#ISO 27002 CHECKLIST AND POLICY PROFESSIONAL#

Section / Audit area, objective and question

Information Security Policy

  Information security policy document
    Whether there exists an information security policy, which is approved by management, published and communicated as appropriate to all employees.
    Whether the policy states management commitment and sets out the organizational approach to managing information security.

  Review of the Information Security Policy
    Whether the information security policy is reviewed at planned intervals, or if significant changes occur, to ensure its continuing suitability, adequacy and effectiveness.
    Whether the information security policy has an owner, who has approved management responsibility for development, review and evaluation of the security policy.
    Whether any defined information security policy review procedures exist, and whether they include requirements for the management review.
    Whether the results of the management review are taken into account.
    Whether management approval is obtained for the revised policy.

Organization of Information Security

2.1 / 6.1 Internal Organization

  Management commitment to information security
    Whether management demonstrates active support for security measures within the organization. This can be done via clear direction, demonstrated commitment, explicit assignment and acknowledgement of information security responsibilities.

  Information security coordination
    Whether information security activities are coordinated by representatives from diverse parts of the organization, with pertinent roles and responsibilities.

  Allocation of information security responsibilities
    Whether responsibilities for the protection of individual assets, and for carrying out specific security processes, were clearly identified and defined.

  Authorization process for information processing facilities
    Whether a management authorization process is defined and implemented for any new information processing facility within the organization.

  Confidentiality agreements
    Whether the organization's need for a Confidentiality or Non-Disclosure Agreement (NDA) for protection of information is clearly defined and regularly reviewed.
    Does this address the requirement to protect the confidential information using legally enforceable terms?

  Contact with authorities
    Whether there exists a procedure that describes when, and by whom, relevant authorities such as law enforcement, the fire department etc. should be contacted, and how the incident should be reported.

  Contact with special interest groups
    Whether appropriate contacts with special interest groups or other specialist security forums, and professional associations, are maintained.

  Independent review of information security
    Whether the organization's approach to managing information security, and its implementation, is reviewed independently at planned intervals, or when major changes to the security implementation occur.

External Parties

  Identification of risks related to external parties
    Whether risks to the organization's information and information processing facility, from a process involving external party access, are identified and appropriate control measures implemented before granting access.

  Addressing security while dealing with customers
    Whether all identified security requirements are fulfilled before granting customer access to the organization's information or assets.

  Addressing security in third party agreements
    Whether the agreement with third parties, involving accessing, processing, communicating or managing the organization's information or information processing facility, or introducing products or services to the information processing facility, complies with all appropriate security requirements.

Asset Management

  Responsibility for assets

  Inventory of assets
    Whether all assets are identified and an inventory or register is maintained with all the important assets.

  Ownership of assets
    Whether each asset identified has an owner, a defined and agreed-upon security classification, and access restrictions that are periodically reviewed.

  Acceptable use of assets
    Whether regulations for acceptable use of information and assets associated with an information processing facility were identified, documented and implemented.

  Information Classification

  Classification guidelines
    Whether the information is classified in terms of its value, legal requirements, sensitivity and criticality to the organization.

  Information labelling and handling
    Whether an appropriate set of procedures is defined for information labelling and handling, in accordance with the classification scheme adopted by the organization.