
** The scores provided are based on interactions with multiple departments as part of information gathering. A lower score does not put the organisation in a bad light, but paves the way for improvement. All "documentation" related gaps from a security perspective shall be closed by the consultant unless specified otherwise.

PS: The majority of the gaps are documentation related and shall be closed as and when the documents are reviewed and approved once delivered.


Overview
This tool is designed to assist a skilled and experienced professional ensure that the relevant control areas
of ISO / IEC 27001:2013 have been addressed.

This tool does not constitute a valid assessment and the use of this tool does not confer ISO/IEC
27001:2013 certification. The findings here must be confirmed as part of a formal audit / assessment visit.

Instructions for use

Pre-assessment
1. Determine assessment scope. Work with the relevant business stakeholders to determine what the appropriate scope of the assessment is.
2. Collect evidence. Identify and centralise as much evidence as possible. This can include policy documents, process documents, interview transcripts etc.
3. Prepare toolkit. Using the assessment scope you can identify what areas of the toolkit are not appropriate and set these to 100% to close reporting. Additionally, where suggested audit questions are not relevant, these can be replaced with more suitable ones.

Assessment
4. Review control areas. Work through the toolkit, reviewing the evidence for each control and determining how compliant it is with the requirements. The toolkit allows for this to be done in 5% increments.
5. Determine level of compliance. On completion of the review, the toolkit will give you an overall level of compliance by control area and by individual control.

Post assessment
6. Record areas of weakness. Make a note of any areas where compliance is unsuitable (normally less than 90%).
7. Determine improvement plan. For each area of weakness, work with the relevant business stakeholders to determine how the control can be improved.
8. Schedule re-assessment. Arrange a date to review weak areas to set a target for improvement plans.

Lifecycle review
9. ISMS review schedules. Ensure that the ISMS is re-assessed on a regular basis, ideally once every 12 months.
[Chart: ISO27001:2013 Assessment Status. Compliance Status - By Section, one bar per section A.5 to A.18 on a 0% to 100% axis: Information Security Policies; Organisation of information security; Human resources security; Asset management; Access control; Cryptography; Physical and environmental security; Operations security; Communications security; System acquisition, development and maintenance; Supplier relationships; Information security incident management; Information security aspects of business continuity management; Compliance. A second chart, Compliance Status - By Control, uses the same 0% to 100% axis.]

Halkyn Consulting Ltd, www.halkynconsulting.co.uk, info@halkynconsulting.co.uk, 02/28/2024

Departments: achieved so far

Department   Achieved   Points achieved   Points available
Admin        84.80%     2120              2500
CISO         91.88%     1470              1600
Core Team    59.71%     1015              1700
HR           60.00%     540               900
IT Ops       82.87%     3895              4700

Colour key:
Red: Not compliant, needs a lot of improvement
Orange: Not compliant, needs operational-level improvement
Yellow: Opportunity to improve by the next audit cycle
Green: Okay to lay down, and management can decide whether to improve or sustain at this point

ISO27001:2013 Compliance Status Report (by section)
Standard Section Status


A.5 Information Security Policies 95%
A.6 Organisation of information security 52%
A.7 Human resources security 50%
A.8 Asset management 86%
A.9 Access control 86%
A.10 Cryptography 100%
A.11 Physical and environmental security 93%
A.12 Operations security 53%
A.13 Communications security 89%
A.14 System acquisition, development and maintenance 73%
A.15 Supplier relationships 86%
A.16 Information security incident management 100%
A.17 Information security aspects of business continuity management 95%
A.18 Compliance 94%

Overall Compliance 82%

ISO27001:2013 Compliance Status Report (by control objective)

Standard Section Status


A.5.1 Management direction for information security 95%
A.6.1 Internal Organisation 45%
A.6.2 Mobile devices and teleworking 70%
A.7.1 Prior to employment 50%
A.7.2 During employment 50%
A.7.3 Termination and change of employment 50%
A.8.1 Responibility for assets 100%
A.8.2 Information classification 60%
A.8.3 Media handling 93%
A.9.1 Business requirements for access control 75%
A.9.2 User access management 100%
A.9.3 User responsibilities 100%
A.9.4 System and application access control 70%
A.10.1 Cryptographic controls 100%
A.11.1 Secure areas 100%
A.11.2 Equipment 88%
A.12.1 Operational procedures and responsibilities 38%
A.12.2 Protection from malware 100%
A.12.3 Backup 25%
A.12.4 Logging and monitoring 48%
A.12.5 Control of operational software 0%
A.12.6 Technical vulnerability management 90%
A.12.7 Information systems audit considerations 100%
A.13.1 Network security management 97%
A.13.2 Information transfer 83%
A.14.1 Security requirements of information systems 97%
A.14.2 Security in development and support processes 66%
A.14.3 Test data 30%
A.15.1 Information security in supplier relationships 80%
A.15.2 Supplier service delivery management 95%
A.16.1 Management of infosec incidents & improvements 100%
A.17.1 Information security continuity 93%
A.17.2 Redundancies 100%
A.18.1 Compliance with legal and contractual requirements 90%
A.18.2 Information security reviews 100%

ISO 27001:2013 Compliance Checklist
Date: 4-Dec-23
Columns: Standard | Section | Initial Assessment Points | Assessment Area (the area responsible is shown in square brackets after each control title)
A.5 Information Security Policies
A.5.1 Management direction for information security
A.5.1.1 Policies for information security [CISO]
  1. Do security policies exist?
  2. Are all policies approved by management?
  3. Are policies properly communicated to employees?
A.5.1.2 Review of the policies for information security [CISO]
  1. Are security policies subject to review?
  2. Are the reviews conducted at regular intervals?
  3. Are reviews conducted when circumstances change?
A.6 Organisation of information security
A.6.1 Internal Organisation
A.6.1.1 Information security roles and responsibilities [HR]
  1. Are responsibilities for the protection of individual assets, and for carrying out specific security processes, clearly identified, defined and communicated to the relevant parties?
  2. Are job descriptions (JDs) updated at a set frequency, and are new joiners added to the org chart?
A.6.1.2 Segregation of duties [IT Ops]
  Are duties and areas of responsibility separated, in order to reduce opportunities for unauthorised modification or misuse of information or services?
A.6.1.3 Contact with authorities [Admin]
  1. Is there a procedure documenting when, and by whom, contact with relevant authorities (law enforcement etc.) will be made?
  2. Is there a process which details how and when contact is required?
  3. Is there a process for routine contact and intelligence sharing?
A.6.1.4 Contact with special interest groups [Admin]
  Do relevant individuals within the organisation maintain active membership in relevant special interest groups?
A.6.1.5 Information security in project management [Core Team]
  Do all projects/services go through some form of information security assessment?
A.6.2 Mobile devices and teleworking
A.6.2.1 Mobile device policy [Admin]
  1. Does a mobile device policy exist?
  2. Does the policy have management approval?
  3. Does the policy document and address the additional risks from using mobile devices (e.g. theft of asset, use of open wireless hotspots etc.)?
A.6.2.2 Teleworking [Admin]
  1. Is there a policy for teleworking?
  2. Does this have management approval?
  3. Is there a set process for remote teleworkers to get access?
  4. Are teleworkers given the advice and equipment to protect their assets?

A.7 Human resources security
A.7.1 Prior to employment
A.7.1.1 Screening [HR]
  1. Do background verification (BGV) policy & procedure documents exist?
  2. Are background verification checks carried out on all new candidates for employment?
  3. Are these checks approved by the appropriate management authority?
  4. Are the checks compliant with relevant laws, regulations and ethics?
  5. Is the level of checks required supported by business risk assessments?
A.7.1.2 Terms and conditions of employment [HR]
  1. Are all employees, contractors and third-party users asked to sign confidentiality and non-disclosure agreements?
  2. Do employment / service contracts specifically cover the need to protect business information?
A.7.2 During employment
A.7.2.1 Management responsibilities [HR]
  1. Are managers (of all levels) engaged in driving security within the business?
  2. Do management behaviour and policy drive, and encourage, all employees, contractors and third-party users to apply security in accordance with established policies and procedures?
A.7.2.2 Information security awareness, education and training [HR]
  1. Does an HR induction take place for new joiners?
  2. Do all employees, contractors and third-party users undergo regular security awareness training appropriate to their role and function within the organisation?
A.7.2.3 Disciplinary process [HR]
  1. Is there a formal disciplinary process which allows the organisation to take action against employees who have committed an information security breach?
  2. Is this communicated to all employees?
A.7.3 Termination and change of employment
A.7.3.1 Termination or change of employment responsibilities [HR]
  1. Is there a documented process for terminating or changing employment duties?
  2. Are any information security duties which survive employment communicated to the employee or contractor?
  3. Is the organisation able to enforce compliance with any duties that survive employment?

A.8 Asset management
A.8.1 Responsibility for assets
A.8.1.1 Inventory of assets [IT Ops]
  1. Is there an inventory of all assets associated with information and information processing facilities?
  2. Does the software list repository hold sufficient information?
A.8.1.2 Ownership of assets [IT Ops]
  All information assets must have a clearly defined owner who is aware of their responsibilities.
A.8.1.3 Acceptable use of assets [IT Ops]
  1. Is there an acceptable use policy for each class / type of information asset?
  2. Are users made aware of this policy prior to use?
A.8.1.4 Return of assets [IT Ops]
  Is there a process in place to ensure all employees and external users return the organisation's assets on termination of their employment, contract or agreement?
A.8.2 Information classification
A.8.2.1 Classification of information [Admin]
  1. Is there a policy governing information classification?
  2. Is there a process by which all information can be appropriately classified (e.g. a furnished register)?
A.8.2.2 Labelling of information [Admin]
  Is there a process or procedure for ensuring the information classification is appropriately marked on each asset?
A.8.2.3 Handling of assets [Admin]
  1. Is there a procedure for handling each information classification?
  2. Are users of information assets made aware of this procedure?
A.8.3 Media handling
A.8.3.1 Management of removable media [IT Ops]
  1. Is there a policy governing removable media?
  2. Is there a process covering how removable media is managed?
  3. Are the policy and process(es) communicated to all employees using removable media?
  4. Is there a system/tracker showing the history of USB devices approved for staff?
A.8.3.2 Disposal of media [IT Ops]
  Is there a formal procedure governing how removable media is disposed of?
A.8.3.3 Physical media transfer [IT Ops]
  1. Is there a documented policy and process detailing how physical media should be transported?
  2. Is media in transport protected against unauthorised access, misuse or corruption?
A.9 Access control
A.9.1 Business requirements for access control
A.9.1.1 Access control policy [CISO]
  1. Is there a documented access control policy?
  2. Is the policy based on business requirements?
  3. Is there a single-view report showing all staff against the access they have been granted to internal/external systems?
  4. Is the policy communicated appropriately?
  5. Is MFA enforced for product/service console logins and on-prem servers?
A.9.1.2 Access to networks and network services [IT Ops]
  Are controls in place to ensure users only have access to the network resources they have been specifically authorised to use and that are required for their duties?
A.9.2 User access management
A.9.2.1 User registration and de-registration [IT Ops]
  Is there a formal user access registration process in place?
A.9.2.2 User access provisioning [IT Ops]
  Is there a formal user access provisioning process in place to assign access rights for all user types and services?
A.9.2.3 Management of privileged access rights [IT Ops]
  Are privileged access accounts separately managed and controlled?
A.9.2.4 Management of secret authentication information of users [IT Ops]
  Is there a formal management process in place to control the allocation of secret authentication information?
A.9.2.5 Review of user access rights [IT Ops]
  1. Is there a process for asset owners to review access rights to their assets on a regular basis?
  2. Is this review process verified?
A.9.2.6 Removal or adjustment of access rights [IT Ops]
  Is there a process to ensure user access rights are removed on termination of employment or contract, or adjusted upon change of role?
A.9.3 User responsibilities
A.9.3.1 Use of secret authentication information [IT Ops]
  1. Is there a policy document covering the organisation's practices in how secret authentication information must be handled?
  2. Is this communicated to all users?
A.9.4 System and application access control
A.9.4.1 Information access restriction [IT Ops]
  1. Is access to information and application system functions restricted in line with the access control policy?
  2. Are named user accounts used for accessing applications, consoles and servers?
A.9.4.2 Secure log-on procedures [IT Ops]
  Where the access control policy requires it, is access controlled by a secure log-on procedure?
A.9.4.3 Password management system [IT Ops]
  1. Are password systems interactive?
  2. Are complex passwords required?
A.9.4.4 Use of privileged utility programs [IT Ops]
  Are privileged utility programs restricted and monitored?
A.9.4.5 Access control to program source code [Dev Team]
  1. Is access to the source code of all products/services protected?
  2. Is MFA, or other user profile/role-based limited access, enforced on source code consoles?
  3. Are fortnightly access reviews performed, in particular covering resigned staff?

A.10 Cryptography
A.10.1 Cryptographic controls
A.10.1.1 Policy on the use of cryptographic controls [Core Team]
  Is there a policy on the use of cryptographic controls?
A.10.1.2 Key management [Core Team]
  Is there a policy governing the whole lifecycle of cryptographic keys?
A.11 Physical and environmental security
A.11.1 Secure areas
A.11.1.1 Physical security perimeter [Admin]
  1. Is there a designated security perimeter?
  2. Are sensitive or critical information areas segregated and appropriately controlled?
A.11.1.2 Physical entry controls [Admin]
  Do secure areas have suitable entry control systems to ensure only authorised personnel have access?
A.11.1.3 Securing offices, rooms and facilities [Admin]
  1. Have offices, rooms and facilities been designed and configured with security in mind?
  2. Do processes for maintaining the security (e.g. locking up, clear desks etc.) exist?
A.11.1.4 Protecting against external and environmental threats [Admin]
  Have physical protection measures to prevent natural disasters, malicious attack or accidents been designed in?
A.11.1.5 Working in secure areas [Admin]
  1. Do secure areas exist?
  2. Where they do exist, do secure areas have suitable policies and processes?
  3. Are the policies and processes enforced and monitored?
A.11.1.6 Delivery and loading areas [Admin]
  1. Are there separate delivery / loading areas?
  2. Is access to these areas controlled?
  3. Is access from loading areas isolated from information processing facilities?
A.11.2 Equipment
A.11.2.1 Equipment siting and protection [Admin]
  1. Are environmental hazards identified and considered when equipment locations are selected?
  2. Are the risks from unauthorised access / passers-by considered when siting equipment?
A.11.2.2 Supporting utilities [Admin]
  1. Is there a UPS system or back-up generator?
  2. Have these been tested within an appropriate timescale?
A.11.2.3 Cabling security [Admin]
  1. Have risk assessments been conducted over the location of power and telecommunications cables?
  2. Are they located to protect from interference, interception or damage?
A.11.2.4 Equipment maintenance [Admin]
  Is there a rigorous equipment maintenance schedule?
A.11.2.5 Removal of assets [IT Ops]
  1. Is there a process controlling how assets are removed from site?
  2. Is this process enforced?
  3. Are spot checks carried out?
A.11.2.6 Security of equipment and assets off-premises [Admin]
  1. Is there a policy covering security of assets off-site?
  2. Is this policy widely communicated?
A.11.2.7 Secure disposal or reuse of equipment [IT Ops]
  1. Is there a policy covering how information assets may be reused?
  2. Where data is wiped, is this properly verified before reuse/disposal?
A.11.2.8 Unattended user equipment [Admin]
  1. Does the organisation have a policy around how unattended equipment should be protected?
  2. Are technical controls in place to secure equipment that has been inadvertently left unattended?
A.11.2.9 Clear desk and clear screen policy [IT Ops]
  1. Is there a clear desk / clear screen policy?
  2. Is this enforced by auto-locking the workstation after a set number of minutes without activity?
A.12 Operations security
A.12.1 Operational procedures and responsibilities
A.12.1.1 Documented operating procedures [IT Ops]
  1. Are operating procedures well documented?
  2. Are the procedures made available to all users/management/HR who need them?
  3. Is employee-level access to the policy & procedure documents in place?
A.12.1.2 Change management [Core Team]
  Is there a controlled change management process in place?
A.12.1.3 Capacity management [Admin]
  Is there a capacity management process in place?
A.12.1.4 Separation of development, testing and operational environments [Core Team]
  Does the organisation enforce segregation of development, test and operational environments?
A.12.2 Protection from malware
A.12.2.1 Controls against malware [IT Ops]
  1. Are processes to detect malware in place?
  2. Are processes to prevent malware spreading in place?
  3. Does the organisation have a process and the capacity to recover from a malware infection?
A.12.3 Backup
A.12.3.1 Information backup [IT Ops]
  1. Is there an agreed backup policy?
  2. Does the organisation's backup policy comply with relevant legal frameworks?
  3. Are backups made in accordance with the policy?
  4. Are backups tested?
A.12.4 Logging and monitoring
A.12.4.1 Event logging [IT Ops]
  1. Are appropriate event logs maintained?
  2. Are they regularly reviewed?
A.12.4.2 Protection of log information [IT Ops]
  Are logging facilities protected against tampering and unauthorised access?
A.12.4.3 Administrator and operator logs [IT Ops]
  Are internal application / sysadmin / sysop logs maintained, protected and regularly reviewed?
A.12.4.4 Clock synchronisation [IT Ops]
  Are all clocks within the organisation
A.12.5 Control of operational software
A.12.5.1 Installation of software on operational systems [IT Ops]
  1. Is there a policy & process in place to control the installation of software onto operational systems?
  2. Are admin IDs not used directly but handed over to the InfoSec team, with a periodic review register in place?
  3. Are named/personal IDs used?
A.12.6 Technical vulnerability management
A.12.6.1 Management of technical vulnerabilities [Core Team]
  1. Does the organisation have access to updated and timely information on technical vulnerabilities?
  2. Is there a process to risk-assess and react to any new vulnerabilities as they are discovered?
A.12.6.2 Restrictions on software installation [IT Ops]
  Are there processes in place to restrict how users install software?
A.12.7 Information systems audit considerations
A.12.7.1 Information systems audit controls [IT Ops]
  1. Are IS systems subject to audit?
  2. Does the audit process ensure business disruption is minimised?

A.13 Communications security
A.13.1 Network security management
A.13.1.1 Network controls [IT Ops]
  1. Is there a network management process in place?
  2. Are firewalls/gateways configured with the necessary controls?
A.13.1.2 Security of network services [IT Ops]
  1. Does the organisation implement a risk management approach which identifies all network services and service agreements?
  2. Is security mandated in agreements and contracts with service providers (in-house and outsourced)?
  3. Are security-related SLAs mandated?
A.13.1.3 Segregation in networks [IT Ops]
  Does the network topology enforce segregation of networks for different tasks?
A.13.2 Information transfer
A.13.2.1 Information transfer policies and procedures [IT Ops]
  1. Do organisational policies govern how information is transferred?
  2. Are procedures in place for how data should be transferred, and are they made available to all employees?
  3. Are relevant technical controls in place to prevent non-authorised forms of data transfer?
A.13.2.2 Agreements on information transfer [Core Team]
  Do contracts with external parties and agreements within the organisation detail the requirements for securing business information while it is being transferred?
A.13.2.3 Electronic messaging [IT Ops]
  Do security policies cover the transfer of information using electronic messaging systems?
A.13.2.4 Confidentiality or nondisclosure agreements [HR]
  1. Do employees, contractors and agents sign confidentiality or non-disclosure agreements?
  2. Are these agreements subject to regular review?
  3. Are records of the agreements maintained?
A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems
A.14.1.1 Information security requirements analysis and specification [Core Team]
  1. Are information security requirements specified when new systems are introduced?
  2. When systems are being enhanced or upgraded, are security requirements specified and addressed?
A.14.1.2 Securing application services on public networks [Core Team]
  Do applications which send information over public networks appropriately protect the information against fraudulent activity, contract dispute, unauthorised disclosure and unauthorised modification?
A.14.1.3 Protecting application services transactions [Core Team]
  Are controls in place to prevent incomplete transmission, misrouting, unauthorised message alteration, unauthorised disclosure, unauthorised message duplication or replay attacks?
A.14.2 Security in development and support processes
A.14.2.1 Secure development policy [CISO]
  1. Does the organisation develop software or systems?
  2. If so, are there policies mandating the implementation and assessment of security controls?
A.14.2.2 System change control procedures [CISO]
  Is there a formal change control process?
A.14.2.3 Technical review of applications after operating platform changes [Core Team]
  Is there a process to ensure a technical review is carried out when operating platforms are changed?
A.14.2.4 Restrictions on changes to software packages [IT Ops]
  Is there a policy in place which mandates when and how software packages can be changed or modified?
A.14.2.5 Secure system engineering principles [Core Team]
  Does the organisation have documented principles on how systems must be engineered to ensure security?
A.14.2.6 Secure development environment [Core Team]
  1. Has a secure development environment been established?
  2. Do all projects utilise the secure development environment appropriately during the system development lifecycle?
A.14.2.7 Outsourced development [Core Team]
  1. Where development has been outsourced, is this supervised?
  2. Is externally developed code subject to a security review before deployment?
A.14.2.8 System security testing [Core Team]
  Where systems or applications are developed, are they security tested as part of the development process?
A.14.2.9 System acceptance testing [Core Team]
  Is there an established process to accept new systems / applications, or upgrades, into production use?
A.14.3 Test data
A.14.3.1 Protection of test data [Core Team]
  1. Is there a process for selecting test data?
  2. Is test data suitably protected?
A.15 Supplier relationships
A.15.1 Information security in supplier relationships
A.15.1.1 Information security policy for supplier relationships [Admin]
  1. Is information security included in contracts established with suppliers and service providers?
  2. Is there an organisation-wide risk management approach to supplier relationships?
A.15.1.2 Addressing security within supplier agreements [Admin]
  1. Are suppliers provided with documented security requirements?
  2. Is supplier access to information assets & infrastructure controlled and monitored?
A.15.1.3 Information and communication technology supply chain [Admin]
  Do supplier agreements include requirements to address information security within the service & product supply chain?
A.15.2 Supplier service delivery management
A.15.2.1 Monitoring and review of supplier services [Admin]
  Are suppliers subject to regular review and audit?
A.15.2.2 Managing changes to supplier services [Admin]
  Are changes to the provision of services subject to a management process which includes security & risk assessment?

A.16 Information security incident management
A.16.1 Management of information security incidents and improvements
A.16.1.1 Responsibilities and procedures [CISO]
  Are management responsibilities clearly identified and documented in the incident management processes?
A.16.1.2 Reporting information security events [CISO]
  1. Is there a process for timely reporting of information security events?
  2. Is there a process for reviewing and acting on reported information security events?
A.16.1.3 Reporting information security weaknesses [CISO]
  1. Is there a process for reporting of identified information security weaknesses?
  2. Is this process widely communicated?
  3. Is there a process for reviewing and addressing reports in a timely manner?
A.16.1.4 Assessment of and decision on information security events [CISO]
  Is there a process to ensure information security events are properly assessed and classified?
A.16.1.5 Response to information security incidents [CISO]
  Is there an incident response process which reflects the classification and severity of information security incidents?
A.16.1.6 Learning from information security incidents [CISO]
  Is there a process or framework which allows the organisation to learn from information security incidents and reduce the impact / probability of future events?
A.16.1.7 Collection of evidence [CISO]
  1. Is there a forensic readiness policy?
  2. In the event of an information security incident, is relevant data collected in a manner which allows it to be used as evidence?

A.17 Information security aspects of business continuity management
A.17.1 Information security continuity
A.17.1.1 Planning information security continuity [IT Ops]
  Is information security included in the organisation's continuity plans?
A.17.1.2 Implementing information security continuity [IT Ops]
  Does the organisation's information security function have documented, implemented and maintained processes to maintain continuity of service during an adverse situation?
A.17.1.3 Verify, review and evaluate information security continuity [IT Ops]
  Are continuity plans validated and verified at regular intervals?
A.17.2 Redundancies
A.17.2.1 Availability of information processing facilities [IT Ops]
  Do information processing facilities have sufficient redundancy to meet the organisation's availability requirements?

A.18 Compliance
A.18.1 Compliance with legal and contractual requirements
A.18.1.1 Identification of applicable legislation and contractual requirements [CISO]
  1. Has the organisation identified and documented all relevant legislative, regulatory or contractual requirements related to security?
  2. Is compliance documented?
A.18.1.2 Intellectual property rights [IT Ops]
  1. Does the organisation keep a record of all intellectual property rights and use of proprietary software products?
  2. Does the organisation monitor for the use of unlicensed software?
A.18.1.3 Protection of records [IT Ops]
  Are records protected from loss, destruction, falsification and unauthorised access or release in accordance with legislative, regulatory, contractual and business requirements?
A.18.1.4 Privacy and protection of personally identifiable information [HR]
  1. Is personal data identified and appropriately classified?
  2. Is personal data protected in accordance with relevant legislation?
A.18.1.5 Regulation of cryptographic controls [IT Ops]
  Are cryptographic controls protected in accordance with all relevant agreements, legislation and regulations?
A.18.2 Information security reviews
A.18.2.1 Independent review of information security [CISO]
  1. Is the organisation's approach to managing information security subject to regular independent review?
  2. Is the implementation of security controls subject to regular independent review?
A.18.2.2 Compliance with security policies and standards [CISO]
  1. Does the organisation instruct managers to regularly review compliance with policy and procedures within their area of responsibility?
  2. Are records of these reviews maintained?
A.18.2.3 Technical compliance review [CISO]
  Does the organisation regularly conduct technical compliance reviews of its information systems (i.e. VAPT)?

SOA ISO 27001:2013
Findings / Results | % | Target Date | Remarks / Comments

1. Yes, exists
2. Approved by mgmt
3. In progress
Compliance: 90%
Remarks: Org announcements by IT Ops

1. Yes
2. Yes
3. Yes
Compliance: 100%
Remarks: Since established on 5th Aug 23, reviews have not been observed as on Dec-23

1. Policy to be created to review the JDs on a defined time-frame
2. Roles are defined but need to be updated across the various departments, on a quarterly basis
3. Update & review org. chart
Compliance: 40%

1. Policy document needs to be updated to accommodate the finding below.
2. In place for staff except for HR, Admin, IT Ops & Production accessible portals
Compliance: 80%

1. Contact with authorities not available & policy documentation needs to be in place
Compliance: 40%

1. Admin needs to maintain the history of the list of vendors in a system/tracker
2. And needs to evidence whether its subsequent contracts are in place or not
Compliance: 40%

No such process being followed
Compliance: 25%
Remarks: Mgmt to advise on next steps, whether an internal audit is to be performed or not.

1. Policy needs to be created
2. Depends on point # 1
3.
Compliance: 40%
Remarks: To be discussed with mgmt

Not in use
Compliance: 100%

0. BGV policy & procedures to be created
1. BGVs for all employees, consultants and trainees to be collected and submitted for mgmt approval
2. Needs to carry out BGVs for all candidates
3. Needs to be created
4. Needs to be vetted
Compliance: 50%
Yes, but no policy/process document in place
Compliance: 50%

Yes, but no policy/process document in place
Compliance: 50%

1. Not evidenced for newly joined staff: Tulsi, Mahesh
2. ISMS awareness training needs to be provided
Compliance: 50%
Remarks: This shall be done by the consultant

Yes, but no policy/process document in place
Compliance: 50%

Yes, but no policy/process document in place
Compliance: 50%
1. In place
Compliance: 100%

1. In place
Compliance: 100%

Policy, practice and awareness via campaign in place
Compliance: 100%

In place
Compliance: 100%

1. Asset classification policy doc needs to be prepared
2. Furniture also needs to be maintained in the asset register
Compliance: 40%

Assets are labelled for all the laptops. Need to document the process
Compliance: 40%

In place
Compliance: 100%
1. USBs are not allowed for staff
Compliance: 100%

Need to define the SOP
Compliance: 80%

Please refer to A.8.3.1
Compliance: 100%

1. Yes
2. Yes
3. Needs to be created
4. Pending
5. Needs to have MFA
6. Super User/Admin user ids are being used in the organization
Compliance: 50%
Remarks: 3. Access Control Matrix needs to be created & maintained; 4. Auditor to send out relevant org level communication; 5. Super User ids are used in Biometric, AD, File server & all consoles

1. Yes
Compliance: 100%

Implementation is in place.
Compliance: 100%

Implementation is in place.
Compliance: 100%
Implementation is in place.
Compliance: 100%

Implementation is in place.
Compliance: 100%

Implementation is in place.
Compliance: 100%

Implementation is in place.
Compliance: 100%

1. Password policy doc in place
2. Assets have passwords in place.
3. Self-service password resets for email accounts evidenced
4. Self-service AD password resets evidenced
Compliance: 100%

1. Yes, in line with policy
Compliance: 100%

No such critical tier systems in org as on Dec-23
Compliance: 100%

In place
Compliance: 100%
1. Policy needs to be created as to which software is allowed within the organization.
2. Reviews at regular intervals not in practice, especially for resigned staff
3. Any delete actions performed need to follow the 4-eyes principle
Compliance: 50%

1. Policy doc needs to be created
2. Not in practice by IT Ops
3. Not in practice by IT Ops
Compliance: 0%

No such critical tier systems in org as on Dec-23
Compliance: 100%

No such critical tier systems in org as on Dec-23
Compliance: 100%

Yes, we have 2 security guards at the main entrance and 2 receptionists at the office entrance.
Compliance: 100%

We have Biometric enabled only for authorized persons
Compliance: 100%

Finance/Accounts, Admin Stock/Facilities, HR & Audit rooms are secured, where other employees cannot enter without authorization.
Compliance: 100%

Fire extinguishers are in place. Need to document these in the Physical security policy
Compliance: 100%
Yes, both IN and OUT are secured by Biometric access.
Compliance: 100%

Yes, in place as part of Hive administration
Compliance: 100%

Yes
Compliance: 100%

Yes (2 UPS with capacity of 20 KV and 15 KV, backup for the floor is 30 minutes; diesel generator with 265 KV of backup, 300 hours non-stop)
Compliance: 100%

All the network and power wires are secured and there is no interference among the cables.
Compliance: 100%

AMC with Hive, where Hive takes care of them. Contract with Hive to be made available
Compliance: 100%

Gate pass for controlling asset movement, and the gate pass is signed by department heads
Compliance: 100%

Not applicable, as all the assets are inside the office and no off-site requirements are needed
Compliance: 100%
1. Yearly once, scrap material is sent out.
2. Manual practice in place
Contract for e-waste supplier to be evidenced + data wiping policy needs to be in place along with a checklist as well
Compliance: 50%

No policy defined
Compliance: 90%

1. Policy document needs to be created
2. Idle time-out screen lockout
3. Not enforced via group policy
Compliance: 50%

1. Security is taken care of manually; SOP documentation needs to be created accordingly
2. To be created
3. To be created
Compliance: 50%
Remarks: P&P to be made accessible to all staff and other categorized staff

1. Policy document to be created
2. Process is being followed but documentation is not being followed
Compliance: 0%

Capacity management practice in place for non-human assets
Compliance: 100%

No test environment, mgmt to advise on this
Compliance: 0%

Wazuh agents in place for all workstations
Compliance: 100%
1. AD Server, File Server & Biometric backups not enabled and, if so, not monitored on a set frequency?
2. Yes, in line with legal framework
3. Yes
4. Needs to be tested
Compliance: 25%

1. Logs are being downloaded manually.
2. No actions are taken on the alerts/mishaps.
Compliance: 0%

Only authorized persons are allowed to login
Compliance: 100%

Not in place
Compliance: 90%

Clock synchronization in AD server not evidenced
Compliance: 0%

1. Needs to be created
2. Not in practice
3. Admin IDs are used for accessing Biometric, AD Server & File Servers
Compliance: 0%

VAPT done
Compliance: 100%

Yes, but SOP documentation needs to be in place
Compliance: 80%

1. As of date, IS is taken care of manually using spreadsheets, therefore no system in place for audits
2. Yes, policy and procedures in place
Compliance: 100%
Wazuh SOC in place, needs policy documentation
Compliance: 100%

1. Policy exists
2. Security standards clauses available in risk mgmt approach policy doc
3. Same as above
Compliance: 100%

Yes. Co. network controls are followed since the network is being shared, but no topology evidenced
Compliance: 90%

1. Needs documentation in place
2. Done
3. Yes, Wazuh SOC in place
Compliance: 80%

Policy needs to be created
Yet to collect evidence
Compliance: 50%

Policy exists; SOP needs to be created
Compliance: 100%

1. Yes, in place
2. Yes, in place
3. Yes, in place
Compliance: 100%
RHYM has an integrated platform whereby all modules developed in it are automatically secured; however, an application security specialist still performs legitimate framework-based verification to see if a newly developed module has any vulnerabilities.
Compliance: 90%
Remarks: Needs to have policy document and SOP in place

1. RHYM uses PaaS, DbaaS, IaaS, therefore these service providers are already secured as part of rendering their services.
2. MFA needs to be in place
Compliance: 100%

RHYM does not have any solution which is a huge transactional-data-oriented solution. However, RHYM uses PaaS, DbaaS & IaaS, therefore these providers have their own file logs within servers, where RHYM accesses them via administration consoles
Compliance: 100%
Remarks: Shall be deemed based on further inspections

1. Software
2. Yes
Compliance: 90%
Remarks: Needs to prepare policy doc

Yes, in place
Compliance: 90%
Remarks: Needs to prepare policy doc

PaaS is taking care of such OS level patches/upgrades
Compliance: 80%
Remarks: Need to see the alerts/notifications and perform a high level scrutiny

Practice in place
Compliance: 90%
Remarks: Needs to have policy document and SOP in place

Practice in place
Compliance: 50%
Remarks: Needs to have a policy document framing the security standards guiding a developer

Need to verify
Compliance: 30%
Remarks: Need to spend time with developers and gather information
Development is done in-house; as of now no development is being outsourced
Compliance: 100%

Application security testing results to be obtained
Compliance: 30%
Remarks: To check with Narayan/Vamsi and obtain App Sec results

Policy needs to be created
Yet to collect evidence
Compliance: 30%
Remarks: To check with Narayan/Vamsi and obtain App Sec results

Policy needs to be created
Yet to collect evidence
Compliance: 30%
Remarks: To check with Narayan/Vamsi and obtain App Sec results

1. To vet the contracts
2. To ensure this clause is part of the policy document of the 3rd party/supplier document
Compliance: 40%

Yes, in place
Compliance: 100%

Yes, in place
Compliance: 100%

3rd party supplier agreements must be maintained in a tracker
Compliance: 90%

Yes, in place
Compliance: 100%
Yes, in place
Compliance: 100%

Yes, in place
Compliance: 100%

Yes, in place
Compliance: 100%

Yes, in place
Compliance: 100%

Yes, in place
Compliance: 100%

Yes, in place
Compliance: 100%

Yes, in place
Compliance: 100%

BC plan not in place from a site perspective, but from an ISP standpoint, failover is available
Compliance: 100%

SOP needs to be prepared
Compliance: 80%

Compliance: 100%

Redundancy is not in place
Compliance: 100%

Regulations are identified, but are not documented and maintained as a list
Compliance: 50%

Yes, in place
Compliance: 100%

Wazuh SOC in place, needs policy documentation
Compliance: 100%

1. Policy and practice in place (such documents are safeguarded in locked cupboards)
2. Yes, in place
Compliance: 100%

Not applicable, as on date no such software is being used within the organization to require cryptographic measures
Compliance: 100%

Yes, in place
Compliance: 100%
Yes, in place
Compliance: 100%

VAPT once a year
Compliance: 100%