ISMS Certification Readiness Recheck Questionnaire
3 Scope of the ISMS
a. Have the boundaries and applicability of the ISMS been determined to establish its scope, taking into consideration the external and internal issues, the requirements of interested parties and the interfaces and dependencies with other organizations?
   Answer: YES. Remarks: Reviewed and approved ISMS Scope is in place.
b. Is the scope of the ISMS documented?
   Answer: YES.
4 Leadership and management commitment
Is the organization's leadership and commitment to the ISMS demonstrated by:
• Establishing the information security policy and objectives, in consideration of the strategic direction of the organization, and in promotion of continual improvement?
   Answer: YES. Remarks: Information Security Policy and Objectives are in place and displayed in photo frames on all floors.
• Ensuring the integration of the ISMS requirements into its business processes?
   Answer: YES. Remarks: Ongoing process.
• Ensuring resources are available for the ISMS, and directing and supporting individuals, including management, who contribute to its effectiveness?
   Answer: YES. Remarks: Funds are available when requested; manpower is available; information assets are also in place.
• Communicating the importance of effective information security and conformance to ISMS requirements?
   Answer: YES. Remarks: ISMS awareness was carried out by the ISMS consultants: weekly awareness via email, monthly awareness at the General Staff meeting, ISMS Implementation Refresher Training was conducted, and the ISMS Policies Awareness Program was conducted via KYP.
5 Information security policy
a. Is there an established information security policy that is appropriate, gives a framework for setting objectives, and demonstrates commitment to meeting requirements and for continual improvement?
   Answer: YES. Remarks: Information Security Policy is maintained.
b. Is the policy documented and communicated to employees and relevant interested parties?
   Answer: YES. Remarks: Communicated to all team members.
6 Roles and responsibilities
Are the roles within the ISMS clearly defined and communicated?
   Answer: YES. Remarks: In place.
Are the responsibilities and authorities for conformance and reporting on ISMS performance assigned?
   Answer: YES. Remarks: As stated in the job descriptions (JDs).
11 ISMS resources and competence
a. Is the ISMS adequately resourced?
   Answer: YES. Remarks: Funds are made available when requested; manpower and information assets are in place.
b. Is there a process defined and documented for determining competence for ISMS roles?
   Answer: YES. Remarks: Competence Profile is in place.
c. Are those undertaking ISMS roles competent, and is this competence documented appropriately?
   Answer: YES. Remarks: Competency Profile is in place.
12 Awareness and communication
a. Is everyone within the organization's control aware of the importance of the information security policy, their contribution to the effectiveness of the ISMS and the implications of not conforming?
   Answer: YES. Remarks: Still ongoing.
b. Has the organization determined the need for internal and external communications relevant to the ISMS, including what to communicate, when, with whom, and who by, and the processes by which this is achieved?
   Answer: YES. Remarks: SOP available (Communication and Awareness).
15 Monitoring, measurement and evaluation
a. Is the information security performance and effectiveness of the ISMS evaluated?
   Answer: YES. Remarks: ISMS Management Review Meeting held December 2020.
b. Has it been determined what needs to be monitored and measured, when, by whom, the methods to be used, and when the results will be evaluated?
   Answer: YES. Remarks: ISO Performance Evaluation and Improvement Procedure; ISMS Improvement Plan.
c. Is documented information retained as evidence of the results of monitoring and measurement?
   Answer: YES. Remarks: All audit records, monthly activity reports and compliance check reports are maintained.
16 Internal audit
1. Are internal audits conducted periodically to check that the ISMS is effective and conforms to both ISO/IEC 27001:2013 and the organization's requirements?
   Answer: YES. Remarks: ISMS Internal Audit held 9th to 11th December 2020; ISMS Internal Audit held 27th to 28th May 2021.
2. Are the audits conducted by an appropriate method and in line with an audit programme based on the results of risk assessments and previous audits?
   Answer: YES.
3. Are results of audits reported to management, and is documented information about the audit programme and audit results retained?
   Answer: YES.
4. Where non-conformities are identified, are they subject to corrective action (see section 18)?
   Answer: YES.
18 Corrective action and continual improvement
a. Have actions to control, correct and deal with the consequences of non-conformities been identified?
   Answer: YES. Remarks: ISO Standards Performance and Improvement Procedure.
b. Has the need for action been evaluated to eliminate the root cause of non-conformities to prevent recurrence?
   Answer: YES.
c. Have any actions identified been implemented and reviewed for effectiveness, and given rise to improvements to the ISMS?
   Answer: YES.
d. Is documented information retained as evidence of the nature of non-conformities, actions taken and the results?
   Answer: YES. Remarks: Audit NCAR Form.
w. Is there separation of development, testing and operational environments?
   Answer: YES.
x. Is there protection against malware?
   Answer: YES.
y. Are information, software and systems subject to back up and regular testing?
   Answer: YES. Remarks: Backup arrangement is in place.
z. Are there controls in place to log events and generate evidence?
   Answer: YES. Remarks: Log events are in place and accessible.
a. Is the implementation of software on operational systems controlled, and are there rules governing the installation of software by users?
   Answer: YES. Remarks: Software installation is controlled and managed by the domain controller.
b. Is information about technical vulnerabilities obtained and appropriate measures taken to address risks?
   Answer: YES. Remarks: Vulnerabilities are evaluated and controlled.
c. Are networks managed, segregated when necessary, and controlled to protect information systems, and are network services subject to service agreements?
   Answer: YES.
d. Are there policies and agreements to maintain the security of information transferred within or outside of the organization?
   Answer: YES. Remarks: Information Transfer Policy.
e. Are information security requirements for information systems defined, and is information passing over public networks and application service transactions protected?
   Answer: YES. Remarks: A firewall is maintained to protect information transport between our network and the public network.
f. Are systems and rules for the development of software established and changes to systems within the development lifecycle formally controlled?
   Answer: YES. Remarks: Changes during development are managed by the Head of IT; changes after development require management approval.
g. Are business critical applications reviewed and tested after changes to operating system platforms and are there restrictions to changes to software packages?
   Answer: N/A. Remarks: We have not changed the operating system platform since ISMS implementation commenced.
h. Have secure engineering principles been established and are they maintained and implemented, including secure development environments, security testing, the use of test data and system acceptance testing?
   Answer: YES. Remarks: System Acquisition, Development and Maintenance Policy; there is provision for software testing.
i. Is outsourced software development supervised and monitored?
   Answer: YES. Remarks: No outsourced development (IT's comment is required).
j. Are there policies and agreements in place to protect information assets that are accessible to suppliers, and is the agreed level of information security and service delivery monitored and managed, including changes to provision of services?
   Answer: YES. Remarks: Agreements or MOUs have been signed with vendors; Information Security for Suppliers Relationships; SLAs are in place.
k. Is there a consistent approach to the management of security incidents and weaknesses, including assignment of responsibilities, reporting, assessment, response, analysis and collection of evidence?
   Answer: YES. Remarks: Situational.
l. Is information security continuity embedded within the business continuity management system, including determination of requirements in adverse situations, procedures and controls, and verification of effectiveness?
   Answer: YES. Remarks: Business Continuity Management Policy 2; Crisis Management Policy; Fire & Safety Policy; Document Management and Business Continuity Policy.
m. Are information processing facilities implemented with redundancy to meet availability requirements?
   Answer: YES. Remarks: Not applicable at this time.
n. Have all legislative, statutory, regulatory and contractual requirements and the approach to meeting these requirements been defined for each information system and the organization, including but not limited to procedures for intellectual property rights, protection of records, privacy and protection of personal information and regulation of cryptographic controls?
   Answer: YES. Remarks: Legal and Contractual Requirement Policy; Intellectual Property Right Policy; Encryption Policy.
o. Is there an independent review of information security?
   Answer: YES. Remarks: C&A commenced department ISMS review.
p. Do managers regularly review the compliance of information processing and procedures within their areas of responsibility?
   Remarks: ISMS Compliance Check Sheet is in place.
q. Are information systems regularly reviewed for technical and compliance with policies and standards
   Remarks: Ongoing by C&A.