Annex
Checklist of ISO 27001:2022 standard.
| Clause | Name | Description | Control |
|---|---|---|---|
| 5.01 | Information security policies | Continuously ensure the relevance, adequacy and effectiveness of management's orientations and its support for information security according to business, legal, statutory, regulatory and contractual. | Check the existence of all security policies, their validation, their dissemination and communication to employees and third parties concerned. |
| 5.02 | Information Security Duties and Responsibilities | Establish a defined, approved, and understood structure for the implementation, operation, and management of information security within the organization. | Control the definition and assignment of functions and responsibilities related to information security according to the needs of the organization. |
| 5.03 | Segregation of duties | Reduce the risk of fraud, error and circumvention of information security measures. | Ensure that incompatible duties and areas of responsibility are segregated |
| 5.04 | Management Responsibilities | Ensure that management understands its role in information security and takes actions to ensure that all personnel are aware of their information security responsibilities. information and carries them out. | Check that there is communication from management on the importance of information security. |
| 5.05 | Relations with authorities | Ensure the proper flow of information security information between the organization and the relevant legal, regulatory and supervisory authorities. | Procedure and inventory are up to date there is evidence of relationship with the authorities |
| 5.06 | Relations with specialized working groups | Ensure the adequate circulation of information in terms of information security. | The procedure and inventory of specialist groups are up to date. There is evidence of a relationship with specialist groups. |
| 5.07 | Threat Intelligence | Provide knowledge of the organization's threat environment so that appropriate mitigating actions can be taken. | There are sources of information and evidence of analysis |
| 5.08 | Information security in project management | Ensure that information security risks relating to projects and deliverables are effectively addressed in project management, throughout the project life cycle. | Control consideration of information security in project management. |
| 5.09 | Inventory of information and other related assets | Identify the organization's information and other related assets to maintain their security and assign ownership appropriately. | Control that an inventory of information and other related assets associated assets, including their owners and maintained and updated |
| 5.10 | Proper use of information and other associated assets | Ensure that information and other associated assets are protected, used and handled appropriately. | Check existence of rules Compare date of publication to date of check |
| 5.11 | Return of assets | Protect the organization's assets in the process of changing or terminating their employment, contract or agreement. | Control the list of employees who have left the organization and proof of return of assets to the organization. |
| 5.12 | Classification of information | Ensure the identification and understanding of information protection needs according to its importance for the organization. | Check the existence and updating of the procedure and its content given the context of the organization |
| 5.13 | Marking of information | Facilitate the communication of information classification and support the automation of information management and processing. | Monitor the marking procedure and its implementation on a sample of information from the organization. |
| 5.14 | Transfer of information | Maintain the security of information transferred within the organization and to any external interested parties | Monitor the implementation of rules, procedures or agreements for the transfer of information, the inventory of the agreements concerned and the terms of the agreements. |
| 5.15 | Access control | Ensure authorized access and prevent unauthorized access to information and other related assets. | Control the definition and implementation of policies to manage physical and logical access to information and other associated assets based on business and information security requirements. |
| 5.16 | Identity management | Enable unique identification of people and systems accessing information and other associated assets of the organization, and to enable the appropriate assignment of access rights. | Control the management of the full lifecycle of identities. |
| 5.17 | Authentication information | Ensure correct authentication of the entity and avoid failures of authentication processes. | Check the existence and application of the process for managing the allocation of secret authentication information |
| 5.18 | Access rights | Ensure that access to information and other associated assets is defined and authorized in accordance with business requirements | Check the existence of the user access management control process, the validity of proof of application of the process and review of access rights |
| 5.19 | Information security in supplier relationships | Maintain the agreed level of information security in supplier relationships. | Check that requirements are documented and updated and that measures are accepted by suppliers |
| 5.20 | Consideration of information security in supplier agreements | Maintain the agreed level of information security in supplier relationships. | Check that requirements are documented and updated and requirements are agreed with suppliers |
| 5.21 | Management of information security in the ICT supply chain | Maintain the agreed level of information security in relations with suppliers. | Check that the requirements are documented and that the agreements made contain the requirements |
| 5.22 | Monitoring, reviewing and change management of supplier services | Maintain an agreed level of information security and service delivery, in accordance with agreements with suppliers. | Check that the organization regularly monitors, reviewing, evaluating and managing changes in supplier information security and service delivery practices. |
| 5.23 | Information security in the use of cloud services | Specify and manage information security in the use of cloud services. | Control that the processes of acquisition, use, management and termination of cloud services are defined in accordance with the organization's information security requirements. |
| 5.24 | Information security incident management planning and preparation | Ensuring a timely, effective, consistent and orderly response to information security incidents, including communication of security events information. | Check that incident management responsibilities are defined Check that the incident management procedure exists and is up to date |
| 5.25 | Assessment of information security events and decision-making | Ensure effective categorization and prioritization of information security events. | Check that the selection process is applied |
| 5.26 | Response to information security incidents | Ensure an efficient and effective response to information security incidents. | Check that the procedure exists and is up to date Check that the procedure is followed |
| 5.27 | Draw lessons from information security incidents | Reduce the likelihood or consequences of future incidents. | Check for existence of improvement in procedure Check for evidence of improvement |
| 5.28 | Evidence gathering | Ensuring consistent and effective management of evidence relating to information security incidents for the purposes of legal or disciplinary action. | Controlling the documentation of evidence gathering in the procedure Controlling the application of evidence collection |
| 5.29 | Security of information during a disruption | Protect information and other associated assets during a disruption. | Check existence and updating of procedure Check security and continuity requirements |
| 5.30 | Preparing ICT for business continuity | Ensuring the availability of information and other associated assets of the organization during a disruption. | Checking the identification of systems and their security objectives Checking the performance of continuity tests |
| 5.31 | Identification of legal, statutory, regulatory and contractual requirements | Ensure compliance with legal, statutory, regulatory and contractual requirements relating to information security. | Check that the inventory is up to date and that the approach is documented |
| 5.32 | Intellectual property rights | Ensuring compliance with legal, statutory, regulatory and contractual requirements relating to intellectual property rights and the use of proprietary products. | Check the existence of the procedure and its updating and proof of application of the procedure |
| 5.33 | Protection of records | Ensure compliance with legal, statutory, regulatory, and contractual requirements, as well as company or community expectations relating to the protection and availability of records. | - Verify that measures comply with the requirements. - Control the evidence of application of the measures - Control the update of the inventory of the sources of key information - Control the deletion of information |
| 5.34 | Privacy and protection of personal data | Ensure compliance with legal, statutory, regulatory and contractual requirements relating to aspects of information security relating to the protection of personal data. | Check the existence and updating of the privacy policy and the application of protection measures |
| 5.35 | Independent review of information security | Ensure that the organisation's approach to managing information security is continuously appropriate, adequate and effective. | Check that independent reviews of the approach retained by the organization to manage and implement the security of information, including people, processes and technologies are carried out at defined intervals or when significant changes have occurred. |
| 5.36 | Compliance with information security policies and standards | Ensure that information security is implemented and operating in accordance with the information security policy, topic-specific policies, rules and standards of the organization. | Ensure that compliance with the information security policy, topic policies, and standards of the organization is reviewed regularly. |
| 5.37 | Documented operating procedures | Ensure the correct and secure operation of information processing resources. | Check the existence and updating of operating procedures and the provision of procedures to users concerned |
| 6.01 | Screening | Ensure that all staff members are eligible and suitable to perform the functions for which they are nominated, and that they remain so throughout their employment. | Check the existence of a procedure up-to-date and the existence of proof of execution of the selection process. |
| 6.02 | General conditions of employment | Ensure that personnel understand their responsibilities in terms of information security within the framework of the functions that the organization intends to entrust to them. | Check the existence of the terms and proof of presence of the terms agreements |
| 6.03 | Information security awareness, learning and training | Ensure that staff and relevant interested parties are aware of and fulfill their information security responsibilities. | Check existence of a plan awareness raising and staff participation in training |
| 6.04 | Disciplinary process | Ensure that staff and other relevant interested parties understand the consequences of violations of the information security policy, prevent such breaches, and treat staff and other parties appropriately who have committed violations. | Ensure that a disciplinary process for taking action against staff and other interested parties who have committed a violation of the information security policy is formalized and communicated. |
| 6.05 | Responsibilities upon termination or modification of employment contract | To protect the interests of the organization in the process of changing or terminating a job or contract. | Existence of terms and proof of application |
| 6.06 | Confidentiality or non-disclosure covenants | Ensuring the confidentiality of information accessed by staff or external parties. | Ensure that requirements are identified and documented |
| 6.07 | Remote work | Ensure information security when staff work remotely. | Check the existence and updating of additional security measures and proof of application of these measures |
| 6.08 | Reporting of information security events | Enable the reporting of information security events that can be identified by personnel, in a timely, consistent and efficient manner. | Check the existence of the procedure , its application and its update |
| 7.01 | Perimeter Physical Security | Prevent unauthorized physical access to, damage to, or interference with information and other associated assets of the organization. | Control only perimeter security used to protect areas that contain information sensitive or critical e and other associated assets are defined. |
| 7.02 | Physical access controls | Ensure that only authorized physical access to information and other related assets of the organization is possible. | Verify that secure areas are protected by adequate entry controls to ensure that only authorized personnel are admitted. |
| 7.03 | Securing offices, rooms and equipment | Prevent unauthorized physical access, damage and interference to information and other associated assets of the organization in offices, rooms and facilities. | Control inventory , security measures and the application of measures. |
| 7.04 | Physical security monitoring | Detect and deter unauthorized physical access. | Enforce continuous site surveillance measures |
| 7.05 | Protection against physical and environmental threats | Prevent or reduce the consequences of events resulting from physical or environmental threats. | Control the inventory and the application of measures. Count the number of anomalies. |
| 7.06 | Working in secure areas | Protect information and other associated assets in secure areas from damage and unauthorized interference by personnel working in such areas. | Check that inventories exist and are up-to-date. |
| 7.07 | Clean desktop and blank screen | Reduce the risk of unauthorized access to, loss of, and damage to information on desktops, screens, and other accessible locations during and outside normal working hours. | Control that clean desk rules for paper documents and removable storage media, and clean screen rules for information processing facilities are defined and enforced. |
| 7.08 | Equipment location and protection | Reduce risks from physical and environmental threats, and unauthorized access and damage. | Control inventory of affected equipment and their locations. Check the application of protection measures. |
| 7.09 | Security of off-premises assets | Prevent loss, damage, theft or compromise of off-premises terminals and disruption of business operations. | Enforce security measures |
| 7.10 | Storage media | Ensure that only authorized disclosure, modification, removal or destruction of organization information on storage media is performed. | - Check that procedures for managing removable media are implemented operates in accordance with the classification plan adopted by the organization. - Check that media that is no longer needed is safely disposed of following formal procedures. - Check that the media containing information are protected against unauthorized access, user errors and alteration during transport. |
| 7.11 | General Services | Prevent loss, damage, or compromise of information and other related assets, or disruption of business operations, caused by support service failures and disruptions. | Control inventory equipment and the application of protective measures. |
| 7.12 | Cable Security | Prevent loss, damage, theft, or compromise of information and other associated assets and disruption to the organization's business related to electrical and communications cabling. | Control inventory of wiring and application of measures |
| 7.13 | Hardware maintenance | Prevent loss, damage, theft or compromise of information and other related assets and disruption of business operations caused by lack of maintenance. | Control hardware inventory concerned, the maintenance measures and the application of the |
| 7.14 | Safe disposal or recycling of materials | Prevent information leakage from materials for disposal or reuse. | Check that inventory is up-to-date. Check the presence of evidence of data erasure |
| 8.01 | User endpoints | Protect information against the risks associated with the use of user endpoint devices. | Control that any information stored on an end user endpoint device, processed by or accessed through such a device, is protected. |
| 8.02 | Access privileges | Ensuring that only authorized users, software components, and services are granted privileged access rights. | Checking the existence of privilege access rights restrictions and the allocation of privileges Privileged Access |
| 8.03 | Restriction of access to information | Ensure only authorized access and prevent unauthorized access to information and other related assets. | Monitor restrictions on access to information and the application of these restrictions in accordance compliance with the policy on the subject of access control. |
| 8.04 | Access to source code | Prevent the introduction of unauthorized functionality, prevent unintentional or malicious modifications, and preserve the confidentiality of important intellectual property. | Monitor the effectiveness of restricting access to code program source. |
| 8.05 | Secure authentication | Ensuring that a user or entity is securely authenticated when granted access to systems, applications and services. | Enforce secure login procedures |
| 8.06 | Dimensioning | Ensuring needs in terms of information processing resources, human resources, offices and other facilities. | Checking the inventory of monitored resources, evidence of monitoring and projections made |
| 8.07 | Protection against malware | Ensuring that information and other related assets are protected against malware. | Monitoring the existence and updating of operating procedures and the availability of procedures to users concerned |
| 8.08 | Management of technical vulnerabilities | Prevent the exploitation of technical vulnerabilities. | Check that the inventory is relevant, that there is verification evidence of the measures taken |
| 8.09 | Configuration management | Ensuring that hardware, software, services and networks are operating properly with required security settings, and that the configuration is not altered by unauthorized or incorrect changes. | Check that the inventory of the systems concerned is complete, the configuration documentation and that checks are carried out |
| 8.10 | Deletion of information | Prevent unnecessary exposure of sensitive information and comply with legal, statutory, regulatory, and contractual requirements for deletion of information. | Control inventory of requirements, affected information, and evidence deletion |
| 8.11 | Data masking | Limit the exposure of sensitive data, including personal data, and comply with legal, statutory, regulatory and contractual requirements. | Check the existence and updating of the masking procedure, the relevance of the data concerned and the application of the masking |
| 8.12 | Prevention of data leaks | Detect and prevent the unauthorized disclosure and extraction of information by persons or systems. | - Check the existence and date of the procedure - Check the data concerned - Check application of measures |
| 8.13 | Backup of information | Allow recovery in the event of loss of data or systems. | - Check the existence and updating of the backup policy - Existence of backup copies - Tests of backup copies |
| 8.14 | Redundancy of information processing resources | Ensure the continuous operation of information processing resources. | Check that the inventory is up to date, the availability requirements and the existence of proof of redundancy |
| 8.15 | Logging | Record events, generate evidence, ensure integrity of logging information, prevent unauthorized access, identify information security events that may lead to an information security incident and assist the investigations. | Check that the logs exist and are up to date, the measures for protecting the logs, the storage capacities and the analysis carried out on these logs. |
| 8.16 | Monitoring activities | Detect abnormal behavior and possible information security incidents. | Monitor the inventory of the networks, systems and applications concerned, the detection measures put in place and that assessments are carried out or incidents generated |
| 8.17 | Synchronization of clocks | Allow the correlation and analysis of security events and other recorded data, assist in the investigation of information security incidents. | Control the inventory of clocks, the unique time source used and the synchronization of the clocks on the source |
| 8.18 | Use of privileged utility programs | Ensure that the use of utility programs does not compromise the information security measures of systems and applications. | Enforce controls on program use utilities |
| 8.19 | Installation of software on operating systems | Ensuring the integrity of operating systems and preventing the exploitation of technical vulnerabilities. | Checking the effectiveness of the installation control procedure |
| 8.20 | Measures related to networks | Protect information in networks and means of processing supporting information against compromise via the network. | Control r that controls are in place and that these controls are effective |
| 8.21 | Security of network services | Ensure security when using network services. | Check that the inventory of relevant network services is complete and up-to-date, that the security mechanisms of service levels and the requirements are identified and incorporated into service agreements |
| 8.22 | Internet filtering | Divide the network into security perimeters and control traffic between them based on business needs. | Control external website access rules and blocking. |
| 8.23 | Segregation of networks | Protect systems from compromise by malicious programs and prevent access to unauthorized web resources. | Control inventory of groups of information services, users, and information systems and the implementation of network partitioning measures |
| 8.24 | Use of cryptography | Ensure the correct and effective use of cryptography to protect the confidentiality, authenticity or integrity of information in accordance with business and information security requirements, and taking into account legal, statutory, regulatory and contractual requirements relating to cryptography. | Controls the rules for the use of cryptography measures, their development and implementation as well as the cryptographic keys and algorithms used. |
| 8.25 | Secure development lifecycle | Ensure that information security is designed and implemented during the secure development lifecycle of software and systems. | Check the existence of development rules , their update and the application of development rules |
| 8.26 | Application security requirements | Ensure that all information security requirements are identified and addressed when developing or acquiring applications. | Monitor network service inventory and effectiveness safeguards against fraudulent activity, contractual disputes, and unauthorized disclosure and modification. |
| 8.27 | Principles of secure system engineering and architecture | Ensuring that information systems are designed, implemented, and operated securely throughout the development life cycle. | Check that the principles of engineering are established and maintained and that these principles are applied in information systems implementation work |
| 8.28 | Secure coding | Ensuring that software is developed in a secure manner in order to reduce the number of possible information security vulnerabilities in software. | Controlling the inventory of developments carried out and the application of rules coding |
| 8.29 | Security testing in development and acceptance | Validate compliance with information security requirements when applications or code are deployed into the environment. | Check that testing is performed on new systems, when updating on new versions |
| 8.30 | Outsourced development | Ensure that the information security measures required by the organization are implemented within the framework of the outsourced development of the systems. | Check that controls are carried out on the outsourced developments. |
| 8.31 | Separation of development, test, and production environments | Protect the operational environment and related data from compromises that may arise from development and test activities. | Control the presence of environments for each application and the effectiveness of the separation of environments |
| 8.32 | Change management | Preserving information security when executing changes. | Control the change management procedure, its updating and the changes made follow the procedure |
| 8.33 | Testing information | Ensuring appropriateness of testing and protection of operational information used for testing. | Monitoring the application of protective measures to test data |
| 8.34 | Protection of information systems under audit and test | Minimize the impact of audit and other assurance activities on operational systems and business processes. | Control requirements, forecasting, and the validation of activities and the existence of disturbances caused by these verifications |