ISO27001安全遵守情况检查表chs

ISO27001遵从检查表检查表标准Section审计问题FindingsStatus(%)1.15.1WhetherthereexistsanInformationsecuritypolicy,‎whichisapprovedbythemanagement,publishedand‎communicatedasappropriatetoallemployees.Whetherthepolicystatesmanagementcommitment‎andsetsouttheorganizationalapproachtomanaging‎informationsecurity.‎WhethertheInformationSecurityPolicyisreviewedat‎plannedintervals,orifsignificantchangesoccurto‎ensureitscontinuingsuitability,adequacyand‎effectiveness.WhethertheInformationSecuritypolicyhasanowner,‎whohasapprovedmanagementresponsibilityfor‎development,reviewandevaluationofthesecuritypolicy.‎WhetheranydefinedInformationSecurityPolicy‎reviewproceduresexistanddotheyinclude‎requirementsforthemanagementreview.‎Whethertheresultsofthemanagementreviewaretakenintoaccount.‎Whethermanagementapprovalisobtainedforthe‎revisedpolicy.‎2.16.12.116.11ManagementCommitmenttoInformaitonSecurityWhethermanagementdemonstratesactivesupportforsecuritymeasureswithintheorganization.Thiscanbedoneviacleardirection,demonstratedcommitment,explicitassignmentandacknowledgementofinformationsecurityresponsibilities.2.1.26.1.2InformationSecuritycoordinationWhetherinformationsecurityactivitiesarecoordinatedbyrepresentativesfromdiversepartsoftheorganization,withpertinentrolesandresponsibilities参考Auditarea,objectiveandquestionResults安全策略InformationSecurityPolicyOrganizationofInformationSecurity1.1.15.1.1Informationsecuritypolicydocument1.1.25.1.2ReviewofInformationalSecurityPolicyInternalOrganizationHakimKthakimkt@yahoo.comPage12019/8/21ISO27001遵从检查表2.1.36.1.3AllocationofInformationSecurityresponsibilitiesWhetherresponsibilitiesfortheprotectionofindividualassets,andforcarryingoutspecificsecurityprocesses,wereclearlyidentifiedanddefined.2.1.46.1.4AuthorizationprocessforInformationprocessingfacilitiesWhethermanagementauthorizationprocessisdefinedandimplementedforanynewinformationprocessingfacilitywithintheorganization.Whethertheorganization’sneedforConfidentialityor‎Non-DisclosureAgreement(NDA)forprotectionof‎informationisclearlydefinedandregularlyreviewed.Doesthisaddresstherequirementtoprotectthe‎confidentialinformationusinglegalenforceableterms2.1.66.1.6ContactwithAuthoritiesWhetherthereexistsaprocedurethatdescribeswhen,andbywhom:relevantauthoritiessuchasLawenforcement,firedepartmentetc.,shouldbecontacted,andhowtheincidentshouldbereported2.1.76.1.7ContactwithspecialinterestgroupsWhetherappropriatecontactswithspecialinterestgroupsorotherspecialistsecurityforums,andprofessionalassociationsaremaintained.2.1.86.1.8IndependentreviewofInformationSecurityWhethertheorganization’sapproachtomanaginginformationsecurity,anditsimplementation,isreviewedindependentlyatplannedintervals,orwhenmajorchangestosecurityimplementationoccur.2.26.22.2.16.2.1IdentificationofrisksrelatedtoexternalpartiesWhetherriskstotheorganization’sinformationandinformationprocessingfacility,fromaprocessinvolvingexternalpartyaccess,isidentifiedandappropriatecontrolmeasuresimplementedbeforegrantingaccess.2.2.26.2.2AddressingsecuritywhiledealingwithcustomersWhetherallidentifiedsecurityrequirementsarefulfilledbeforegrantingcustomeraccesstotheorganization’sinformationorassets.2.2.36.2.3AddressingsecurityinthirdpartyagreementsWhethertheagreementwiththirdparties,involvingaccessing,processing,communicatingormanagingtheorganization’sinformationorinformationprocessingfacility,orintroducingproductsorservicestoinformationprocessingfacility,complieswithallappropriatesecurityrequirements.3.17.1ExternalParties2.1.56.1.5ConfidentialityAgreementsResponsibilityforassetsAssetManagementHakimKthakimkt@yahoo.comPage22019/8/21ISO27001遵从检查表3.1.17.1.1InventoryofAssetsWhetherallassetsareidentifiedandaninventoryorregisterismaintainedwithalltheimportantassets.3.1.27.1.2OwnershipofAssetsWhethereachassetidentifiedhasanowner,adefinedandagreed-uponsecurityclassification,andaccessrestrictionsthatareperiodicallyreviewed.3.1.37.1.3AcceptableuseofassetsWhetherregulationsforacceptableuseofinformationandassetsassociatedwithaninformationprocessingfacilitywereidentified,documentedandimplemented.3.27.23.2.17.2.1ClassificationguidelinesWhethertheinformationisclassifiedintermsofitsvalue,legalrequirements,sensitivityandcriticalitytotheorganization.3.2.27.2.2InformationlabellingandhandlingWhetheranappropriatesetofproceduresaredefinedforinformationlabellingandhandling,inaccordancewiththeclassificationschemeadoptedbytheorganization.4.18.1Whetheremployeesecurityrolesandresponsibilities,‎contractorsandthirdpartyusersweredefinedand‎documentedinaccordancewiththeorganization’s‎informationsecuritypolicy.Weretherolesandresponsibilitiesdefinedandclearly‎communicatedtojobcandidatesduringthepre-‎employmentprocessWhetherbackgroundverificationchecksforall‎candidatesforemployment,contractors,andthirdparty‎userswerecarriedoutinaccordancetotherelevant‎regulations.Doesthecheckincludecharacterreference,‎confirmationofclaimedacademicandprofessional‎qualificationsandindependentidentitychecksWhetheremployee,contractorsandthirdpartyusers‎areaskedtosignconfidentiali