
Planning For ISO 27001

  • Self-assessment questionnaire
    How ready are you for ISO/IEC 27001:2013?

    This document has been designed to help you assess your company’s readiness for an ISO/IEC 27001 Information Security Management System. By completing this questionnaire your results will allow you to self-assess your organization and identify where you are in the ISO/IEC 27001 process. If you would like us to do this analysis for you, please complete the questionnaire (including your contact details), save and email it to us at BeSecure@ezentria.com
  • ISO/IEC 27001 Information Security Management System – Self-assessment questionnaire

  • Did the organization determine interested parties?
  • Does a list of all interested parties’ requirements exist?
  • Is the scope documented with clearly defined boundaries and interfaces?
  • Are the general ISMS objectives compatible with the strategic direction?
  • Does management ensure that ISMS achieves its objectives?
  • Is Information Security Policy communicated within the company?
  • Are roles and responsibilities for information security assigned and communicated?
  • Is the risk assessment process documented, including the risk acceptance criteria and criteria for risk assessment?
  • Are the risks identified, together with their owners, likelihood, consequences and level of risk, and are these results documented?
  • Is the risk treatment process documented, including the risk treatment options?
  • Are all the unacceptable risks treated using the options and controls from Annex A; are these results documented?
  • Is a Statement of Applicability produced with justifications and status for each control?
  • Does a Risk treatment plan exist, approved by the risk owners?
  • Does the Risk treatment plan define who is responsible for implementing which control, with which resources, what the deadlines are, and what the evaluation method is?
  • Are adequate resources provided for all the elements of ISMS?
  • Are required competences defined, trainings performed, and records of competences maintained?
  • Are personnel aware of the Information security policy, of their role, and of the consequences of not complying with the rules?
  • Does the process for communication related to information security exist, including the responsibilities and what to communicate?
  • Does the process for managing documents and records exist, including who reviews and approves documents, where and how they are published, stored and protected?
  • Are documents of external origin controlled?
  • Are outsourced processes identified and controlled?
  • Is it defined what needs to be measured, by which method, who is responsible, who will analyze and evaluate the results?
  • Are the results of measurement documented and reported to responsible persons?
  • Does an audit program exist that defines the timing, responsibilities, reporting, audit criteria and scope?
  • Are internal audits performed according to the audit program, results reported through the Internal audit report, and relevant corrective actions raised?
  • Is management review regularly performed, and are the results documented in minutes of the meeting?
  • Did management decide on all the crucial issues important for the success of the ISMS?
  • Does the organization react to every nonconformity?
  • Does the organization consider eliminating the cause of nonconformity and, where appropriate, take corrective action?
  • Are all nonconformities recorded, together with corrective actions?
  • Are all necessary information security policies approved by management and published?
  • Are all information security policies reviewed and updated?
  • Are all information security responsibilities clearly defined through one or several documents?
  • Are duties and responsibilities defined in such a way as to avoid conflicts of interest, particularly for the information and systems where high risks are involved?
  • Is it clearly defined who should be in contact with which authorities?
  • Is it clearly defined who should be in contact with special interest groups or professional associations?
  • Are information security rules included in every project?
  • Are there rules for secure handling of mobile devices?
  • Are there rules defining how the company information is protected at teleworking sites?
  • Are background checks performed on candidates for employment or for contractors?
  • Do the agreements with employees and contractors specify the information security responsibilities?
  • Is management actively requiring all employees and contractors to comply with information security rules?
  • Are all relevant employees and contractors trained to perform their security duties, and do awareness programs exist?
  • Have all employees who have committed a security breach been subject to a formal disciplinary process?
  • Are information security responsibilities that remain valid after the termination of employment defined in the agreement?
  • Is an Inventory of assets drawn up?
  • Does every asset in Inventory of assets have a designated owner?
  • Are the rules for appropriate handling of information and assets documented?
  • Did all the employees and contractors return all the company assets when their employment was terminated?
  • Is the information classified according to specified criteria?
  • Is the classified information labeled according to the defined procedures?
  • Are there procedures which define how to handle classified information?
  • Are there procedures which define how to handle removable media in line with the classification rules?
  • Are there formal procedures for disposing of the media?
  • Is the media that contains sensitive information protected during transportation?
  • Is there an Access control policy which defines business and security requirements for access control?
  • Do the users have access only to those networks and services they are specifically authorized for?
  • Are access rights provided via a formal registration process?
  • Is there a formal access control system when logging into information systems?
  • Are privileged access rights managed with special care?
  • Are initial passwords and other secret authentication information provided in a secure way?
  • Do asset owners periodically check all the privileged access rights?
  • Have the access rights to all employees and contractors been removed upon the termination of their contracts?
  • Are there clear rules for users on how to protect passwords and other authentication information?
  • Is the access to databases and applications restricted according to the Access control policy?
  • Is secure log-on required on systems according to the Access control policy?
  • Are the systems that manage passwords interactive, and enable the creation of secure passwords?
  • Is the use of utility tools that can override the security controls of applications and systems strictly controlled and limited to a narrow circle of employees?
  • Is the access to source code restricted to authorized persons?
  • Does the policy that regulates encryption and other cryptographic controls exist?
  • Are the cryptographic keys properly protected?
  • Do secure areas that protect sensitive information exist?
  • Is the entrance to secure areas protected with controls that allow only the authorized persons to enter?
  • Are secure areas located in such a way that they are not visible to outsiders, and not easily reached from the outside?
  • Are the alarms, fire-protection, and other systems installed?
  • Are working procedures for secure areas defined and complied with?
  • Are delivery and loading areas controlled in such a way that unauthorized persons cannot enter the company premises?
  • Is the equipment sited in such a way as to protect it from unauthorized access and from environmental threats?
  • Does the equipment have an uninterruptible power supply?
  • Are the power and telecommunication cables adequately protected?
  • Is the equipment maintained regularly according to manufacturers’ specifications and good practice?
  • Is the authorization for information and other assets given each time they are taken out of the company premises?
  • Are the company assets adequately protected when they are not located at the company premises?
  • Are all the information and licensed software removed from media or equipment containing media when disposed of?
  • Are users protecting their equipment when not in physical possession of it?
  • Is there a policy which forces users to remove papers and media when not present, and lock their screens?
  • Have the operating procedures for IT processes been documented?
  • Are all the changes to IT systems, but also to other processes that could affect information security, strictly controlled?
  • Does someone monitor use of resources and project the required capacity?
  • Are development, testing and production environments strictly separated?
  • Are anti-virus software, and other software for malware protection, installed and updated?
  • Is the backup policy developed; is the backup performed according to this policy?
  • Are all user logs, faults and other events from IT systems logged, and does someone check them?
  • Are logs protected in such a way that unauthorized persons cannot change them?
  • Are administrator logs protected in such a way that system administrators cannot change them or delete them; are they regularly checked?
  • Are clocks on all IT systems synchronized with a single source of correct time?
  • Is installation of software strictly controlled; do procedures exist for that purpose?
  • Is there someone in charge of collecting information about vulnerabilities, and are those vulnerabilities promptly resolved?
  • Are there specific rules that define restrictions of software installation by users?
  • Are audits of production systems planned and executed in such a way that they minimize the risk of disruption?
  • Are the networks controlled in such a way that they protect information in systems and applications?
  • Are security requirements for in-house and external network services defined, and included in agreements?
  • Are groups of users, services and systems segregated in different networks?
  • Is the protection of information transfer regulated in formal policies and procedures?
  • Do agreements with third parties exist which regulate the security of information transfer?
  • Are the messages that are exchanged over the networks properly protected?
  • Did the company list all the confidentiality clauses that need to be included in agreements with third parties?
  • Are security requirements defined for new information systems, or for any changes to them?
  • Is the information involved in applications that is transferred through the public networks appropriately protected?
  • Is the information involved in transactions that is transferred through the public networks appropriately protected?
  • Are the rules for the secure development of software and systems defined?
  • Do formal change control procedures exist for making any changes to the new or existing systems?
  • Are critical applications tested after the operating systems have been changed or updated?
  • Are only the changes that are really necessary performed to information systems?
  • Are the principles for engineering secure systems documented and implemented?
  • Is the development environment appropriately secured from unauthorized access and change?
  • Is the outsourced development of systems monitored?
  • Is testing for proper implementation of security requirements performed during the development?
  • Are the criteria for accepting the systems defined?
  • Are the test data carefully selected and protected?
  • Is the policy on how to treat the risks related to suppliers and partners documented?
  • Are all the relevant security requirements included in the agreements with the suppliers and partners?
  • Do the agreements with cloud providers and other suppliers include security requirements for ensuring the reliable delivery of services?
  • Are suppliers regularly monitored for compliance with the security requirements, and audited if appropriate?
  • When making changes to arrangements and contracts with suppliers and partners, are risks and existing processes taken into account?
  • Are procedures and responsibilities for managing incidents clearly defined?
  • Are all information security events reported in a timely manner?
  • Are employees and contractors reporting on security weaknesses?
  • Are all security events assessed and classified?
  • Are procedures on how to respond to incidents documented?
  • Are security incidents analyzed in order to gain knowledge on how to prevent them?
  • Do procedures exist which define how to collect evidence that will be acceptable during the legal process?
  • Are requirements for continuity of information security defined?
  • Do procedures exist that ensure the continuity of information security during a crisis or a disaster?
  • Is exercising and testing performed in order to ensure effective response?
  • Does IT infrastructure have redundancy (e.g. secondary location) to fulfill the expectations during disasters?
  • Are all legislative, regulatory, contractual and other security requirements listed and documented?
  • Do procedures exist that ensure the enforcement of intellectual property rights, in particular the use of licensed software?
  • Are all the records protected according to identified regulatory, contractual and other requirements?
  • Is personally identifiable information protected as required in laws and regulations?
  • Are cryptographic controls used as required in laws and regulations?
  • Is information security regularly reviewed by an independent auditor?
  • Do the managers regularly review if the security policies and procedures are performed properly in their areas of responsibility?
  • Are information systems regularly reviewed to check their compliance with the information security policies and standards?

Call (800) 230-0780 now for a free consultation.

Don't wait to secure your company's vital information assets.

Contact us now to learn more about Planning For ISO 27001.

A security compliance program specifically designed for small and midsize businesses.