ISMS Certification Readiness Recheck Questionnaire

ISMS SELF-ASSESSMENT QUESTIONNAIRE FOR ISMS IMPLEMENTATION PROGRAM AS AT MAY 28, 2021

Columns: S/N, CLAUSE, REQUIREMENT, YES/NO, RECOMMENDATION/REMARKS
1. The organization and its context
   Requirement: Have the internal and external issues that are relevant to the ISMS, and that impact on the achievement of its expected outcome, been determined?
      Yes/No: YES
      Remarks: Signed copy in place. a. Purpose and Context of the Organization, Organization's Risk and Opportunities.

2. Needs and expectations of interested parties
   a. Has the organization determined the interested parties that are relevant to the ISMS?
      Yes/No: YES
      Remarks: Signed copy is in place.
   b. Have the requirements of these interested parties been determined, including legal, regulatory and contractual requirements?
      Yes/No: YES

3. Scope of the ISMS
   a. Have the boundaries and applicability of the ISMS been determined to establish its scope, taking into consideration the external and internal issues, the requirements of interested parties and the interfaces and dependencies with other organizations?
      Yes/No: YES
      Remarks: Reviewed and approved ISMS Scope is in place.
   b. Is the scope of the ISMS documented?
      Yes/No: YES

4. Leadership and management commitment
   Is the organization's leadership and commitment to the ISMS demonstrated by:
   • Establishing the information security policy and objectives, in consideration of the strategic direction of the organization, and in promotion of continual improvement?
      Yes/No: YES
      Remarks: Information Security Policy and Objective is in place and in photo frames available on all floors.
   • Ensuring the integration of the ISMS requirements into its business processes?
      Yes/No: YES
      Remarks: Ongoing process.
   • Ensuring resources are available for the ISMS, and directing and supporting individuals, including management, who contribute to its effectiveness?
      Yes/No: YES
      Remarks: Funds are available when requested. Manpower is available. Information assets are also in place.
   • Communicating the importance of effective information security and conformance to ISMS requirements?
      Yes/No: YES
      Remarks: ISMS awareness was carried out by the ISMS Consultants; weekly awareness via email; monthly awareness at the General Staff meeting; ISMS Implementation Refresher Training was conducted; and the ISMS Policies awareness programme was conducted via KYP.
5. Information security policy
   a. Is there an established information security policy that is appropriate, gives a framework for setting objectives, and demonstrates commitment to meeting requirements and for continual improvement?
      Yes/No: YES
      Remarks: Information Security Policy is maintained.
   b. Is the policy documented and communicated to employees and relevant interested parties?
      Yes/No: YES
      Remarks: Communicated to all team members.

6. Roles and responsibilities
   a. Are the roles within the ISMS clearly defined and communicated?
      Yes/No: YES
      Remarks: In place.
   b. Are the responsibilities and authorities for conformance and reporting on ISMS performance assigned?
      Yes/No: YES
      Remarks: As stated in the JDs.

7. Risks and opportunities of ISMS implementation
   a. Have the internal and external issues, and the requirements of interested parties, been considered to determine the risks and opportunities that need to be addressed to ensure that the ISMS achieves its outcome, that undesired effects are prevented or reduced, and that continual improvement is achieved?
      Yes/No: YES
      Remarks: SOP available. Purpose and Context of the Organization, Organization's Risk and Opportunities Procedure is in place.
   b. Have actions to address risks and opportunities been planned, and integrated into the ISMS processes, and are they evaluated for effectiveness?
      Yes/No: YES
      Remarks: RTP and RTP Monitoring.

8. Information security risk assessment
   a. Has an information security risk assessment process that establishes the criteria for performing information security risk assessments, including risk acceptance criteria, been defined?
      Yes/No: YES
      Remarks: As documented in RM Supplementary (ISMS) Process Manual and Risk Management Process.
   b. Is the information security risk assessment process repeatable and does it produce consistent, valid and comparable results?
      Yes/No: YES
      Remarks: Quarterly.
   c. Does the information security risk assessment process identify risks associated with loss of confidentiality, integrity and availability for information within the scope of the ISMS, and are risk owners identified?
      Yes/No: YES
      Remarks: Risk Assessment Report.
   d. Are information security risks analyzed to assess the realistic likelihood and potential consequences that would result, if they were to occur, and have the levels of risk been determined?
      Yes/No: YES
   e. Are information security risks compared to the established risk criteria and prioritized?
      Yes/No: YES
      Remarks: As documented in RM Supplementary (ISMS) Process Manual and Risk Management Process.
   f. Is documented information about the information security risk assessment process available?
      Yes/No: YES

9. Information security risk treatment
   a. Is there an information security risk treatment process to select appropriate risk treatment options for the results of the information security risk assessment, and are controls determined to implement the risk treatment option chosen?
      Yes/No: YES
      Remarks: As documented in RM Supplementary (ISMS) Process Manual and Risk Management Process.
   b. Have the controls determined been compared with ISO/IEC 27001:2013 Annex A to verify that no necessary controls have been missed?
      Yes/No: YES
   c. Has a Statement of Applicability been produced to justify Annex A exclusions and inclusions, together with the control implementation status?
      Yes/No: YES
      Remarks: Last reviewed Feb, 2021.
   d. Has an information security risk treatment plan been formulated and approved by risk owners, and have residual information security risks been authorized by risk owners?
      Yes/No: YES
      Remarks: RTP.
   e. Is documented information about the information security risk treatment process available?
      Yes/No: YES
      Remarks: As documented in RM Supplementary (ISMS) Process Manual and Risk Management Process.

10. Information security objectives and planning to achieve them
   a. Have measurable ISMS objectives and targets been established, documented and communicated throughout the organization?
      Yes/No: YES
      Remarks: As documented in ISMS Department Objectives.
   b. In setting its objectives, has the organization determined what needs to be done, when and by whom?
      Yes/No: YES
      Remarks: In place and communicated to concerned parties (Information Security Objective Plan for CBS).

11. ISMS resources and competence
   a. Is the ISMS adequately resourced?
      Yes/No: YES
      Remarks: Funds are made available when requested. Manpower and information assets are in place.
   b. Is there a process defined and documented for determining competence for ISMS roles?
      Yes/No: YES
      Remarks: Competence Profile is in place.
   c. Are those undertaking ISMS roles competent, and is this competence documented appropriately?
      Yes/No: YES
      Remarks: Competency Profile is in place.

12. Awareness and communication
   a. Is everyone within the organization's control aware of the importance of the information security policy, their contribution to the effectiveness of the ISMS and the implications of not conforming?
      Yes/No: YES
      Remarks: Still ongoing.
   b. Has the organization determined the need for internal and external communications relevant to the ISMS, including what to communicate, when, with whom, and who by, and the processes by which this is achieved?
      Yes/No: YES
      Remarks: SOP available (Communication and Awareness).

13. Documented information
   a. Has the organization determined the documented information necessary for the effectiveness of the ISMS?
      Yes/No: YES
   b. Is the documented information in the appropriate format, and has it been identified, reviewed and approved for suitability?
      Yes/No: YES
      Remarks: Authorization gotten.
   c. Is the documented information controlled such that it is available and adequately protected, distributed, stored, retained and under change control, including documents of external origin required by the organization for the ISMS?
      Yes/No: YES
      Remarks: Appropriate controls in place.

14. Operational planning and control
   a. Has a programme to ensure the ISMS achieves its outcomes, requirements and objectives been developed and implemented?
      Yes/No: YES
      Remarks: ISMS Plan and Programme is available.
   b. Is documented evidence retained to demonstrate that processes have been carried out as planned?
      Yes/No: YES
      Remarks: Monthly Activity Report submitted for February 2020.
   c. Are changes planned and controlled, and unintended changes reviewed to mitigate any adverse results?
      Yes/No: YES
      Remarks: Change document is used.
   d. Have outsourced processes been determined and are they controlled?
      Yes/No: YES
      Remarks: No outsourced processes.
   e. Are information security risk assessments performed at planned intervals or when significant changes occur, and is documented information retained?
      Yes/No: YES
      Remarks: Quarterly.
   f. Has the information security risk treatment plan been implemented and documented information retained?
      Yes/No: YES
      Remarks: In place.

15. Monitoring, measurement and evaluation
   a. Is the information security performance and effectiveness of the ISMS evaluated?
      Yes/No: YES
      Remarks: ISMS Management Review Meeting held December 2020.
   b. Has it been determined what needs to be monitored and measured, when, by whom, the methods to be used, and when the results will be evaluated?
      Yes/No: YES
      Remarks: ISO Performance Evaluation and Improvement Procedure; ISMS Improvement Plan.
   c. Is documented information retained as evidence of the results of monitoring and measurement?
      Yes/No: YES
      Remarks: All audit records, Monthly Activity Reports and compliance check reports are maintained.

16. Internal audit
   1. Are internal audits conducted periodically to check that the ISMS is effective and conforms to both ISO/IEC 27001:2013 and the organization's requirements?
      Yes/No: YES
      Remarks: ISMS Internal Audit held 9th – 11th December 2020; ISMS Internal Audit held 27th – 28th May 2021.
   2. Are the audits conducted by an appropriate method and in line with an audit programme based on the results of risk assessments and previous audits?
      Yes/No: YES
   3. Are results of audits reported to management, and is documented information about the audit programme and audit results retained?
      Yes/No: YES
   4. Where non-conformities are identified, are they subject to corrective action (see section 18)?
      Yes/No: YES

17. Management review
   a. Do top management undertake a periodic review of the ISMS?
      Yes/No: YES
      Remarks: Conducted in December 2020.
   b. Does the output from the ISMS management review identify changes and improvements?
      Yes/No: YES
   c. Are the results of the management review documented, acted upon and communicated to interested parties as appropriate?
      Yes/No: YES

18. Corrective action and continual improvement
   a. Have actions to control, correct and deal with the consequences of non-conformities been identified?
      Yes/No: YES
      Remarks: ISO Standards Performance and Improvement Procedure.
   b. Has the need for action been evaluated to eliminate the root cause of non-conformities to prevent recurrence?
      Yes/No: YES
   c. Have any actions identified been implemented and reviewed for effectiveness and given rise to improvements to the ISMS?
      Yes/No: YES
   d. Is documented information retained as evidence of the nature of non-conformities, actions taken and the results?
      Yes/No: YES
      Remarks: Audit NCAR Form.

19. Security controls
   Security controls – as applicable, based on the results of your information security risk assessment.
   a. Are information security policies that provide management direction defined and regularly reviewed?
      Yes/No: YES
      Remarks: ISMS Policies.
   b. Has a management framework been established to control the implementation and operation of security within the organization, including assignment of responsibilities and segregation of conflicting duties?
      Yes/No: YES
      Remarks: Segregation of Duties Guidelines is in place.
   c. Are appropriate contacts with authorities and special interest groups maintained?
      Yes/No: YES
      Remarks: Courteville Business Solutions Contacts with Interest Groups Inventory.
   d. Is information security addressed in projects?
      Yes/No: YES
      Remarks: Risks are looked at during project development.
   e. Is there a mobile device policy and teleworking policy in place?
      Yes/No: YES
      Remarks: Available.
   f. Are human resources subject to screening, and do they have terms and conditions of employment defining their information security responsibilities?
      Yes/No: YES
      Remarks: Exclusivity Agreement has been updated to accommodate information security. Terms and conditions of employment are found in employment letters.
   g. Are employees required to adhere to the information security policies and procedures, provided with awareness, education and training, and is there a disciplinary process?
      Yes/No: YES
      Remarks: a. Know Your Policies session is ongoing. b. Disciplinary Committee is constituted as and when necessary.
   h. Are the information security responsibilities and duties communicated and enforced for employees who terminate or change employment?
      Yes/No: YES
      Remarks: a. Signed Exclusivity Agreement is in place.
   i. Is there an inventory of assets associated with information and information processing, have owners been assigned, and are rules for acceptable use of assets and return of assets defined?
      Yes/No: YES
      Remarks: a. Information Assets Inventory available with Admin Department. b. Acceptable Use Policy is in place. c. Information Assets Management Policy is in place.
   j. Is information classified and appropriately labelled, and have procedures for handling assets in accordance with their classification been defined?
      Yes/No: YES
      Remarks: As documented in the Procedure for the Control of Documented Information.
   k. Are there procedures for the removal, disposal and transit of media containing information?
      Yes/No: YES
      Remarks: Information Security Transfer Policy.
   l. Has an access control policy been defined and reviewed, and is user access to the network controlled in line with the policy?
      Yes/No: YES
      Remarks: Access Control and Password Policy. Access is being controlled by IT.
   m. Is there a formal user registration process assigning and revoking access and access rights to systems and services, and are access rights regularly reviewed, and removed upon termination of employment?
      Yes/No: YES
      Remarks: a. Access rights are removed as soon as notification is gotten from HRM. b. Authorized processors' activation and deactivation requests are in place.
   n. Are privileged access rights restricted and controlled, and is secret authentication information controlled, and users made aware of the practices for use?
      Yes/No: YES
      Remarks: In place. Training is conducted.
   o. Is access to information restricted in line with the access control policy, and is access controlled via a secure log-on procedure?
      Yes/No: YES
      Remarks: Access control is in place to address this.
   p. Are password management systems interactive and do they enforce a quality password?
      Yes/No: YES
      Remarks: Password management is in place with password quality management enforcement.
   q. Is the use of utility programs and access to program source code restricted?
      Yes/No: YES
      Remarks: Access to source codes are managed by the Head, IT who authorized ac
   r. Is there a policy for the use of cryptography and key management?
      Yes/No: YES
      Remarks: Encryption Policy.
   s. Are there policies and controls to prevent unauthorized physical access and damage to information and information processing facilities?
      Yes/No: YES
      Remarks: Physical and Environment Security Policy.
   t. Are there policies and controls in place to prevent loss, damage, theft or compromise of assets and interruptions to operations?
      Yes/No: YES
      Remarks: Information Asset Management Policy.
   u. Are operating procedures documented and are changes to the organization, business processes and information systems controlled?
      Yes/No: YES
      Remarks: Change Management Process.
   v. Are resources monitored and projections made of future capacity requirements?
      Yes/No: YES
      Remarks: Projections are made at the budget session. Funds usage is monitored by ICD to ensure it is in line with the approved budget. Extra-budgetary approval is sought if the request exceeds the budget.
   w. Is there separation of development, testing and operational environments?
      Yes/No: YES
      Remarks: Yes.
   x. Is there protection against malware?
      Yes/No: YES
      Remarks: Windows Defender is in place and supported with a firewall.
   y. Are information, software and systems subject to back up and regular testing?
      Yes/No: YES
      Remarks: Backup arrangement is in place.
   z. Are there controls in place to log events and generate evidence?
      Yes/No: YES
      Remarks: Log events are in place and accessible.
   a. Is the implementation of software on operational systems controlled, and are there rules governing the installation of software by users?
      Yes/No: YES
      Remarks: Software installation is controlled and managed by the domain controller.
   b. Is information about technical vulnerabilities obtained and appropriate measures taken to address risks?
      Yes/No: YES
      Remarks: Vulnerabilities are evaluated and controlled.
   c. Are networks managed, segregated when necessary, and controlled to protect information systems, and are network services subject to service agreements?
      Yes/No: YES
   d. Are there policies and agreements to maintain the security of information transferred within or outside of the organization?
      Yes/No: YES
      Remarks: Information Transfer Policy.
   e. Are information security requirements for information systems defined and is information passing over public networks and application service transactions protected?
      Yes/No: YES
      Remarks: Firewall is maintained to protect information transport between our network and the public network.
   f. Are systems and rules for the development of software established and changes to systems within the development lifecycle formally controlled?
      Yes/No: YES
      Remarks: Yes. Changes during development are managed by the Head, IT, and changes after development require management approval.
   g. Are business critical applications reviewed and tested after changes to operating system platforms and are there restrictions to changes to software packages?
      Yes/No: YES
      Remarks: We have not changed operating system platform since ISMS implementation commenced.
   h. Have secure engineering principles been established and are they maintained and implemented, including secure development environments, security testing, the use of test data and system acceptance testing?
      Yes/No: YES
      Remarks: System Acquisition, Development and Maintenance Policy. There is provision for software testing.
   i. Is outsourced software development supervised and monitored?
      Yes/No: YES
      Remarks: N/A. No outsourced development (IT's comment is required).
   j. Are there policies and agreements in place to protect information assets that are accessible to suppliers, and is the agreed level of information security and service delivery monitored and managed, including changes to provision of services?
      Yes/No: YES
      Remarks: Agreements or MOUs have been signed with vendors. Information Security for Supplier Relationships. SLAs are in place.
   k. Is there a consistent approach to the management of security incidents and weaknesses, including assignment of responsibilities, reporting, assessment, response, analysis and collection of evidence?
      Yes/No: YES
      Remarks: Situational.
   l. Is information security continuity embedded within the business continuity management system, including determination of requirements in adverse situations, procedures and controls, and verification of effectiveness?
      Yes/No: YES
      Remarks: Business Continuity Management Policy 2; Crisis Management Policy; Fire & Safety Policy; Document Management and Business Continuity Policy.
   m. Are information processing facilities implemented with redundancy to meet availability requirements?
      Yes/No: YES
      Remarks: Not applicable at this time.
   n. Have all legislative, statutory, regulatory and contractual requirements and the approach to meeting these requirements been defined for each information system and the organization, including but not limited to procedures for intellectual property rights, protection of records, privacy and protection of personal information and regulation of cryptographic controls?
      Yes/No: YES
      Remarks: Legal and Contractual Requirement Policy; Intellectual Property Right Policy; Encryption Policy.
   o. Is there an independent review of information security?
      Yes/No: YES
      Remarks: C&A commenced department ISMS review.
   p. Do managers regularly review the compliance of information processing and procedures within their areas of responsibility?
      Yes/No: YES
      Remarks: ISMS Compliance Check Sheet is in place.
   q. Are information systems regularly reviewed for technical compliance with policies and standards?
      Yes/No: YES
      Remarks: Ongoing by C&A.
