise?
Are there checks of departments' procedures against the latest organization policies to make sure they do not introduce exposures to their data or risk into their environment?
Is regular penetration testing performed? Are tools that check for vulnerabilities used on a regular basis?
Are outside auditors or firms called in to validate data security?
Are audit tools kept away from unauthorized personnel so they can't find out where the vulnerabilities may be and how to exploit them?
Mapping of questions to ISO 27002:2013 clauses, NIST SP 800-53 controls (with related NIST special publications), and NIST SP 800-171 requirements (partial):

No. | ISO 27002:2013 clause | NIST SP 800-53 controls / related SPs | NIST SP 800-171
8 | Deleted from ISO 27002:2013 | CP-2, CP-4, IR-4, PL-1, PL-2, PM-2, SA-2; SP 800-39, SP 800-37 |
9 | 6.1.1 Information security roles and responsibilities | AC-5, AC-6, CM-9, PM-2; SP 800-39, SP 800-37 |
10 | Deleted from ISO 27002:2013 | CA-1, CA-6, PM-10; SP 800-37 |
11 | 6.1.3 Contact with authorities | Multiple controls with contact reference (e.g., IR-6, SI-5); SP 800-39, SP 800-37 |
20 | 8.1.2 Ownership of assets | CM-8, CM-9, PM-5, AC-16, AC-20, PL-4, RA-2, MP-2, MP-3, SC-16 | 3.4.1

Access Control (ISO 9)
21 | 9.1 Business requirements of access control | AC-1 | 3.1
22 | 9.1.1 Access control policy; 9.2 User access management | AC-1, AC-3, AC-5, AC-6, AC-7, AC-9, AC-17, AC-18, AC-19, CM-5, MP-1, SI-9 | 3.1.1; 3.1.2; 3.1.4; 3.1.5
23 | 9.2.1 User registration and deregistration; 9.2.2 User access provisioning; 9.2.3 Management of privileged access rights | AC-1, AC-2, AC-6, AC-21, IA-5, PE-1, PE-2, SI-9 | 3.1.1; 3.1.2; 3.1.4; 3.1.5
24 | 9.2.4 Management of secret authentication information of users | AC-6, IA-5 |
25 | 9.2.5 Review of user access rights; 9.3 User responsibilities; 9.3.1 Use of secret authentication information; 11.2.8 Unattended user equipment; 11.2.9 Clear desk and clear screen policy; 13 Communications security; 9.1.2 Access to networks and network services | AC-1, AC-2, AC-5, AC-6, AC-11, AC-17, AC-18, AC-20, IA-2, IA-5, PE-2, PE-3, PE-5, PE-18, SC-10, MP-4 | 3.1.1; 3.1.2; 3.1.4; 3.1.5
57 | 14.1.2 Securing application services on public networks; 14.1.3 Protecting application services transactions | AU-10, IA-8, SC-3, SC-7, SC-8, SC-9, SC-14 |
58 | 12.4.1 Event logging | AU-1, AU-2, AU-3, AU-4, AU-5, AU-8, AU-11, AU-12 | 3.3
59 | 12.4.2 Protection of log information | AU-1, AU-6, AU-7, AU-9, PE-6, PE-8, SC-7, SI-4 | 3.3.3; 3.3.5
60 | 12.4.1 Event logging; 12.4.3 Administrator and operator logs | AU-12 | 3.3.1; 3.3.2
61 | 12.4.1 Event logging; 12.4.2 Protection of log information | AU-8, AU-9, AU-11 | 3.3.8
62 | 12.4.3 Administrator and operator logs | AU-2, AU-12 | 3.3.1; 3.3.2
63 | 14.2.2 System change control procedures; 12.4.1 Event logging | SA-13 | 3.14.3
64 | 12.4.1 Event logging; 12.4.4 Clock synchronization | AU-2, AU-12, SI-2 | 3.3.1; 3.3.7

Communications Security (ISO 13)
65 | 13.2.4 Confidentiality or nondisclosure agreements | PL-4, PS-6, SA-9 |
73 | 14.1.1 Information security requirements analysis and specification; 14.1.2 Securing application services on public networks | PL-7, PL-8, SA-1, SA-3, SA-4 |
82 | 14.2.2 System change control procedures; 14.2.3 Technical review of applications after operating platform changes; 14.2.4 Restrictions on changes to software packages | CM-1, CM-3, CM-4, CM-5, CM-9, SA-10, SI-2 |
89 | 15.1.1 Information security policy for supplier relationships; 15.1.2 Addressing security within supplier agreements | AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PM-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SI-1 |
90 | 15.1.1 Information security policy for supplier relationships; 15.1.2 Addressing security within supplier agreements | AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PM-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SI-1 |
NIST Cybersecurity Framework subcategory and CIS Critical Security Controls (CSC) mapping column, one entry per question in question order:
ID.RM-1
ID.RM-1
ID.RM-1, ID.GV-4
ID.GV-1
ID.GV-1
ID.GV-1
ID.AM-6; ID.GV-2
ID.AM-6
DE.DP-4, RS.CO-3, RS.CO-5
RS.CO-5
PR.AT-1 CSC 17
PR.AC-1, PR.AC-4
PR.AC-1, PR.AC-4 CSC 5, CSC 16
PR.AC-4 CSC 5
PR.AC-3 CSC 3
PR.DS-5
PR.DS-6 CSC 5, CSC 16
CSC 16
CSC 5
CSC 16
CSC 13
CSC 14
PR.AC-3
PR.DS-2 CSC 14
PR.DS-1, PR.DS-2, CSC 14
PR.DS-6
PR.PT-3, PR.AC-2
PR.IP-5, PR.DS-4
PR.IP-5, PR.PT-3
PR.MA-1
PR.IP-6
PR.DS-3, PR.DS-5
PR.IP-1 CSC 3
PR.IP-2, PR.IP-3
PR.AC-4
PR.DS-8
DE.AE-1, PR.DS-4
DE.CM-4, RS.MI-1, RS.MI-2 CSC 4, CSC 8
CSC 11
PR.PT-2, PR.IP-6 CSC 13
CSC 6
PR.IP-11
PR.IP-4 CSC 10
DE.CM-1 CSC 15
CSC 12
DE.CM-7 CSC 15
ID.AM-4 CSC 3
CSC 3
PR.IP-12 CSC 18
PR.DS-7
CSC 18
PR.DS-8
CSC 18
PR.IP-3
PR.IP-3
PR.DS-5
ID.AM-6
PR.IP-12 CSC 4
ID.AM-4
ID.AM-4
ID.AM-4
ID.AM-4
ID.AM-4
PR.IP-9 CSC 10
ID.GV-2
ID.GV-3
PR.IP-12, DE.CM-8
PR.IP-7
Description Value
Not Performed 0
Performed Informally 1
Planned 2
Well Defined 3
Quantitatively Controlled 4
Continuously Improving 5
Not Applicable