
ISO 27001 Self Assessment Worksheet

© DQS Inc.
Section | Reference | Question | Status | Comments
Context of the organization | 4.1 | Has the organization determined its external and internal issues? | |
Context of the organization | 4.2 | Has the organization identified interested parties and their requirements? | |
Context of the organization | 4.3 | Has the organization defined the scope of the ISMS? | |
Context of the organization | 4.4 | Has the organization established an ISMS? | |
Leadership | 5.1 | Does senior management of the organization demonstrate leadership and commitment towards the ISMS? | |
Leadership | 5.2 | Does the ISMS policy establish criteria for evaluating risks? | |
Leadership | 5.3 | Has the organization defined roles, responsibilities and authorities for its personnel? | |
Planning | 6.1.1 | Has the organization considered the inputs from 4.1 and 4.2 above while defining the ISMS? | |
Planning | 6.1.2 | Has the organization defined an ISMS risk assessment process? | |
Planning | 6.1.3 | Has the organization defined an ISMS risk treatment process? | |
Planning | 6.2 | Has the organization defined ISMS objectives? | |
Support | 7.1 | Does the organization provide adequate resources for the ISMS? | |
Support | 7.2 | Does the organization provide training to develop the required competencies? | |
Support | 7.3 | Does the organization create awareness about the ISMS? | |
Support | 7.4 | Does the organization provide communication regarding the ISMS? | |
Support | 7.5 | Does the organization create and maintain documentation related to the ISMS? | |
Operations | 8.1 | Does the organization plan, implement and control the processes related to the ISMS? | |
Operations | 8.2 | Does the organization perform ISMS risk assessment using the process defined at 6.1.2? | |
Operations | 8.3 | Does the organization develop a risk treatment plan? | |
Performance evaluation | 9.1 | Does the organization measure the effectiveness of the ISMS? | |
Performance evaluation | 9.2 | Does the organization conduct internal ISMS audits? | |
Performance evaluation | 9.3 | Does senior management review the performance of the ISMS? | |
Improvements | 10.1 | Does the organization have a formal corrective action process to resolve nonconformities? | |
Improvements | 10.2 | Does the organization drive continual improvement of the ISMS? | |

Control objective | Control | Question | Status | Comments
Information security policies | A.5.1 | Does your organization have an ISMS policy which is approved by senior management? | |
Information security policies | A.5.2 | Does it get reviewed at planned intervals? | |
Organization of information security | A.6.1.1 | Are ISMS roles and responsibilities defined? | |
Organization of information security | A.6.1.2 | Has the organization implemented segregation of duties? | |
Organization of information security | A.6.1.3, A.6.1.4 | Does the organization have appropriate contacts with relevant authorities and special interest groups? | |
Organization of information security | A.6.1.5 | Does the organization manage security risks in projects? | |
Mobile device and teleworking | A.6.2.1 | Does the organization have a mobile device policy? | |
Mobile device and teleworking | A.6.2.2 | Does the organization have a teleworking policy? | |
HR security | A.7.1.1 | Does the organization conduct background screening before hiring? | |
HR security | A.7.1.2 | Do employees acknowledge the terms and conditions of employment? | |
HR security | A.7.2.2 | Does the organization provide security training to new hires? | |
HR security | A.7.2.1 | Does management instruct employees and contractors to comply with ISMS policies? | |
HR security | A.7.2.3 | Is there a disciplinary process to deal with policy violations? | |
HR security | A.7.3.1 | Does the organization have a process for managing separation or change of roles? | |
Asset management | A.8.1.1 | Has the organization established an asset inventory? | |
Asset management | A.8.1.2 | Is asset ownership assigned in the inventory? | |
Asset management | A.8.1.3 | Does the organization have an acceptable use policy? | |
Asset management | A.8.1.4 | Does the organization have a process for recovering assets from employees during separation? | |
Asset management | A.8.2.1 | Does the organization have an information classification policy? | |
Asset management | A.8.2.2, A.8.2.3 | Are assets labeled and handled according to their classification? | |
Asset management | A.8.3.1 | Does the organization control the use of removable media (e.g. USB keys)? | |
Asset management | A.8.3.3 | Does the organization protect removable media during transit? | |
Access control | A.9.1.1 | Does the organization have an access control policy? | |
Access control | A.9.1.2, A.9.2.1, A.9.2.2 | Does the organization have a process for creating new user accounts? | |
Access control | A.9.2.3 | Does the organization have a process for managing privileged users? | |
Access control | A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 | Does the organization have a password management and user authentication system? | |
Access control | A.9.2.5 | Do asset owners review user access rights at regular intervals? | |
Access control | A.9.2.6 | Does the organization have a process for removal or adjustment of user access rights? | |
Access control | A.9.4.1 | Does the organization restrict access to applications? | |
Access control | A.9.4.4 | Does the organization restrict the use of privileged utility programs? | |
Access control | A.9.4.5 | Does the organization restrict access to source code? | |
Cryptography | A.10.1.1, A.10.1.2 | Does the organization have an encryption and key management policy? | |
Physical and environmental security | A.11.1.1, A.11.1.2, A.11.1.3 | Does the organization restrict physical access to its facility? Are office rooms secured? | |
Physical and environmental security | A.11.1.4 | Does the organization have systems to protect against external and environmental threats? | |
Physical and environmental security | A.11.1.5 | Has the organization defined rules for working inside its facility? | |
Physical and environmental security | A.11.1.6 | Does the organization protect delivery and loading areas? | |
Physical and environmental security | A.11.2.1 | Does the organization have a process for equipment installation? | |
Physical and environmental security | A.11.2.2 | Does the organization have support utilities (UPS, generators)? | |
Physical and environmental security | A.11.2.3 | Does the organization provide a cabling guideline? | |
Physical and environmental security | A.11.2.4 | Does the organization periodically maintain equipment? | |
Physical and environmental security | A.11.2.5 | Does the organization control the removal of assets from the facility? | |
Physical and environmental security | A.11.2.6 | Is equipment secured when taken offsite? | |
Physical and environmental security | A.11.2.7, A.8.3.2 | Does the organization have a process for secure disposal or reuse of equipment? | |
Physical and environmental security | A.11.2.8, A.11.2.9 | Does the organization have a clear desk and clear screen policy? Do idle computer screens lock automatically? | |
Operations security | A.12.1.1 | Does the organization have documented operating procedures for IT operations? | |
Operations security | A.12.1.2, A.12.6.2, A.14.2.4 | Does the organization follow a change control process for managing changes to applications and infrastructure? | |
Operations security | A.12.1.3 | Does the organization monitor and manage the capacity of its IT infrastructure? | |
Operations security | A.12.2.1 | Does the organization have adequate protection against malware? | |
Operations security | A.12.3.1 | Are the organization's information systems regularly backed up? | |
Operations security | A.12.4.1, A.12.4.2, A.12.4.3 | Does the organization collect event logs, including system administrator activities? | |
Operations security | A.12.7.1 | Does the organization audit event logs? | |
Operations security | A.12.4.4 | Has the organization synchronized all system clocks with a common time source? | |
Operations security | A.12.6.1 | Does the organization run periodic scans to identify and remediate vulnerabilities? | |
Network security management | A.13.1.1, A.13.1.2 | Is the organization's network adequately protected against external threats? How are network services secured? | |
Network security management | A.13.1.3 | Does the organization use network segregation? | |
Network security management | A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4 | Does the organization sign information exchange agreements with external parties? These should cover software exchange, physical media exchange and electronic messaging. | |
Information system acquisition, development and maintenance | A.14.1.1, A.14.1.2, A.14.1.3 | Does the organization identify security requirements for new information systems, including protection of communication over public networks? | |
Information system acquisition, development and maintenance | A.14.2.1, A.14.2.5, A.14.2.6 | Does the organization have a secure development environment and follow secure system engineering principles? | |
Information system acquisition, development and maintenance | A.14.2.3, A.14.2.8, A.14.2.9 | Does the organization perform security reviews and security testing after application changes? | |
Information system acquisition, development and maintenance | A.14.2.7 | Does the organization monitor outsourced development activities? | |
Information system acquisition, development and maintenance | A.14.3.1 | Does the organization use production data for testing? If yes, does it protect sensitive information in the test data? | |
Supplier security management | A.15.1.1 | Does the organization have a security policy on supplier relationship management? | |
Supplier security management | A.15.1.2, A.15.1.3 | Do supplier agreements contain security requirements, including flow-down of requirements to next-level suppliers? | |
Supplier security management | A.15.2.1 | Does the organization regularly review supplier performance? | |
Supplier security management | A.15.2.2 | Does the organization manage changes to suppliers' services? | |
Information security incident management | A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.4, A.16.1.5 | Does the organization have a process for managing security events and responding to security incidents? | |
Information security incident management | A.16.1.6 | Does the organization collect lessons learned from security incidents? | |
Information security incident management | A.16.1.7 | Does the organization have a process for the collection and preservation of evidence from incidents for potential legal action? | |
Information security aspects of business continuity management | A.17.1.1, A.17.1.2 | Does the organization have a plan for continuity of information security during adverse situations? | |
Information security aspects of business continuity management | A.17.1.3 | Does the organization periodically test or review this plan? | |
Information security aspects of business continuity management | A.17.1.4 | Does the organization's infrastructure have sufficient redundancy to meet availability requirements? | |
Compliance | A.18.1.1, A.18.1.2, A.18.1.3, A.18.1.4, A.18.1.5 | Does the organization ensure compliance with regulatory requirements, including privacy and intellectual property? | |
Compliance | A.18.2.1, A.18.2.2, A.18.2.3 | Does the organization's ISMS undergo independent reviews? | |
