
ISMS Mandatory Documentation

Clause | Description | Required Doc
------ | ----------- | ------------
4.3 | Scope of the ISMS | Scope Document
5.2 | Information security policy | IS Policy Manual
6.1.2 | Information security risk assessment process | Risk Management Framework
6.1.3 | Information security risk treatment process | Risk Management Framework
6.1.3 d) | Statement of Applicability | SOA
6.2 | Information security objectives | IS Objective Plan
7.2 d) | Evidence of competence | Skill Matrix
7.5.1 b) | Documented information determined by the organization as being necessary for the effectiveness of the ISMS | MEF (Measurement of Effectiveness) Report and associated reports and records
8.1 | Operational planning and control | Measurement of Effectiveness of Controls Report
8.2 | Results of the information security risk assessments | Risk Management Report
8.3 | Results of the information security risk treatment | Risk Management Report
9.1 | Evidence of the monitoring and measurement results | (not given on the page)
9.2 g) | Evidence of the audit programme(s) and the audit results | Internal Audit Plan and Report
9.3 | Evidence of the results of management reviews | Management Review Meeting and MOM (minutes of meeting)
10.1 f) | Evidence of the nature of the nonconformities and any subsequent actions taken | Corrective Action Record
10.1 g) | Evidence of the results of any corrective action | Corrective Action Record
Measurement of Effectiveness of ISMS Controls
Measurement Process | Associated Audit, Reports or Records
------------------- | ------------------------------------
Check records for employees who have read and signed adherence to [ORGANIZATION]'s information security policy | Attendance Sheet; Email Record
Check whether the information security policy is reviewed according to the defined schedule | Document Review Report
Check the status of the risk treatment report: number of high risks mitigated / total number of high risks | Risk Management and Status Report
Check the status of the risk treatment report: number of high risks to client/customer data mitigated / total number of high risks | Risk Management and Status Report
Check the number of times the ISMF meets to review the ISMS | MRM Presentation and MOM records
Check the number of departments/systems, out of the total number of departments/systems, that maintain an inventory of all information assets | Inventory of Assets record
Check the number of times the asset inventory is reviewed and updated | Inventory of Assets record
Audit a sample of assets and check whether they are classified and labeled | Classification Audit Report
Audit a sample of assets and check whether they are kept under lock and key | Sample Audit for Assets kept under lock and key
Check with the system administrator whether access rights of users have been removed after termination of service | Access Rights Review Report
Check records for the number of employees who have read and signed the terms and conditions of employment | HR Contract Record
Check the security roles and responsibilities of the security teams | Skill Matrix; Job Descriptions for Security Teams
Check records of exit/clearance forms | Records of Clearance Forms
Check the number of attendees against the total number of employees expected at the awareness sessions | Awareness Attendance Record
Check the number of awareness emails sent out in the past 12 months | Email Records
Check the number of times fire suppression systems were tested | # of Sample Audit Records of fire suppression system tests
Review the physical and environmental training calendar/schedule | Fire Drills; BCP Testing Schedule and test results
Audit a sample of desktops and servers for the latest virus signatures | Audit Record for latest virus signatures
Check the service level agreements signed with service providers | SLA copies
Audit a sample of workstations to see whether they are in [ORGANIZATION]'s domain. Exceptions/waivers can be left out of the sample. | Inventory and Domain System report cross-check
Check the system clocks of a sample of desktops and servers | NTP sync test of a sample of physical security equipment, desktops and servers
Check the number of times user access rights are reviewed | # of Access Rights Review Reports
Audit a random number of unattended machines to ascertain how many are found unlocked | Sample Audit for unattended machines
Audit and check whether users have kept all important assets under lock and key | Sample Audit for users keeping all important assets under lock and key
Audit a sample of systems to see whether they comply with [ORGANIZATION]'s Password Policy. Exceptions/waivers can be left out of the sample. | Password Policy Audit at Domain
Audit a sample of desktops and check whether the software in use is licensed | Audit of Approved Software list against random desktops
Check the number of genuine incidents reported against the total number of incidents reported | Incident Statistics
Check the number of incidents which have been closed | # of Closed Incident Reports
Check the percentage of critical functions which have a documented BCP plan | # of BCP documents against critical processes, and test reports
Check the number of times fire drills are carried out | # of Fire Drill Records
Check the number of times BCP plans are tested | BCP Testing Record
Design an awareness questionnaire and have employees fill it in | Quiz Results
Check the percentage of systems that do not have login banners | Sample Audit of Login Banners
Check the number of times the Compliance Officer reviews departments' compliance with the security policy | Policy Compliance Review
Check the number of times VA and PT were carried out in a year | # of VA and PT carried out, and mitigation status report
Check the number of systems having unauthorized software | Sample Audit against Approved Software list
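The "access rights removed after termination" row above is usually evidenced by reconciling the HR leavers list against an export of directory accounts. The script below is an added example of that reconciliation and is not part of the original page or any organisation's tooling: the `Termination` and `Account` records, the `GRACE_DAYS` deprovisioning allowance and all sample usernames and dates are constructed for illustration, and a real run would load the HR export and an account dump (for example from AD or LDAP) in place of the inline lists.

```python
"""Reconcile HR terminations against a directory account export.

Produces the evidence for the 'access rights removed after termination'
check: accounts still enabled past the owner's last day, and the KPI
(fraction of leavers whose access was removed on time). All records are
constructed sample data for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Days after the last working day within which disabling the account still
# counts as on time. Assumed value; use the organisation's HR/IT deadline.
GRACE_DAYS = 1


@dataclass(frozen=True)
class Termination:
    username: str
    last_day: date


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_logon: Optional[date]


def stale_accounts(terminations: List[Termination], accounts: List[Account],
                   as_of: date, grace_days: int = GRACE_DAYS) -> List[Tuple[str, int, bool]]:
    """Return (username, days_overdue, used_after_leaving) for each enabled
    account whose owner's deadline (last day + grace period) has passed.

    A logon dated after the last day is flagged separately: an unrevoked
    account is a process failure, an unrevoked account that is still being
    used is an incident candidate.
    """
    by_name = {a.username.lower(): a for a in accounts}
    findings = []
    for t in terminations:
        acct = by_name.get(t.username.lower())
        if acct is None or not acct.enabled:
            continue  # no account, or already disabled: compliant
        deadline = t.last_day + timedelta(days=grace_days)
        if deadline < as_of:
            used_after = acct.last_logon is not None and acct.last_logon > t.last_day
            findings.append((acct.username, (as_of - deadline).days, used_after))
    return findings


def kpi(terminations: List[Termination], accounts: List[Account],
        as_of: date, grace_days: int = GRACE_DAYS) -> float:
    """Fraction of leavers past their deadline whose access was removed on time.

    1.0 means every due deprovisioning was done; leavers still inside the
    grace period are not counted either way.
    """
    due = [t for t in terminations if t.last_day + timedelta(days=grace_days) < as_of]
    if not due:
        return 1.0
    overdue = {name.lower() for name, _, _ in stale_accounts(terminations, accounts, as_of, grace_days)}
    return 1 - len(overdue) / len(due)


# Constructed sample data: a leavers list and an account export as of 2024-03-01.
AS_OF = date(2024, 3, 1)

TERMINATIONS = [
    Termination("asmith", date(2024, 1, 31)),
    Termination("bjones", date(2024, 2, 15)),
    Termination("cwu", date(2024, 2, 29)),
    Termination("dlee", date(2024, 2, 20)),
]

ACCOUNTS = [
    Account("asmith", enabled=False, last_logon=date(2024, 1, 31)),     # disabled on time
    Account("bjones", enabled=True, last_logon=date(2024, 2, 27)),      # still enabled and used after leaving
    Account("cwu", enabled=True, last_logon=date(2024, 2, 29)),         # still inside the grace period
    Account("dlee", enabled=True, last_logon=None),                     # enabled, never used since
    Account("svc_backup", enabled=True, last_logon=date(2024, 2, 28)),  # not a leaver, ignored
]


if __name__ == "__main__":
    for name, days, used in stale_accounts(TERMINATIONS, ACCOUNTS, AS_OF):
        flag = "USED AFTER LEAVING" if used else "unused"
        print(f"{name}: enabled {days} day(s) past deadline ({flag})")
    print(f"on-time deprovisioning rate: {kpi(TERMINATIONS, ACCOUNTS, AS_OF):.0%}")
```

On the sample data the script reports `bjones` (14 days overdue, logged on after leaving) and `dlee` (9 days overdue, unused), and a rate of one in three; `cwu` is not counted because the grace period has not yet elapsed on the `as_of` date. Matching on a lower-cased username is deliberate, since HR exports and directory dumps rarely agree on case.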
