ISMS AUDIT CHECKLIST

Transcription

1 4.1 REQUIREMENT REFER TO BS ISO / IEC : 2005 Has the organisation developed a documented ISMS based on the PDCA model? Checked at Stage 1 for development and Stage 2/surveillance for implementation, maintenance and improvement Stage 1 Stage 2/ Surv. Comment/ Report Ref. Is it implemented, monitored and continuously improved? Has the organisation: a) defined the scope of the ISMS? b) defined an ISMS policy that: 1) includes a framework for objectives? 2) takes account of business, legal and contractual security obligations? 3) aligns with the organization / risk management for ISMS? 4) establishes criteria for risk evaluation and risk assessment? 5) has been approved by management? c) identified a suitable risk assessment method? develop criteria for accepting risk and identifying acceptable levels of risk? d) identified the: 1) assets within the ISMS Scope and their owners? 2) threats to these assets? 3) vulnerabilities from the threats? 4) impacts on the assets? e) analysed and evaluated the: 1) potential harm from a security failure? 2) likelihood of a security failure occurring? 3) estimated the levels of risks? 4) determined if the risk is acceptable using the method in (c)? f) identified and evaluated risk treatment options? g) selected control objectives and controls for the treatment of risks? Form F252 (ISMS)/Rev 3 (Revised 30 October 2006) Page 1 of 9

2 h) obtained management approval of residual risks and operation of the ISMS? i) obtained management authorization to implement and maintain the ISMS? j) prepared a documented Statement of Applicability with reasons for selection of control objectives and controls? and those controls and objectives currently implemented? Has the organisation: a) formulated a risk treatment plan? b) implemented the risk treatment plan? c) implemented selected controls? d) defined measurement effectiveness of selected controls? e) managed its operations? f) managed its resources? g) implemented procedures for detection and response to security incidents? Does the organisation: a) use monitoring procedures and controls to promptly: 1) detect errors in processing? 2) identify both failed and successful security breaches and incidents? 3) enable management to determine whether security activities are performing as expected? 4) introduced indicators to help prevent security incidents? 5) determined the effectiveness of any actions taken? b) undertake regular reviews of the ISMS? c) measure the effectiveness of controls? d) review the level of residual risk? Does the review take into account changes to: Form F252 (ISMS)/Rev 3 (Revised 30 October 2006) Page 2 of 9

3 1) the organisation? 2) technology? 3) business objectives and processes? 4) identified threats? 5) effectiveness of the implemented controls? 6) external events including regulatory and social climate? e) conduct internal ISMS audits at planned intervals? f) undertake a management review of the ISMS at least annually? Are management review improvement decisions and change requirements promptly implemented? g) update security plans following monitoring and reviewing activities? h) record events that could impact on the ISMS? Does the organisation:- a) implement identified ISMS improvements? b) take appropriate corrective and preventive actions? Does this include applying lessons from other organisations? c) communicate actions and improvements and agree to all interested parties? and on how to proceed? d) ensure that improvements achieve objectives? Does the ISMS documentation include:- a) statements of the security policy and control objectives? b) the scope of the ISMS? c) procedures and controls? d) a description of the risk assessment methodology? Form F252 (ISMS)/Rev 3 (Revised 30 October 2006) Page 3 of 9

4 e) risk assessment report? f) the risk treatment plan? g) procedures for effective planning, operation, control and measurement of the ISMS? h) records required by this standard? i) statement of applicability? Is documentation made available as required by the ISMS policy? Are documents required by the ISMS protected and controlled? Is there a documented procedure to:- a) approve documents prior to issue? b) review, update and re-approve documents? c) identify changes to documents and current revision status? d) ensure latest versions of documents are available at points of use? e) ensure documents are legible and identified? f) ensure documents are transferred, stored and disposed of according to their classification? g) ensure external documents are identified? h) ensure distribution is controlled? i) prevent use of obsolete documents? j) apply identification to retained obsolete documents? Are records available to demonstrate conformity and effective operation of this ISMS? Are the records protected and controlled? Do records include relevant legal and regulatory requirements? Form F252 (ISMS)/Rev 3 (Revised 30 October 2006) Page 4 of 9

5 Are records legible, identifiable and retrievable? Are there documented controls for identification, storage, protection, retrieval, retention time and disposition? Is there a management process for determining the need for and extent of records? Are records kept of the performance of the process and security incidents? 5.1 Has management demonstrated its commitment to establishing, implementing operation, monitoring, reviewing, maintaining and improving the ISMS by:- a) establishing an IS policy? b) establishing IS plans and objectives? c) establishing IS roles and responsibilities? d) communicating IS objectives, IS policy, legal responsibilities and need for continued improvement? e) providing resources to establish, develop, implement, operate, monitor, review, maintain and improve the ISMS? f) deciding the criteria for acceptable risk? g) ensuring that internal ISMS audits are conducted? h) conducting management reviews? Has the organisation determined and provided resources to:- a) establish, implement, operate, maintain, monitor and improve the ISMS? b) ensure IS procedures support business requirements? c) identify and address legal and constant use security obligations? Form F252 (ISMS)/Rev 3 (Revised 30 October 2006) Page 5 of 9

6 d) maintain security by correct application of controls? e) carry out reviews and react to results? f) improve ISMS effectiveness? _ Does the organisation ensure that all personnel with assigned ISMS responsibilities are competent to perform their tasks, by:- a) determining competences needed? b) providing training and employing competent personnel? c) evaluating the effectiveness of training provided? d) maintaining records of education, training, skills, experience and qualifications? Does the organisation ensure that relevant personnel are aware of the relevance and importance of their activities? 6.0 Does the organisation conduct internal ISMS audits at planned intervals, to determine whether the control objectives, controls, processes and procedures: a) conform to the requirements of this standard, legislation or regulations? b) conform to the identified information security requirements? c) are effectively implemented? d) perform as expected? Is the audit programme planned on the basis of the status and importance of the processes and areas audited and results of previous audits? Are the audit criteria, scope, frequency and methods defined? Are auditors selected to ensure objectivity and impartiality including not auditing their own work? Is there a procedure for planning, conducting and Form F252 (ISMS)/Rev 3 (Revised 30 October 2006) Page 6 of 9

7 reporting audits and maintaining audit records? Are actions by management taken in a prompt manner to eliminate non-conformities and their causes? Are follow up actions verified and their effectiveness reported? 7.1 Does the organisation review the ISMS at planned intervals to ensure continuing suitability, adequacy and effectiveness? Does the review assess opportunities for improvement and the need for changes, including to policy and objectives? Are the results of reviews documented and records maintained? 7.2 Does the input to management review include:- a) results of ISMS audits and reviews? b) feedback from interested parties? c) techniques, products or procedures which could improve ISMS performance and effectiveness? d) status of preventive and corrective actions? e) vulnerabilities from risk assessment? f) results from effectiveness measurements? g) follow-up actions from previous MR? h) any changes affecting the ISMS? i) recommendations for improvement? 7.3 Does the output from management review include decisions and actions related to:- a) improvement of the effectiveness of the ISMS? b) update of the risk assessment and risk Form F252 (ISMS)/Rev 3 (Revised 30 October 2006) Page 7 of 9

8 treatment plan? c) modification of procedures that affect IS in order to respond to internal or external events as necessary, including:- 1) business requirements? 2) security requirements? 3) business processes? 4) regulatory environment? 5) contractual obligations? 6) risk and / or acceptance of risk? d) resource needs? Does the organisation continually improve the effectiveness of the ISMS through use of the ISMS policy, objectives, audit results, analysis of monitored events, corrective and preventive action and management review? Does the organisation eliminate the cause of non conformities? Does the procedure for corrective action define requirements for:- a) identifying non conformities? b) determining their cause? c) evaluating the need for actions to prevent recurrence? d) determining and implementing corrective action needed? e) recording results of action? f) reviewing corrective action? Does the organisation determine action to guard against future non conformities to prevent their occurrence? Does the procedure for preventive action define requirements for:- a) identifying potential non conformities and their cause? b) evaluating the need for action to prevent occurrence of nonconformities? c) determining and implementing preventive action needed? d) recording results of action? e) reviewing of preventive action? identifying changed risks and focusing Form F252 (ISMS)/Rev 3 (Revised 30 October 2006) Page 8 of 9

9 preventive action on those risks significantly changed? Does the organisation determine the priority for preventive action based on the results of risk assessment? Form F252 (ISMS)/Rev 3 (Revised 30 October 2006) Page 9 of 9