21RISK - ISO 27001

1 Introduction

Welcome to the audit process for ISO 27001 compliance, the international standard for Information Security Management Systems (ISMS). Your role as the auditor is crucial in assessing organizations' adherence to ISO 27001 requirements, ensuring the protection of information assets.

ISO 27001 provides a systematic approach to managing sensitive information and mitigating information security risks. This audit checklist is designed to evaluate an organization's ISMS effectiveness, covering policies, risk management, staff awareness, access control, incident response, and monitoring.

Your expertise as the auditor will help identify vulnerabilities, provide recommendations, and enhance information security practices. Stay objective, impartial, and maintain confidentiality throughout the process.

Thank you for your commitment to promoting information security and ensuring ISO 27001 compliance. Together, we can strengthen organizations' ability to protect valuable information assets and establish resilient security frameworks.

5 Management direction for information security

5.1

5.1.1 Policies for information security

5.1.1.1

These include policies like the high-level Information Security policy, Third Party Risk management policy, Network Security policy, Secure Software Lifecycle Development policy, and any other policy mentioned throughout the clauses and also that form part of the Annex A list of controls.

Does the organization have Information Security policies?

5.1.1.2

These include formal approval which should reflect in the document version control and revision section.

Have all Information Security policies been approved by management and are reflected in the policy documents?

5.1.1.3

These include posting policies on the company portal (if available) or sending out mailer communications.

Have the Information Security policies been properly communicated to employees?

5.1.2 Review of the policies for information security

5.1.2.1

These include formal approval which should reflect in the document version control and revision section.

Are Information Security policies policies subject to review?

5.1.2.2

This can be a periodic interval determined by the organization but at a minimum, yearly is required.

Are the reviews of the Information Security policies conducted at regular intervals?

5.1.2.3

An example of a major change could be the migration of on-premises servers to a public cloud. An example of a minor change could be the introduction of a new configuration management system that changes the existing workflow.

Are reviews of the Information Security policies conducted when significant changes occur?

6 Organisation of information security

6.1 Internal Organisation

6.1.1 Information security roles and responsibilities

6.1.1.1

Some examples of roles and responsibilities include Chief Information Security Officer (CISO), Security Analyst, Security Engineer, and their daily tasks.

Are responsibilities for the protection of company assets, and for carrying out specific security responsibilities clearly identified, defined and communicated to all relevant stakeholders?

6.1.2 Segregation of duties

6.1.2.1

This is a very important Security concept that aims at ensuring that no single person has power enough to cause havoc. For example, A Firewall Administrator should not be allowed to create his/her own account, assign permissions and also approve them. More information can be found in this article.

Is Segregation of Duties enforced, maintained and monitored, in order to reduce opportunities for unauthorized modification or misuse of information, or services?

6.1.3 Contact with authorities

6.1.3.1

There should be a process in place to report incidents when needed to local authorities including law enforcement. Sometimes these may be required by local laws and regulations. The processes should be documented.

Is there a procedure documenting under what circumstances, and by whom, contact with relevant authorities (law enforcement, special interest groups, etc.) will be made?

6.1.3.2

There should be a process in place to report incidents when needed to local authorities including law enforcement. Sometimes these may be required by local laws and regulations. The processes should be documented.

Is there a process for regular contact and threat intelligence sharing with relevant authorities?

6.1.4 Contact with special interest groups

6.1.4.1

Security Professionals can do so by registering at the local ISC2 or ISACA chapters for example.

Do relevant individuals within the organization maintain active membership in relevant special interest groups?

6.1.5 Information security in project management

6.1.5.1

Think of this as an Information Security Risk Assessment for any new projects. For example, imagine a business team is planning to develop an in-house tool to accomplish a specific business objective, so it becomes important to understand the security risks from a Secure Software Development Lifecycle (SSDLC) perspective and the organization could have standard checklists for these assessments.

Do all projects go through some form of information security risk assessment identifying areas of vulnerabilities and identifying mitigation actions?

6.2 Mobile devices and teleworking

6.2.1 Mobile device policy

6.2.1.1

This is typically applicable to companies issuing handheld devices to employees or allowing employees to bring their own devices and connect to the company network. Device Security becomes an important component then and some solutions that can help with that are Mobile Device Management solutions.

Does the company have a mobile device policy?

6.2.1.2

These include formal approval which should reflect in the document version control and revision section.

Is the mobile device policy approved by management and is reflected in the policy documents?

6.2.2 Teleworking

6.2.2.1

Teleworking refers to working from anywhere which is very prevalent today in the hybrid way of working.

Is there a policy for teleworking/remote working?

6.2.2.2

These include formal approval which should reflect in the document version control and revision section.

Is the teleworking/remote working policy approved by management and reflected in the policy documents?

6.2.2.3

This typically is part of a procedural document as part of the organization's Identity and Access Management (IAM) strategy and should detail how employees are granted access from outside of the organization's network to inside to access corporate or production applications. E.g. Procedures regarding how employees have to log in to a VPN solution in order to access the organization's internal network.

Is there a defined process for teleworkers to get access to company resources?

6.2.2.4

This should form part of a Security Awareness training.

Are teleworkers given sufficient training, tools and techniques to protect their assets?

7 Human resources security

7.1 Prior to employment

7.1.1 Screening

7.1.1.1

Background verification checks include criminal background checks, educational background checks, etc.

Are employee background screening or verification checks carried out on all new candidates prior to employment?

7.1.1.2

Typically this sits within the HR function but organizations are free to appoint appropriate management authority. The 27001 standard gives that flexibility to organizations.

Are these employee background screening or verification checks approved by appropriate management authority, and is reflected as part of a background screening policy?

7.1.1.3

This is more for the Legal department to check the compliance of the background checks. For example, in certain countries, conducting a criminal background check against somebody might not be allowed by local laws.

Are the checks employee background screening or verification checks compliant with relevant laws, regulations and ethics?

7.1.1.4

This can be tied to the business risk of not complying with 27001 which may result in loss of customers, loss of reputation, etc.

Is the level of checks commensurate with what is actually required for mitigating the organization's risks that may originate from the lack of a screening process?

7.1.2 Terms and conditions of employment

7.1.2.1

Are all employees, contractors and third-party users asked to sign confidentiality and non-disclosure agreements detailing all important clauses about protecting company information, maintaining confidentiality, etc.?

7.1.2.2

Do employment/service contracts specifically cover the need to maintain the confidentiality, integrity and availability of the organization's information?

7.2 During employment

7.2.1 Management responsibilities

7.2.1.1

Security is everyone's responsibility. Some organizations make this part of Manager's job responsibilities to drive security-related conversations in everyday work.

Are managers (not limited to Information Security Managers) involved in raising awareness and propagating a security culture within the business?

7.2.1.2

Do senior management behavior and policy motivate and drive all employees, contractors and any other users to follow and apply the Information Security principles and practices in accordance with established policies and procedures?

7.2.2 Information security awareness, education and training

7.2.2.1

Do all employees, contractors and any other users undergo periodic security awareness training appropriate to their roles and functions within the organization?

7.2.3 Disciplinary process

7.2.3.1

Has the organization established a formal disciplinary process that allows the organization to take action against employees who have violated an information security policy (which may or may not result in a breach)?

7.2.3.2

Is this disciplinary process communicated to all employees?

7.3 Termination and change of employment

7.3.1 Termination or change of employment responsibilities

7.3.1.1

This typically is a combination of HR-related processes and Identity and Access Management (IAM) procedures. For e.g.

1) Are User IDs immediately disabled upon termination

2) Are rights and permissions for the existing role removed (if no longer required) if the employee switches roles etc?

Does the organization have a documented process for terminating employees, contractors or any other user and a documented process for change of employment duties (e.g. changing roles within departments)?

7.3.1.2

This can be part of a Non-Disclosure Agreement Clause or an electronic acknowledgment of having read the Information Security Policy.

Are those policies and processes communicated to the employee or contractor?

7.3.1.3

Some examples include automated Identity and Access Management solutions to enforce the principle of least privilege giving employees only the rights they need to perform their jobs.

Does the organization have processes in place to enforce compliance with those policies and processes?

8 Asset management

8.1 Responsibility for assets

8.1.1 Inventory of assets

8.1.1.1

This could be an automated inventory like Service Now or a spreadsheet (which might not work for bigger organizations with lots of assets). Also, assets here refer to all software and hardware assets.

Does the organization have an inventory of all assets used for information processing including hardware, software and any other assets?

8.1.1.2

This could be an automated inventory like Service Now or a spreadsheet (which might not work for bigger organizations with lots of assets). Also, assets here refer to all software and hardware assets.

Are there either manual or automated processes and procedures to keep the asset inventory accurate and up to date?

8.1.2 Ownership of assets

8.1.2.1

Also referred to as an Asset Owner, all Software and Hardware Assets must have ownership. This is important to be able to mitigate any Information Security risks.

Do all information assets have clearly defined ownership and responsibilities?

8.1.3 Acceptable use of assets

8.1.3.1

An Acceptable Use Policy (AUP) typically describes the policies around how an organization's assets should be handled and the DOs and DONTs. Just like any other policies, these could be posted on the company intranet or through internal mailer campaigns.

Does the organization have an Acceptable Use Policy (AUP) that defines how the information assets should be used and handled?

8.1.3.2

An Acceptable Use Policy (AUP) typically describes the policies around how an organization's assets should be handled and the DOs and DONTs. Just like any other policies, these could be posted on the company intranet or through internal mailer campaigns.

Are users made aware of the AUP prior to using the organization's assets?

8.1.4 Return of assets

8.1.4.1

Is there a process in place to ensure all employees and external users return the organization's assets on termination of their employment, contract or agreement?

8.2 Information classification

8.2.1 Classification of information

8.2.1.1

Information Classification is necessary to understand the criticality of data to the organization as data, after human resources, is the most valuable asset for an organization. Appropriate Security controls can be applied only if the classification of data is known. Data classified as "public" might not require the same level of controls as data classified as "confidential".

Does the organization have an Information Classification policy that details how information should be classified based on the sensitivity of that information?

8.2.1.2

This should be a documented policy detailing what are the different types of data processed by the organization and what are their clarification criteria. For example, a Credit Card might be classified as confidential whereas the company careers page might have to be classified as "public".

Does the organization have either automated or manual processes by which all information can be appropriately classified as defined by the policy?

8.2.2 Labelling of information

8.2.2.1

This could be an automated process where software could be utilized to automatically assign labels to files and documents or it can be a manual process where employees assign classification labels based on the company's classification criteria.

Does the organization have processes and procedures for ensuring information classification is appropriately marked on each asset type?

8.2.3 Handling of assets

8.2.3.1

There should be procedures for handling data belonging to different classification types. For example, "confidential data" may mandatorily need encryption controls but data classified as "public" may not.

Does the organization have clearly defined procedures for handling each information type?

8.2.3.2

The policies and procedures around data classification and handling of data should be communicated to all employees and contractors via appropriate means.

Does the organization make its users aware of these procedures?

8.3 Media handling

8.3.1 Management of removable media

8.3.1.1

Removable media refers to things like USB drives, external drives, etc. Since information can be stolen via those media, certain security controls can be made applicable and also policies and procedures can be built around those.

Does the organization have a policy governing removable media like USB sticks, Hard Drives, etc.?

8.3.1.2

This relates to how employees can request access to use certain removable media like USB sticks in company laptops for example. Salespeople might need those from time to time. There should be strict processes on how to govern those including issuance, approval, usage and return.

Does the organization have a process governing how removable media is managed through its lifecycle?

8.3.1.3

The policies and procedures around removable media should be communicated to all employees and contractors via appropriate means.

Has the organization communicated the policies and process(es) to all employees using removable media?

8.3.2 Disposal of media

8.3.2.1

Some procedures include degaussing and shredding and should be performed in an environmentally friendly way and also in a way that residual data cannot be extracted.

Does the organization have a formal procedure governing how removable media is disposed?

8.3.3 Physical media transfer

8.3.3.1

Transportation of media should have policies and procedures around it. For example, only company-approved vendors are allowed to move disks from one data center to another center, if the disks contain data that are labeled "confidential", more stringent security controls like access controls and encryption might apply, etc.

Does the organization have documented policies and processes detailing how physical media should be transported from one location to another?

8.3.3.2

Transportation of media should have policies and procedures around it. For example, only company-approved vendors are allowed to move disks from one data center to another center, if the disks contain data that are labeled "confidential", more stringent security controls like access controls and encryption might apply, etc.

Does the organization have procedures in place for protecting media in transport against unauthorized access, misuse or corruption?

9 Access control

9.1 Business requirements for access control

9.1.1 Access control policy

9.1.1.1

An access control policy defines how an organization provides secure access to its systems for its users. It details the authentication, authorization and auditing (AAA) statements. Additionally, procedures should define how those policy statements are put into action.

Does the organization have a documented access control policy?

9.1.1.2

The policy should be commensurate with business risks i.e. appropriate levels of access controls should be applied based on the classification of systems and the risks they pose to the business.

Has the organization drafted the policy based on measurable business risks to the organization?

9.1.1.3

The policies and procedures around access control should be communicated to all employees and contractors via appropriate means.

Has the organization communicated the policy appropriately to all employees and contractors?

9.1.2 Access to networks and network services

9.1.2.1

Also known as need to know, users or systems or services should only have access to the resources they need to accomplish their job and nothing else. Additional guidance can be found here.

Has the organization ensured that there are controls in place to ensure users only have access to the network resources they have been specially authorized to use and are required for their duties? This is also known as the principle of least privilege.

9.2 User access management

Requirements A.9.2.1 to A.9.2.6 detail having thorough Identity and Access Management procedures in place which should cover how the organization manages a user, a system or a service's IAM lifecycle- from creation all the way to termination (in case of users) or decommissioning (in case of services/systems).

9.2.1 User registration and de-registration

9.2.1.1

Does the organization have a formal user access registration process in place?

9.2.2 User access provisioning

9.2.2.1

Does the organization have a formal user access provisioning process in place to assign access rights for all user types and services?

9.2.3 Management of privileged access rights

9.2.3.1

Does the organization have a process for managing privileged access accounts through a proper Identity and Access Management (IAM) process?

9.2.4 Management of secret authentication information of users

9.2.4.1

Does the organization have a formal management process in place to control and manage the flow of authentication information?

9.2.5 Review of user access rights

9.2.5.1

Does the organization have a process for asset owners to review access rights to their assets on a periodic basis commensurate with the organization's risk appetite? Is there an independent verification process for the access review process?

9.2.6 Removal or adjustment of access rights

9.2.6.1

Does the organization have a process to ensure user access rights are removed on termination of employment or contract, or adjusted upon change of role?

9.3 User responsibilities

9.3.1 Use of secret authentication information

9.3.1.1

Examples of these include sharing root Linux admin passwords for "admins only" and break-glass account passwords. The organization should detail how these are shared with each other- for e.g. through LastPass, etc.

Does the organization have a policy document covering the organization's practices regarding how secret authentication information must be handled?

9.3.1.2

The policies and procedures should be communicated to all employees and contractors via appropriate means.

Is this communicated to all users?

9.4 System and application access control

9.4.1 Information access restriction

9.4.1.1

This is basically the translation of policy statements written in A.9.1.1 into technical, administrative or physical controls.

Does the organization restrict access to information and applications in accordance with the access control policy?

9.4.2 Secure log-on procedures

9.4.2.1

This goes back to how the organization has defined the IAM procedures. The key to this is having a risk-based approach, meaning more sensitive systems might have stricter security requirements than low-sensitive assets.

Is access to sensitive information (as defined by the Information Classification Policy) controlled by secure authentication and authorization procedures?

9.4.3 Password management system

9.4.3.1

Passwords should be complex enough and the organization should follow industry standards like a 12-character password with special characters, numbers, etc.

Are password systems interactive?

9.4.3.2

Passwords should be complex enough and the organization should follow industry standards like a 12-character password with special characters, numbers, etc.

Does the organization mandate the use of complex passwords?

9.4.4 Use of privileged utility programs

9.4.4.1

Privilege Utility Programs are programs that can access systems or services through API calls for example or through service-to-service authentication. These should be tightly controlled using the same IAM principles.

Does the organization restrict the usage of privileged utility programs? Are activities associated with such programs monitored through appropriately defined mechanisms?

9.4.5 Access control to program source code

9.4.5.1

Source Code is the organization's crown jewel and should be protected with the strongest of IAM controls.

Does the organization take appropriate measures to regulate and control access to the source code of the organization's Access Control System or IAM system?

10 Cryptography

10.1 Cryptographic controls

10.1.1 Policy on the use of cryptographic controls

10.1.1.1

The policy should detail the usage of cryptographic controls commensurate with the data classification policy and also should state the usage of industry standards and secure protocols like AES, RSA, etc. The policy should also take into account any compliance regulations. For e.g. if a certain compliance framework doesn't mandate the use of 3DES, it should be used.

Does the organization have a policy on the use of cryptographic protocols for encryption-related purposes?

10.1.2 Key management

10.1.2.1

Key Management is one of the most aspects of cryptography, and there should be policies and procedures governing how keys are generated, maintained and expired.

Does the organization have a policy governing the lifecycle and management of cryptographic keys which includes generation, maintenance and expiration?

11 Physical and environmental security

11.1 Secure areas

11.1.1 Physical security perimeter

11.1.1.1

A perimeter is a security boundary that the organization controls and there should be one with appropriate access controls.

Does the organization have a designated physical security perimeter around all of its physical locations (Data Centers, Corporate Offices, etc.)?

11.1.1.2

Just like Network Segmentation, physical environments can also be segregated based on the sensitivity of data and can be completely isolated. e.g. by using different racks or cages in data centers.

Are sensitive or critical information areas segregated and appropriately controlled?

11.1.2 Physical entry controls

11.1.2.1

There should be designated secure areas where only authorized personnel are allowed to enter. For e.g. Security Personnel or Admins only. These should be well protected by appropriate access control systems and even combined with multi-factor authentication like a badge and a biometrics entry for example.

Does the organization have designated secure areas and do they have suitable entry control systems to ensure only authorized personnel have access on a least privileged principle basis?

11.1.3 Securing offices, rooms and facilities

11.1.3.1

Security should be an integral part of not only systems security but also physical security. Appropriate physical security controls should be put into place.

Are "Security by design" principles followed for all physical locations and facilities?

11.1.3.2

Appropriate processes and procedures should be maintained for physical security. NIST SP 800-12 provides guidance.

Do processes for maintaining security (e.g. Locking up, clear desks, etc.) exist?

11.1.4 Protecting against external and environmental threats

11.1.4.1

Risk Assessments should be conducted on a periodic basis to evaluate risks against those mentioned and appropriate controls should be put into place.

Does the organization have adequate physical protection measures to prevent natural calamities, disasters, malicious physical attacks or other man-made or natural disasters?

11.1.5 Working in secure areas

11.1.5.1

There should be designated secure areas where only authorized personnel are allowed to enter. For e.g. Security Personnel or Admins only. These should be well protected by appropriate access control systems and even combined with multi-factor authentication like a badge and a biometrics entry for example.

Does the organization have designated secure areas?

11.1.5.2

The policies and procedures around physical security should be communicated to all applicable stakeholders.

Do the secure areas have suitable security policies and processes and have they been communicated to appropriate stakeholders?

11.1.5.3

Examples of technical controls include badges and biometrics implementation. Examples of administrative include logging visitors in an entry system, and examples of physical security include bollards, etc.

Are the physical security policies and processes for the secure areas enforced with technical, administrative or physical controls and are they monitored?

11.1.6 Delivery and loading areas

11.1.6.1

Does the organization have separate delivery/loading areas?

11.1.6.2

Again, appropriate technical, administrative and physical security controls should be applied

Does the organization have strict access controls as defined by the physical and logical access control policies in those areas?

11.1.6.3

Segregation remains one of the most important security controls and it is applicable even in this case.

Does the organization have segregation in access between loading areas and information processing facilities? In other words, are those environments isolated?

11.2 Equipment

11.2.1 Equipment siting and protection

11.2.1.1

Locations that are prone to environmental hazards expose the organizations to more risks, which should be considered in the risk assessments. Appropriate backup strategies should be considered, for example, considering a cloud service provider that has access to various geographical regions and availability.

Does the equipment locations selection process include consideration of environmental hazards?

11.2.1.2

This should specifically be part of the physical security risk assessments to satisfy the requirements of the ISO 27001 standard. Appropriate access controls should be established.

Are the risks from unauthorized access/passers-by considered when selecting equipment?

11.2.2 Supporting utilities

11.2.2.1

The organization should make sure that single points of failure are eliminated, be it for power generation, HVAC systems, etc. so the business operations are able to continue in the event of a failure.

Does the organization have a UPS system or backup generator for failover purposes of business continuity?

11.2.2.2

Periodic testing should be conducted. There could be table tops, walkthroughs, simulation drills or full interruption tests.

Has the organization tested these plans using appropriate drill mechanisms (full-scale interruption, tabletop exercise, etc.) within an appropriate timescale?

11.2.3 Cabling security

11.2.3.1

This should be part of the overall physical security risk assessments.

Has the organization performed risk assessments over the location of power and telecommunications cables powering the physical locations and has the organization established appropriate security controls based on the risks?

11.2.3.2

TEMPEST as it is called, is a set of guidelines and requirements, that organizations can use or check to see if the service providers use to help with these set of requirements.

Has the organization established appropriate security controls for protecting the power and telecommunication cables from interference, interception or damage?

11.2.4 Equipment maintenance

11.2.4.1

Rigorous maintenance procedures should be carried for making sure that equipment is still fit for purpose.

Has the organization established a rigorous equipment maintenance schedule?

11.2.5 Removal of assets

11.2.5.1

Asset removal should have its set of procedures and including checks during removal, transportation and offloading.

Has the organization established a process to enforce control and manage how assets are removed from the site?

11.2.5.2

Spot checks should be established to make sure the procedures are carried out in accordance with the policy.

Has the organization established a process for carrying out spot checks?

11.2.6 Security of equipment and assets off-premises

11.2.6.1

Any assets if transferred off-site should be subject to the same level of security controls (as applicable).

Does the organization have a policy covering the security of assets off-site?

11.2.6.2

The policies and procedures around physical security should be communicated to all applicable stakeholders.

Has this policy been communicated to all applicable stakeholders?

11.2.7 Secure disposal or reuse of equipment

11.2.7.1

If the organization decides to reuse assets because of cost or environmental reasons, there should be appropriate policies around it.

Does the organization have a policy that lays out how information assets may be reused for business reasons?

11.2.7.2

More information about degaussing can be found here.

Where data is wiped with appropriate methods like degaussing, is this properly verified before the reuse/disposal of the assets?

11.2.8 Unattended user equipment

11.2.8.1

There should be no unattended equipment and if found should be dealt with by categorizing, finding the owners and placing it in the appropriate secure location as defined by policies and procedures.

Does the organization have a policy around how unattended equipment should be protected?

11.2.8.2

The controls could be a mix of technical, administrative or physical controls. There are even automated tools available in the market nowadays to help identify unattended and rogue devices. Armis is an example.

Does the organization have adequate technical, administrative or physical controls in place to secure equipment that has been inadvertently left unattended?

11.2.9 Clear desk and clear screen policy

11.2.9.1

This is to protect against information exposure as some employees inadvertently leave passwords or sensitive information on notepads at the desks. That's just one example but overall hygiene is necessary to protect against various information exposures.

Does the organization have a clear desk/clear screen policy?

11.2.9.2

Regular enforcement of the policy, spot checks and disciplinary actions should be determined.

Is the policy well enforced and are there regular checks to ensure this is followed and are appropriate remediation actions taken in case of violation?

12 Operations security

12.1 Operational procedures and responsibilities

12.1.1 Documented operating procedures

12.1.1.1

All operational procedures should be documented. These could be the deployment of servers and applications, running code reviews, rolling out upgrades, patches, etc.

Has the organization documented all operating procedures? These could be the deployment of servers and applications, running code reviews, etc.

12.1.1.2

The policies and procedures around operational security should be communicated to all applicable stakeholders.

Has the organization made the procedures available to all users and other stakeholders who need them?

12.1.2 Change management

12.1.2.1

Change Management is one of the most important aspects of Security and has to be integrated into all operations. Any code changes, platform changes, personnel changes, upgrades, etc.- minor or major has to undergo a change management process and have to be approved before the system is deployed to production.

Does the organization have a change management process in place for all of its operations?

12.1.3 Capacity management

12.1.3.1

Capacity Management is also very important for measuring against downtime and should be evaluated and reviewed constantly. Nowadays, with the advent of the cloud, capacity management is built into the cloud and organizations can leverage many Cloud Service Providers providing more scalability and agility.

Does the organization have a capacity management process in place?

12.1.4 Separation of development, testing and operational environments

12.1.4.1

This refers to the segmentation of different environments based on IP addressing schemes and Firewall Access Control Lists. The concept of micro-segmentation is also prevalent now where systems inside of the environments can also be appropriately segmented in order to maintain security levels and follow a Zero Trust approach.

Does the organization enforce segregation/segmentation of development, test/staging and production environments?

12.2 Protection from malware

12.2.1 Controls against malware

12.2.1.1

This includes the use of anti-malware amongst other tools that are available in the market. Extended Detection and Response (EDR) tools are getting popular to combat Ransomware and other malware.

Does the organization have processes to detect malware in place?

12.2.1.2

This includes strong network segmentation controls to prevent the lateral movement of malware.

Does the organization have processes to prevent the spread of malware?

12.2.1.3

This ties back to the controls stated in A.16

Does the organization have incident response plans and playbooks to recover from a malware infection?

12.3 Backup

12.3.1 Information backup

This should be part of the overall business continuity/disaster recovery process. ISO 22301 provides an excellent framework for this. Also, the BCI GPG is a good resource.

12.3.1.1

Does the organization have a backup policy with agreed recovery time objectives (RTO) and recovery point objectives (RPO)?

12.3.1.2

Does the organization's backup policy comply with relevant legal and regulatory frameworks?

12.3.1.3

Does the organization have processes in place to determine that backups are made in accordance with the policy?

12.3.1.4

Does the organization have periodic backups testing procedures in accordance with the schedules and RTOs/RPOs defined by the policy?

12.4 Logging and monitoring

12.4.1 Event logging

12.4.1.1

Various logs need to be generated from systems (applications, databases, servers, etc.) and stored for analysis purposes to hunt for threats or for later forensic analysis purposes. These could be access logs, VPN logs, permissions and rights change logs, etc. The systems storing, processing and transmitting the logs should also be protected with all applicable security controls in order to prevent tampering with the logs.

Does the organization have appropriate event logs generated from applicable infrastructure and applications under the 27001 scope, maintained and regularly reviewed by designated personnel?

12.4.2 Protection of log information

12.4.2.1

Same as above.

Has the organization implemented appropriate mechanisms and controls to protect the logs and logs processing facilities against tampering and unauthorized access?

12.4.3 Administrator and operator logs

12.4.3.1

Same as above.

Does the organization have all relevant admin-related logs maintained, protected and periodically reviewed?

12.4.4 Clock synchronization

12.4.4.1

GitHub has published a list of top 10 public NTP servers.

Does the organization maintain sync between all Network Time Protocol (NTP) servers and is NTP synced with an external publicly reliable source?

12.5 Control of operational software

12.5.1 Installation of software on operational systems

12.5.1.1

There should be appropriate mechanisms in place to restrict users from installing unapproved software. These could be requiring a username and password for authentication before allowing software to be installed or simply whitelisting only approved software.

Does the organization have a process in place to control and manage the installation of software in production systems?

12.6 Technical vulnerability management

12.6.1 Management of technical vulnerabilities

12.6.1.1

https://attack.mitre.org/

Does the organization have access to updated and timely information on technical vulnerabilities from recognized industry sources like MITRE or from standard vulnerability management tools databases?

12.6.1.2

There should be a combination of technical and administrative controls to assess vulnerabilities using scanners like Tenable and then remediating those based on timelines set per the criticality of the asset.

Does the organization have a process to assess risks and respond to new vulnerabilities as they are discovered?

12.6.2 Restrictions on software installation

12.6.2.1

There should be appropriate mechanisms in place to restrict users from installing unapproved software. These could be requiring a username and password for authentication before allowing software to be installed or simply whitelisting only approved software.

Does the organization have processes in place to restrict end users from installing unapproved software?

12.7 Information systems audit considerations

12.7.1 Information systems audit controls

12.7.1.1

Organizations should have an unbiased auditing process with an audit committee that preferably directly reports to the board of directors. And the audits can be time-consuming so that has to be kept in mind.

Are information processing systems subject to regular independent audits?

12.7.1.2

Same as above.

Does the organization have processes in place to ensure that the audit process does not disrupt business operations?

13 Communications security

13.1 Network security management

13.1.1 Network controls

13.1.1.1

This includes a combination of policies and procedures depicting appropriate network management procedures with security in mind. For example using SSH and not Telnet to remote connect to Network Swtiches, following appropriate secure benchmarks for configuration, etc. Center for Internet Security (CIS) provides good guidance on this.

Does the organization have network management processes in place including administration, maintenance and operations?

13.1.2 Security of network services

13.1.2.1

Security Risk Management should be an integral part of the organization's business operations and this is no different. Things like:

1) Is the vendor recognized?

2) Can the vendor's equipment support the organization's secure baseline configurations etc. should be kept in mind.

Is security risk management an integral part while identifying all network services and network service agreements with service providers/vendors etc.?

13.1.2.2

The organization's network security requirements should be made part of the third-party contracts or compensating controls should be established where they cannot be met by the third party.

Are network security requirements mandated in agreements and contracts with service providers?

13.1.2.3

Examples of these include Firewall troubleshooting procedures if the vendor is a Managed Security Service Provider (MSSP).

Are network security-related SLAs mandated within the clauses of the contractual or service agreements?

13.1.3 Segregation in networks

13.1.3.1

This refers to the segmentation of different environments based on IP addressing schemes and Firewall Access Control Lists. The concept of micro-segmentation is also prevalent now where systems inside of the environments can also be appropriately segmented in order to maintain security levels and follow a Zero Trust approach.

Does the network topology enforce segregation of networks for different environments (Development/Testing/Production/Staging) and also for network admin-related tasks like separation of duties between Firewall admins etc.?

13.2 Information transfer

13.2.1 Information transfer policies and procedures

13.2.1.1

This basically refers to using secure channels like SSH, TLS, etc.

Does the organization have policies governing how information should be transferred securely, when necessary?

13.2.1.2

The policies and procedures should be communicated to all employees and contractors via appropriate means.

Have the procedures for how data should be transferred been communicated appropriately to all employees?

13.2.1.3

Access Controls should be implemented with the principle of least privilege in order to prevent abuse of information sharing.

Has the organization implemented technical, administrative or physical controls to prevent non-authorized forms of data transfer?

13.2.2 Agreements on information transfer

13.2.2.1

The contractual agreements with third parties should replicate requirements resulting from A.13.2.1.

Do contracts and agreements with external parties or internal stakeholders within the organization detail the requirements for securing business information in transfer?

13.2.3 Electronic messaging

13.2.3.1

The scope of A.13.2.1 should cover messaging systems like Slack for example, where policies should dictate whether or not sensitive data should be transmitted and if yes, how the data should be transmitted.

Do security policies adequately cover the use of information transfer while using electronic messaging systems?

13.2.4 Confidentiality or nondisclosure agreements

13.2.4.1

This is important from an Information Security and Legal perspective.

Does the organization require employees, contractors and other users to sign confidentiality or non-disclosure agreements commonly known as NDAs?

13.2.4.2

There should be periodic reviews.

Has the organization established regular review processes for these agreements?

13.2.4.3

Records should be maintained which sometimes can also be dictated by regulations.

Are records of these agreements maintained?

14 System acquisition, development and maintenance

14.1 Security requirements of information systems

14.1.1 Information security requirements analysis and specification

14.1.1.1

Appropriate Information Security technical assessments have to be carried out when for example an entire fleet of Linux CentOS 7 servers are updated to CentOS 8. These reviews could include:

1) Do the same baseline configurations apply?

2) Will the new operating platform support the existing malware solution, etc?

Does the organization specify information security requirements when new systems are introduced into the environment?

14.1.1.2

Same as above.

Does the organization ensure information security requirements specified and addressed system configurations are being enhanced or upgraded?

14.1.2 Securing application services on public networks

14.1.2.1

This basically refers to using TLS1.2 or above with secure ciphers which are now the standard encryption protocols for secure web transmissions over the internet.

Do applications that send information over public networks appropriately protect the information for confidentiality and integrity of data?

14.1.3 Protecting application services transactions

14.1.3.1

This basically refers to using appropriate hashing algorithms or other integrity checkers in order to maintain non-repudiation of data.

Does the organization have controls in place to prevent incomplete data modification, unauthorized disclosure or other forms of cyber attacks?

14.2 Security in development and support processes

14.2.1 Secure development policy

14.2.1.1

There are many secure SDLC frameworks that organizations can adopt. Some of them are OpenSAMM, OWASP Secure SDLC, Microsoft SDLC, Cisco SDLC, etc.

Does the organization develop software, applications or other systems?

14.2.1.2

Same as above.

Does the organization have Secure Software/Systems Development Life Cycle policies mandating the implementation and assessment of security controls during the phases?

14.2.2 System change control procedures

14.2.2.1

Change Management is one of the most important aspects of Security and has to be embedded in the SDLC. Any code changes, minor or major have to undergo a change management process and have to be approved before the code is pushed to production. Since a lot of organizations are moving to a DevOps model, many source code management tools like GitLab provide features like Merge Request approvals in order for developers to review other developers' code before pushing those into production.

Does the organization have a formal change management process?

14.2.3 Technical review of applications after operating platform changes

14.2.3.1

Appropriate Information Security technical assessments have to be carried out when for example an entire fleet of Linux CentOS 7 servers are updated to CentOS 8. These reviews could include:

1)Do the same baseline configurations apply?

2) Will the new operating platform support the existing malware solution, etc?

Does the organization have a process to ensure a technical security review is carried out when operating platforms are changed?

14.2.4 Restrictions on changes to software packages

14.2.4.1

This should be part of the Secure SDLC framework that the organization adopts in A.14.2.1.

Does the organization have a policy that mandates when and how software packages can be changed or modified?

14.2.5 Secure system engineering principles

14.2.5.1

This should be part of the Secure SDLC framework that the organization adopts in A.14.2.1. Systems refers to all systems (Applications, Databases, APIs, etc.). So the policy can be a Secure "Systems" Lifecycle Development Policy and can include aspects of "Software" as well.

Does the organization have documented principles on how systems must be engineered to ensure security by design?

14.2.6 Secure development environment

14.2.6.1

The organization has to create separate environments for Development/Testing and Production. These environments should be segregated from each other with appropriate security controls like segregation of duties, etc.

Has the organization established a secure development life cycle environment?

14.2.6.2

The organization has to establish processes to ensure that these environments are used in accordance with the established procedures- The development environment is only used for Development and so forth.

Do all development projects utilize the secure development lifecycle environment appropriately during the development lifecycle?

14.2.7 Outsourced development

14.2.7.1

If Development work has been outsourced, the organization should establish appropriate third-party risk management procedures to monitor. Remember, the "accountability" of shipping secure software still would be like with the organization. This could be part of the Third Party Risk Management policy and procedures defined in A15 below.

Has the organization established procedures to monitor outsourced development work?

14.2.7.2

Tools like Snyk can help with that. This has become prevalent after the solar winds hack but unvetted third-party libraries can introduce vulnerabilities in the organization and have to be part of the overall Secure SDLC strategy.

Does the organization have a security review process for externally developed code including third-party libraries before deployment into production?

14.2.8 System security testing

14.2.8.1

Same as A.14.2.3 but applies to all systems and not only software.

Are Security reviews part of the system development process?

14.2.9 System acceptance testing

14.2.9.1

This should be part of the change management process. A Change Approval Board (CAB) should be established, appropriate change management flows should be defined with a classification of change types and what is that's required before accepting a new change.

Does the organization have an established process to accept new systems/applications, or upgrades, into production use?

14.3 Test data

14.3.1 Protection of test data

14.3.1.1

Test data used in Development should be used from either in-house methods or from recognized industry sources. The organization should develop appropriate access controls with the least privilege principles and other security controls to protect the test data.

Does the organization have a process for selecting test data?

14.3.1.2

Same as above.

Does the organization have processes to adequately protect test data?

15 Supplier relationships

15.1 Information security in supplier relationships

15.1.1 Information security policy for supplier relationships

15.1.1.1

Information Security and Right to Audit clauses should be included as part of the contracts so that appropriate reviews can be carried out on the supplier activities at any given point in time.

Does the organization include information security as a clause in contracts established with third parties?

15.1.1.2

This includes integrating risk management processes throughout the vendor lifecycle, right from onboarding to offboarding of the suppliers. NIST has guidance on supplier risk management.

Has the organization implemented a comprehensive organization-wide supplier risk management process?

15.1.2 Addressing security within supplier agreements

15.1.2.1

Examples include appropriate encryption that has to be implemented while dealing with the organization's data.

Does the organization provide suppliers with documented and clear security requirements?

15.1.2.2

If vendors are provided access to the organization's systems, the access controls should be in line with the organization's access control policy.

Does the organization monitor and control supplier access to the organization's information assets & infrastructure?

15.1.3 Information and communication technology supply chain

15.1.3.1

This is a subset of A.15.1.1

Does the organization include requirements to address information security within the supply chain in the supplier agreements?

15.2 Supplier service delivery management

15.2.1 Monitoring and review of supplier services

15.2.1.1

This is an implementation of A.15.1.1. Companies like Shared Assessments have Standard Information Gathering Questionnaires that can help with this.

Are suppliers subject to regular information security reviews and audits?

15.2.2 Managing changes to supplier services

15.2.2.1

Any changes to contracts should be vetted thoroughly from an Information Security lens to see if any controls are affected.

Has the organization established a process wherein changes to the provision of services are subject to a management process that includes security & risk assessment?

16 Information security incident management

16.1 Management of information security incidents and improvements

16.1.1 Responsibilities and procedures

16.1.1.1

NIST Computer Security Incident Handling Guide provides guidance on the incident management phases. Appropriate Roles and Responsibilities have to be defined for the Incident Management process.

Has the organization clearly identified and documented all roles and responsibilities including management responsibilities in the incident management processes and phases?

16.1.2 Reporting information security events

16.1.2.1

Timely reporting is important from both a containment perspective and also might be required by various regulations.

Has the organization established a process for timely reporting of information security events?

16.1.2.2

Personnel will need to review and act upon incidents according to procedures defined in playbooks.

Has the organization established a process for reviewing and acting on reported information security events?

16.1.3 Reporting information security weaknesses

16.1.3.1

Organizations typically use a Vulnerability Scanning tool (e.g. Tenable) for this.

Has the organization established a process for reporting identified information security weaknesses or more commonly known as vulnerabilities?

16.1.3.2

These should be communicated to all employees and contractors via appropriate means.

Has the organization communicated this process widely to all relevant stakeholders?

16.1.3.3

This has to be in accordance with a Vulnerability Management policy which should be established first, and which should contain details of severity and remediation timelines amongst other things. For example, a high-severity vulnerability with a CVSS score of 8.0-9.0 might have to be remediated within a timeframe of 7 days as compared to a low-severity vulnerability with a CVSS score of 1.0-3.0 that can be remediated within 1 month.

Has the organization established a process for reviewing and addressing vulnerability reports in a timely manner and as defined by mitigation SLAs?

16.1.4 Assessment of and decision on information security events

16.1.4.1

Incidents and events can be classified according to priority levels. Several organizations use P1, P2 and P3 levels depending on the amount of damage an incident can have on the organization's business objectives.

Has the organization established a process to ensure information security events that can adversely affect business objectives are properly assessed and classified?

16.1.5 Response to information security incidents

16.1.5.1

An Incident Response policy and a procedure document have to be established that details all phases starting from incident identification to the retrospective, and appropriate playbooks have to be established for different incident types. The NIST Computer Security Incident handling guide is an excellent resource for this.

Has the organization established an incident response process and documented the classification and severity of information security incidents?

16.1.6 Learning from information security incidents

16.1.6.1

Same as above.

Has the organization established a process that allows the organization to learn from information security incidents, hold retrospective reviews and reduce the impact/probability of future events?

16.1.7 Collection of evidence

16.1.7.1

The organization has to make sure that appropriate forensic procedures are established and followed after an incident occurs, and that also appropriate chain of custody is followed to ensure the validity of the evidence and to be able to support the evidence in a court of law.

Has the organization established a forensics and investigations readiness policy?

16.1.7.2

Same as above.

Has the organization established appropriate chain of custody procedures which allows relevant data collected in a manner that allows it to be used as evidence in the event of an information security incident?

17 Information security aspects of business continuity management

17.1 Information security continuity

17.1.1 Planning information security continuity

17.1.1.1

Examples of this include making sure that the backup systems in the redundant facilities have been implemented with the same level of Security controls.

Does the organization consider information security requirements within the organization's business continuity plans?

17.1.2 Implementing information security continuity

17.1.2.1

An example would be continuity plans to make sure that the Security Operations Center (SOC) personnel are able to still detect and respond to attacks.

Has the organization implemented processes to maintain the continuity of Information Security functions during an adverse situation? Are these processes documented and maintained?

17.1.3 Verify, review and evaluate information security continuity

17.1.3.1

Periodic testing is required in order to validate that the plans will actually work during an adverse situation.

Are continuity plans validated and verified for Information Security requirements periodically?

17.2 Redundancies

17.2.1 Availability of information processing facilities

17.2.1.1

This includes all forms of redundancy like dual power supply, backup systems, backup tapes, cloud services, etc.

Do information processing facilities have sufficient redundancy to meet the organization's availability requirements?

18 Compliance

18.1 Compliance with legal and contractual requirements

18.1.1 Identification of applicable legislation and contractual requirements

18.1.1.1 ^*

This refers to whether the organization has identified applicable compliance regulations like PCI DSS if it stores, processes or transmits credit card data, GDPR if the organization processes data of individuals residing in the EU, etc. An applicable list of compliance requirements has to be well documented.

Has the organization identified and documented all relevant legislative, regulatory or contractual requirements related to information security?

18.1.1.2 ^*

This refers to whether the organization has identified applicable compliance regulations like PCI DSS if it stores, processes or transmits credit card data, GDPR if the organization processes data of individuals residing in the EU, etc. An applicable list of compliance requirements has to be well documented.

Has the organization documented all compliance requirements and how they will meet those?

18.1.2 Intellectual property rights

18.1.2.1 ^*

Several automated tools can help with this, manual efforts might not be scalable. Service Now is one such example.

Does the organization keep a record of all intellectual property rights and use of proprietary software products?

18.1.2.2 ^*

Several automated tools can help with this, manual efforts might not be scalable. Service Now is one such example.

Has the organization established a process for continuously monitoring the usage of unlicensed software?

18.1.3 Protection of records

18.1.3.1 ^*

These refer to having appropriate physical and logical security measures in place which sometimes could be derived directly from different regulations like PCI DSS for example.

Has the organization established a process to protect records from loss, destruction, falsification and unauthorized access or release in accordance with all applicable legislative, regulatory, contractual and business requirements?

18.1.4 Privacy and protection of personally identifiable information

18.1.4.1 ^*

This refers to identifying personal data like GDPR data or any other classification types as required by local laws and regulations. Each regulation has its own set of controls for protecting data so those would have to be applied- for example, some regulations might require personal data to be encrypted with AES-256 while in storage.

Does the organization have a process to identify and appropriately classify personal data?

18.1.4.2 ^*

This refers to identifying personal data like GDPR data or any other classification types as required by local laws and regulations. Each regulation has its own set of controls for protecting data so those would have to be applied- for example, some regulations might require personal data to be encrypted with AES-256 while in storage.

Does the organization have processes in place to protect personal data in accordance with relevant legislation?

18.1.5 Regulation of cryptographic controls

18.1.5.1 ^*

Please refer to the encryption example above.

Does the organization have processes in place to protect security controls involving the use of cryptography in accordance with all relevant agreements, legislation and regulations?

18.2 Information security reviews

18.2.1 Independent review of information security

18.2.1.1 ^*

Independent reviews here refer to both internal and external audits. An external audit can refer to the 27001 audits itself and internal audit functions are also present in most organizations. The word independent refers to the fact that the audit function should report independently to the board (for example) and not to the CISO.

Does the organization conduct regular independent reviews of its Information Security program including all controls and are the practices also subject to independent reviews?

18.2.2 Compliance with security policies and standards

18.2.2.1 ^*

Examples of these include whether their direct reports have completed security awareness training on time, whether Developers have completed Secure SDLC training, etc.

Does the organization require managers to regularly review compliance with policy and procedures within their area of responsibility?

18.2.2.2 ^*

Examples of these include whether their direct reports have completed security awareness training on time, whether Developers have completed Secure SDLC training, etc.

Does the organization maintain records of these reviews?

18.2.3 Technical compliance review

18.2.3.1 ^*

These include regular control monitoring and keeping evidence. For example, patching all critical vulnerabilities within 30 days, and keeping evidence of the logs. Another example could be regular access control reviews for critical rights and permissions.

Does the organization regularly conduct technical compliance reviews of its information systems?

ISO 27001

Details