Sample Pages

EVIDENCE PRODUCT CHECKLIST
for the standard
ISO/IEC 27002:2005 Information Technology
Standard for Security Techniques - Code of practice for information security management

Introduction
The process of defining what is necessary for compliance with a standard such as “ISO/IEC 27002:2005 for security management of information and related assets is often confusing and laborious because the directions contained in the standards are unclear or ambiguous.  To aid in determining what is actually “recommended” by the document in the way of physical evidence of compliance, the experts at SEPT have produced this checklist.  This checklist is constructed around a classification scheme of physical evidence comprised of policies, procedures, plans, records, documents, audits, and reviews.  There must be an accompanying record of some type when an audit or review has been accomplished.  This record would define the findings of the review or audit and any corrective action to be taken.  For the sake of brevity this checklist does not call out a separate record for each review or audit.  All policies, procedures and records should be reviewed but the checklist does not call out a review for each item unless the standard calls out the review.  In this checklist “manuals, reports, scripts and specifications” are included in the document category.

The Authors have carefully reviewed the document “ISO/IEC 27002:2005 Information technology – Security techniques -- Code of practice for information security management" and defined the physical evidence recommended based upon this classification scheme.  SEPT has conducted a second review of the complete list to ensure that the documents’ producers did not leave out a physical piece of evidence that a “reasonable person” would expect to find.  It could certainly be argued that if the document did not call it out then it is not recommended; however if the document was used by an organization to improve its process, then it would make sense to recognize missing documents.  Therefore, there are documents specified in this checklist that are implied by the standard, though not specifically called out in the document, and they are designated by an asterisk (*) throughout this checklist.  These items are classified as suggested. If a document is called out more than one time, only the first reference is stipulated. 

There are occasional situations in which a procedure or document is not necessarily separate and could be contained within another document or procedure.  For example, the “Equipment Siting and Protection Procedure" could be a part of the “Equipment Security Procedure”.  The authors have called out these individual items separately to ensure that the organization does not overlook any facet of physical evidence.  If the organization does not require a separate document, and an item can be a subset of another document or record, then this fact should be denoted in the detail section of the checklist for that item.  This should be done in the form of a statement reflecting that the information for this document may be found in section XX of Document XYZ.  If the organizational requirements do not call for this physical evidence for a particular project, this should also be denoted with a statement reflecting that this physical evidence is not recommended and why.  The reasons for the evidence not being recommended should be clearly presented in this statement.  Further details on this step are provided in the Detail Steps section of the introduction.  The size of these documents could vary from paragraphs to volumes depending upon the size and complexity of the project or business requirements. 

“ISO/IEC 27002:2005 Information technology – Security techniques 
Code of practice for information security management" Checklist 

This checklist was prepared by analyzing each clause of this document for the key words that signify a:

• ·        Policy

• ·        Procedure

• ·        Plan

• ·        Records

• ·        Document (Including Manuals, Reports, Scripts and Specifications)

• ·        Audit

• ·        Review

 This checklist specifies evidence that is unique and industry best practices.  After reviewing the completed document, the second review was conducted from a common sense “reasonable person” approach.  If a document or other piece of evidence appeared to be recommended, but was not called out in the document, then it is added with an asterisk (*) after its notation in the checklist.  The information was transferred into checklist tables, based on the type of product or evidence.  Recommended items do not have an asterisk (*) after its notation in the checklist.

Using the Checklist
When a company is planning to use the “ISO/IEC 27002:2005 Information technology – Security techniques -- Code of practice for information security management", the company should review the evidence checklist.  If the company’s present process does not address an ISO/IEC 27002:2005 product, then this question should be asked:  Is the evidence product recommended for the type of business of the company?  If in the view of the company the evidence is not recommended, the rationale should be documented and inserted in the checklist and quality control manual.  This rationale should pass “the reasonable person rule.”  If the evidence is recommended, plans should be prepared to address the missing item(s).

Detail Steps
An organization should compare the proposed output of their organization against the checklist.  In doing this, they will find one of five conditions that exist for each item listed in the checklist.  The following five conditions and the actions required by these conditions are listed in the table below.

• Section 1.  Introduction
• Section 2.  Composites of all required and suggested “ISO/IEC 27002:2005 Information Technology - Security Techniques - Code of practice for information security management 
• Sections 3-8.  Individual checklists for each evidence type.
• Section 9.  “About the Authors”

Warranties and Liability
Software Engineering Process Technology (SEPT) makes no warranties implied or stated with respect to this checklist, and it is provided on an “as is” basis.  SEPT will have no liability for any indirect, incidental, special or consequential damages or any loss of revenue or profits arising under, or with respect to the use of this document.
                                

• Risk Assessment Results Document Procedure*

• Risk Assessment Result Document

• Risk Assessment Result Document Review*

• Information Security Document Procedure*
• Information Security Policy
• Information Security Policy Document Procedure*
• Information Security Policy Procedure

• Information Security Document
• Information Security Policy* Document

• Information Security Document Review 
• Information Security Policy Document Review
• Information Security Policy Review

• Information Security Infrastructure Document Procedure*

• Information Security Specialist Adviser Records

•  Information Security Infrastructure Document*

• Information Security Infrastructure Document  Review*

• Information Security Goals Document Procedure*
• Security Awareness Plan Procedure*
• User Security Training Procedure*

• Security Awareness Plan

• Information Security Goals Document

• Information Security Goals Document Review*
• Security Awareness Plan Review*
• User Security Training Procedure Review*

• Asset Responsibility Document Procedure*
• Authorization Level Procedure
• Authorization Process for Implementing Information Security Processing Procedure
• Information Security Responsibility Document Procedure*
• Security Roles and Responsibilities of Information Asset Owners Document Procedure*
• System Asset Document Procedure*
• System Security Process Document Procedure*

• Authorization Level Records

• Asset Responsibility Document *
• Information Security Responsibility Document
• Security Roles and Responsibilities of Information Asset Owners Document
• System Asset Document
• System Security Process Document

• Asset Responsibility Document Review*
• Information Security Responsibility Document Review*
• Security Roles and Responsibilities of Information Asset Owners Document Review*
• System Asset Document Review*
• System Security Process Document Review

• New Information Processing Facilities Authorization Procedure
• Use of (personnel or Privately) Owned Information Processing Facilities and / or Equipment Procedure

• Confidentiality / Non-Disclosure Agreement Document Procedure*
• Confidentiality / Non-Disclosure Agreement Procedure

• Confidentiality / Non-Disclosure Agreement Records*

• Confidentiality / Non-Disclosure Agreement Document

• Confidentiality / Non-Disclosure Agreement Document Review
• Confidentiality / Non-Disclosure Agreement Procedure review
• Confidentiality / Non-Disclosure Agreement Review

• Contact with Authorities Procedure

• Information Security Contact with Authorities Records

• Contact with Special Interest Groups Procedure*
• Information Sharing Agreements Document Procedure*

• Information Sharing Agreements Document

• Information Sharing Agreements Document Review*