Pran 27001 SOA Compliance Checklist
[…] information gathering. A lesser score does not throw the organisation into a bad picture, but paves the way for improvement. All "documentation"-related gaps from a security perspective shall be closed by the consultant unless specified otherwise.
PS: The majority of the gaps are documentation related and shall be closed as and when the documents are reviewed and approved once delivered.
This tool does not constitute a valid assessment and the use of this tool does not confer ISO/IEC
27001:2013 certification. The findings here must be confirmed as part of a formal audit / assessment visit.
Pre-assessment
1. Determine assessment scope. Work with the relevant business stakeholders to determine what the appropriate scope of the assessment is.
Assessment
4. Review control areas. Work through the toolkit, reviewing the evidence for each control and determining how compliant it is with the requirements. The toolkit allows for this to be done in 5% increments.
5. Determine level of compliance. On completion of the review, the toolkit will give you an overall level of compliance by control area and by individual control.
Post-assessment
6. Record areas of weakness. Make a note of any areas where compliance is unsuitable (normally less than 90%).
7. Determine improvement plan. For each area of weakness, work with the relevant business stakeholders to determine how the control can be improved.
[Chart: Compliance Status - By Section. One bar per Annex A control area, A.5 to A.18 (legend includes Asset management, Access control, Cryptography, Operations security, Communications security, Supplier relationships); y-axis 0% to 100%.]
ISO27001:2013 Assessment Status
Halkyn Consulting Ltd | www.halkynconsulting.co.uk | info@halkynconsulting.co.uk | 02/28/2024
ISO27001:2013 Compliance Status Report
Page 8 of 39
ISO 27001:2013 Compliance Checklist
Control | Title | Checklist question(s) | Owner
A.6.1.4 | Contact with special interest groups | Do relevant individuals within the organisation maintain active membership in relevant special interest groups? | Admin
A.7.2.1 | Management responsibilities | 1. Are managers (of all levels) engaged in driving security within the business? 2. Does management behaviour and policy drive, and encourage, all employees, contractors and 3rd party users to apply security in accordance with established policies and procedures? | HR
A.9.2.3 | Management of privileged access rights | Are privileged access accounts separately managed and controlled? | IT Ops
A.9.2.4 | Management of secret authentication information of users | Is there a formal management process in place to control allocation of secret authentication information? | IT Ops
A.10 Cryptography
A.10.1 Cryptographic controls
A.10.1.1 | Policy on the use of cryptographic controls | Is there a policy on the use of cryptographic controls? | Core Team
A.10.1.2 | Key management | Is there a policy governing the whole lifecycle of cryptographic keys? | Core Team
A.11 Physical and environmental security
A.11.1 Secure areas
A.11.1.1 | Physical security perimeter | 1. Is there a designated security perimeter? 2. Are sensitive or critical information areas segregated and appropriately controlled? | Admin
A.11.1.2 | Physical entry controls | Do secure areas have suitable entry control systems to ensure only authorised personnel have access? | Admin
A.11.1.4 | Protecting against external and environmental threats | Have physical protection measures to prevent natural disasters, malicious attack or accidents been designed in? | Admin
A.12.1.2 | Change management | Is there a controlled change management process in place? | Core Team
A.12.1.4 | Separation of development, testing and operational environments | Does the organisation enforce segregation of development, test and operational environments? | Core Team
A.12.2 Protection from malware
A.12.2.1 | Controls against malware | 1. Are processes to detect malware in place? 2. Are processes to prevent malware spreading in place? 3. Does the organisation have a process and capacity to recover from a malware infection? | IT Ops
A.12.3 Backup
A.12.6.2 | Restrictions on software installation | Are there processes in place to restrict how users install software? | IT Ops
A.12.7 Information systems audit considerations
A.13.1.1 | Network controls | 1. Is there a network management process in place? 2. Is the firewall/gateway configured with the necessary controls? | IT Ops
A.15.1.3 | Information and communication technology supply chain | Do supplier agreements include requirements to address information security within the service & product supply chain? | Admin
A.15.2 Supplier service delivery management
A.15.2.1 | Monitoring and review of supplier services | Are suppliers subject to regular review and audit? | Admin
A.15.2.2 | Managing changes to supplier services | Are changes to the provision of services subject to a management process which includes security & risk assessment? | Admin
A.16.1.1 | Responsibilities and procedures | Are management responsibilities clearly identified and documented in the incident management processes? | CISO
A.16.1.4 | Assessment of and decision on information security events | Is there a process to ensure information security events are properly assessed and classified? | CISO
A.17.2 Redundancies
A.18 Compliance
A.18.1 Compliance with legal and contractual requirements
A.18.1.1 | Identification of applicable legislation and contractual requirements | 1. Has the organisation identified and documented all relevant legislative, regulatory or contractual requirements related to security? 2. Is compliance documented? | CISO
SOA ISO 27001:2013 - Findings
Findings / Results | % | Target Date | Remarks / Comments
1. Yes. 2. Yes. 3. Yes | 100% | - | Since established on 5 Aug 23, reviews have not been observed as of Dec-23
Not in use | 100% | - | -
Yes, but no policy/process document in place | 50% | - | -
- | 50% | - | -
1. Not evidenced for newly joined staff. 2. ISMS awareness training needs to be provided | 50% | - | Tulsi, Mahesh: this shall be done by the consultant
- | 50% | - | -
- | 50% | - | -
1. In place | 100% | - | -
1. In place | 100% | - | -
In place | 100% | - | -
Assets are labelled for all the laptops. Need to document the process | 40% | - | -
In place | 100% | - | -
1. USBs are not allowed for staff | 100% | - | -
- | 100% | - | -
1. Yes. 2. Yes. 3. Needs to be created. 4. Pending. 5. Needs to have MFA. 6. Super User/Admin user IDs are being used in the organisation | 50% | - | 3. Access Control Matrix needs to be created & maintained. 4. Auditor to send out relevant org-level communication. 5. Super User IDs are used in Biometric, AD, File server & all consoles
1. Yes | 100% | - | -
Implementation is in place. | 100% | - | -
Implementation is in place. | 100% | - | -
Implementation is in place. | 100% | - | -
Implementation is in place. | 100% | - | -
Implementation is in place. | 100% | - | -
Implementation is in place. | 100% | - | -
- | 100% | - | -
1. Policy needs to be created as to which software is allowed within the organisation. 2. Regular interval-based reviews not in practice, especially for resigned staff. 3. Any delete actions performed need to follow the four-eyes principle | 50% | - | -
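The A.9 findings earlier in this table (shared Super User/Admin IDs in use across Biometric, AD and file server consoles; Access Control Matrix still to be created) and the finding above (no regular access reviews, especially for resigned staff) are the items a consultant would re-check on the follow-up visit. The script below is an added example, not part of the original checklist or of the assessed organisation's tooling, showing how such a re-check can be done from three inputs: a directory export, the HR leavers list and the approved Access Control Matrix. Every account name, employee ID, group name, threshold and date in it is constructed for illustration.

```python
"""
Access review reconciliation (added example, not from the original checklist).

Given a directory export, the HR leavers list and the approved Access Control
Matrix (ACM), flag:
  (a) enabled accounts whose owner is on the leavers list,
  (b) enabled shared or unassigned administrator accounts,
  (c) privileged-group members not approved in the ACM,
  (d) approved privileged accounts that are dormant.

Every name, ID, group, threshold and date below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

# Login names that indicate a shared, non-personal privileged identity (assumed list).
SHARED_ADMIN_NAMES = {"administrator", "admin", "root", "superuser", "super_usr"}

# Privileged groups whose members must appear in the ACM (assumed group names).
PRIVILEGED_GROUPS: FrozenSet[str] = frozenset(
    {"Domain Admins", "Enterprise Admins", "Backup Operators"}
)

DORMANT_DAYS = 90  # assumed threshold for an unused privileged account


@dataclass(frozen=True)
class Account:
    name: str                   # login name, e.g. sAMAccountName
    owner: Optional[str]        # employee ID the account is assigned to; None if nobody is accountable
    enabled: bool
    groups: FrozenSet[str]
    last_logon: Optional[date]  # None if the account has never logged on


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str
    detail: str


def review_access(accounts: Iterable[Account], leavers: Dict[str, date],
                  approved_privileged: Set[str], as_of: date) -> List[Finding]:
    """Return one Finding per violated condition; disabled accounts are skipped."""
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        # (a) account still enabled after its owner's last working day
        if acct.owner is not None and acct.owner in leavers:
            findings.append(Finding(acct.name, "leaver-still-enabled",
                                    f"owner {acct.owner} left on {leavers[acct.owner].isoformat()}"))
        # (b) generic or unassigned identity: actions cannot be attributed to a person
        if acct.owner is None or acct.name.lower() in SHARED_ADMIN_NAMES:
            findings.append(Finding(acct.name, "shared-or-unassigned-account",
                                    "no single accountable owner; actions cannot be attributed"))
        privileged = acct.groups & PRIVILEGED_GROUPS
        if not privileged:
            continue
        # (c) privileged membership not recorded in the Access Control Matrix
        if acct.name not in approved_privileged:
            findings.append(Finding(acct.name, "privileged-not-in-acm",
                                    f"member of {sorted(privileged)} but absent from the ACM"))
        # (d) approved privileged account that nobody has used recently
        elif acct.last_logon is None or (as_of - acct.last_logon).days > DORMANT_DAYS:
            findings.append(Finding(acct.name, "privileged-dormant",
                                    f"approved admin account unused for more than {DORMANT_DAYS} days"))
    return findings


def sample_accounts() -> List[Account]:
    """Constructed directory export used to exercise the review."""
    return [
        Account("administrator", None, True, frozenset({"Domain Admins"}), date(2024, 2, 20)),
        Account("jdoe", "E1001", True, frozenset({"Domain Users"}), date(2024, 2, 27)),
        Account("jdoe-adm", "E1001", True, frozenset({"Domain Admins"}), date(2024, 2, 26)),
        Account("rpatel", "E1002", True, frozenset({"Domain Users"}), date(2023, 12, 15)),
        Account("ops-adm", "E1003", True, frozenset({"Backup Operators"}), date(2023, 10, 1)),
        Account("svc-backup", None, False, frozenset({"Backup Operators"}), None),
    ]


SAMPLE_LEAVERS: Dict[str, date] = {"E1002": date(2023, 12, 31)}  # employee ID -> last working day (constructed)
SAMPLE_ACM: Set[str] = {"jdoe-adm", "ops-adm"}                    # accounts approved for admin rights (constructed)
REVIEW_DATE = date(2024, 2, 28)                                    # assumed review date


def run_sample() -> List[Finding]:
    return review_access(sample_accounts(), SAMPLE_LEAVERS, SAMPLE_ACM, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.account:<15} {f.issue:<28} {f.detail}")
```

Run against a real export, the four issue types map directly onto the checklist items: "leaver-still-enabled" is the missing review for resigned staff, "shared-or-unassigned-account" is the Super User/Admin ID finding, and "privileged-not-in-acm" is only meaningful once the Access Control Matrix exists and is the single source the script is reconciled against.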
Yes, both IN and OUT are secured by biometric access. | 100% | - | -
- | 100% | - | -
Yes | 100% | - | -
All the network and power cables are secured and there is no interference among the cables. | 100% | - | -
AMC with Hive, where Hive takes care of them. Contract with Hive to be made available | 100% | - | -
Gate pass for controlling asset movement; the gate pass is signed by department heads | 100% | - | -
Not applicable, as all the assets are inside the office and no off-site requirements are needed | 100% | - | -
1. Scrap material is sent out once yearly. 2. Manual practice in place | 50% | - | Contract for e-waste supplier to be evidenced; data wiping policy needs to be in place along with a checklist as well
No policy defined | 90% | - | -
1. Security is handled manually; SOP documentation needs to be created accordingly. 2. To be created. 3. To be created | 50% | - | P&P to be made accessible to all staff and other categorised staff
- | 100% | - | -
1. AD Server, File Server & Biometric backups not enabled, or if enabled not monitored on a set frequency. 2. Yes, in line with legal framework. 3. Yes. 4. Needs to be tested | 25% | - | -
1. Needs to be created. 2. Not in practice. 3. Admin IDs are used for accessing Biometric, AD Server & File Servers | 0% | - | -
VAPT done | 100% | - | -
Wazuh SOC in place, needs policy documentation | 100% | - | -
1. Policy exists. 2. Security standards clauses available in risk management approach policy document. 3. Same as above | 100% | - | -
Yes. Company network controls are followed since the network is being shared, but no topology evidenced | 90% | - | -
RHYM has an integrated platform whereby all modules developed in it are automatically secured; however, an application security specialist still performs framework-based verification to check whether a newly developed module has any vulnerabilities | 90% | - | Needs to have policy document and SOP in place
RHYM does not have any solution oriented to huge transactional data. However, RHYM uses PaaS, DBaaS & IaaS, therefore these providers have their own file logs within servers, which RHYM accesses via administration consoles | 100% | - | Shall be deemed based on further inspections
- | 30% | - | -
Development is done in-house; as of now no development is being outsourced | 100% | - | -
Application security testing results to be obtained | 30% | - | To check with Narayan/Vamsi and obtain AppSec results
Policy needs to be created. Yet to collect evidence | 30% | - | To check with Narayan/Vamsi and obtain AppSec results
Policy needs to be created. Yet to collect evidence | 30% | - | To check with Narayan/Vamsi and obtain AppSec results
Yes, in place | 100% | - | -
Yes, in place | 100% | - | -
Yes, in place | 100% | - | -
Yes, in place | 100% | - | -
Yes, in place | 100% | - | -
Yes, in place | 100% | - | -
Yes, in place | 100% | - | -
Yes, in place | 100% | - | -
Yes, in place | 100% | - | -
BC plan not in place from a site perspective, but from an ISP standpoint failover is available | 100% | - | -
SOP needs to be prepared | 80% | - | -
- | 100% | - | -
Yes, in place | 100% | - | -
- | 100% | - | -
Yes, in place | 100% | - | -
Yes, in place | 100% | - | -