Gap Assessment Template ISO 27001 ISO 27002
Control identifiers referenced in this excerpt:
DCH-07.1 Custodians
IAO-02 Assessments
IAO-03 System Security Plans (SSP)
NET-14.5 Telecommuting
NET-16 Intranets
TDA-14 Developer Configuration Management
VPM-04 Continuous Vulnerability Remediation Activities
Control | Maturity level [score out of 5]
Mechanisms exist to facilitate the implementation of cybersecurity and privacy governance controls. | Performed Informally [1/5]
Mechanisms exist to establish, maintain and disseminate cybersecurity and privacy policies, standards and procedures. | Performed Informally [1/5]
Mechanisms exist to identify and document appropriate contacts within relevant law enforcement and regulatory bodies. | Performed Informally [1/5]
Mechanisms exist to establish contact with selected groups and associations within the cybersecurity & privacy communities to: | Performed Informally [1.5/5]
▪ Facilitate ongoing cybersecurity and privacy education and training for organizational personnel;
▪ Maintain currency with recommended cybersecurity and privacy practices, techniques and technologies; and
▪ Share current security-related information including threats, vulnerabilities and incidents.
Mechanisms exist to inventory system components that: | Planned & Tracked [2/5]
▪ Accurately reflects the current system;
▪ Is at the level of granularity deemed necessary for tracking and reporting;
▪ Includes organization-defined information deemed necessary to achieve effective property accountability; and
▪ Is available for review and audit by designated organizational officials.
Mechanisms exist to ensure compliance with software licensing restrictions. | Planned & Tracked [2.5/5]
Mechanisms exist to provide a security controls oversight function. | Performed Informally [1.5/5]
Mechanisms exist to utilize independent assessors at planned intervals or when the system, service or project undergoes significant changes. | Planned & Tracked [2.5/5]
Mechanisms exist to log and review the actions of users and/or services with elevated privileges. | Planned & Tracked [2/5]
Mechanisms exist to address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements. | Planned & Tracked [2/5]
Cryptographic mechanisms are utilized to protect the confidentiality of data being transmitted. | Planned & Tracked [2.5/5]
Cryptographic mechanisms are utilized to protect the integrity of data being transmitted. | Not Performed [0/5]
Mechanisms exist to utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected. | Not Performed [0/5]
Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations. | Performed Informally [1/5]
Mechanisms exist to require internal and third-party users to sign appropriate access agreements prior to being granted access. | Performed Informally [1/5]
Mechanisms exist to govern the termination of individual employment. | Performed Informally [1.5/5]
Mechanisms exist to securely manage passwords for users and devices. | Performed Informally [1/5]
Mechanisms exist to restrict and control privileged access rights for users and services. | Planned & Tracked [2.5/5]
Mechanisms exist to restrict and tightly control utility programs that are capable of overriding system and application controls. | Performed Informally [1/5]
Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions. | Performed Informally [1.5/5]
Mechanisms exist to perform digital forensics and maintain the integrity of the chain of custody. | Planned & Tracked [2.5/5]
Mechanisms exist to remotely purge selected information from mobile devices. | Performed Informally [1.5/5]
Mechanisms exist to develop, govern & update procedures to facilitate the implementation of network security controls. | Planned & Tracked [2/5]
Physical access control mechanisms are designed and implemented for offices, rooms and facilities. | Performed Informally [1/5]
Mechanisms exist to conduct a Business Impact Analysis (BIA). | Planned & Tracked [2.5/5]
Mechanisms exist to facilitate the implementation of security workforce development and awareness controls. | Planned & Tracked [2.5/5]
Mechanisms exist to limit privileges to change software resident within software libraries. | Planned & Tracked [2.5/5]
Mechanisms exist to identify and correct flaws related to the collection, usage, processing or dissemination of Personal Information (PI). | Performed Informally [1.5/5]
Mechanisms exist to conduct software patching for all deployed operating systems, applications, and firmware. | Planned & Tracked [2/5]
Assessment question followed by the recorded finding:

Does the organization establish, maintain and disseminate cybersecurity and privacy policies, standards and procedures?
- There is no evidence of a capability to establish, maintain and disseminate cybersecurity and privacy policies, standards and procedures.

Does the organization review cybersecurity and privacy policies, standards and procedures at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness?
- There is no evidence of a capability to review the cybersecurity and privacy program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

Does the organization assign a qualified individual with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and privacy program?
- There is no evidence of a capability to assign a qualified individual with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and privacy program.

Does the organization develop, report and monitor cybersecurity and privacy program measures of performance?
- There is no evidence of a capability to develop, report and monitor cybersecurity and privacy program measures of performance.

Does the organization identify and document appropriate contacts within relevant law enforcement and regulatory bodies?
- There is no evidence of a capability to identify and document appropriate contacts within relevant law enforcement and regulatory bodies.

Does the organization establish contact with selected groups and associations within the cybersecurity & privacy communities to:
▪ Facilitate ongoing cybersecurity and privacy education and training for organizational personnel;
▪ Maintain currency with recommended cybersecurity and privacy practices, techniques and technologies; and
▪ Share current security-related information including threats, vulnerabilities and incidents?
- There is no evidence of a capability to establish contact with selected groups and associations within the cybersecurity & privacy communities to:
▪ Facilitate ongoing cybersecurity and privacy education and training for organizational personnel;
▪ Maintain currency with recommended cybersecurity and privacy practices, techniques and technologies; and
▪ Share current security-related information including threats, vulnerabilities and incidents.

Does the organization inventory system components that:
▪ Accurately reflects the current system;
▪ Is at the level of granularity deemed necessary for tracking and reporting;
▪ Includes organization-defined information deemed necessary to achieve effective property accountability; and
▪ Is available for review and audit by designated organizational officials?
- There is no evidence of a capability to inventory system components that:
▪ Accurately reflects the current system;
▪ Is at the level of granularity deemed necessary for tracking and reporting;
▪ Includes organization-defined information deemed necessary to achieve effective property accountability; and
▪ Is available for review and audit by designated organizational officials.

Does the organization ensure compliance with software licensing restrictions?
- There is no evidence of a capability to ensure compliance with software licensing restrictions.

Does the organization conduct tests and/or exercises to determine the contingency plan's effectiveness and the organization's readiness to execute the plan?
- There is no evidence of a capability to conduct tests and/or exercises to determine the contingency plan's effectiveness and the organization's readiness to execute the plan.

Does the organization establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information?
- There is no evidence of a capability to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information.

Does the organization establish an alternate processing site that provides security measures equivalent to that of the primary site?
- There is no evidence of a capability to establish an alternate processing site that provides security measures equivalent to that of the primary site.

Does the organization create recurring backups of data, software and system images to ensure the availability of the data?
- There is no evidence of a capability to create recurring backups of data, software and system images to ensure the availability of the data.

Does the organization facilitate the implementation of capacity management controls to ensure optimal system performance for future capacity requirements?
- There is no evidence of a capability to facilitate the implementation of capacity management controls to ensure optimal system performance for future capacity requirements.

Does the organization test and document proposed changes in a non-production environment before changes are implemented in a production environment?
- There is no evidence of a capability to test and document proposed changes in a non-production environment before changes are implemented in a production environment.

Does the organization provide a security controls oversight function?
- There is no evidence of a capability to provide a security controls oversight function.

Does the organization plan audits that minimize the impact of audit activities on business operations?
- There is no evidence of a capability to plan audits that minimize the impact of audit activities on business operations.

Does the organization log and review the actions of users and/or services with elevated privileges?
- There is no evidence of a capability to log and review the actions of users and/or services with elevated privileges.

Does the organization protect event logs and audit tools from unauthorized access, modification and deletion?
- There is no evidence of a capability to protect event logs and audit tools from unauthorized access, modification and deletion.
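The two questions above (logging and reviewing privileged actions, and protecting event logs from unauthorized modification and deletion), together with the chain-of-custody control in the maturity table, all turn on the same mechanism: a reviewer must be able to tell whether the record in front of them is what was originally written. The following is an added example written for this page; it is not part of the template and not SCF or ISO 27001 material. It keeps audit records in a keyed hash chain and assumes (as a design choice of the example) that the HMAC key and the last published head hash are held by the log collector rather than the logging host, so that a record rewritten, removed from the middle, or deleted from the tail on the host is detected at review time. The record layout, the key and the sample privileged-action events are all constructed for the example.

```python
import copy
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # stands in as the "previous hash" of the first record


def _record_mac(key: bytes, prev_hash: str, seq: int, ts: str, msg: str) -> str:
    # Canonical JSON so the MAC covers exactly one byte encoding of the fields.
    payload = json.dumps([prev_hash, seq, ts, msg], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class ChainedAuditLog:
    """Append-only log where each record authenticates itself and its predecessor."""

    def __init__(self, key: bytes):
        self.key = key
        self.records: List[dict] = []

    def append(self, ts: str, msg: str) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        seq = len(self.records)
        rec = {"seq": seq, "ts": ts, "msg": msg, "prev": prev,
               "hash": _record_mac(self.key, prev, seq, ts, msg)}
        self.records.append(rec)
        return rec

    def head(self) -> str:
        # Ship this value to the collector after each batch; it anchors the tail.
        return self.records[-1]["hash"] if self.records else GENESIS


def verify_chain(key: bytes, records: List[dict],
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, otherwise (False, index of the first bad record).

    Deleting records from the end leaves a chain that is internally consistent,
    so that case is only caught when the reviewer supplies the published head.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        want = _record_mac(key, prev, rec["seq"], rec["ts"], rec["msg"])
        if (rec["seq"] != i or rec["prev"] != prev
                or not hmac.compare_digest(want, rec["hash"])):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(records)  # chain is shorter than the published head
    return True, None


def build_sample_log(key: bytes) -> ChainedAuditLog:
    # Constructed privileged-action events for the demonstration, not real log data.
    log = ChainedAuditLog(key)
    log.append("2024-03-01T09:00:00Z", "sudo: user=alice cmd=/usr/bin/systemctl restart sshd")
    log.append("2024-03-01T09:05:00Z", "sudo: user=bob cmd=/usr/sbin/useradd svc-backup")
    log.append("2024-03-01T09:07:00Z", "sudo: user=bob cmd=/usr/bin/passwd svc-backup")
    return log


if __name__ == "__main__":
    key = b"constructed-demo-key-held-by-collector"  # placeholder, not a real key
    log = build_sample_log(key)
    head = log.head()
    print("intact:   ", verify_chain(key, log.records, head))
    tampered = copy.deepcopy(log.records)
    tampered[1]["msg"] = "sudo: user=bob cmd=/usr/bin/ls"  # rewrite one record in place
    print("tampered: ", verify_chain(key, tampered, head))
    print("truncated:", verify_chain(key, log.records[:-1], head))
```

The reviewer's check is `verify_chain`; what it cannot do is distinguish an honest short log from one whose tail was deleted unless the head hash was recorded somewhere the host cannot rewrite, which is why the example treats the head as something to publish, not something to keep beside the log.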
Does the organization securely dispose of media when it is no longer required, using formal procedures?
- There is no evidence of a capability to securely dispose of media when it is no longer required, using formal procedures.

Does the organization restrict removable media in accordance with data handling and acceptable usage parameters?
- There is no evidence of a capability to restrict removable media in accordance with data handling and acceptable usage parameters.

Does the organization retain media and data in accordance with applicable statutory, regulatory and contractual obligations?
- There is no evidence of a capability to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.

Does the organization prohibit user installation of software without explicitly assigned privileged status?
- There is no evidence of a capability to prohibit user installation of software without explicitly assigned privileged status.

Does the organization require all employees and contractors to apply security and privacy principles in their daily work?
- There is no evidence of a capability to require all employees and contractors to apply security and privacy principles in their daily work.

Does the organization define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior?
- There is no evidence of a capability to define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.

Does the organization require internal and third-party users to sign appropriate access agreements prior to being granted access?
- There is no evidence of a capability to require internal and third-party users to sign appropriate access agreements prior to being granted access.

Does the organization sanction personnel failing to comply with established security policies, standards and procedures?
- There is no evidence of a capability to sanction personnel failing to comply with established security policies, standards and procedures.

Does the organization govern the termination of individual employment?
- There is no evidence of a capability to govern the termination of individual employment.

Does the organization revoke user access rights in a timely manner, upon termination of employment or contract?
- There is no evidence of a capability to revoke user access rights in a timely manner, upon termination of employment or contract.

Does the organization ensure proper user identification management for non-consumer users and administrators?
- There is no evidence of a capability to ensure proper user identification management for non-consumer users and administrators.

Does the organization compel users to follow accepted practices in the use of authentication mechanisms (e.g., passwords, passphrases, physical or logical security tokens, smart cards, certificates, etc.)?
- There is no evidence of a capability to compel users to follow accepted practices in the use of authentication mechanisms (e.g., passwords, passphrases, physical or logical security tokens, smart cards, certificates, etc.).

Does the organization enforce logical access permissions through the principle of "least privilege"?
- There is no evidence of a capability to enforce logical access permissions through the principle of "least privilege."

Does the organization restrict and tightly control utility programs that are capable of overriding system and application controls?
- There is no evidence of a capability to restrict and tightly control utility programs that are capable of overriding system and application controls.

Does the organization utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions?
- There is no evidence of a capability to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.

Does the organization enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded?
- There is no evidence of a capability to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded.
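The lockout question above names three parameters (a maximum number of consecutive invalid attempts, an organization-defined counting window, and an automatic lock once the maximum is exceeded) without saying how they interact, and that interaction is where implementations usually go wrong: failures must age out of the window, a success must reset the consecutive count, and a correct password must not end a lockout early. The following is an added example written for this page, not part of the template or of any ISO 27001 or SCF material; the policy values, the `attempt_login` interface and the per-user event list are all assumptions of the example. The tracker takes the current time as an argument so the behaviour can be exercised deterministically.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    max_attempts: int = 5            # consecutive invalid attempts tolerated in the window
    window_seconds: float = 900.0    # organization-defined period for counting them
    lockout_seconds: float = 1800.0  # how long the account stays locked afterwards


@dataclass
class _AccountState:
    failures: Deque[float] = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0


class LockoutTracker:
    """Enforces the attempt limit and records every lockout for later review."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._accounts: Dict[str, _AccountState] = {}
        # (time, user, event) audit trail; feeds the review of failed-login activity
        self.events: List[Tuple[float, str, str]] = []

    def _state(self, user: str) -> _AccountState:
        return self._accounts.setdefault(user, _AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._state(user).locked_until

    def attempt_login(self, user: str, credentials_ok: bool, now: float) -> str:
        """Return "allowed", "denied" or "locked" for an attempt made at time `now`."""
        st = self._state(user)
        if now < st.locked_until:
            # A correct password does not end the lockout early; that is its purpose.
            return "locked"
        if credentials_ok:
            st.failures.clear()  # a success resets the consecutive-failure count
            return "allowed"
        # Age out failures that fell outside the counting window, then count this one.
        cutoff = now - self.policy.window_seconds
        while st.failures and st.failures[0] < cutoff:
            st.failures.popleft()
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_attempts:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            self.events.append((now, user, "lockout"))
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed walk-through: three failures inside a 60 s window lock the account.
    tracker = LockoutTracker(LockoutPolicy(max_attempts=3, window_seconds=60, lockout_seconds=300))
    for t in (0, 10, 20):
        print(t, tracker.attempt_login("alice", False, t))
    print(100, tracker.attempt_login("alice", True, 100))   # still locked
    print(320, tracker.attempt_login("alice", True, 320))   # lockout has expired
    print(tracker.events)
```

Keying the counter on the user account is what the control asks for; in practice the lockout events are also what a detection rule watches, since a burst of lockouts across many accounts from one source is the signature of a password-spraying attempt and not of users forgetting passwords.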
Does the organization facilitate the implementation of incident response controls?
- There is no evidence of a capability to implement and govern processes and documentation to facilitate an organization-wide response capability for security and privacy-related incidents.

Do the organization's incident handling processes cover preparation, detection and analysis, containment, eradication and recovery?
- There is no evidence of a capability to cover the preparation, automated detection or intake of incident reporting, analysis, containment, eradication and recovery.

Does the organization maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders?
- There is no evidence of a capability to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.

Does the organization remotely purge selected information from mobile devices?
- There is no evidence of a capability to remotely purge selected information from mobile devices.

Does the organization develop, govern & update procedures to facilitate the implementation of network security controls?
- There is no evidence of a capability to develop, govern & update procedures to facilitate the implementation of network security controls.

Does the organization design, implement and review firewall and router configurations to restrict connections between untrusted networks and internal systems?
- There is no evidence of a capability to design, implement and review firewall and router configurations to restrict connections between untrusted networks and internal systems.

Does the organization configure firewall and router configurations to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception)?
- There is no evidence of a capability to configure firewall and router configurations to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).

Does the organization maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible)?
- There is no evidence of a capability to maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible).

Does the organization enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible)?
- There is no evidence of a capability to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).

Are physical access controls designed and implemented for offices, rooms and facilities?
- There is no evidence of a capability to identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities.

Does the organization allow only authorized personnel access to secure areas?
- There is no evidence of a capability to allow only authorized personnel access to secure areas.

Does the organization protect power equipment and power cabling for the system from damage and destruction?
- There is no evidence of a capability to protect power equipment and power cabling for the system from damage and destruction.

Does the organization identify and document risks, both internal and external?
- There is no evidence of a capability to identify and document risks, both internal and external.

Does the organization identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices?
- There is no evidence of a capability to identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices.

Does the organization respond to findings from security and privacy assessments, incidents and audits to ensure proper remediation has been performed?
- There is no evidence of a capability to respond to findings from security and privacy assessments, incidents and audits to ensure proper remediation has been performed.

Does the organization routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information?
- There is no evidence of a capability to routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information.

Does the organization conduct a Business Impact Analysis (BIA)?
- There is no evidence of a capability to conduct a Business Impact Analysis (BIA).

Does the organization assess supply chain risks associated with systems, system components and services?
- There is no evidence of a capability to periodically assess supply chain risks associated with systems, system components and services.

Does the organization conduct a Data Protection Impact Assessment (DPIA) on systems, applications and services to evaluate privacy implications?
- There is no evidence of a capability to conduct a Data Protection Impact Assessment (DPIA) on systems, applications and services to evaluate privacy implications.

Does the organization facilitate the implementation of industry-recognized security and privacy practices in the specification, design, development, implementation and modification of systems and services?
- There is no evidence of a capability to facilitate the implementation of industry-recognized security and privacy practices in the specification, design, development, implementation and modification of systems and services.

Does the organization develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for cybersecurity and privacy principles that addresses risk to organizational operations, assets, individuals, other organizations?
- There is no evidence of a capability to develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for cybersecurity and privacy principles that addresses risk to organizational operations, assets, individuals, other organizations.

Does the organization utilize a trusted communications path between the user and the security functions of the system?
- There is no evidence of a capability to utilize a trusted communications path between the user and the security functions of the system.

Does the organization provide all employees and contractors appropriate awareness education and training that is relevant for their job function?
- There is no evidence of a capability to provide all employees and contractors appropriate awareness education and training that is relevant for their job function.

Does the organization obtain, protect and distribute administrator documentation for systems that describe:
▪ Secure configuration, installation and operation of the system;
▪ Effective use and maintenance of security features/functions; and
▪ Known vulnerabilities regarding configuration and use of administrative (e.g., privileged) functions?
- There is no evidence of a capability to obtain, protect and distribute administrator documentation for systems that describe:
▪ Secure configuration, installation and operation of the system;
▪ Effective use and maintenance of security features/functions; and
▪ Known vulnerabilities regarding configuration and use of administrative (e.g., privileged) functions.

Does the organization develop applications based on secure coding principles?
- There is no evidence of a capability to develop applications based on secure coding principles.

Does the organization maintain a segmented development network to ensure a secure development environment?
- There is no evidence of a capability to maintain a segmented development network to ensure a secure development environment.

Does the organization manage separate development, testing and operational environments to reduce the risks of unauthorized access or changes to the operational environment and to ensure no impact to production systems?
- There is no evidence of a capability to manage separate development, testing and operational environments to reduce the risks of unauthorized access or changes to the operational environment and to ensure no impact to production systems.

Does the organization require system developers/integrators to consult with cybersecurity and privacy personnel to:
▪ Create and implement a Security Test and Evaluation (ST&E) plan;
▪ Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and
▪ Document the results of the security testing/evaluation and flaw remediation processes?
- There is no evidence of a capability to require system developers/integrators to consult with cybersecurity and privacy personnel to:
▪ Create and implement a Security Test and Evaluation (ST&E) plan;
▪ Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and
▪ Document the results of the security testing/evaluation and flaw remediation processes.

Does the organization approve, document and control the use of live data in development and test environments?
- There is no evidence of a capability to approve, document and control the use of live data in development and test environments.

Does the organization evaluate security risks associated with the services and product supply chain?
- There is no evidence of a capability to evaluate security risks associated with the services and product supply chain.

Does the organization mitigate the risks associated with third-party access to the organization's systems and data?
- There is no evidence of a capability to mitigate the risks associated with third-party access to the organization's systems and data.

Does the organization identify, regularly review and document third-party confidentiality, Non-Disclosure Agreements (NDAs) and other contracts that reflect the organization's needs to protect systems and data?
- There is no evidence of a capability to identify, regularly review and document third-party confidentiality, Non-Disclosure Agreements (NDAs) and other contracts that reflect the organization's needs to protect systems and data.

Does the organization monitor, regularly review and audit supplier service delivery for compliance with established contract agreements?
- There is no evidence of a capability to monitor, regularly review and audit supplier service delivery for compliance with established contract agreements.

Does the organization conduct software patching for all deployed operating systems, applications and firmware?
- There is no evidence of a capability to conduct software patching for all deployed operating systems, applications and firmware.