This is an example of a completed ISMS plan for ISO 27001:2022. This is only guidance and you should review the example language before including it in your own ISMS plan.
A downloadable version of this template can be found at the bottom of this article.
Information Security Management System Plan (ISO/IEC 27001:2022)
Example Corporation
____________________________________________________________________
Table of Contents:
Purpose
Background and Objectives
ISMS Plan
4. Context of the organization
4.1. Understanding the organization and its context
4.2. Understanding the needs and expectations of interested parties
4.3. Determining the scope of the ISMS
5. Leadership
5.1. Leadership and commitment
5.2. Policies
5.3. Organizational roles, responsibilities and authorities
6./8.1 Planning
6.1. Actions to address risks and opportunities
6.1.1. General; 6.1.2 / 8.2. Information security risk assessment
6.1.3 / 8.3. Information security risk treatment
SOA REVISION HISTORY
6.2 Information security objectives and planning to achieve them
6.3 Planning of changes
7. Support
7.1. Resources and 7.2 Competence
7.3. Awareness
7.4. Communication
7.5. Documented Information
7.5.1. General
7.5.2. Creating and updating
7.5.3. Control of documented information
9. Performance Evaluation / 10. Improvement
9.1. Monitoring, measurement, analysis and evaluation
9.2. Internal audit
9.3. Management review / 10.1. Continual improvement / 10.2. Nonconformity and corrective action
APPENDIX A
APPENDIX B
APPENDIX C
Purpose
This Information Security Management System (ISMS) Plan aims to define the principles, requirements, and basic rules for the establishment, implementation and operation of the Information Security Management System.
Background and Objectives
The ISMS Plan lays the foundation of the company’s Information Security Management System, and identifies the roadmap for the establishment, implementation and operation of the ISMS and its continued efficacy. This document is supplemented by security policies and procedures that enable the treatment of risks to the organization.
Key objectives of the ISMS Plan are to:
Define the context of the organization
Define the scope of the ISMS
Provide guidance for translating risk assessment findings into a Statement of Applicability
Provide proper steps and timelines for the implementation and maintenance of the ISMS
Outline the internal audit process, audit reviews, and remedial actions
Identify all necessary documents and records
Continually improve the ISMS
ISMS Plan
4. Context of the organization
4.1. Understanding the organization and its context
To establish an effective ISMS, gain a better understanding of relevant information security issues, develop successful strategies, and allocate resources where they yield the best results, Example Corporation will define its internal and external context as it pertains to information security.
Internal and external issues are those factors relevant to Example Corporation’s purpose and that affect Example Corporation’s ability to achieve the intended outcomes of its ISMS.
Internal issues include, but are not limited to:
Governance and organizational structure (see Organization Chart), and roles and responsibilities for the ISMS (see Skills Matrix)
Policies, objectives and the strategies in place to achieve them
Company culture, values, mission, and vision (see Information Security Policy)
Flow of information and the decision-making process (see Information Security Policy)
Capabilities (e.g. capital, time, people, processes, systems and technology)
Form and extent of contractual relationships (see Vendor Management Policy)
External issues include, but are not limited to:
Information Security laws and regulations that are applicable to the company (see below)
Social and cultural
Interested parties (see below) and their cultures
Market trends and customer preferences
Political, public policy, and economic changes
Technological trends that could impact implemented security controls
4.2. Understanding the needs and expectations of interested parties
| Jurisdiction | APPLICABLE LAWS AND REGULATIONS (EXTERNAL) | Requirements / Notes | Responsible Party |
| International | GDPR | Security provisions of GDPR include data protection which ISO 27001 helps demonstrate. | Example Corporation |
| Federal | HIPAA | Security provisions of HIPAA include controls which ISO 27001 helps demonstrate. | Example Corporation |
| State | CCPA | Security provisions of CCPA include controls which ISO 27001 helps demonstrate. | Example Corporation |
| Local | N/A | N/A | N/A |
| Party | CONTRACTUAL REQUIREMENTS (EXTERNAL) | Requirements / Notes | Responsible Party |
| JP Morgan | JP Morgan Chase requires ISO 27001 certification as part of the MSA signed between Example Corporation and JP Morgan Chase Bank in 2022. | ISO 27001 Certification | Example Corporation |
| Amazon | Amazon requires evidence that Example Corporation is effectively managing the security of data provided to Example Corporation within the MSA signed in 2021, and management of Example Corporation has agreed that an ISO 27001 certification fulfills this requirement. | Any independent audit report fulfills the agreement | Example Corporation |
| Technology Customers | Example Corporation includes a provision in all contracts between Example Corporation and customers operating in the technology industry that an ISO 27001 certification will be provided for their review. | ISO 27001 Certification | Example Corporation |
| Party | INTERESTED PARTIES (INTERNAL/EXTERNAL) | Requirements / Notes | Responsible Party |
| Customers | Customers who signed our DPA are interested in gaining assurance that Example Corporation protects the data provided to it. | Evidence that client data is protected. ISO 27001 certification | Example Corporation |
| Suppliers | Suppliers are interested in gaining assurance that Example Corporation protects the data provided to it. | Evidence that client data is protected. ISO 27001 certification | Example Corporation |
| Regulators | European Data Protection Authorities | Evidence that demonstrates Example Corporation has a strategy for protecting Personal Data | Example Corporation |
| Contracts | See “Contractual Requirements (External)” | See “Contractual Requirements (External)” | See “Contractual Requirements (External)” |
| Shareholders/Owners/Investors | Example Corporation’s Board of Directors | Assurance that Example Corporation is continually improving its product offering and ISMS | Example Corporation |
| Management | Example Corporation’s Management is interested in providing its clients assurance that the client data provided is adequately and reasonably protected. | Evidence that client data is protected. ISO 27001 certification | Example Corporation |
| Department | DEPARTMENTS & BUSINESS UNITS (INTERNAL) | Requirements / Notes | Responsible Party |
| IT & Engineering | Management of Example Corporation has determined that a structured approach to implementing security controls is needed for the software development process at Example Corporation. Management of Example Corporation agrees that Annex A 5.8 of ISO 27001 meets the business requirements to fulfill this. | A more structured approach to implementing security controls. | IT & Engineering |
| HR | Management of Example Corporation has determined that additional controls related to onboarding and terminations are required at Example Corporation within the Human Resources department. Management of Example Corporation has determined that Annex A 6.0 of ISO 27001 will fulfill the need for these controls. | More formalized onboarding/offboarding process. | Human Resources |
| Security | Management of Example Corporation has determined, with input from the Security team, that an organized approach is needed to reduce the time that the Security team spends selecting security controls to implement. Management and Security have determined that ISO 27001 provides an organized framework for the management of Information Security within an organization which meets the needs of Example Corporation. | Reduced time spent selecting security controls for implementation. | Information Security |
4.3. Determining the scope of the ISMS
This document provides a clear definition for the Information Security Management System (ISMS) boundaries of Example Corporation, and applies to all matters related to the ISMS, to include documentation and activities.
This document will be used by:
Example Corporation Management
Members responsible for implementation of the ISMS
Example Corporation Employees
Through this document, Example Corporation will define the boundaries of its ISMS by outlining the information that needs to be protected. This information is under the direct responsibility of Example Corporation and will be safeguarded regardless of whether it is additionally stored, processed or transferred in or out of the ISMS scope. When information is transferred out of the ISMS, the responsibility for applying security measures is transferred to the external party responsible for its management.
The following items will establish the ISMS boundaries of Example Corporation, within the context of legal, regulatory, contractual, interested parties, and other stated requirements:
Organizational Units
Example Corporation Management
Information Security
Information Technology & Engineering
Human Resources
Legal
Networks and IT Infrastructure
Amazon Web Services (AWS)
GitHub
Slack
Jira
Processes and Services
Example Corporation Web Application (app.examplecorp.com)
Example Corporation Mobile Application (iOS & Android)
Locations
Not Applicable as Example Corporation has no physical locations in scope
[For companies with office locations in scope, list the appropriate address (e.g. 123 Fake Street, Fakeville, CA 91001) and/or the broad general location (e.g. Example Corporation Southeast Asia Office)]
EXCLUSIONS. The following items are explicitly excluded from the ISMS scope of Example Corporation:
Business Units:
Sales
Marketing
Finance
Vendor Dependencies:
Amazon Web Services (AWS) - Data Center & Physical Security Controls
5. Leadership
5.1. Leadership and commitment
To ensure the success of the Information Security Management System (ISMS), the management team of Example Corporation must be fully aware and appropriately engaged in matters involving the ISMS. Management must provide proper resources (e.g., personnel, funding, etc.) for the establishment, implementation, and maintenance of the ISMS.
Top Management shall demonstrate its leadership and commitment through:
Establishing an information security policy
Ensuring ISMS roles, responsibilities and authorities are assigned
Communicating the importance of effective information security management
Management commitment can be demonstrated, for example, by:
Motivating & empowering persons to contribute to the effectiveness of the ISMS
Reinforcing organizational accountability for information security management results
Creating and maintaining an internal environment in which persons can become fully involved in achieving the organization’s information security objectives
5.2. Policies
In addition to this plan, the information security plans, processes and procedures of Example Corporation will be outlined in a series of policies that define the vision and mission of Example Corporation’s management as to what needs to be achieved to ensure the protection of information, and how that will be accomplished. These policies will include:
Information Security Policy
Acceptable Use Policy
Asset Management Policy
Backup Policy
Business Continuity/Disaster Recovery Plans
Code of Conduct
Data Classification, Retention, and Protection Policies
Encryption and Password Policies
Incident Response Plan
Physical Security Policy
Responsible Disclosure Policy
Risk Assessment Policy
Software Development Life Cycle Policy
System Access Management Policy
Vendor Management Policy
Vulnerability Management Policy
5.3. Organizational roles, responsibilities and authorities
The CISO and GRC Manager are responsible for:
The design, development, maintenance, dissemination, and enforcement of the items contained in this policy and associated policies.
Ensuring that the information security management system conforms to the requirements of ISO/IEC 27001:2022 (Clause 5.2c and Clause 5.3a).
Reporting on the performance of the information security program to top management to identify areas for continuous improvement (Clause 5.2d and Clause 5.3b).
The objectives and measures outlined by this plan and associated policies shall be maintained and enforced by the roles and responsibilities specified in each policy and the company Skills Matrix (see below).
SKILLS MATRIX
| Role Title | Job Description | ISMS Responsibilities | Required Skills & Competence | Current Member | Fully Competent (Y/N) | Competency Plan (if not fully competent) | Proof of Competency |
| CISO | Responsible for establishing and maintaining a comprehensive corporate-wide information security management program based on industry-accepted information security and risk management frameworks. | a) The design, development, maintenance, dissemination, and enforcement of the items contained in this policy and other ISP policies. b) Ensuring that the information security management system conforms to the requirements of ISO/IEC 27001:2022. c) Reporting on the performance of the information security program to top management to identify areas for continuous improvement (5.2d, 5.3b). | | John Smith | N | | |
| Manager, GRC | Leads the development and maintenance of the company’s compliance program to support the alignment of security architectures, plans, controls, processes, policies, and procedures with security standards and operational goals. | a) The design, development, maintenance, dissemination, and enforcement of the items contained in this policy and other ISP policies. b) Ensuring that the information security management system conforms to the requirements of ISO/IEC 27001:2022. c) Reporting on the performance of the information security program to top management to identify areas for continuous improvement (5.2d, 5.3b). | | Jane Doe | Y | | |
| Internal Auditor | Leads in performing a full audit cycle including risk management and control management over operations’ effectiveness, financial reliability, and compliance with all applicable directives, standards, and regulations. | a) Conduct annual Internal Audits to drive Continuous Improvement across the Drata ISMS. | | Benedict Arnold | Y | | |
6./8.1 Planning
6.1. Actions to address risks and opportunities
6.1.1. General; 6.1.2 / 8.2. Information security risk assessment
Methodology. Example Corporation will establish a well-defined methodology for risk assessment tailored to the company’s circumstances and needs, which will include the method of defining the following (see Risk Assessment Policy):
Risks that could cause the loss of confidentiality, integrity, and/or availability of information
Identity of risk owners
Assessment of the consequences and the likelihood of the risk
Risk calculation
Risk acceptance
The risk methodology will ensure that risk assessment results are consistent and comparable across all relevant parts of the company.
Performance. Example Corporation will conduct a risk assessment as outlined in its Risk Assessment Policy, and will produce a Risk Assessment Report.
6.1.3 / 8.3. Information security risk treatment
Risk Treatment Plan. The Risk Treatment Plan is a crucial part of the ISMS implementation. Example Corporation will have a well-defined Risk Treatment Plan, which will outline how the controls from the Statement of Applicability will be implemented, including responsible parties, timing and intervals, and allocated resources/budgets.
Evaluation of Effectiveness. Example Corporation will measure and evaluate the fulfillment and effectiveness of the controls in place and of the other ISMS objectives, as set forth in the Risk Treatment Plan.
Statement of Applicability. The Statement of Applicability (SOA) links Example Corporation’s risk assessment and treatment with the implementation of the ISMS. It provides the company with an overview of what needs to be done in information security, why, and how.
The SOA will list all Annex A controls, both those that are applicable and those that are not. Each control decision will carry a justification stating whether the control was implemented, why, and where (see below).
SOA REVISION HISTORY
| Version | Date | Editor | Description of Changes |
| 1.0 | 12/21/22 | Jane Doe | Initial Creation |
STATEMENT OF APPLICABILITY
* LR: Legal Requirement, CO: Contractual Obligation, BR/BP: Business Requirement/Best Practice, RRA: Results of Risk Assessment
| CONTROL | OBJECTIVE & DESCRIPTION | STATUS (Applicable/NA) | LR | CO | BR/BP | RRA | IMPLEMENTATION (Yes/No) | REMARKS | RESPONSIBLE ENTITY (Dept/Role) |
| A.5 | INFORMATION SECURITY POLICIES | | | | | | | | |
| A.5.1 | Policies for information security: Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. | Applicable | | | Y | | Yes | None | Management, Information Security |
| A.5.2 | Information security roles and responsibilities: Information security roles and responsibilities should be defined and allocated according to the organization needs. | Applicable | | | Y | | Yes | None | Management, Information Security |
| A.5.3 | Segregation of duties: Conflicting duties and conflicting areas of responsibility should be segregated. | Applicable | | | Y | | Yes | None | Management, Information Security |
| A.5.4 | Management responsibilities: Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization. | Applicable | | | Y | | Yes | None | Management |
| A.5.5 | Contact with authorities: The organization should establish and maintain contact with relevant authorities. | Applicable | Y | | | | Yes | None | Management, Information Security, Legal |
| A.5.6 | Contact with special interest groups: The organization should establish and maintain contact with special interest groups or other specialist security forums and professional associations. | Applicable | | | Y | | Yes | None | Management, Information Technology |
| A.5.7 | Threat intelligence: Information relating to information security threats should be collected and analyzed to produce threat intelligence. | Applicable | | | Y | | Yes | None | Information Security |
| A.5.8 | Information security in project management: Information security should be integrated into project management. | Applicable | | Y | Y | | Yes | None | Information Technology, Information Security |
| A.5.9 | Inventory of information and other associated assets: An inventory of information and other associated assets, including owners, should be developed and maintained. | Applicable | | | Y | | Yes | None | Information Technology |
| A.5.10 | Acceptable use of information and other associated assets: Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented. | Applicable | | | Y | | Yes | None | Management, Information Technology, Human Resources |
| A.5.11 | Return of assets: Personnel and other interested parties as appropriate should return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement. | Applicable | | | Y | | Yes | None | Management, Information Technology, Human Resources |
| A.5.12 | Classification of information: Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements. | Applicable | | | Y | | Yes | None | Management, Information Security |
| A.5.13 | Labeling of information: An appropriate set of procedures for information labeling should be developed and implemented in accordance with the information classification scheme adopted by the organization. | Applicable | | | Y | Y | Yes | None | Management, Information Security |
| A.5.14 | Information transfer: Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. | Applicable | | Y | Y | | Yes | None | Management, Information Security, Information Technology |
| A.5.15 | Access control: Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. | Applicable | | Y | Y | | Yes | None | Information Security, Information Technology |
| A.5.16 | Identity management: The full life cycle of identities should be managed. | Applicable | | | Y | | Yes | None | Information Technology |
| A.5.17 | Authentication information: Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information. | Applicable | | Y | Y | | Yes | None | Information Technology |
| A.5.18 | Access rights: Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control. | Applicable | | Y | Y | | Yes | None | Information Technology |
| A.5.19 | Information security in supplier relationships: Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services. | Applicable | Y | | Y | | Yes | None | Management, Information Security |
| A.5.20 | Addressing information security within supplier agreements: Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship. | Applicable | Y | | Y | | Yes | None | Management, Information Security |
| A.5.21 | Managing information security in the ICT supply chain: Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain. | Applicable | | | Y | | Yes | None | Information Security |
| A.5.22 | Monitoring, review and change management of supplier services: The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. | Applicable | Y | | Y | Y | Yes | None | Management, Information Security |
| A.5.23 | Information security for use of cloud services: Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements. | Applicable | Y | | Y | | Yes | None | Management, Information Security |
| A.5.24 | Information security incident management planning and preparation: The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. | Applicable | Y | Y | Y | | Yes | None | Information Security |
| A.5.25 | Assessment and decision on information security events: The organization should assess information security events and decide if they are to be categorized as information security incidents. | Applicable | Y | Y | Y | | Yes | None | Management, Information Security |
| A.5.26 | Response to information security incidents: Information security incidents should be responded to in accordance with the documented procedures. | Applicable | Y | Y | Y | | Yes | None | Information Security |
| A.5.27 | Learning from information security incidents: Knowledge gained from information security incidents should be used to strengthen and improve the information security controls. | Applicable | | | Y | | Yes | None | Information Security |
| A.5.28 | Collection of evidence: The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. | Applicable | Y | Y | Y | | Yes | None | Information Security |
| A.5.29 | Information security during disruption: The organization should plan how to maintain information security at an appropriate level during disruption. | Applicable | | | Y | | Yes | None | Management, Information Security |
| A.5.30 | ICT readiness for business continuity: ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. | Applicable | | | Y | | Yes | None | Management, Information Security |
| A.5.31 | Legal, statutory, regulatory and contractual requirements: Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements should be identified, documented and kept up to date. | Applicable | Y | | Y | | Yes | None | Management, Information Security, Legal |
| A.5.32 | Intellectual property rights: The organization should implement appropriate procedures to protect intellectual property rights. | Applicable | Y | | Y | | Yes | None | Management, Information Security, Legal |
| A.5.33 | Protection of records: Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. | Applicable | Y | | Y | | Yes | None | Management, Information Security, Legal |
| A.5.34 | Privacy and protection of PII: The organization should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements. | Applicable | Y | Y | Y | | Yes | None | Management, Information Security, Legal |
| A.5.35 | Independent review of information security: The organization’s approach to managing information security and its implementation including people, processes and technologies should be reviewed independently at planned intervals, or when significant changes occur. | Applicable | Y | Y | Y | | Yes | None | Management, Information Security |
| A.5.36 | Compliance with policies, rules and standards for information security: Compliance with the organization’s information security policy, topic-specific policies, rules and standards should be regularly reviewed. | Applicable | Y | Y | Y | | Yes | None | Management, Information Security |
| A.5.37 | Documented operating procedures: Operating procedures for information processing facilities should be documented and made available to personnel who need them. | Applicable | Y | Y | Y | | Yes | None | Management, Information Security |
| A.6 | PEOPLE CONTROLS | | | | | | | | |
| A.6.1 | Screening: Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. | Applicable | Y | Y | Y | | Yes | None | Human Resources |
| A.6.2 | Terms and conditions of employment: The employment contractual agreements should state the personnel’s and the organization’s responsibilities for information security. | Applicable | Y | | Y | | Yes | None | Management, Human Resources |
| A.6.3 | Information security awareness, education and training: Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function. | Applicable | Y | | Y | | Yes | None | Human Resources, Information Security |
| A.6.4 | Disciplinary process: A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation. | Applicable | Y | | Y | | Yes | None | Management, Human Resources |
| A.6.5 | Responsibilities after termination or change of employment: Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties. | Applicable | Y | | Y | | Yes | None | Management, Human Resources, Information Security |
| A.6.6 | Confidentiality or non-disclosure agreements: Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties. | Applicable | | Y | Y | | Yes | None | Management, Human Resources, Legal |
| A.6.7 | Remote working: Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises. | Applicable | | | Y | | Yes | None | Management, Information Technology |
| A.6.8 | Information security event reporting: The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner. | Applicable | | | Y | | Yes | None | Management, Information Security, All Users |
| A.7 | PHYSICAL CONTROLS | | | | | | | | |
| A.7.1 | Physical security perimeters: Security perimeters should be defined and used to protect areas that contain information and other associated assets. | Not Applicable | N/A | N/A | N/A | N/A | No | Example Corporation does not have a physical location in scope for the ISMS Plan. | N/A |
| A.7.2 | Physical entry: Secure areas should be protected by appropriate entry controls and access points. | Not Applicable | N/A | N/A | N/A | N/A | No | Example Corporation does not have a physical location in scope for the ISMS Plan. | N/A |
| A.7.3 | Securing offices, rooms and facilities: Physical security for offices, rooms and facilities should be designed and implemented. | Not Applicable | N/A | N/A | N/A | N/A | No | Example Corporation does not have a physical location in scope for the ISMS Plan. | N/A |
| A.7.4 | Physical security monitoring: Premises should be continuously monitored for unauthorized physical access. | Not Applicable | N/A | N/A | N/A | N/A | No | Example Corporation does not have a physical location in scope for the ISMS Plan. | N/A |
| A.7.5 | Protecting against physical and environmental threats: Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure should be designed and implemented. | Not Applicable | N/A | N/A | N/A | N/A | No | Example Corporation does not have a physical location in scope for the ISMS Plan. | N/A |
| A.7.6 | Working in secure areas: Security measures for working in secure areas should be designed and implemented. | Not Applicable | N/A | N/A | N/A | N/A | No | Owned by Cloud Service Provider | Cloud Service Provider |
| A.7.7 | Clear desk and clear screen: Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced. | Not Applicable | N/A | N/A | N/A | N/A | No | Example Corporation does not have a physical location in scope for the ISMS Plan. | N/A |
| A.7.8 | Equipment siting and protection: Equipment should be sited securely and protected. | Not Applicable | N/A | N/A | N/A | N/A | No | Owned by Cloud Service Provider | Cloud Service Provider |
| A.7.9 | Security of assets off-premises: Off-site assets should be protected. | Not Applicable | N/A | N/A | N/A | N/A | No | Owned by Cloud Service Provider | Cloud Service Provider |
| A.7.10 | Storage media: Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements. | Not Applicable | N/A | N/A | N/A | N/A | No | Example Corporation does not have a physical location in scope for the ISMS Plan. | N/A |
| A.7.11 | Supporting utilities: Information processing facilities should be protected from power failures and other disruptions caused by failures in supporting utilities. | Not Applicable | N/A | N/A | N/A | N/A | No | Owned by Cloud Service Provider | Cloud Service Provider |
| A.7.12 | Cabling security: Cables carrying power, data or supporting information services should be protected from interception, interference or damage. | Not Applicable | N/A | N/A | N/A | N/A | No | Owned by Cloud Service Provider | Cloud Service Provider |
| A.7.13 | Equipment maintenance: Equipment should be maintained correctly to ensure availability, integrity and confidentiality of information. | Not Applicable | N/A | N/A | N/A | N/A | No | Owned by Cloud Service Provider | Cloud Service Provider |
| A.7.14 | Secure disposal or re-use of equipment: Items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. | Applicable | | | Y | | Yes | None | Information Technology |
| A.8 | TECHNICAL CONTROLS | | | | | | | | |
| A.8.1 | User endpoint devices: Information stored on, processed by or accessible via user endpoint devices should be protected. | Applicable | | | Y | | Yes | None | Information Technology |
| A.8.2 | Privileged access rights: The allocation and use of privileged access rights should be restricted and managed. | Applicable | | | Y | | Yes | None | Information Technology, Information Security |
A.8.3 | Information access restriction Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. | Applicable |
| Y | Y |
| Yes | None | Information Technology Information Security |
A.8.4 | Access to source code Read and write access to source code, development tools and software libraries should be appropriately managed. | Applicable |
| Y | Y |
| Yes | None | Information Technology Information Security |
A.8.5 | Secure authentication Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. | Applicable |
| Y | Y |
| Yes | None | Information Technology Information Security |
A.8.6 | Capacity management The use of resources should be monitored and adjusted in line with current and expected capacity requirements. | Applicable |
|
| Y |
| Yes | None | Information Technology |
A.8.7 | Protection against malware Protection against malware should be implemented and supported by appropriate user awareness. | Applicable |
| Y | Y |
| Yes | None | Information Security |
A.8.8 | Management of technical vulnerabilities Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. | Applicable |
| Y | Y |
| Yes | None | Information Security |
A.8.9 | Configuration management Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. | Applicable |
|
| Y |
| Yes | None | Information Technology |
A.8.10 | Information deletion Information stored in information systems, devices or in any other storage media should be deleted when no longer required. | Applicable | Y | Y | Y |
| Yes | None | Information Security |
A.8.11 | Data masking Data masking should be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration. | Applicable | Y | Y | Y |
| Yes | None | Information Security |
A.8.12 | Data leakage prevention Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information. | Applicable | Y | Y | Y |
| Yes | None | Information Security |
A.8.13 | Information backup Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. | Applicable |
|
| Y |
| Yes | None | Information Technology Information Security |
A.8.14 | Redundancy of information processing facilities Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. | Applicable |
|
| Y |
| Yes | None | Information Technology |
A.8.15 | Logging Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analyzed. | Applicable | Y | Y | Y |
| Yes | None | Information Security |
A.8.16 | Monitoring activities Networks, systems and applications should be monitored for anomalous behavior and appropriate actions taken to evaluate potential information security incidents. | Applicable |
|
| Y |
| Yes | None | Information Security |
A.8.17 | Clock synchronization The clocks of information processing systems used by the organization should be synchronized to approved time sources. | Applicable |
|
| Y |
| Yes | None | Information Technology |
A.8.18 | Use of privileged utility programs The use of utility programs that can be capable of overriding system and application controls should be restricted and tightly controlled. | Applicable |
|
| Y |
| Yes | None | Information Security |
A.8.19 | Installation of software on operational systems Procedures and measures should be implemented to securely manage software installation on operational systems. | Applicable |
|
| Y |
| Yes | None | Information Security |
A.8.20 | Networks security Networks and network devices should be secured, managed and controlled to protect information in systems and applications. | Applicable |
|
| Y |
| Yes | None | Information Security |
A.8.21 | Security of network services Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored. | Applicable |
|
| Y |
| Yes | None | Information Security |
A.8.22 | Segregation of networks Groups of information services, users and information systems should be segregated in the organization’s networks. | Applicable |
| Y | Y |
| Yes | None | Information Security |
A.8.23 | Web filtering Access to external websites should be managed to reduce exposure to malicious content. | Applicable |
|
| Y |
| Yes | None | Information Security |
A.8.24 | Use of cryptography Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented. | Applicable | Y | Y | Y |
| Yes | None | Information Security |
A.8.25 | Secure development life cycle Rules for the secure development of software and systems should be established and applied. | Applicable |
|
| Y |
| Yes | None | Information Technology Information Security |
A.8.26 | Application security requirements Information security requirements should be identified, specified and approved when developing or acquiring applications. | Applicable |
|
| Y |
| Yes | None | Information Security |
A.8.27 | Secure system architecture and engineering principles Principles for engineering secure systems should be established, documented, maintained and applied to any information system development activities. | Applicable |
|
| Y | Y | Yes | None | Information Technology Information Security |
A.8.28 | Secure coding Secure coding principles should be applied to software development. | Applicable |
|
| Y |
| Yes | None | Information Technology Information Security |
A.8.29 | Security testing in development and acceptance Security testing processes should be defined and implemented in the development life cycle. | Applicable |
|
| Y |
| Yes | None | Information Technology Information Security |
A.8.30 | Outsourced development The organization should direct, monitor and review the activities related to outsourced system development. | Applicable |
|
| Y |
| Yes | None | Information Technology Information Security |
A.8.31 | Separation of development, test and production environments Development, testing and production environments should be separated and secured. | Applicable |
|
| Y |
| Yes | None | Information Technology |
A.8.32 | Change management Changes to information processing facilities and information systems should be subject to change management procedures. | Applicable |
|
| Y |
| Yes | None | Information Technology Information Security |
A.8.33 | Test information Test information should be appropriately selected, protected and managed. | Applicable |
|
| Y |
| Yes | None | Information Technology |
A.8.34 | Protection of information systems during audit testing Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management. | Applicable |
|
| Y |
| Yes | None | Information Security |
6.2 Information security objectives and planning to achieve them
Information security objectives will be established in accordance with Example Corporation’s Information Security Policy and will take into account applicable information security requirements as well as the results of risk assessment and risk treatment. The objectives will be measurable where practical, and each objective will state:
What will be done
Resources Required
Responsible Parties/Personnel
Completion Timeline
Metrics for Evaluation and Acceptance Criteria
Example Corporation will maintain five to seven information security objectives that together address the confidentiality, integrity, and availability of information within the scope of the ISMS. The objectives will be tracked and updated as needed (see table below).
INFORMATION SECURITY OBJECTIVES
Objective ID | Objective | Action | Required Resources | Responsible Party | Timeline | Acceptance Criteria | Status |
1 | All identified controls are in place | List controls Implement controls Verify controls | Specialist IT team Internal audit | Manager, GRC | 6 months | Refer to KPI Metrics table Section 9.1 | In progress |
2 | All business continuity plans have been tested in the previous year | Agree testing schedule Conduct tests Produce test reports | Operational staff time | CISO | 6 months | Refer to KPI Metrics table Section 9.1 | In progress |
3 | Training in information security has been provided for all key resources | Identify key resources Identify courses Attend courses Complete training records | Training budget Time of attendees | Manager, GRC | 3 months | Refer to KPI Metrics table Section 9.1 | Complete |
4 | Increase number of days provided by business teams for information security activities | Agree allocation with top management Plan involvement Conduct activities Record days spent | Business teams | CISO | 9 months | Refer to KPI Metrics table Section 9.1 | Behind Schedule |
5 | Reduce number of high priority risks on risk register | Hold workshops to identify ideas Implement ideas | Risk owners IT team | CISO | 9 months | Refer to KPI Metrics table Section 9.1 | In Progress |
6 | Find security weaknesses within Example Corporation’s Web and Mobile Application | Conduct a 3rd-party led external penetration test against app.examplecorp.com | Red Team Experts Manager, GRC (Liaison) | CISO | Report in hand by January 17, 2023 | Refer to KPI Metrics table Section 9.1 | Complete |
6.3 Planning of changes
All changes to the ISMS will be made in accordance with Example Corporation’s Change Management Policy. This will include planned and unplanned changes impacting the organization, software development, supplier services, and configuration management.
7. Support
7.1. Resources and 7.2 Competence
The proper operation and maintenance of the ISMS requires adequate personnel planning and resources. Example Corporation management is committed to ensuring that ISMS roles and responsibilities, and the skills needed to perform them, are well defined, and that those roles are staffed by people with the requisite skills (see the Skills Matrix above). Records of competence will be maintained. Management will also ensure that the ISMS is prioritized in the budgeting process and resourced sufficiently to operate as intended.
7.3. Awareness
To ensure the proper implementation of the controls, policies, and procedures, Example Corporation will promote awareness and provide training as to the necessity of such provisions, and how to perform their roles and responsibilities in accordance with these provisions.
7.4. Communication
Example Corporation’s communication plan outlines the lines of communication within the organization, and with outside entities, to include appropriate government agencies (e.g., law enforcement) and non-governmental organizations. It also defines times and intervals, events and situations, and personnel responsible for the communication (see below).
COMMUNICATION PLAN
Document/Deliverable | Frequency of Communication | Sender (Delivery from) | Audience (Delivery to) | Delivery Type | Delivery Evidence |
Internal Audit Report | Annually | -Internal Auditor -Member of Security Team | -CISO -Risk Committee | -Presentations -Drata Evidence Library (with Access to Drata) | -Committee Meeting Minutes -In Drata |
External Audit Report | Annually | -External Auditor -Member of Security Team | -CISO -Risk Committee -Board of Directors | -Presentations | -Risk Committee and/or Board of Directors Closing Meeting Minutes |
ISO 27001 Certificate | As New Certificates are Issued | -External Auditor -Member of Web Dev Team | -Posted on company website -Marketing -Sales | -Web Posting | -Website |
Corrective Action Report | Quarterly | -Member Responsible for Developing CARs | -CISO -Business Unit Leadership responsible for Corrective Actions -(For external findings) External Auditor | -Meetings -Drata Evidence Library (with Access to Drata) | -Meeting Minutes -In Drata |
ISMS Security Objectives | Quarterly | -Member Responsible for Developing objectives | -Business Unit Leadership for Security Objectives | -Meetings -Drata Evidence Library (with Access to Drata) | -Meeting Minutes -In Drata |
Risk Treatment Plans | Quarterly | -Member Responsible for Developing RTPs | -CISO -Risk Committee -Business Unit Leadership for RTP | -Meetings -Drata Evidence Library (with Access to Drata) | -Meeting Minutes -In Drata |
Management Review Report | Annually or as necessary | -Member Responsible for reporting metrics in Management Review | -CISO -Appropriate Business Unit Leadership | -Meetings -Drata Evidence Library (with Access to Drata) | -Meeting Minutes -In Drata |
External Incident Response Report | As necessary | -Designated member to communicate with external parties (e.g., government agency, NGOs, etc.) | -External Parties (e.g., government agencies, NGOs, etc.) | -Phone -As required by local regulations or standards | -Phone Log -Appropriate Records |
7.5. Documented Information
7.5.1. General
The following table includes the documents determined by Example Corporation as being necessary for the effectiveness of the ISMS.
MANDATORY RECORDS & DOCUMENTS
Document | Reference | Location |
ISO 27001:2022 TIER 1 DOCUMENTATION | | |
Scope of The Information Security Management System (ISMS) | Clause 4.3 | Section 4.3 of the ISMS Plan |
Information Security Policy | Clause 5.2 | Drata Policy Center |
Definition of Security Roles & Responsibilities | Clause 5.3, Annex A.5.2 | Skills Matrix section of the ISMS Plan |
Information Security Objectives | Clause 6.2 | Information Security Objectives section of the ISMS Plan |
Risk Assessment Process | Clause 6.1.2 | Risk Assessment Policy |
Risk Assessment Report | Clause 8.2 | Drata - Evidence Library |
Risk Treatment Process | Clause 6.1.3 | Risk Assessment Policy |
Risk Treatment Plan | Clause 6.1.3e | Drata - Evidence Library |
Statement of Applicability (For Controls in Annex A) | Clause 6.1.3d | Statement of Applicability section of the ISMS Plan |
List of Interested Parties, Legal & Other Requirements | Clauses 4.2 & 6.1 | Section 4.2 of the ISMS Plan |
Competence (e.g., Skills Matrix & Associated Proof Of Skills) | Clause 7.2 | Skills Matrix section of the ISMS Plan |
Evidence of Communication | Clause 7.4 | Communication Plan section of the ISMS Plan |
Procedure for Document Control | Clause 7.5 | Last page of ISMS Plan |
Monitoring & Measurement Results | Clause 9.1 | Drata - Monitoring page |
Internal Audit Plan & Reports | Clause 9.2 | Internal Audit Section of the ISMS Plan |
Results of Management Reviews of ISMS | Clause 9.3 | Appendix B of the ISMS Plan |
Nonconformities, Corrective Actions & Improvement Suggestions | Clause 10.1; 10.2 | Appendix C of the ISMS Plan |
ISO 27001:2022 TIER 2 DOCUMENTATION | | |
Inventory of Assets | Annex A.5.9 | Drata - Assets module |
Acceptable Use of Assets | Annex A.5.10 | Drata - Policy Center |
Access Control Policy | Annex A.5.15 | Drata - Policy Center |
Operating Procedures for Information Security | Annex A.5.37 | Drata - Policy Center |
Logging | Annex A.8.15 | Drata - Policy Center, AWS CloudTrail |
Incident Management Procedure | Annex A.5.26 | Drata - Policy Center |
Business Continuity Strategy & Procedures | Annex A.5.29 | Drata - Policy Center |
Statutory, Regulatory, And Contractual Requirements | Annex A.5.31 | Section 4.2 of the ISMS Plan |
CONDITIONAL RECORDS & DOCUMENTS (If Applicable) | | |
Document | Reference | Location |
Confidentiality or Non-Disclosure Agreements | Annex A.6.6 | Google Drive |
Secure System Engineering Principles | Annex A.8.27 | Drata - Policy Center |
Supplier Security Policy | Annex A.5.19 | Google Drive |
DISCRETIONARY RECORDS & DOCUMENTS (Commonly Used) | | |
Document | Reference | Location |
Controls for Managing Records | Clause 7.5.3 | Section 7.5.2-.3 of the ISMS Plan |
Procedure for Measuring and Monitoring | Clause 9.1 | Section 9.1 of the ISMS Plan |
Procedure for Corrective Action | Clause 10.2 | Appendix C of the ISMS Plan |
Bring Your Own Device (BYOD) Policy | Annex A.8.1 | Drata - Policy Center |
Mobile Device & Teleworking Policy | Annex A.8.1 | Drata - Policy Center |
Information Classification Policy | Annex A.5.12 | Drata - Policy Center |
User Access Rights Policies (Including Password Control) | Annex A.5.18 | Drata - Policy Center |
Disposal & Destruction Policy | Annex A.7.10; A.7.14 | Drata - Policy Center |
Procedures for Working in Secure Areas | Annex A.7.6 | Drata - Policy Center |
Clear Desk & Clear Screen Policy | Annex A.7.7 | Drata - Policy Center |
Change Management Policy | Clause 6.3; Annex A.8.32 | Drata - Policy Center |
Backup Policy | Annex A.8.13 | Drata - Policy Center |
Information Transfer Policy | Annex A.5.14 | Drata - Policy Center |
Business Impact Analysis | Annex A.5.29 | Drata - Policy Center |
ISMS Continuity Controls Testing Plan | Annex A.5.29 | Drata - Policy Center |
7.5.2. Creating and updating
Example Corporation ensures documentation generated by Example Corporation personnel is appropriately controlled. Consideration is given to:
Identification of documentation through the assignment of titles, dates, authors, and reference numbers.
Format including language, version, and media (physical or electronic) used to display and communicate documentation.
Review and approval for suitability, adequacy, and accuracy of the information contained within documentation.
The record of this consideration is contained within the “Revision History” table inside of each policy, and records of review and approval are contained within the Drata Policy Center, which documents the policy approval and assigned owner.
7.5.3. Control of documented information
A crucial task in the operation and maintenance of the ISMS is the collection of the records and evidence needed to demonstrate that the ISMS is functioning and effective. These records will also show that personnel have performed and completed their assigned tasks.
Example Corporation will also maintain a systematic approach to document management. To control documents, Example Corporation will:
Classify documents properly
Define members with the rights for distribution, access, retrieval, and use of documents, and the necessary actions to be performed.
Identify methods currently used to receive, process, approve/reject, store and/ or delete documents.
Align business processes to document management requirements
Identify documents for control
Integrate change controls to ensure integrity of documents
9. Performance Evaluation / 10. Improvement
9.1. Monitoring, measurement, analysis and evaluation
Example Corporation will evaluate its security objectives by monitoring and measuring the implemented controls. Monitoring provides awareness of the status and state of the assets and processes selected for observation, and can raise basic, immediate alerts when something is not performing as expected. Measurement allows assets and processes to be evaluated against predefined units. The assets and processes selected for evaluation will be documented, and the company will produce and maintain reports and evidence of the evaluations.
These evaluations are meant to allow the Example Corporation to:
Ensure control objectives are being satisfied and validate the decisions made;
Establish a roadmap to meet set targets and expectations;
Produce evidence and justification for implemented measures; and/or,
Discover and identify security gaps that would require change, corrective action(s), or intervention.
The following systems, processes and activities could be monitored:
ISMS Implementation
Incident Management
Vulnerability Management
Configuration Management
Security Awareness and Training
Access Control, Firewall and other Event Logging
Audits
Risk Assessment Process
Risk Treatment Process
Third Party Risk Management
Business Continuity Management
Physical and Environmental Security Management
System Monitoring
The following processes and activities could be measured:
Planning
Leadership
Risk Management
Policy Management
Resource Management
Communicating
Management Review
Documenting
Auditing
Effectiveness measures will be used to evaluate the effectiveness and impact of the risk treatment plan, and of the processes and controls that support the information security objectives. These measures could include:
Cost savings resulting from properly operating the ISMS, or costs incurred from addressing incidents
Level of customer trust
Achievement of other information security objectives
KPI Metrics
KPI | Infosec Objective ID (from Section 6.2) | Frequency | Measure | Result | Target | Supporting Documentation | KPI Owner | Last Review Date |
ISMS Plan Review | 6 | Annually | (# of Reviews / 1) * 100 | 100% | 100% | Security Steering Committee Meeting Minutes | CISO | 01/20/2023 |
Information Security Policy Review | 1, 4 | Annually | (# of Reviews / 1) * 100 | 100% | 100% | Information Security Policy | CISO | 01/20/2023 |
Security Awareness Training | 3 | Annually | (# of employees who completed security awareness training / total # of employees) * 100 | 87% | 90-100% | Proofpoint Security Awareness Training Results | Manager, GRC | 01/20/2023 |
Social Engineering Reporting Rate | 3 | Quarterly | (# of employees who reported the phishing simulation / total # of employees) * 100 | 43% | >50% | Proofpoint Security Awareness Training Results | Manager, GRC | 03/06/2023 |
Social Engineering Failure Rate | 3 | Quarterly | (# of employees who failed the phishing simulation / total # of employees) * 100 | 7% | <5% | Proofpoint Security Awareness Training Results | Manager, GRC | 03/06/2023 |
BC/DR Annual Test | 1, 2 | Annually | (# of BC/DR test performed / 1) * 100 | 100% | 100% | BC/DR Test Report | CISO | 02/17/2023 |
Annual Incident Response Test | 1, 5, 6 | Annually | (# of IR test performed / 1) * 100 | 100% | 100% | IR Test Report | CISO | 02/24/2023 |
Penetration Test | 1, 5, 6 | Annually | (# of penetration test performed / 1) * 100 | 100% | 100% | Penetration Test Report | Manager, GRC | 01/17/2023 |
Vulnerability Scans | 1, 5, 6 | Monthly | (# of vulnerability scans performed / 12) * 100 | 100% | 100% | AWS GuardDuty | Manager, GRC | 03/20/2023 |
User Access Reviews | 1, 6 | Quarterly | (# of user access reviews performed / 4) * 100 | 100% | 100% | User Access Review emails | Manager, GRC | 01/09/2023 |
Annual Board of Directors meeting on Cybersecurity | 4 | Annually | (# of Board Meetings / 1) * 100 | 100% | 100% | Board of Director Meeting Minutes | CISO | 03/03/2023 |
Platform Availability metric | 1, 4 | Monthly | (1 - (downtime in period / total time in period)) * 100 | 99.5% | 99.5% | Status page | IT | 03/20/2023 |
Drata Controls Monitoring | 1 | Daily | (# of passing tests / total # of tests) * 100 | 93% | 95%-100% | Drata Monitoring | Manager, GRC | 03/23/2023 |
9.2. Internal audit
Internal audits are a crucial element of Example Corporation’s ISMS and its continual improvement. The audit process will identify issues, gaps, and malfunctions in the company’s ISMS that could otherwise harm the company.
Frequency. Example Corporation will conduct an internal audit of its ISMS at least annually.
Audit Entity. Example Corporation internal audits will be conducted by:
Employee, full-time auditor;
Employee, part-time auditor; or
Third party internal auditor (outside organization will conduct internal audit per rules set by Example Corporation)
In the case of an employee being selected as an auditor, Example Corporation will ensure that the auditor is objective and impartial. This will be done through different methods, such as selecting an employee from a different department or team to audit a specific department or team.
Documentation. Example Corporation will set and document the criteria and scope of each annual internal audit in the Internal Audit Program. It will also produce and maintain, for evidence, reports of the internal audit, where findings, gaps, and nonconformities will be outlined (see Appendix A).
Example Corporation will include in its Internal Audit Program sections such as:
Method of internal auditor selection
Process of planning the internal audit
Steps to conduct the internal audit
Post-audit activities
Internal audit checklist
Plan and Procedure. (See APPENDIX A)
9.3. Management review / 10.1. Continual improvement / 10.2. Nonconformity and corrective action
Management review. Example Corporation management will systematically review and make critical decisions concerning the ISMS. The review will be arranged by the CISO, who is also responsible for compiling all necessary information and inputs for consideration (see APPENDIX B).
The review will take into consideration:
Status of items, issues, and tasks from previous review
Any internal and external changes that impact security
Feedback from, and any security-related changes in needs and expectations of, interested parties
Feedback on the performance of the ISMS, to include:
Nonconformities and corrective actions
Monitoring and measurement results
Audit results
Fulfillment of information security objectives
Risk assessment results, and risk treatment status
Continual improvement opportunities
Decisions will be made concerning:
The ISMS scope and whether it requires modifications
Security policies and whether any require modifications
Security gaps and necessary improvements
Necessary resources
The overall effectiveness of the ISMS and fulfillment of its objectives
Implementation of different security strategies and training
Frequency. Example Corporation will conduct a management review of its ISMS at least annually, and as necessary.
Documentation and reporting. The considerations, discussions, and decisions from the management review will be recorded in the meeting minutes, which may also include discussions from other reviews. The results of the review, and the resulting tasks and responsibilities, will be communicated to relevant parties by e-mail and in the weekly ISO meetings and stand-ups.
Corrective Action Plan. In the event of a nonconformity, Example Corporation will take action to control and correct it, or deal with the consequences, as applicable. Example Corporation will employ corrective action plans for the systematic elimination of issues and nonconformities. The plan will aim to resolve an issue from its root cause so that it can be prevented or mitigated in the future and sustain the corrective measures. It will include:
Review of the nonconformity
Root cause analysis and assessment
Determination of whether similar nonconformities are present or could occur
Required steps for root cause elimination
Implementing changes to the ISMS, if necessary
Risk-opportunity assessment of changes and review of their effectiveness
Time and cost assessment
Rubric for measuring effectiveness
Corrective Action Report. Example Corporation will document any corrective action taken in a corrective action report (see Appendix C). The report will at a minimum include:
Nature of nonconformities
Identified root cause
Corrective actions taken
Implementation of corrective actions
Result of corrective actions (include effectiveness)
APPENDIX A
Internal Audit Plan and Procedure
Purpose
The purpose of the internal audit is to ensure the effectiveness and continual improvement of Example Corporation’s information security management system and its conformance with the requirements of ISO 27001:2022, as set out in Clause 9.2 of the standard. The audit verifies (a) conformance with the standard and, more importantly, (b) that appropriate information security measures are in place and are continually improved. Additionally, the internal audit will:
Uncover nonconformities before others discover them;
Strengthen the security posture by identifying areas that require attention before a security event occurs;
Demonstrate management commitment and keep management informed; and
Support staff understanding and awareness.
Scope
This plan applies to Example Corporation internal audits of the ISMS, and establishes the procedures for carrying out the audit. The audit scope should match the ISMS.
Roles and responsibilities
Lead Auditor: Responsible for planning and executing the audit. The lead auditor must be competent and independent of the ISMS: either an employee who has no role in operating the ISMS, or a third-party auditor.
Employees: Responsible for assisting in the audit process, when and as required.
Plan
Audit schedule
Plan the audit properly and publish the schedule so that all members know when each process will be audited over the upcoming cycle.
Allow time for better preparation and practical support.
Allow time for process owners to:
finish any improvement projects and gather valuable information on the implementation; or,
request that the auditor(s) focus on helping to gather information for other planned improvements.
Coordinate with process owners
Collaborate to determine the best time to review the process.
Auditor(s) can review previous audits to see if any follow-up is required on comments or concerns previously found.
Process owners can identify any areas that the auditor can look at to assist the process owner to identify information.
Ensure that the process owners will get value out of the audit process.
Conducting the audit
Gather, review, analyze information as outlined in the audit procedures below.
Identify areas that do not have operational evidence.
Identify areas that may function better if changes are made.
Reporting audit findings
Meet with interested parties and process owners to communicate nonconformities clearly and promptly.
Highlight areas of weakness to be addressed, and areas that could use improvement (improvement opportunities).
Follow-up
Ensure that identified areas of non-conformity are resolved and corrective actions have been taken.
Check any progress on identified improvement opportunities.
Procedure
Review ISMS documentation
Confirm that the audit scope matches the ISMS scope, setting clear limits for the internal audit.
Confirm that all prescribed documents (see Prescribed Documentation above) are in place and readily available.
Identify any criteria to be considered during the audit.
Identify the extent of work that may be done during the audit.
Identify any anticipated limitations.
Identify the main stakeholders in the ISMS.
Confirm that any documentation required for the audit can be requested easily.
Management input
Designated internal auditor should be competent and independent.
Agree and determine the timing and resources required for the audit.
Set milestones/checkpoints for when the board should receive interim updates.
Discuss issues or concerns
Conduct practical assessment
Observe the ISMS in operation and confirm that it functions in practice by speaking with the people who run or take part in ISMS-related processes, whether or not they hold a formal ISMS role.
Run audit tests to validate evidence as it is gathered, and record the sampling approach and sample size so that the strength of each conclusion is clear.
Complete audit reports and document the results of each test.
Analyze evidence
Sort and review all evidence collected during the audit, as related to the company’s risk treatment plan and control objectives.
Identify any further gaps or need for further audit tests.
Report findings (see Appendix A). The report should include:
Classification and dissemination restrictions of the report
Intended recipient(s) of the report
An executive summary to highlight the key findings, high-level analysis and a conclusion
Scope, Timing, any outlined criteria
Analysis of the findings and compliance with each clause of the ISMS requirements
Recommendations
Post-audit actions
INTERNAL AUDIT REPORT
Organization | Example Corporation
Confidentiality | Internal Use
Date of Audit | 02/14/2023 - 02/23/2023
Date of Previous Audit | N/A
Recipient(s) | John Smith, CISO; Jane Doe, Manager, GRC; Lisa Bautista, CEO; James Chapman, CTO; Alice Wallace, CFO

EXECUTIVE SUMMARY
Internal Audit has prepared the following report after conducting an audit of Example Corporation's web and mobile applications. The audit was conducted in preparation for ISO 27001 certification of Example Corporation's ISMS, using the ISO 27001 and ISO 27002 standards as criteria. Evidence was collected through the Drata Platform, from interviews with the GRC Manager, and from screenshots of specific systems not otherwise captured within the Drata Platform. The overall opinion of Internal Audit is that Example Corporation's ISMS has been established and is being operated appropriately. Three (3) minor non-conformities and one (1) improvement opportunity were noted. Internal Audit recommends that the three (3) minor non-conformities be remediated before beginning Stage 1 of the ISO 27001 certification audit.

AUDITOR
Auditor Name | Benedict Arnold
Internal or External? | Internal
Organization (if external) | N/A
Primary Role | Lead Internal Auditor

AUDIT SCOPE & CRITERIA
Scope - Organization | Example Corporation: Management; Information Security; Information Technology & Engineering; Human Resources; Legal
Scope - Systems | Amazon Web Services (AWS); GitHub; Slack; Jira
Scope - Applications | Example Corporation Web Application (app.examplecorp.com); Example Corporation Mobile Application (iOS & Android)
Scope - Physical Locations | Not applicable, as Example Corporation has no physical locations in scope
Exclusions | The following items are explicitly excluded from the ISMS scope of Example Corporation: Sales; Marketing; Finance; Amazon Web Services (AWS) - Data Center & Physical Security Controls
Criteria | Refer to the associated document, Example Corporation ISMS SOA

AUDIT METHOD
Activity | Action
Document Review | All evidence was provided through the Drata platform's Audit Hub and reviewed with read-only access
Evidential Sampling | For select controls, the Internal Auditor requested additional documentation, including samples (sample size of 1), as supplementary evidence to support the provided documents
Interviews - ISMS Key Members | Jane Doe
Interviews - Non-ISMS Members | -

AUDIT FINDINGS
Nonconformities
Clause 7.5.2 b) - Example Corporation's document history table does not include details such as format (Electronic/Physical), language, software version, etc., which are listed in item b) of Clause 7.5.2.
Annex A 5.13 - Example Corporation's Data Classification Policy does not include guidance for labeling data.
Annex A 5.22 - Example Corporation's Vendor Management Policy does not include procedures for managing changes in supplier contracts, changes to the services delivered by suppliers, or changes at Example Corporation made in order to implement changes in supplier contracts or services.
Improvement Opportunities
Annex A 8.27 - Example Corporation's SDLC policy does not formally document secure engineering principles.

RECOMMENDATIONS
Annex A 8.27 - Review the SDLC policy and ensure that it includes secure engineering principles.

COMPLIANCE
Clauses Reviewed | Clause 4; Clause 5; Clause 6; Clause 7; Clause 8; Clause 9; Clause 10
Result | Minor non-conformities found against Clause 7.5.2 b), Annex A 5.13, and Annex A 5.22.

POST-AUDIT ACTIONS
Example Corporation's Management should review the provided Internal Audit report, develop a treatment plan, and remediate the listed non-conformities before moving into Stage 1 of the ISO 27001 certification audit.

Dissemination Restrictions | Internal use only; this report is intended for review by management of the ISMS
Report PREPARED by | Benedict Arnold | Internal Auditor | Remote - N/A | 2/23/2023 4PM PST
Report APPROVED by | John Smith | CISO | Remote - N/A | 2/24/2023 11AM PST
|
APPENDIX B
MANAGEMENT REVIEW
Organization | Example Corporation
Confidentiality | Confidential
Date of Review | March 20, 2023
Date of Previous Review | March 10, 2023

MEETING DETAILS
Participants | John Smith, CISO; Jane Doe, Manager, GRC; Lisa Bautista, CEO; James Chapman, CTO; Alice Wallace, CFO; Benedict Arnold, Internal Auditor

INPUT ITEMS - INFORMATION SECURITY REVIEWS
Reviewed | Input
Y | Nonconformities and Corrective Actions
Y | Monitoring and Measurement Results
Y | Audit Results
Y | Information Security Objectives Fulfillment

DISCUSSION POINTS & DECISIONS
Topic | Discussion / Decision
ISMS Scope Modification | Not Applicable - ISMS is established
Security Policies Modification | Security policies will be modified based on the issues identified during the 2023 ISO Internal Audit
Overall ISMS Effectiveness | The ISMS Plan is found to be effective, with a few action items outstanding to meet Information Security Objectives 1 and 3. Refer to the KPI Metrics table in Section 9.1
Changes Internal/External | Not Applicable - ISMS is established
Security Gaps | 3 minor non-conformities and 1 opportunity for improvement from the Internal Audit were discussed
Security Improvements | Establish Corrective Action Plans for the 4 issues identified during the 2023 Internal Audit
Security Strategies | Other security controls have been implemented to ensure continual improvement of the ISMS

ACTION ITEMS
Previous Items | Owner | Status
Conduct Internal Audit | Benedict Arnold | Complete

Current Items | Owner | Status
Establish Corrective Action Plans for Internal Audit non-conformities and opportunities for improvement | Jane Doe | In Progress
Review failing monitoring tests and remediate | Jane Doe | In Progress
Following a failed simulation test, ensure that employees acknowledge the phishing refresher course | Jane Doe | In Progress
Ensure employees take their security awareness training | Jane Doe | In Progress
Develop strategies to encourage employees to report suspicious emails | Jane Doe | Not Started

NOTES:

FOCUS FOR NEXT INTERNAL AUDIT:

POST-REVIEW ACTIONS
Report Distribution | Method | Date
Included as part of the ISMS Plan | Uploaded to Drata's Policy Center | March 20, 2023

Report PREPARED by | Jane Doe | Manager, GRC | Remote - N/A | March 20, 2023
Report APPROVED by | John Smith | CISO | Remote - N/A | March 20, 2023
APPENDIX C
CORRECTIVE ACTION REPORT
Organization | Example Corporation
Confidentiality | Internal Use
Date of Review | 02/28/2023
Date of Previous Review | N/A

NON-CONFORMITIES

Non-conformity 1 - Clause 7.5.2 b)
Nature | Documentation
Root Cause | Example Corporation's document history table does not include details such as format (Electronic/Physical), language, software version, etc., which are listed in item b) of Clause 7.5.2.
Corrective Action | Include "Format" in all documents' revision history tables
Implementation | Completed
Result/Effectiveness | Effective
Due Date | March 16, 2023
Owner | Jane Doe
Notes:

Non-conformity 2 - Annex A 5.13
Nature | Documentation
Root Cause | Example Corporation's Data Classification Policy does not include guidance for labeling data.
Corrective Action | Add data labeling guidance to Example Corporation's Data Classification Policy
Implementation | In Progress
Result/Effectiveness | -
Due Date | March 20, 2023
Owner | Jane Doe
Notes:

Non-conformity 3 - Annex A 5.22
Nature | Process and Documentation
Root Cause | Example Corporation's Vendor Management Policy does not include procedures for managing changes in supplier contracts, changes to the services delivered by suppliers, or changes at Example Corporation made in order to implement changes in supplier contracts or services.
Corrective Action | Develop procedures for managing changes in supplier contracts and services and include them in the Vendor Management Policy
Implementation | Not Started
Result/Effectiveness | -
Due Date | March 24, 2023
Owner | Jane Doe
Notes:

Revision History
Version | Date | Editor | Approver | Description of Changes | Format |
1.0 | 03/20/2023 | Jane Doe | John Smith | Initial Creation | .DOCX |