Gap analysis: status of ISO/IEC 27001 implementation

ISO/IEC 27001 clause   Mandatory requirement for the ISMS   Status
4 Information Security Management System  
4.1 General requirements  
4.1 The organization shall establish, implement, operate, monitor, review, maintain and improve a documented ISMS Not implemented
4.2 Establishing and managing the ISMS  
4.2.1 Establish the ISMS  
4.2.1 (a) Define the scope and boundaries of the ISMS Partially implemented
4.2.1 (b) Define an ISMS policy Fully implemented
4.2.1 (c) Define the risk assessment approach  Not implemented
4.2.1 (d) Identify the risks Not implemented
4.2.1 (e) Analyse and evaluate the risks Not implemented
4.2.1 (f) Identify and evaluate options for the treatment of risks Not implemented
4.2.1 (g) Select control objectives and controls for the treatment of risks Not implemented
4.2.1 (h) Obtain management approval of the proposed residual risks Not implemented
4.2.1 (i) Obtain management authorization to implement and operate the ISMS Not implemented
4.2.1 (j) Prepare a Statement of Applicability [see the SoA spreadsheet] Not implemented
4.2.2 Implement the ISMS  
4.2.2 (a) Formulate a risk treatment plan Not implemented
4.2.2 (b) Implement the risk treatment plan in order to achieve the identified control objectives Not implemented
4.2.2 (c) Implement controls selected in 4.2.1g to meet the control objectives Not implemented
4.2.2 (d) Define how to measure the effectiveness of the selected controls or groups of controls and specify how these measurements are to be used to assess control effectiveness to produce comparable and reproducible results (see 4.2.3c) Not implemented
4.2.2 (e) Implement training and awareness programmes (see 5.2.2) Not implemented
4.2.2 (f) Manage operation of the ISMS Not implemented
4.2.2 (g) Manage resources for the ISMS (see 5.2) Not implemented
4.2.2 (h) Implement procedures and other controls capable of enabling prompt detection of security events and response to security incidents (see 4.2.3a) Not implemented
4.2.3 Monitor and review the ISMS  
4.2.3 (a) Execute monitoring and reviewing procedures and other controls Not implemented
4.2.3 (b) Undertake regular reviews of the effectiveness of the ISMS Not implemented
4.2.3 (c) Measure the effectiveness of controls to verify that security requirements have been met. Not implemented
4.2.3 (d) Review risk assessments at planned intervals and review the residual risks and the identified acceptable levels of risks Not implemented
4.2.3 (e) Conduct internal ISMS audits at planned intervals (see 6) Not implemented
4.2.3 (f) Undertake a management review of the ISMS on a regular basis (see 7.1) Not implemented
4.2.3 (g) Update security plans to take into account the findings of monitoring and reviewing activities Not implemented
4.2.3 (h) Record actions and events that could have an impact on the effectiveness or performance of the ISMS (see 4.3.3) Not implemented
4.2.4 Maintain and improve the ISMS  
4.2.4 (a) Implement the identified improvements in the ISMS. Not implemented
4.2.4 (b) Take appropriate corrective and preventive actions in accordance with 8.2 and 8.3 Not implemented
4.2.4 (c) Communicate the actions and improvements to all interested parties Not implemented
4.2.4 (d) Ensure that the improvements achieve their intended objectives Not implemented
4.3 Documentation requirements  
4.3.1 General ISMS documentation   
4.3.1 (a) Documented statements of the ISMS policy (see 4.2.1b) and objectives Not implemented
4.3.1 (b) Scope of the ISMS (see 4.2.1a) Not implemented
4.3.1 (c) Procedures and controls in support of the ISMS Not implemented
4.3.1 (d) Description of the risk assessment methodology (see 4.2.1c) Not implemented
4.3.1 (e) Risk assessment report (see 4.2.1c to 4.2.1g) Not implemented
4.3.1 (f) Risk treatment plan (see 4.2.2b) Not implemented
4.3.1 (g) Procedures needed by the organization to ensure the effective planning, operation and control of its information security processes and describe how to measure the effectiveness of controls (see 4.2.3c) Not implemented
4.3.1 (h) Records required by this International Standard (see 4.3.3) Not implemented
4.3.1 (i) Statement of Applicability Not implemented
4.3.2 Control of documents  
4.3.2 Documents required by the ISMS shall be protected and controlled. A documented procedure shall be established to define the management actions needed to: Not implemented
4.3.2 (a) Approve documents for adequacy prior to issue Not implemented
4.3.2 (b) Review and update documents as necessary and re-approve documents Not implemented
4.3.2 (c) Ensure that changes and the current revision status of documents are identified Not implemented
4.3.2 (d) Ensure that relevant versions of applicable documents are available at points of use Not implemented
4.3.2 (e) Ensure that documents remain legible and readily identifiable Not implemented
4.3.2 (f) Ensure that documents are available to those who need them, and are transferred, stored and ultimately disposed of in accordance with the procedures applicable to their classification Not implemented
4.3.2 (g) Ensure that documents of external origin are identified Not implemented
4.3.2 (h) Ensure that the distribution of documents is controlled Not implemented
4.3.2 (i) Prevent the unintended use of obsolete documents Not implemented
4.3.2 (j) Apply suitable identification to documents if they are retained for any purpose Not implemented
4.3.3 Control of records  
4.3.3 Records shall be established and maintained to provide evidence of conformity to requirements and the effective operation of the ISMS … Not implemented
4.3.3 Records shall be protected and controlled.  Not implemented
4.3.3 The ISMS shall take account of any relevant legal or regulatory requirements and contractual obligations.  Not implemented
4.3.3 Records shall remain legible, readily identifiable and retrievable. Not implemented
4.3.3 The controls needed for the identification, storage, protection, retrieval, retention time and disposition of records shall be documented and implemented. Not implemented
4.3.3 Records shall be kept of the performance of the process as outlined in 4.2 and of all occurrences of significant security incidents related to the ISMS. Not implemented
5 Management responsibility  
5.1 Management commitment  
5.1 Management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS by: Not implemented
5.1 (a) Establishing an ISMS policy Not implemented
5.1 (b) Ensuring that ISMS objectives and plans are established Not implemented
5.1 (c) Establishing roles and responsibilities for information security Not implemented
5.1 (d) Communicating to the organization the importance of meeting information security objectives and conforming to the information security policy, its responsibilities under the law and the need for continual improvement Not implemented
5.1 (e) Providing sufficient resources to establish, implement, operate, monitor, review, maintain and improve the ISMS (see 5.2.1) Not implemented
5.1 (f) Deciding the criteria for accepting risks and the acceptable levels of risk Not implemented
5.1 (g) Ensuring that internal ISMS audits are conducted (see 6) Not implemented
5.1 (h) Conducting management reviews of the ISMS (see 7) Not implemented
5.2 Resource management  
5.2.1 Provision of resources  
5.2.1 The organization shall determine and provide the resources needed to: Not implemented
5.2.1 (a) Establish, implement, operate, monitor, review, maintain and improve an ISMS Not implemented
5.2.1 (b) Ensure that information security procedures support the business requirements Not implemented
5.2.1 (c) Identify and address legal and regulatory requirements and contractual security obligations Not implemented
5.2.1 (d) Maintain adequate security by correct application of all implemented controls Not implemented
5.2.1 (e) Carry out reviews when necessary, and to react appropriately to the results of these reviews Not implemented
5.2.1 (f) Where required, improve the effectiveness of the ISMS Not implemented
5.2.2 Training, awareness and competence  
5.2.2 The organization shall ensure that all personnel who are assigned responsibilities defined in the ISMS are competent to perform the required tasks by: Not implemented
5.2.2 (a) Determining the necessary competencies for personnel performing work affecting the ISMS Not implemented
5.2.2 (b) Providing training or taking other actions (e.g. employing competent personnel) to satisfy these needs Not implemented
5.2.2 (c) Evaluating the effectiveness of the actions taken Not implemented
5.2.2 (d) Maintaining records of education, training, skills, experience and qualifications (see 4.3.3) Not implemented
5.2.2 The organization shall also ensure that all relevant personnel are aware of the relevance and importance of their information security activities and how they contribute to the achievement of the ISMS objectives. Not implemented
6 Internal ISMS audit  
6 The organization shall conduct internal ISMS audits at planned intervals to determine whether the control objectives, controls, processes and procedures of its ISMS: Not implemented
6 (a) Conform to the requirements of this International Standard and relevant legislation or regulations Not implemented
6 (b) Conform to the identified information security requirements Not implemented
6 (c) Are effectively implemented and maintained Not implemented
6 (d) Perform as expected. Not implemented
6 An audit programme shall be planned Not implemented
6 The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results (see 8). Not implemented
7 Management review of the ISMS  
7.1 General  
7.1 Management shall review the organization’s ISMS at planned intervals (at least once a year) to ensure its continuing suitability, adequacy and effectiveness Not implemented
7.2 Review input  
7.2 The input to a management review shall include: Not implemented
7.2 (a) Results of ISMS audits and reviews Not implemented
7.2 (b) Feedback from interested parties Not implemented
7.2 (c) Techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness Not implemented
7.2 (d) Status of preventive and corrective actions Not implemented
7.2 (e) Vulnerabilities or threats not adequately addressed in the previous risk assessment Not implemented
7.2 (f) Results from effectiveness measurements Not implemented
7.2 (g) Follow-up actions from previous management reviews Not implemented
7.2 (h) Any changes that could affect the ISMS Not implemented
7.2 (i) Recommendations for improvement Not implemented
7.3 Review output  
7.3 The output from the management review shall include any decisions and actions related to the following: Not implemented
7.3 (a) Improvement of the effectiveness of the ISMS Not implemented
7.3 (b) Update of the risk assessment and risk treatment plan Not implemented
7.3 (c) Modification of procedures and controls that effect information security, as necessary, to respond to internal or external events that may impact on the ISMS Not implemented
7.3 (d) Resource needs Not implemented
7.3 (e) Improvement to how the effectiveness of controls is being measured Not implemented
8 ISMS improvement  
8.1 Continual improvement  
8.1 The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review (see 7). Not implemented
8.2 Corrective action  
8.2 The organization shall take action to eliminate the cause of nonconformities with the ISMS requirements in order to prevent recurrence.  The documented procedure for corrective action shall define requirements for: Not implemented
8.2 (a) Identifying nonconformities Not implemented
8.2 (b) Determining the causes of nonconformities Not implemented
8.2 (c) Evaluating the need for actions to ensure that nonconformities do not recur Not implemented
8.2 (d) Determining and implementing the corrective action needed Not implemented
8.2 (e) Recording results of action taken (see 4.3.3) Not implemented
8.2 (f) Reviewing of corrective action taken Not implemented
8.3 Preventive action  
8.3 The organization shall determine action to eliminate the cause of potential nonconformities with the ISMS requirements in order to prevent their occurrence.  Preventive actions taken shall be appropriate to the impact of the potential problems. The documented procedure for preventive action shall define requirements for: Not implemented
8.3 (a) Identifying potential nonconformities and their causes Not implemented
8.3 (b) Evaluating the need for action to prevent occurrence of nonconformities Not implemented
8.3 (c) Determining and implementing preventive action needed Not implemented
8.3 (d) Recording results of action taken (see 4.3.3) Not implemented
8.3 (e) Reviewing of preventive action taken Not implemented
8.3 The organization shall identify changed risks and identify preventive action requirements focusing attention on significantly changed risks Not implemented