ISO/IEC 27001 Compliance Checklist
The fourteen domains below follow Annex A of ISO/IEC 27001:2013 (A.5 to A.18). The 2022 edition regroups the same controls into four themes (organizational, people, physical, technological), so map each item to the clause numbering of the edition you are being certified against.
Information Security Policies
Define and document the scope of the information security management system (ISMS): the business units, locations, assets, and technologies it covers, and its interfaces with external parties.
Develop, approve, and publish information security policies that meet ISO/IEC 27001 requirements, and review them at planned intervals or when significant changes occur.
Communicate the policies to all employees and relevant external parties, and keep evidence that they were received and acknowledged.
Organization of Information Security
Define and assign information security roles and responsibilities, including a named owner for each asset and each risk.
Establish a risk assessment and risk treatment methodology, and maintain the risk register and Statement of Applicability derived from it.
Enforce segregation of duties so that no single person can request, approve, and implement a sensitive change without independent oversight.
Human Resource Security
Screen employees and contractors before they are granted access, with background verification proportionate to the role and the classification of the information they will handle.
Ensure all employees and contractors understand and fulfil their information security responsibilities through awareness training on joining and at regular intervals afterwards.
Formalize a disciplinary process for information security breaches and make it known to staff before it is needed.
Asset Management
Maintain an inventory of information assets with a named owner for each, and classify them by sensitivity so that protection matches the value of the asset.
Define handling requirements (labelling, storage, transfer, and disposal) for each classification level.
Implement a procedure for the return of assets and the removal of access when an employee or contractor leaves or changes role.
Access Control
Establish a user registration and de-registration process so that every account is traceable to a person and is disabled promptly when no longer needed.
Implement a formal access provisioning process that grants rights on the basis of business need (least privilege) and reviews existing rights at regular intervals.
Restrict the allocation of privileged access rights to individually approved users, keep a record of each approval, and monitor the use of privileged accounts.
Cryptography
Determine cryptographic requirements from the classification of the data and from legal, regulatory, and contractual obligations, and document them in a cryptography policy.
Protect sensitive information in transit and at rest with current, authenticated encryption (for example TLS 1.2 or later for transport and AES-GCM for stored data), and prohibit deprecated algorithms and protocols.
Manage cryptographic keys through their whole lifecycle: generation, distribution, storage, use, rotation, revocation, and destruction, with access to keys restricted and logged.
Physical and Environmental Security
Define secure areas with physical entry controls to prevent unauthorized access, damage, and interference to the organization's information and information processing facilities.
Protect facilities against environmental hazards such as fire, flood, power failure, and other disasters, and against the failure of supporting utilities.
Verify that storage media are wiped or destroyed before equipment is disposed of or reused, and record the disposal.
Operations Security
Establish and maintain documented operating procedures for information processing, and control changes to production systems.
Deploy anti-malware controls on endpoints and servers, keep them updated, and monitor their effectiveness.
Implement a technical vulnerability management process that identifies vulnerabilities in deployed software, assesses exposure, and applies patches within defined timescales.
Communications Security
Implement network security controls (filtering, monitoring, and authentication of connected devices) to protect information in networks.
Segregate networks by trust level where necessary, and define and enforce the security requirements of each network service.
Define policies and procedures for transferring information inside and outside the organization, including encryption in transit and agreements with external recipients.
System Acquisition, Development and Maintenance
Define security requirements up front for every acquisition, development, or enhancement of information systems, and verify them before go-live.
Apply a secure development policy: secure coding practices, security testing, and code review during development.
Control changes to systems, protect test data, and review applications after platform changes to confirm that security controls still work.
Supplier Relationships
Implement a process to identify and assess the risks associated with suppliers and third-party service providers.
Include information security clauses in contracts with suppliers.
Monitor, review, and audit supplier service delivery.
Information Security Incident Management
Establish an incident response and management procedure.
Report information security events and weaknesses consistently and promptly.
Test and review the incident management process regularly.
Information Security Aspects of Business Continuity Management
Establish and maintain a documented business continuity management process that includes information security.
Conduct a business impact analysis to identify critical business processes, their recovery objectives, and the impact of potential disruptions.
Develop, implement, and exercise plans that keep information security controls in place during a disruption and restore them afterwards.
Compliance
Identify and document the legislative, regulatory, and contractual requirements that apply to the organization, and how each is met.
Ensure that information security policies and procedures satisfy these requirements, including those on records retention, privacy, and the use of cryptography.
Conduct regular independent reviews and internal audits of information security, and perform technical compliance checks of systems against policies and standards.