Eidgenssisches Departement fr Wirtschaft, Bildung und Forschung WBF Staatssekretariat fr Wirtschaft SECO Schweizerische Akkreditierungsstelle SAS

Checkliste fr die harmonisierte Umsetzung der Anforderungen nach ISO/IEC 27001:2005 basierend auf ISO/IEC 27006:2007 fr akkreditierte ISMS-Zertifizierungsstellen
Dokument Nr. 521.dw Ausgabe Februar 2013, Rev. 01

. 521d

Seite 1 von 11 Seite 1 von 11

SAS:

Checkliste fr die harmonisierte Umsetzung der Anforderungen nach ISO/IEC 27001:2005 basierend auf ISO/IEC 27006:2007 fr akkreditierte ISMS-Zertifizierungsstellen

Zertifizierungsstelle:

Auditor(en):

Experte (n):

Datum des Audits:

521.dw, 2013-02, Rev. 01

521d

Seite 2 von 12

SAS:

Checkliste fr die harmonisierte Umsetzung der Anforderungen nach ISO/IEC 27001:2005 basierend auf ISO/IEC 27006:2007 fr akkreditierte ISMS-Zertifizierungsstellen

Purpose of this document

This document provides guidance for the review of the implementation of controls listed in ISO/IEC 27001:2005, Annex A, and the gathering of audit evidence as to their performance during the initial audit and subsequent surveillance visits. The implementation of all controls selected by the client organization for the ISMS (as per the Statement of Applicability) needs to be reviewed during stage 2 of the initial audit and during surveillance or recertification activities. The guidance table in this document classifies controls into "organizational" vs. "technical" and distinguishes whether a visual inspection or system testing is required to assess the control effectiveness.

How to use this document

Columns Organizational control and Technical control An X in the respective column indicates whether the control is an organizational or a technical control. As some controls are both organizational and technical, entries are in both columns for such controls. Evidence of the performance of organizational controls can be gathered through review of the records of performance of controls, interviews, observation and physical inspection. Evidence of the performance of technical controls can often be gathered through system testing (see below) or through use of specialized audit/reporting tools. Column System testing System testing means direct review of systems (e.g. review of system settings or configuration). The auditors questions could be answered at the system console or by evaluation of the results of testing tools. If the client organization has a computer-based tool in use that is known to the auditor, this can be used to support the audit, or the results of an evaluation performed by the client organization (or their sub-contractors) can be reviewed. We distinguish three categories for the review of technical controls: "possible": "recommended": system testing is possible for the evaluation of control effectiveness, but usually not necessary; system testing is usually necessary and should be carried out, but may be omitted if justified (the reasons for omissions should however be documented by the auditor); and system testing is mandatory.

"required":

Column Visual inspection Visual inspection means that these controls usually require a visual inspection at the location to evaluate their effectiveness. This means that it is not sufficient to review the respective documentation on paper or through interviews the auditor needs to verify the control at the location where it is implemented. Column Audit review guidance Where it might be helpful to have guidance for the audit of a particular control, the Comments column provides possible focus areas for the evaluation of the control, as further guidance for the auditor.

521.dw, 2013-02, Rev. 01

521d

Seite 3 von 12

SAS: Checkliste fr die harmonisierte Umsetzung der Anforderungen nach ISO/IEC 27001:2005 basierend auf ISO/IEC 27006:2007 fr akkreditierte ISMS-Zertifizierungsstellen

Nr.

Controls in ISO/IEC 27001:2005 Annex A

OrganizaSystem Technical tional testing control control (Console) possible recommended required

Visual inspection

Audit review guidance

A.5 A.5.1 A.5.1.1 A.5.1.2 A.6 A.6.1 A.6.1.1 A.6.1.2 A.6.1.3 A.6.1.4 A.6.1.5 A.6.1.6 A.6.1.7 A.6.1.8 A.6.2 A.6.2.1 A.6.2.2 A.6.2.3 A.7 A.7.1 A.7.1.1 A.7.1.2 A.7.1.3

Security Policy Information Security Policy Information security policy document Review of the information security policy Organization of information security Internal organization Management commitment to information security Information security co-ordination Allocation of information security responsibilities Authorization process for information processing facilities Confidentiality agreements Contact with authorities Contact with special interest groups Independent review of information security External parties Identification of risks related to external parties Addressing security when dealing with customers Addressing security in third party agreements Asset management Responsibility for assets Inventory of assets Ownership of assets Acceptable use of assets

X X

management review minutes

X X X X X X X X X X X

management meeting minutes management meeting minutes

check the inventory sample some copies from files

read the reports

test some contract conditions

X X X

identify the assets

521.dw, 2013-02, Rev. 01

521d

Seite 4 von 11

SAS: Checkliste fr die harmonisierte Umsetzung der Anforderungen nach ISO/IEC 27001:2005 basierend auf ISO/IEC 27006:2007 fr akkreditierte ISMS-Zertifizierungsstellen

Nr.

Controls in ISO/IEC 27001:2005 Annex A

OrganizaSystem Technical tional testing control control (Console) possible recommended required

Visual inspection

Audit review guidance

A.7.2 A.7.2.1 A.7.2.2 A.8 A.8.1 A.8.1.1 A.8.1.2 A.8.1.3 A.8.2 A.8.2.1 A.8.2.2 A.8.2.3 A.8.3 A.8.3.1 A.8.3.2 A.8.3.3 A.9 A.9.1 A.9.1.1 A.9.1.2 A.9.1.3 A.9.1.4 A.9.1.5 A.9.1.6

Information classification Classification guidelines Information labeling and handling Human resources security Prior to employment Roles and responsibilities Screening Terms and conditions of employment During employment Management responsibilities Information security awareness, education and training Disciplinary process Termination or change of employment Termination responsibilities Return of assets Removal of access rights Physical and environmental security Secure areas Physical security perimeter Physical entry controls Securing offices, rooms and facilities Protecting against external and environmental threats Working in secure areas Public access, delivery and loading areas

X X naming: Directories, files, printed reports, recorded media (e.g. tapes, disks, CDs), electronic messages and file transfers.

X X X X X X X X X ask staff if they are aware of specific things they should be aware of

recommended

X X X X X X

possible

X X X X X

archiving of access records

521.dw, 2013-02, Rev. 01

521d

Seite 5 von 11

SAS: Checkliste fr die harmonisierte Umsetzung der Anforderungen nach ISO/IEC 27001:2005 basierend auf ISO/IEC 27006:2007 fr akkreditierte ISMS-Zertifizierungsstellen

Nr.

Controls in ISO/IEC 27001:2005 Annex A

OrganizaSystem Technical tional testing control control (Console) possible recommended required

Visual inspection

Audit review guidance

A.9.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.5 A.9.2.6 A.9.2.7 A.10 A.10.1 A.10.1.1 A.10.1.2 A.10.1.3 A.10.1.4 A.10.2 A.10.2.1 A.10.2.2 A.10.2.3 A.10.3 A.10.3.1 A.10.3.2 A.10.4 A.10.4.1 A.10.4.2 A.10.5 A.10.5.1

Equipment security Equipment siting and protection Supporting utilities Cabling security Equipment maintenance Security of equipment off premises Secure disposal or re-use of equipment Removal of property Communications and operations management Operational procedures and responsibilities Documented operating procedures Change management Segregation of duties Separation of development, test and operational facilities Third party service delivery management Service delivery Monitoring and review of third party services Managing changes to third party services System planning and acceptance Capacity management System acceptance Protection against malicious and mobile code Controls against malicious code Controls against mobile code Back -up Information back-up

X X X X X X X

possible possible

X X X portable device encryption X

X X

possible possible

X X X X

recommended

possible

X X X X X X X X

possible

possible

X X X
521d

required possible recommended

sample of servers, desktops, gateways active content try a recovery

Seite 6 von 11

521.dw, 2013-02, Rev. 01

SAS: Checkliste fr die harmonisierte Umsetzung der Anforderungen nach ISO/IEC 27001:2005 basierend auf ISO/IEC 27006:2007 fr akkreditierte ISMS-Zertifizierungsstellen

Nr.

Controls in ISO/IEC 27001:2005 Annex A

OrganizaSystem Technical tional testing control control (Console) possible recommended required

Visual inspection

Audit review guidance

A.10.6 A.10.6.1 A.10.6.2 A.10.7 A.10.7.1 A.10.7.2 A.10.7.3 A.10.7.4 A.10.8 A.10.8.1 A.10.8.2 A.10.8.3 A.10.8.4 A.10.8.5 A.10.9 A.10.9.1 A.10.9.2 A.10.9.3 A.10.10 A.10.10.1 A.10.10.2 A.10.10.3 A.10.10.4 A.10.10.5 A.10.10.6

Network security management Network controls Security of network services Media handling Management of removable media Disposal of media Information handling procedures Security of system documentation Exchange of information Information exchange policies and procedures Exchange agreements Physical media in transit Electronic messaging Business information systems Electronic commerce services Electronic commerce On-line transactions Publicly available information Monitoring Audit logging Monitoring system use Protection of log information Administrator and operator logs Fault logging Clock synchronization

X X X X X X X X X X X X X X X X X X X

possible SLAs, security features

possible

possible

X X

possible possible

encryption or physical protection confirm sample messages conform to policy/procedures

X X X X X X X X

possible recommended possible possible possible possible possible possible

check: integrity, access authorization

on-line or printed

time restricted authentication methods

521.dw, 2013-02, Rev. 01

521d

Seite 7 von 11

SAS: Checkliste fr die harmonisierte Umsetzung der Anforderungen nach ISO/IEC 27001:2005 basierend auf ISO/IEC 27006:2007 fr akkreditierte ISMS-Zertifizierungsstellen

Nr.

Controls in ISO/IEC 27001:2005 Annex A

OrganizaSystem Technical tional testing control control (Console) possible recommended required

Visual inspection

Audit review guidance

A.11 A.11.1 A.11.1.1 A.11.2 A.11.2.1 A.11.2.2 A.11.2.3 A.11.2.4 A.11.3 A.11.3.1 A.11.3.2 A.11.3.3 A.11.4 A.11.4.1 A.11.4.2 A.11.4.3 A.11.4.4 A.11.4.5 A.11.4.6 A.11.4.7 A.11.5 A.11.5.1 A.11.5.2 A.11.5.3 A.11.5.4

Access control Business requirement for access control Access control policy User access management User registration Privilege management User password management Review of user access rights User responsibilities Password use Unattended user equipment Clear desk and clear screen policy Network access control Policy on use of network services User authentication for external connections Equipment identification in networks Remote diagnostic and configuration port protection Segregation in networks Network connection control Network routing control Operating system access control Secure log-on procedures User identification and authentication Password management system Use of system utilities

X X X X X X X X X X X possible sample employees/contractors to authorizations for all access rights to all systems internal transfer of staff

verify guidelines/policy in place for users verify guidelines/policy in place for users X

X X X X X X

required recommended possible recommended required network diagrams: WAN, LAN, VLAN, VPN, network objects, network segments (e.g. DMZ) shared networks not very common Firewalls, Routers/Switches: Rulebase, ACLs, Routing, Access Control Policies

X X X

X X X X

X X X X
521d

recommended recommended recommended recommended

Seite 8 von 11

521.dw, 2013-02, Rev. 01

SAS: Checkliste fr die harmonisierte Umsetzung der Anforderungen nach ISO/IEC 27001:2005 basierend auf ISO/IEC 27006:2007 fr akkreditierte ISMS-Zertifizierungsstellen

Nr.

Controls in ISO/IEC 27001:2005 Annex A

OrganizaSystem Technical tional testing control control (Console) possible recommended required

Visual inspection

Audit review guidance

A.11.5.5 A.11.5.6 A.11.6 A.11.6.1 A.11.6.2 A.11.7 A.11.7.1 A.11.7.2 A.12 A.12.1 A.12.1.1 A.12.2 A.12.2.1

Session time-out Limitation of connection time Application and information access control Information access restriction Sensitive system isolation Mobile computing and teleworking Mobile computing and communications Teleworking Information systems acquisition, development and maintenance Security requirements of information systems Security requirements analysis and specification Correct processing in applications Input data validation

X X X X X X

X X X X X X

possible possible required possible possible possible

X X system settings and configurations

X software development guidelines, SW testing; confirm in sample business applications that controls required by the users exist in practice software development guidelines, SW testing; confirm in sample business applications that controls required by the users exist in practice software development guidelines, SW testing; confirm in sample business applications that controls required by the users exist in practice also check implementation of policy where appropriate

recommended

A.12.2.2 A.12.2.3 A.12.2.4 A.12.3 A.12.3.1 A.12.3.2 A.12.4 A.12.4.1

Control of internal processing Message integrity Output data validation Cryptographic controls Policy on the use of cryptographic controls Key management Security of system files Control of operational software

X X

possible possible possible

X X X

X X X
521d

possible required possible

521.dw, 2013-02, Rev. 01

Seite 9 von 11

SAS: Checkliste fr die harmonisierte Umsetzung der Anforderungen nach ISO/IEC 27001:2005 basierend auf ISO/IEC 27006:2007 fr akkreditierte ISMS-Zertifizierungsstellen

Nr.

Controls in ISO/IEC 27001:2005 Annex A

OrganizaSystem Technical tional testing control control (Console) possible recommended required

Visual inspection

Audit review guidance

A.12.4.2 A.12.4.3 A.12.5 A.12.5.1 A.12.5.2 A.12.5.3 A.12.5.4 A.12.5.5 A.12.6 A.12.6.1 A.13 A.13.1 A.13.1.1 A.13.1.2 A.13.2 A.13.2.1 A.13.2.2 A.13.2.3 A.14 A.14.1 A.14.1.1 A.14.1.2

Protection of system test data Access control to program source code Security in development and support processes Change control procedures Technical review of applications after operating system changes Restrictions on changes to software packages Information leakage Outsourced software development Technical Vulnerability Management Control of technical vulnerabilities Information security incident management Reporting information security events and weaknesses Reporting information security events Reporting security weaknesses Management of information security incidents and improvements Responsibilities and procedures Learning from information security incidents Collection of evidence Business continuity management Information security aspects of business continuity management Including information security in the business continuity management process Business continuity and risk assessment

X X X X X X X X

X X

possible recommended

possible

unknown services

required

patch distribution

X X

X X X

X X

521.dw, 2013-02, Rev. 01

521d

Seite 10 von 11

SAS: Checkliste fr die harmonisierte Umsetzung der Anforderungen nach ISO/IEC 27001:2005 basierend auf ISO/IEC 27006:2007 fr akkreditierte ISMS-Zertifizierungsstellen

Nr.

Controls in ISO/IEC 27001:2005 Annex A

OrganizaSystem Technical tional testing control control (Console) possible recommended required

Visual inspection

Audit review guidance

A.14.1.3 A.14.1.4 A.14.1.5 A.15 A.15.1 A.15.1.1 A.15.1.2 A.15.1.3 A.15.1.4 A.15.1.5 A.15.1.6 A.15.2 A.15.2.1 A.15.2.2 A.15.3 A.15.3.1 A.15.3.2

Developing and implementing continuity plans including information security Business continuity planning framework Testing maintaining and reassessing business continuity plans Compliance Compliance with legal requirements Identification of applicable legislation Intellectual property rights (IPR) Protection of organizational records Data protection and privacy of personal information Prevention of misuse of information processing facilities Regulation of cryptographic controls Compliance with security policies and standards, and technical compliance Compliance with security policies and standards Technical compliance checking Information systems audit considerations Information systems audit controls Protection of information systems audit tools

X X X

possible

DR-Site inspection, distance of DR-site according to risk assessment and applicable legal/regulatory requirements

X X X X X X

X X

possible possible

X X X X

assess process and follow-up

possible

521.dw, 2013-02, Rev. 01

521d

Seite 11 von 11