Client Name
*
First Name
Last Name
Email
*
1.) Interested parties relevant to the ISMS have been identified, together with their relevant requirements and which of those requirements will be addressed through the ISMS
Phase: Identify
Clause(s) 4.2 a), b), c)
New Requirement: A more explicit requirement for validating that interested parties, their needs and expectations relevant to the ISMS have been identified.
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
2.) Has planning for the ISMS determined the organizational processes needed and their interactions with the ISMS (process approach)?
Phase: Identify
Clause(s) 4.4
New Requirement: New explicit requirement for the adoption of a process approach
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
3.) Executive management has established and supported a way for communicating responsibilities and authorities for roles relevant to IS within the organization?
Phase: Action
Clause(s) 5.3
New Requirement: Explicit requirement for top management to ensure that IS roles, responsibilities and authorities are communicated within the organization.
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
4.) Information security objectives are established and monitored, with responsibility for them assigned
Phase: Assess
Clause(s) 6.2.d)
New Requirement: IS objectives are to be monitored.
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
5.) There is an established process for managing changes to the ISMS and these changes are authorised
Phase: Plan
Clause(s) 6.3
New Requirement: Changes to the ISMS are to be carried out in a planned manner.
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
6.) Are the needs and expectations of interested parties relevant to the ISMS reviewed during the management review?
Phase: Action
Clause(s) 9.3.2.c)
New Requirement: Changes in the needs and expectations of interested parties are to be addressed during management review.
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
7.) Threat intelligence requirements have been identified based on a risk assessment of information, information storage and information processing assets: what threat information is received, from which sources, who analyses it, and how it is used
Phase: Plan
Clause(s) 5.7
Threat intelligence
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
8.) Cloud service assessments are made based on organizational requirements, determining which service model is best suited. It is known what controls are in place to monitor the performance and effectiveness of the cloud service provider (CSP). The service lifecycle, including exit and deregistration, is taken into account through a defined process.
Phase: Plan
Clause(s) 5.23
Security considerations and controls for cloud services.
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
9.) Business continuity plans include requirements to ensure the confidentiality, integrity and availability (CIA) of information during disruption. IT requirements for business continuity are tested. RTOs and RPOs for IT in business continuity situations are established and documented.
Phase: Plan
Clause(s) 5.30
Business continuity and IT readiness
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
10.) Physical premises are continuously monitored for unauthorised access
Phase: Action
Clause(s) 7.4
Physical security monitoring
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
11.) A process for configuring and hardening systems is in place. Is it ensured that this process is followed, and that system configuration is monitored and reviewed against the agreed baseline?
Phase: Action
Clause(s) 8.9
Configuration management
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
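One form of evidence an assessor can ask for under control 8.9 is a repeatable check that the deployed configuration still matches the hardening baseline, plus a record of what was reviewed. The script below is an added illustration and is not part of this checklist or of any ISO text: it parses a constructed sshd_config fragment, compares it against a hypothetical baseline of acceptable values, reports drift (missing or out-of-policy directives), and fingerprints the effective configuration so the review can be tied to a specific state. The baseline values and the sample config are assumptions chosen for the example.

```python
import hashlib
import re

# Hypothetical hardening baseline: directive -> acceptable values.
# Keys are compared case-insensitively, as sshd itself does.
BASELINE = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "X11Forwarding": {"no"},
    "MaxAuthTries": {"3", "4"},
    "LogLevel": {"VERBOSE"},
}

# Constructed sample config with deliberate drift (root login enabled,
# password authentication not set, log level too low).
SAMPLE_CONFIG = """\
# managed by config tool
PermitRootLogin yes
X11Forwarding no
MaxAuthTries 3   # trailing comment
LogLevel INFO
PermitRootLogin no   # later duplicate: sshd keeps the FIRST value
"""


def effective_lines(text):
    """Comment-stripped, whitespace-normalised lines in file order."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(" ".join(line.split()))
    return out


def parse_sshd_config(text):
    """Return {directive_lowercase: value}, keeping the first occurrence.

    sshd applies the first obtained value for each keyword, so a later
    duplicate must not override an earlier one. Match blocks are not
    modelled here (assumption: global section only).
    """
    settings = {}
    for line in effective_lines(text):
        m = re.match(r"^(\S+)\s*=?\s*(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        settings.setdefault(key, value)
    return settings


def check_drift(settings, baseline=BASELINE):
    """Return a list of (directive, actual_or_'missing', sorted allowed)."""
    findings = []
    for key, allowed in baseline.items():
        actual = settings.get(key.lower())
        if actual is None:
            findings.append((key, "missing", sorted(allowed)))
        elif actual not in allowed:
            findings.append((key, actual, sorted(allowed)))
    return findings


def config_fingerprint(text):
    """SHA-256 over the effective config, so a review record can name
    exactly which configuration state was assessed."""
    normalised = "\n".join(effective_lines(text)).encode()
    return hashlib.sha256(normalised).hexdigest()


def review(text, baseline=BASELINE):
    """Run the full check and return a structured result for the audit record."""
    findings = check_drift(parse_sshd_config(text), baseline)
    return {
        "fingerprint": config_fingerprint(text),
        "compliant": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    result = review(SAMPLE_CONFIG)
    print("config fingerprint:", result["fingerprint"])
    for key, actual, allowed in result["findings"]:
        print(f"DRIFT {key}: got {actual!r}, expected one of {allowed}")
```

The fingerprint is taken over the comment-stripped, whitespace-normalised content, so a cosmetic edit to a comment does not produce a new state, while any change to an effective directive does. Drift findings are returned as data rather than only printed, so the same function can feed a ticketing or evidence-collection pipeline.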
12.) Information is identified and rules are established governing data retention and deletion. When information is no longer required it is deleted from information systems, devices or other storage media.
Phase: Plan, Action
Clause(s) 8.10
Information deletion
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
13.) Sensitive data has been identified and rules established governing the need to mask it. Access to raw, sensitive data is controlled. There is a process for masking data. Applicable legislation regarding data and data masking has been identified.
Phase: Plan, Action
Clause(s) 8.11
Data masking
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
14.) Sensitive information is identified, whether stored, processed and/or transmitted. The systems, applications and tools used to store, process and/or transmit this sensitive information are identified. Data leakage risks are assessed. There are processes and tools in place to prevent data leakage.
Phase: Action
Clause(s) 8.12
Data leakage prevention
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
15.) Networks, systems and applications are monitored for anomalous behaviour. Upon detection, the anomalous behaviour is evaluated and reported.
Phase: Action, Plan
Clause(s) 8.16
Monitoring activities
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
16.) Access to external websites is managed to reduce exposure to malicious content. Employees are aware of the information security risks that unmanaged web browsing poses.
Phase: Action
Clause(s) 8.23
Web filtering
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
17.) Secure coding principles and practices are implemented. The competence of developers is assessed.
Phase: Plan
Clause(s) 8.28
Secure coding
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
18.) No change: external and internal issues that are relevant to the organization's purpose and that affect the ISMS are identified
4.1 Understanding the organization and its context
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
19.) External and internal issues and interested parties are identified. Interfaces and dependencies are identified and considered
4.3 Determining the scope of the ISMS
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
20.) Can top management demonstrate their leadership and commitment to the ISMS?
5.1 Leadership and commitment
How has it been demonstrated that the requirements of this clause are met?
Yes
No
Comments if required
21.) Is an information security policy available and appropriate to the purpose and context of the organization and does it support the strategic direction of the company?
5.2 Policy
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
22.) 6.1.2: There is a risk assessment process, and risk assessments of information and of information storage and processing assets are carried out. 6.1.3: Has a Statement of Applicability (SoA) been created, and is it aligned to the new control groups and numbering? Is the SoA version-controlled and dated?
6.1 Actions to address risks and opportunities
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
23.) Have the resources needed for the ISMS been identified and provided?
7.1 Resources
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
24.) 7.4 d): Has it been determined how communication about the ISMS is carried out?
7.4 Communication
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
25.) Have criteria been set for the processes needed to meet the requirements of Clause 6, and is control of those processes implemented in accordance with the criteria? These processes and controls are documented.
8.1 Operational planning and control
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
26.) Monitoring and measurement produce valid, comparable and reproducible results. The information security performance and the effectiveness of the ISMS must also be evaluated.
9.1 Monitoring, measurement, analysis and evaluation
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
27.) Now split into sub-clauses, with no significant change to the requirements.
9.2 Internal audit
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
28.) Merging of 5.1.1 and 5.1.2 – no big change.
5.1 Policies for information security
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
29.) Merging of 6.1.5 and 14.1.1 - more detailed requirement added.
5.8 Information security in project management
How has it been demonstrated that the requirements of this clause are met?
Yes
No
Comments if required
30.) Merging of 8.1.1 and 8.1.2 - No big change.
5.9 Inventory of information and other associated assets
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
31.) Merging of 8.1.3 and 8.2.3 – emphasis on procedures for handling information and other associated assets.
5.10 Acceptable use of information and other associated assets
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
32.) Merging of 13.2.1, 13.2.2 and 13.2.3 – the update introduces 'transfer facilities'.
5.14 Information transfer
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
33.) Merging of 9.1.1 and 9.1.2 - no need for an Access Control Policy, but rules governing access must be established and implemented.
5.15 Access control
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
34.) 9.2.1 – Now explicitly covers the full lifecycle of identities, including registration, de-registration and change.
5.16 Identity management
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
35.) Merging of 9.2.4, 9.3.1 and 9.4.3 – includes guidance on how personnel handle authentication information.
5.17 Authentication information
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
36.) Merging 9.2.2, 9.2.5, 9.2.6 – No big change.
5.18 Access rights
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
37.) 15.1.1 – Centers on the organization’s use of suppliers’ products/services and access to organizational assets including information.
5.19 Information security in supplier relationships
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
38.) Merging of 15.2.1 and 15.2.2 – No big change.
5.22 Monitoring, review and change management of supplier services
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
39.) 16.1.6 – Focus is now on enhancing and optimizing IS controls.
5.27 Learning from information security incidents
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
40.) Merging of 17.1.1, 17.1.2, 17.1.3 – Clarifies previous requirements.
5.29 Information security during disruption
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
41.) Merging of 18.1.1 and 18.1.5 – No big change.
5.31 Legal, statutory, regulatory and contractual requirements
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
42.) Merging of 18.2.2 and 18.2.3 – No big change.
5.36 Compliance with policies, rules and standards for information security
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
43.) 7.2.3 – Emphasis on IS violation and not just breach.
6.4 Disciplinary process
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
44.) 13.2.4 – It is required that NDAs and confidentiality agreements (CAs) are signed.
6.6 Confidentiality or non-disclosure agreements (NDAs)
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
45.) 6.2.2 – Focus is now on remote working in general rather than teleworking.
6.7 Remote working
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
46.) 16.1.2 and 16.1.3 – No difference between events and weaknesses - events either observed or suspected are reported.
6.8 Information security event reporting
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
47.) Merging of 11.1.2 and 11.1.6 – No big change.
7.2 Physical entry
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
48.) 8.3.1, 8.3.2, 8.3.3, 11.2.5 – Lifecycle management of storage media must be introduced.
7.10 Storage media
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
49.) 11.2.3 – Cables carrying only power (not data) are now also mentioned.
7.12 Cabling security
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
50.) 11.2.8 – The emphasis is now on protection of information accessible from the user endpoint.
8.1 User end point devices
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
51.) 9.4.5 – Includes development tools and software/coding libraries.
8.4 Access to source code
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
52.) Merging of 12.4.1, 12.4.2, 12.4.3 – No big change.
8.15 Logging
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
53.) Merging of 10.1.1 and 10.1.2 – No big change.
8.24 Use of cryptography
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
54.) Merging of 14.1.2 and 14.1.3 – Simplification of the existing controls.
8.26 Application security requirements
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
55.) 14.2.5 – Introduces the requirement for secure system architecture.
8.27 Secure system architecture and engineering principles
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
56.) Merging of 14.2.8 and 14.2.9 – No big change.
8.29 Security testing in development and acceptance
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
57.) 12.1.2, 14.2.2, 14.2.3, 14.2.4 – The combined control is less prescriptive than the originals.
8.32 Change management
How has it been demonstrated that this clause is met?
Yes
No
Comments if required
Areas for further investigation: