ISO 27001:2013 Gap Analysis
Ask yourselves the following questions to assess your progress towards achieving ISO 27001:2013 certification.
Do we have and maintain the following documentation and records?
These are the mandatory documents:
Scope of the ISMS (clause 4.3)
Information security policy and objectives (clauses 5.2 and 6.2)
Risk assessment and risk treatment methodology (clause 6.1.2)
Statement of Applicability (clause 6.1.3 d)
Risk treatment plan (clauses 6.1.3 e and 6.2)
Risk assessment report (clause 8.2)
Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
Inventory of assets (clause A.8.1.1)
Acceptable use of assets (clause A.8.1.3)
Access control policy (clause A.9.1.1)
Operating procedures for IT management (clause A.12.1.1)
Secure system engineering principles (clause A.14.2.5)
Supplier security policy (clause A.15.1.1)
Incident management procedure (clause A.16.1.5)
Business continuity procedures (clause A.17.1.2)
Statutory, regulatory, and contractual requirements (clause A.18.1.1)
And here are the mandatory records:
Records of training, skills, experience and qualifications (clause 7.2)
Monitoring and measurement results (clause 9.1)
Internal audit program (clause 9.2)
Results of internal audits (clause 9.2)
Results of the management review (clause 9.3)
Results of corrective actions (clause 10.1)
Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
Do we comply? Y/N
7.2 Competence
20. Is the competence of personnel whose work can affect information security assessed, and training provided where needed? Are records of competence maintained?
7.3 Awareness
21. Are personnel aware of the Information Security Policy, of their role, and of the consequences of not complying with the rules?
7.4 Communication
22. Is there a process for communication related to information security, defining what to communicate, to whom, when, and who is responsible?
7.5 Documented Information
23. Does the documentation of the ISMS include the Information Security Policy, objectives and targets, the scope of the ISMS, the main elements and their interaction, the documents and records required by ISO 27001, and those identified by the company as necessary?
24. Is there a process for managing documents and records, including who reviews and approves documents, and where and how they are published, stored, and protected?
25. Is documented information of external origin controlled?
8.0 OPERATIONS
8.1 Operational Planning And Control
26. Does the organisation have the necessary documented information to be confident that its
processes are being carried out as planned?
27. Are planned changes controlled? Are the consequences of unplanned changes reviewed so that mitigating actions can be taken where necessary?
28. Are outsourced processes identified and controlled?
8.2 Information Security Risk Assessment
29. Are the risks, their owners, likelihood, consequences, and resulting level of risk identified? Are these results documented?
8.3 Information Security Risk Treatment
30. Does a risk treatment plan exist, approved by risk owners?
31. Is there a documented list of all controls deemed necessary (the Statement of Applicability), with justification for each inclusion or exclusion and its implementation status?
9.0 PERFORMANCE EVALUATION
9.1 Monitoring, Measurement, Analysis And Evaluation
32. Is it defined what needs to be measured, by which method, who is responsible, and who will analyse and evaluate the results?
33. Are the results of measurement documented, analysed, and evaluated by responsible persons?
9.2 Internal Audit
34. Does an audit program exist that defines the timing, responsibilities, reporting, audit criteria,
and scope?
35. Are internal audits performed according to an audit program, results reported through an
internal audit report, and relevant corrective actions raised?
9.3 Management Review
36. Is management review regularly performed, and are the results documented in minutes of the
meeting?
37. Does management decide on all issues crucial to the success of the ISMS?
10.0 IMPROVEMENT
10.1 Nonconformity And Corrective Action
38. Does the organisation react to every nonconformity?
39. Does the organisation consider eliminating the cause of the nonconformity and, where
appropriate, take corrective action?
40. Are all nonconformities recorded, together with corrective actions?
10.2 Continual Improvement
41. Is the ISMS continuously adjusted to maintain its suitability, adequacy, and effectiveness?
ANNEX A.
(Note: only the controls marked as applicable in the Statement of Applicability need to be
implemented.)
A.5 INFORMATION SECURITY POLICIES
42. Are there published policies, approved by management, to support information security?
43. Are information security policies reviewed and updated?
A.6 ORGANISATION OF INFORMATION SECURITY
44. Are all information security responsibilities defined?
45. Are duties and responsibilities properly segregated considering situations of conflict of interest?
46. Are contacts with relevant authorities defined?
47. Are contacts with special interest groups or professional associations defined?
48. Do projects consider information security aspects?
49. Are rules for secure handling of mobile devices defined?
50. Are there rules defining how the organisation's information is protected at teleworking sites?
A.7 HUMAN RESOURCES SECURITY
51. Does the organisation perform background checks on candidates for employment or for
contractors?
52. Are there agreements with employees and contractors that specify information security
responsibilities?
53. Is management actively requiring all employees and contractors to comply with information
security rules?
54. Do employees and contractors receive training that helps them perform their security duties, and do awareness programmes exist?
55. Does the organisation have a formal disciplinary process?
56. Are there agreements covering information security responsibilities that remain valid after the termination of employment?
A.8 ASSET MANAGEMENT
57. Does an inventory of assets exist?
58. Does every asset in the inventory of assets have a designated owner?
59. Are rules for handling of information and assets defined?
60. Are company assets returned by employees and contractors when their employment is
terminated?
62. Are there procedures which define how to label and handle classified information?
63. Are there procedures which define how to handle assets?
64. Are there procedures which define how to handle removable media in line with the classification rules?
65. Are there formal procedures for disposing of the media?
66. Is the media that contains sensitive information protected during transportation?
A.9 ACCESS CONTROL
67. Is there an access control policy?
68. Do users have access only to the resources they are authorised to use?
69. Are access rights provided via a formal registration process?
70. Is there a formal process for provisioning and revoking access to information systems?
71. Are privileged access rights managed with special care?
72. Are passwords and other secret authentication information provided in a secure way?
73. Do asset owners periodically review access rights, including privileged access rights?
74. Are access rights updated when there is a change in the user's situation (e.g. organisational change or termination)?
75. Are there rules for users on how to protect passwords and other authentication information?
76. Is the access to information in systems restricted according to the access control policy?
77. Is secure log-on required on systems according to the Access Control Policy?
78. Do the password management systems used by the organisation help users to securely manage their authentication information?
79. Is the use of privileged utility programs controlled and limited to specific authorised employees?
80. Is the access to source code restricted to authorised persons?
A.10 CRYPTOGRAPHY
81. Does a policy exist to regulate the use of encryption and other cryptographic controls?
82. Are cryptographic keys properly protected throughout their lifecycle?
A.11 PHYSICAL AND ENVIRONMENTAL SECURITY
83. Do secure areas that protect sensitive information exist?
117. Are messages exchanged over networks (electronic messaging) properly protected?
118. Does the organisation identify all the confidentiality clauses that need to be included in agreements with third parties?
A.14 SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE
119. Are security requirements defined for new information systems, or for any changes to them?
120. Is application information transferred through public networks appropriately protected?
121. Is transaction information transferred through the public networks appropriately protected?
122. Are rules for the secure development of software and systems defined?
123. Are changes to new or existing systems properly controlled?
124. Are critical applications properly tested after changes made in operating systems?
125. Are only necessary changes performed to information systems?
126. Are principles for engineering secure systems applied to the organisation's system development process?
127. Is the development environment properly secured?
128. Is the outsourced development of systems monitored?
129. Is the implementation of security requirements tested during system development?
130. Are criteria for accepting the systems defined?
131. Are test data carefully selected and protected?
A.15 SUPPLIER RELATIONSHIPS
132. Is there a policy on how to treat the risks related to suppliers and partners?
133. Are relevant security requirements included in the agreements with suppliers and partners?
134. Do agreements with suppliers address the information security risks of the ICT services and product supply chain?
135. Are suppliers regularly monitored?
136. Do changes to arrangements and contracts with suppliers and partners take into account the associated risks and existing processes?
A.16 INFORMATION SECURITY INCIDENT MANAGEMENT
137. Are responsibilities and procedures for managing incidents established?
138. Are information security events reported promptly through appropriate channels?
139. Are employees and contractors reporting on security weaknesses?
140. Are security events assessed and classified properly?
141. Are procedures on how to respond to incidents documented?
142. Are security incidents analyzed properly?
143. Do procedures exist which define how to collect evidence?
A.17 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT