ISO/IEC 27001:2022 Transition Self-Evaluation Checklist
ISO/IEC 27001:2022
This document is intended to assist you in identifying your readiness for becoming third-party certified to the globally recognized standard ISO/IEC 27001:2022 Information Security Management System (ISMS).
When the checklist has been completed, you may contact us to organise a gap assessment or to get started on your Certification Audit.
Company Name:
Completed by:
Risk Assessment
• Have we conducted a risk assessment to identify the risks and threats to our information assets?
• Have we identified the impact of potential information security incidents on our business operations and reputation?
• Have we identified the risk owners and their responsibilities for managing risks?
• Do we have a risk treatment plan that outlines the measures to be taken to mitigate identified risks?
ISMS Implementation
• Have we identified the information assets that we need to protect?
• Have we established information security objectives and defined metrics to measure their effectiveness?
• Have we defined roles and responsibilities for all personnel involved in the ISMS implementation?
• Have we established procedures for incident management and reporting?
• Have we established access controls and defined procedures for granting and revoking access to information assets?
• Have we established procedures for managing third-party service providers and their access to our information assets?
• Have we established procedures for managing the physical security of our information assets, including the protection of devices and media containing sensitive information?
• Have we implemented procedures for monitoring and detecting security incidents and breaches?
• Have we established procedures for managing and reporting security incidents and breaches?
ISMS Maintenance
• Do we regularly review and update our Information Security Policy, risk assessments, and risk treatment plan?
• Do we conduct regular internal audits of our ISMS to ensure compliance with ISO 27001 and our own policies and procedures?
• Do we conduct regular management reviews of the ISMS to ensure its effectiveness and suitability for our organization?
• Do we continually improve our ISMS by identifying areas for improvement and implementing corrective actions?
Leadership
Requirement | Your organization | Document ref.

5.1 Top management shall demonstrate leadership and commitment with respect to the ISMS
• Management provides formal support for the implementation and operation of the ISMS
• IS policy and the IS objectives are established
• Integration of the ISMS requirements into processes
• Communication regarding the ISMS and of conforming to its requirements
• Resources are available

5.2 ISMS Policy
Our ISMS Policy:
• Is appropriate & includes objectives
• Includes commitment to requirements
• Includes commitment to continual improvement
• Is documented
• Is communicated
• Is available

5.3 Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization
Responsibility and authority are assigned for:
• Ensuring that the ISMS conforms to the requirements of the standard
• Reporting on the performance of the ISMS to top management
Risk Assessment
• Is defined and documented
• Includes business IS requirements
• Includes legal and statutory requirements
• Includes criteria for risk acceptance and acceptable levels of risk
• Identifies the organisation's risks and risk owners
• Identifies impacts on confidentiality, integrity and availability
• Risks are analysed and evaluated
• Realistic likelihood of IS failures has been studied
• Risks have been accepted or mitigated as per the defined methodology

Risk Treatment
• Is defined and documented
• Risk treatment options are selected
• Controls are determined
• Includes controls from Annex A and a verification that no necessary controls are omitted

Statement of Applicability
• Is defined and documented
• Contains controls and the justification for inclusion and exclusion of these
• Contains the status of selected controls
• Contains a formulated risk treatment plan, the risk owner, and the owner's approval of the risk treatment plan and acceptance of residual risk

6.2 The organization shall establish IS objectives at relevant functions and levels
Objectives are:
• Consistent with the IS Policy
• Measurable
• Taking IS requirements and results from risk assessment/treatment into account
• Monitored
• Communicated
• Documented
• Planned to be achieved

6.3 Planning of changes
• When there is a need for changes to the ISMS, the changes are carried out in a planned manner
Operation
Requirement | Your organization | Document ref.

8.1 The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6
• Documented information is available to the extent necessary to have confidence that the processes have been carried out as planned
• Planned changes are controlled and the consequences of unintended changes are reviewed
• Externally provided processes, products or services that are relevant to the ISMS are controlled

8.2 IS risk assessment
• Risk assessment is performed at planned intervals
• Risk assessment is performed when there are significant changes
• Is documented

8.3 IS risk treatment
• Risk treatment plan is implemented
• Results are documented
Improvement
Requirement | Your organization | Document ref.

10.2 Nonconformity and corrective action
• NCs are actioned and corrected
• Potential causes of NCs are identified and eliminated
• Effectiveness of CAs is evaluated
• Are documented
*Note: ISO 27001 documents or records required by Annex A controls are mandatory only if there are risks or
requirements from interested parties that would demand implementing those controls.
ISO 27001 records that are mandatory
• Trainings, skills, experience, and qualifications (Clause 7.2)
• Monitoring and measurement results (9.1)
• Internal audit program (9.2)
• Results of internal audits (9.2)
• Results of the management review (9.3)
• Results of corrective actions (10.2)
• Logs of user activities, exceptions, and security events (A.8.15*)
4.2 Understanding the needs and expectations of interested parties [Y]
ISO/IEC 27001:2013 text:
The organization shall determine:
a. interested parties that are relevant to the information security management system; and
b. the requirements of these interested parties relevant to information security
ISO/IEC 27001:2022 text:
The organization shall determine:
a. interested parties that are relevant to the information security management system;
b. the relevant requirements of these interested parties;
c. which of these requirements will be addressed through the information security management system.
4.3 Determining the scope of the information security management system [N]
ISO/IEC 27001:2013 text:
The organization shall determine the boundaries and applicability of the information security management system to establish its scope.
When determining this scope, the organization shall consider:
a. the external and internal issues referred to in 4.1;
b. the requirements referred to in 4.2; and
c. interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.
d. The scope shall be available as documented information.
ISO/IEC 27001:2022 text:
The organization shall determine the boundaries and applicability of the information security management system to establish its scope.
When determining this scope, the organization shall consider:
a. the external and internal issues referred to in 4.1;
b. the requirements referred to in 4.2;
c. interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.
d. The scope shall be available as documented information.
5.3 Organizational roles, responsibilities and authorities [N]
ISO/IEC 27001:2013 text:
Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.
Top management shall assign the responsibility and authority for:
a. ensuring that the information security management system conforms to the requirements of this International Standard; and
b. reporting on the performance of the information security management system to top management.
ISO/IEC 27001:2022 text:
Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization.
Top management shall assign the responsibility and authority for:
a. ensuring that the information security management system conforms to the requirements of this document;
b. reporting on the performance of the information security management system to top management.
6.2 Information security objectives and planning to achieve them [Y]
ISO/IEC 27001:2013 text:
The organization shall establish information security objectives at relevant functions and levels.
The information security objectives shall:
a. be consistent with the information security policy;
b. be measurable (if practicable);
c. take into account applicable information security requirements, and results from risk assessment and risk treatment;
d. be communicated; and
e. be updated as appropriate.
f. The organization shall retain documented information on the information security objectives.
g. When planning how to achieve its information security objectives, the organization shall determine:
h. what will be done;
i. what resources will be required;
j. who will be responsible;
k. when it will be completed; and
l. how the results will be evaluated.
ISO/IEC 27001:2022 text:
The organization shall establish information security objectives at relevant functions and levels.
The information security objectives shall:
a. be consistent with the information security policy;
b. be measurable (if practicable);
c. take into account applicable information security requirements, and results from risk assessment and risk treatment;
d. be monitored;
e. be communicated;
f. be updated as appropriate;
g. be available as documented information.
The organization shall retain documented information on the information security objectives.
When planning how to achieve its information security objectives, the organization shall determine:
h. what will be done;
i. what resources will be required;
j. who will be responsible;
k. when it will be completed; and
l. how the results will be evaluated.
ISO/IEC 27001:2013 and ISO/IEC 27001:2022 text (unchanged):
For the control of documented information, the organization shall address the following activities, as applicable:
c. distribution, access, retrieval and use;
d. storage and preservation, including the preservation of legibility;
e. control of changes (e.g. version control); and
f. retention and disposition.
Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled.
9.1 Monitoring, measurement, analysis and evaluation [Y]
ISO/IEC 27001:2013 text:
The organization shall determine:
a. what needs to be monitored and measured, including information security processes and controls;
b. the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
c. when the monitoring and measuring shall be performed;
d. who shall monitor and measure;
e. when the results from monitoring and measurement shall be analysed and evaluated; and
f. who shall analyse and evaluate these results.
The organization shall retain appropriate documented information as evidence of the monitoring and measurement results.
ISO/IEC 27001:2022 text:
The organization shall determine:
a. what needs to be monitored and measured, including information security processes and controls;
b. the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid;
c. when the monitoring and measuring shall be performed;
d. who shall monitor and measure;
e. when the results from monitoring and measurement shall be analysed and evaluated;
f. who shall analyse and evaluate these results.
Documented information shall be available as evidence of the results.
The organization shall evaluate the information security performance and the effectiveness of the information security management system.
Annex A (Document ref.: See Annex A)
ISO/IEC 27001:2013 text:
The control objectives and controls listed in Table A.1 are directly derived from and aligned with those listed in ISO/IEC 27002:2013[1], Clauses 5 to 18 and are to be used in context with Clause 6.1.3.
ISO/IEC 27001:2022 text:
The information security controls listed in Table A.1 are directly derived from and aligned with those listed in ISO/IEC 27002:2022[1], Clauses 5 to 8, and shall be used in context with 6.1.3.
Merged Controls
A.5 Organisational controls
A.5.1 Policies for information security
A.5.8 Information security in project management
A.5.9 Inventory of information and other associated assets
Renamed controls
A.5.16 Identity management
A.5.19 Information security in supplier relationships
A.5.20 Addressing information security within supplier agreements
A.5.21 Managing information security in the ICT supply chain
A.5.24 Information security incident management planning and preparation