
ISO 27001 CHECKLIST TEMPLATE

Columns: ISO 27001 CONTROL | IMPLEMENTATION PHASES | TASKS | IN COMPLIANCE? (YES / NO / UNKNOWN) | NOTES

5 Information security policies

5.1 | Management direction for information security | Security policies exist? | YES / NO / UNKNOWN |
5.1.1 | Policies for information security | All policies approved by management? Evidence of compliance? | YES / NO / UNKNOWN |

6 Organization of information security

6.1 Information security roles and responsibilities

6.1.1 | Security roles and responsibilities | Roles and responsibilities defined? | YES / NO / UNKNOWN |
6.1.2 | Segregation of duties | Segregation of duties defined? | YES / NO / UNKNOWN |
6.1.3 | Contact with authorities | Verification body / authority contacted for compliance verification? | YES / NO / UNKNOWN |
6.1.4 | Contact with special interest groups | Establish contact with special interest groups regarding compliance? | YES / NO / UNKNOWN |
6.1.5 | Information security in project management | Evidence of information security in project management? | YES / NO / UNKNOWN |

6.2 Mobile devices and teleworking

6.2.1 | Mobile device policy | Defined policy for mobile devices? | YES / NO / UNKNOWN |
6.2.2 | Teleworking | Defined policy for working remotely? | YES / NO / UNKNOWN |
7 Human resources security

7.1 Prior to employment

7.1.1 | Screening | Defined policy for screening employees prior to employment? | YES / NO / UNKNOWN |
7.1.2 | Terms and conditions of employment | Defined policy for HR terms and conditions of employment? | YES / NO / UNKNOWN |

7.2 During employment

7.2.1 | Management responsibilities | Defined policy for management responsibilities? | YES / NO / UNKNOWN |
7.2.2 | Information security awareness, education, and training | Defined policy for information security awareness, education, and training? | YES / NO / UNKNOWN |
7.2.3 | Disciplinary process | Defined policy for disciplinary process regarding information security? | YES / NO / UNKNOWN |

7.3 Termination and change of employment

7.3.1 | Termination or change-of-employment responsibilities | Defined policy for HR termination or change-of-employment policy regarding information security? | YES / NO / UNKNOWN |
8 Asset management

8.1 Responsibilities for assets

8.1.1 | Inventory of assets | Complete inventory list of assets? | YES / NO / UNKNOWN |
8.1.2 | Ownership of assets | Complete ownership list of assets? | YES / NO / UNKNOWN |
8.1.3 | Acceptable use of assets | Defined acceptable use of assets policy? | YES / NO / UNKNOWN |
8.1.4 | Return of assets | Defined return of assets policy? | YES / NO / UNKNOWN |

8.2 Information classification

8.2.1 | Classification of information | Defined policy for classification of information? | YES / NO / UNKNOWN |
8.2.2 | Labeling of information | Defined policy for labeling of information? | YES / NO / UNKNOWN |
8.2.3 | Handling of assets | Defined policy for handling of assets? | YES / NO / UNKNOWN |

8.3 Media handling

8.3.1 | Management of removable media | Defined policy for management of removable media? | YES / NO / UNKNOWN |
8.3.2 | Disposal of media | Defined policy for disposal of media? | YES / NO / UNKNOWN |
8.3.3 | Physical media transfer | Defined policy for physical media transfer? | YES / NO / UNKNOWN |

9 Access control

9.1 Responsibilities for assets

9.1.1 | Access control policy | Defined policy for access control? | YES / NO / UNKNOWN |
9.1.2 | Access to networks and network services | Defined policy for access to networks and network services? | YES / NO / UNKNOWN |

9.2 Responsibilities for assets

9.2.1 | User asset registration and de-registration | Defined policy for user asset registration and de-registration? | YES / NO / UNKNOWN |
9.2.2 | User access provisioning | Defined policy for user access provisioning? | YES / NO / UNKNOWN |
9.2.3 | Management of privileged access rights | Defined policy for management of privileged access rights? | YES / NO / UNKNOWN |
9.2.4 | Management of secret authentication information of users | Defined policy for management of secret authentication information of users? | YES / NO / UNKNOWN |
9.2.5 | Review of user access rights | Defined policy for review of user access rights? | YES / NO / UNKNOWN |
9.2.6 | Removal or adjustment of access rights | Defined policy for removal or adjustment of access rights? | YES / NO / UNKNOWN |

9.3 User responsibilities

9.3.1 | Use of secret authentication information | Defined policy for use of secret authentication information? | YES / NO / UNKNOWN |

9.4 System and application access control

9.4.1 | Information access restrictions | Defined policy for information access restrictions? | YES / NO / UNKNOWN |
9.4.2 | Secure log-in procedures | Defined policy for secure log-in procedures? | YES / NO / UNKNOWN |
9.4.3 | Password management systems | Defined policy for password management systems? | YES / NO / UNKNOWN |
9.4.4 | Use of privileged utility programs | Defined policy for use of privileged utility programs? | YES / NO / UNKNOWN |
9.4.5 | Access control to program source code | Defined policy for access control to program source code? | YES / NO / UNKNOWN |

10 Cryptography

10.1 Cryptographic controls

10.1.1 | Policy for the use of cryptographic controls | Defined policy for use of cryptographic controls? | YES / NO / UNKNOWN |
10.1.2 | Key management | Defined policy for key management? | YES / NO / UNKNOWN |

11 Physical and environmental security

11.1 Secure areas

11.1.1 | Physical security perimeter | Defined policy for physical security perimeter? | YES / NO / UNKNOWN |
11.1.2 | Physical entry controls | Defined policy for physical entry controls? | YES / NO / UNKNOWN |
11.1.3 | Securing offices, rooms, and facilities | Defined policy for securing offices, rooms, and facilities? | YES / NO / UNKNOWN |
11.1.4 | Protection against external and environmental threats | Defined policy for protection against external and environmental threats? | YES / NO / UNKNOWN |
11.1.5 | Working in secure areas | Defined policy for working in secure areas? | YES / NO / UNKNOWN |
11.1.6 | Delivery and loading areas | Defined policy for delivery and loading areas? | YES / NO / UNKNOWN |

11.2 Equipment

11.2.1 | Equipment siting and protection | Defined policy for equipment siting and protection? | YES / NO / UNKNOWN |
11.2.2 | Supporting utilities | Defined policy for supporting utilities? | YES / NO / UNKNOWN |
11.2.3 | Cabling security | Defined policy for cabling security? | YES / NO / UNKNOWN |
11.2.4 | Equipment maintenance | Defined policy for equipment maintenance? | YES / NO / UNKNOWN |
11.2.5 | Removal of assets | Defined policy for removal of assets? | YES / NO / UNKNOWN |
11.2.6 | Security of equipment and assets off-premises | Defined policy for security of equipment and assets off-premises? | YES / NO / UNKNOWN |
11.2.7 | Secure disposal or re-use of equipment | Secure disposal or re-use of equipment? | YES / NO / UNKNOWN |
11.2.8 | Unattended user equipment | Defined policy for unattended user equipment? | YES / NO / UNKNOWN |
11.2.9 | Clear desk and clear screen policy | Defined policy for clear desk and clear screen policy? | YES / NO / UNKNOWN |

12 Operations security

12.1 Operational procedures and responsibilities

12.1.1 | Documented operating procedures | Defined policy for documented operating procedures? | YES / NO / UNKNOWN |
12.1.2 | Change management | Defined policy for change management? | YES / NO / UNKNOWN |
12.1.3 | Capacity management | Defined policy for capacity management? | YES / NO / UNKNOWN |
12.1.4 | Separation of development, testing, and operational environments | Defined policy for separation of development, testing, and operational environments? | YES / NO / UNKNOWN |

12.2 Protection from malware

12.2.1 | Controls against malware | Defined policy for controls against malware? | YES / NO / UNKNOWN |

12.3 System backup

12.3.1 | Backup | Defined policy for backing up systems? | YES / NO / UNKNOWN |
12.3.2 | Information backup | Defined policy for information backup? | YES / NO / UNKNOWN |

12.4 Logging and monitoring

12.4.1 | Event logging | Defined policy for event logging? | YES / NO / UNKNOWN |
12.4.2 | Protection of log information | Defined policy for protection of log information? | YES / NO / UNKNOWN |
12.4.3 | Administrator and operator log | Defined policy for administrator and operator log? | YES / NO / UNKNOWN |
12.4.4 | Clock synchronization | Defined policy for clock synchronization? | YES / NO / UNKNOWN |

12.5 Control of operational software

12.5.1 | Installation of software on operational systems | Defined policy for installation of software on operational systems? | YES / NO / UNKNOWN |

12.6 Technical vulnerability management

12.6.1 | Management of technical vulnerabilities | Defined policy for management of technical vulnerabilities? | YES / NO / UNKNOWN |
12.6.2 | Restriction on software installation | Defined policy for restriction on software installation? | YES / NO / UNKNOWN |

12.7 Information systems audit considerations

12.7.1 | Information system audit control | Defined policy for information system audit control? | YES / NO / UNKNOWN |

13 Communication security

13.1 Network security management

13.1.1 | Network controls | Defined policy for network controls? | YES / NO / UNKNOWN |
13.1.2 | Security of network services | Defined policy for security of network services? | YES / NO / UNKNOWN |
13.1.3 | Segregation in networks | Defined policy for segregation in networks? | YES / NO / UNKNOWN |

13.2 Information transfer

13.2.1 | Information transfer policies and procedures | Defined policy for information transfer policies and procedures? | YES / NO / UNKNOWN |
13.2.2 | Agreements on information transfer | Defined policy for agreements on information transfer? | YES / NO / UNKNOWN |
13.2.3 | Electronic messaging | Defined policy for electronic messaging? | YES / NO / UNKNOWN |
13.2.4 | Confidentiality or non-disclosure agreements | Defined policy for confidentiality or non-disclosure agreements? | YES / NO / UNKNOWN |
13.2.5 | System acquisition, development, and maintenance | Defined policy for system acquisition, development, and maintenance? | YES / NO / UNKNOWN |

14 System acquisition, development, and maintenance

14.1 Security requirements of information systems

14.1.1 | Information security requirements analysis and specification | Defined policy for information security requirements analysis and specification? | YES / NO / UNKNOWN |
14.1.2 | Securing application services on public networks | Defined policy for securing application services on public networks? | YES / NO / UNKNOWN |
14.1.3 | Protecting application service transactions | Defined policy for protecting application service transactions? | YES / NO / UNKNOWN |

14.2 Security in development and support processes

14.2.1 | In-house development | Defined policy for in-house development? | YES / NO / UNKNOWN |

15 Supplier relationships

15.1.1 | Supplier relationships | Defined policy for supplier relationships? | YES / NO / UNKNOWN |

16 Information security incident management

16.1.1 | Information security management | Defined policy for information security management? | YES / NO / UNKNOWN |

17 Information security aspects of business continuity management

17.1 Information security continuity

17.1.1 | Information security continuity | Defined policy for information security continuity? | YES / NO / UNKNOWN |

17.2 Redundancies

17.2.1 | Redundancies | Defined policy for redundancies? | YES / NO / UNKNOWN |

18 Compliance

18.1 Compliance with legal and contractual requirements

18.1.1 | Identification of applicable legislation and contractual requirement | Defined policy for identification of applicable legislation and contractual requirement? | YES / NO / UNKNOWN |
18.1.2 | Intellectual property rights | Defined policy for intellectual property rights? | YES / NO / UNKNOWN |
18.1.3 | Protection of records | Defined policy for protection of records? | YES / NO / UNKNOWN |
18.1.4 | Privacy and protection of personally identifiable information | Defined policy for privacy and protection of personally identifiable information? | YES / NO / UNKNOWN |
18.1.5 | Regulation of cryptographic control | Defined policy for regulation of cryptographic control? | YES / NO / UNKNOWN |

18.1 Independent review of information security

18.1.1 | Compliance with security policies and standards | Defined policy for compliance with security policies and standards? | YES / NO / UNKNOWN |
18.1.2 | Technical compliance review | Defined policy for technical compliance review? | YES / NO / UNKNOWN |

DISCLAIMER

Any articles, templates, or information provided by Smartsheet on the website are for reference only. While we strive
to keep the information up to date and correct, we make no representations or warranties of any kind, express or
implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the website or the
information, articles, templates, or related graphics contained on the website. Any reliance you place on such
information is therefore strictly at your own risk.
