Evidence Product Checklist for ISO/IEC 27001:2013 - Security Requirements (docx)
Download: docx format, 114 pages (also available in .pdf format).
Item No.: RCG058AWSEP, published 2013.
Purpose of this checklist
This checklist, if used properly, will give an organization confidence that it has all the documentation required by the ISO/IEC 27001:2013 standard.
The checklist is a tool for achieving certification to ISO/IEC 27001:2013: it clearly defines the artifacts required, whether your organization is upgrading to the new version of the standard or pursuing certification to ISO/IEC 27001:2013 for the first time.
Components of the Checklist
• Section 1. Introduction
• Section 2. Composite list of all required and suggested ISO/IEC 27001:2013 artifacts.
• Sections 3-8. Individual checklists for each evidence type.
• Section 9. Additional controls that may be required for an organization (per ISO/IEC 27001:2013 Annex A).
Overview of the base standard
ISO/IEC 27001:2013 specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), including the assessment and treatment of information security risks and the selection, implementation, and management of controls, taking into consideration the organization's information security risk environment(s). Its Annex A lists the control objectives and controls that are derived from ISO/IEC 27002:2013.
It is designed to be used by organizations that intend to:
1. select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001
2. implement commonly accepted information security controls
3. develop their own information security management practices
The requirements in the ISO/IEC 27001:2013 standard are stated at a high level, with Annex A referencing ISO/IEC 27002:2013 as guidance on demonstrating compliance with ISO/IEC 27001:2013. If an organization wants to test its compliance with ISO/IEC 27001:2013, this checklist provides a detailed breakdown of the requirements in the ISO/IEC 27001 standard. If the organization is interested only in the guidance of ISO/IEC 27002:2013, the checklist also lists every control in Annex A of ISO/IEC 27001 that is derived from the ISO/IEC 27002 guidelines. These are addressed in detail in the Introduction to the checklist and in Section 9.
General Principles of the Checklist for ISO/IEC Standard 27001:2013
This checklist was prepared by analyzing each clause of the standard for the key words that signify a:
• Procedure (Including Guidelines)
• Document (Including Manuals, Reports, Scripts and Specifications)
Each item of evidence appears only once in the checklist. After the first pass through the standard, a second review was conducted from a common-sense "reasonable person" perspective: if a document or other piece of evidence appeared to be required but is not explicitly called out as required in the standard, it was added to the checklist with an asterisk (*) after its notation. The resulting items were then transferred into checklist tables organized by type of product or evidence.
Using the Checklist
When a company plans to adopt the ISO/IEC 27001:2013 standard, it should review the evidence checklist. If the company's present process does not produce an evidence product called for by the ISO/IEC 27001:2013 standard, the following question should be asked: "Is the evidence product required for the type of business conducted by the organization?" If, in the view of the organization, the evidence is not required, the rationale should be documented and inserted in the checklist and in the quality manual. This rationale should pass the "reasonable person" rule described above. If the evidence is required, plans should be prepared to address the missing item(s).