ISO 27001 Checklist

The ISO 27001 Audit Checklist helps you verify compliance with your information security management system (ISMS) policies through checks of networking assets, human resources, and more.

Information Security Continuity

1. Is there a defined policy for information security continuity?


Redundancies

1. Is there a defined policy for redundancies?


Compliance With Legal And Contractual Requirements

1. Identification of Applicable Legislation and Contractual Requirements: Is there a defined policy for the identification of applicable legislation and contractual requirements?


2. Intellectual Property Rights: Is there a defined policy for intellectual property rights?


3. Protection of Records: Is there a defined policy for the protection of records?


4. Privacy and Protection of Personally Identifiable Information: Is there a defined policy for the privacy and protection of personally identifiable information?


5. Regulation of Cryptographic Control: Is there a defined policy for the regulation of cryptographic control?


Independent Review Of Information Security

1. Compliance with Security Policies and Standards: Is there a defined policy for compliance with security policies and standards?


2. Technical Compliance Review: Is there a defined policy for technical compliance review?


Management Direction For Information Security

1. Do security policies exist?


2. Are all policies approved by management?


3. Is there evidence of compliance?


Information Security Roles And Responsibilities

1. Security roles and responsibilities: Are roles and responsibilities defined?


2. Segregation of duties: Is segregation of duties defined?


3. Contact with authorities: Is the verification body/authority contacted for compliance verification?


4. Contact with special interest groups: Has contact been established with special interest groups regarding compliance?


5. Information security in project management: Is there evidence of information security in project management?


Mobile Devices And Teleworking

1. Mobile device policy: Is there a defined policy for mobile devices?


2. Teleworking: Is there a defined policy for working remotely?


Prior To Employment

1. Screening: Is there a defined policy for screening employees prior to employment?


2. Terms and conditions of employment: Is there a defined policy for HR terms and conditions of employment?


During Employment

1. Management responsibilities: Is there a defined policy for management responsibilities?


2. Information security awareness, education, and training: Is there a defined policy for information security awareness, education, and training?


3. Disciplinary process: Is there a defined policy for disciplinary processes regarding information security?


Termination And Change Of Employment

1. Termination or change of employment responsibilities: Is there a defined HR policy covering information security responsibilities on termination or change of employment?


Responsibilities For Assets

1. Inventory of assets: Is there a complete inventory list of assets?


2. Ownership of assets: Is there a complete ownership list of assets?


3. Acceptable use of assets: Is there a defined "acceptable use" of assets policy?


4. Return of assets: Is there a defined return of assets policy?


Information Classification

1. Classification of Information: Is there a defined policy for the classification of information?


2. Labeling of Information: Is there a defined policy for labeling information?


3. Handling of Assets: Is there a defined policy for handling of assets?


Media Handling

1. Management of removable media: Is there a defined policy for the management of removable media?


2. Disposal of media: Is there a defined policy for the disposal of media?


3. Physical media transfer: Is there a defined policy for physical media transfer?


Responsibilities For Assets

1. Access control policy: Is there a defined access control policy?


2. Access to networks and network services: Is there a defined policy for access to networks and network services?


3. User Registration and Deregistration: Is there a defined policy for user registration and deregistration?


4. User Access Provisioning: Is there a defined policy for user access provisioning?


5. Management of Privileged Access Rights: Is there a defined policy for the management of privileged access rights?


6. Management of Secret Authentication Information of Users: Is there a defined policy for the management of secret authentication information of users?


7. Review of User Access Rights: Is there a defined policy for the review of user access rights?


8. Removal or Adjustment of Access Rights: Is there a defined policy for the removal or adjustment of access rights?


User Responsibilities

1. Use of Secret Authentication Information: Is there a defined policy for the use of secret authentication information?


System And Application Access Control

1. Information Access Restrictions: Is there a defined policy for information access restrictions?


2. Secure Log-On Procedures: Is there a defined policy for secure log-on procedures?


3. Password Management System: Is there a defined policy for password management systems?


4. Use of Privileged Utility Programs: Is there a defined policy for the use of privileged utility programs?


5. Access Control to Program Source Code: Is there a defined policy for access control to program source code?


Cryptographic Controls

1. Policy on the use of cryptographic controls: Is there a defined policy for the use of cryptographic controls?


2. Key management: Is there a defined policy for key management?


Secure Areas

1. Physical Security Perimeter: Is there a defined policy for physical security perimeter?


2. Physical Entry Controls: Is there a defined policy for physical entry controls?


3. Securing Offices, Rooms, and Facilities: Is there a defined policy for securing offices, rooms, and facilities?


4. Protection against External and Environmental Threats: Is there a defined policy for protection against external and environmental threats?


5. Working in Secure Areas: Is there a defined policy for working in secure areas?


6. Delivery and Loading Areas: Is there a defined policy for delivery and loading areas?


Equipment

1. Equipment siting and protection: Is there a defined policy for equipment siting and protection?


2. Supporting utilities: Is there a defined policy for supporting utilities?


3. Cabling security: Is there a defined policy for cabling security?


4. Equipment maintenance: Is there a defined policy for equipment maintenance?


5. Removal of assets: Is there a defined policy for the removal of assets?


6. Security of equipment and assets off-premises: Is there a defined policy for the security of equipment and assets off-premises?


7. Secure disposal or reuse of equipment: Was there secure disposal or reuse of equipment?


8. Unattended user equipment: Is there a defined policy for unattended user equipment?


9. Clear desk and clear screen policy: Is there a defined clear desk and clear screen policy?


Operational Procedures And Responsibilities

1. Documented operating procedures: Is there a defined policy for documented operating procedures?


2. Change management: Is there a defined policy for change management?


3. Capacity management: Is there a defined policy for capacity management?


4. Separation of development, testing, and operational environments: Is there a defined policy for the separation of development, testing, and operational environments?


Protection From Malware

1. Controls against malware: Is there a defined policy for controls against malware?


System Backup

1. Backup: Is there a defined policy for backing up systems?


2. Information Backup: Is there a defined policy for information backup?


Logging And Monitoring

1. Event logging: Is there a defined policy for event logging?


2. Protection of log information: Is there a defined policy for the protection of log information?


3. Clock synchronization: Is there a defined policy for clock synchronization?


4. Administrator and operator log: Is there a defined policy for administrator and operator logs?


Control Of Operational Software

1. Installation of software on operational systems: Is there a defined policy for the installation of software on operational systems?


Technical Vulnerability Management

1. Restriction on Software Installation: Is there a defined policy for restrictions on software installation?


2. Management of Technical Vulnerabilities: Is there a defined policy for the management of technical vulnerabilities?


Information Systems Audit Considerations

1. Information System Audit Control: Is there a defined policy for information system audit control?


Network Security Management

1. Network controls: Is there a defined policy for network controls?


2. Security of network services: Is there a defined policy for the security of network services?


3. Segregation in networks: Is there a defined policy for segregation in networks?


Information Transfer

1. Information transfer policies and procedures: Are information transfer policies and procedures defined?


2. Agreements on information transfer: Is there a defined policy for agreements on information transfer?


3. Electronic messaging: Is there a defined policy for electronic messaging?


4. Confidentiality or non-disclosure agreements: Is there a defined policy for confidentiality or non-disclosure agreements?


5. System acquisition, development and maintenance: Is there a defined policy for system acquisition, development, and maintenance?


Security Requirements Of Information Systems

1. Information security requirements analysis and specification: Is there a defined policy for information security requirements analysis and specification?


2. Securing application services on public networks: Is there a defined policy for securing application services on public networks?


3. Protecting application service transactions: Is there a defined policy for protecting application service transactions?


Security In Development And Support Processes

1. In-house development: Is there a defined policy for in-house development?


Supplier Relationships

1. Is there a defined policy for supplier relationships?


Information Security Management

1. Is there a defined policy for information security management?



Checklist by GoAudits.com – Please note that this checklist is intended as an example. We do not guarantee compliance with the laws applicable to your territory or industry. You should seek professional advice to determine how this checklist should be adapted to your workplace or jurisdiction.
