Skip to main content
All CollectionsComplianceISO 27001
ISO 27001:2022 Example ISMS Plan
ISO 27001:2022 Example ISMS Plan
Markindey Sineus avatar
Written by Markindey Sineus
Updated over a week ago

This is an example of a completed ISMS plan for ISO 27001:2022. This is only guidance and you should review the example language before including it in your own ISMS plan.

Information Security Management System Plan (ISO/IEC 27001:2022)

Example Corporation

____________________________________________________________________

Table of Contents:

Purpose

Background and Objectives

ISMS Plan

4. Context of the organization

4.1. Understanding the organizations and its context

4.2. Understanding the needs and expectations of interested parties

4.3. Determining the scope of the ISMS

5. Leadership

5.1. Leadership and commitment

5.2. Policies

5.3. Organizational roles, responsibilities and authorities

6./8.1 Planning

6.1. Actions to address risks and opportunities

6.1.1. General; 6.1.2 / 8.2. Information security risk assessment

6.1.3 / 8.3. Information security risk treatment

SOA REVISION HISTORY

6.2 Information security objectives and planning to achieve them

6.3 Planning of changes

7. Support

7.1. Resources and 7.2 Competence

7.3. Awareness

7.4. Communication

7.5. Documented Information

7.5.1. General

7.5.2. Creating and updating

7.5.3. Control of documented information

9. Performance Evaluation / 10. Improvement

9.1. Monitoring, measurement, analysis and evaluation

9.2. Internal audit

9.3. Management review / 10.1. Continual improvement / 10.2. Nonconformity and corrective action

APPENDIX A

APPENDIX B

APPENDIX C

Purpose

This Information Security Management System (ISMS) Plan aims to define the principles, requirements, and basic rules for the establishment, implementation and operation of the Information Security Management System.

Background and Objectives

The ISMS Plan lays the foundation of the company’s Information Security Management System, and identifies the roadmap for the establishment, implementation and operation of the ISMS and its continued efficacy. This document is supplemented by security policies and procedures that enable the treatment of risks to the organization.

Key objectives of the ISMS Plan are to:

  • Define the context of the organization

  • Define the scope of the ISMS

  • Provide guidance for the implementation of risk assessment findings into a Statement of Applicability

  • Provide proper steps and timelines for the implementation and maintenance of the ISMS

  • Outline the internal audit process, audit reviews, and remedial actions

  • Identify all necessary documents and records

  • Continual improvement of the ISMS

ISMS Plan

4. Context of the organization

4.1. Understanding the organizations and its context

To establish an effective ISMS, have a better understanding of relevant information security issues, develop successful strategies, and allocate appropriate resources to garner optimal results, Example Corporation will define its internal and external context as they pertain to information security.

Internal and external issues are those factors relevant to Example Corporation’s purpose and that affect Example Corporation’s ability to achieve the intended outcomes of its ISMS.

Internal issues include, but are not limited to:

  • Governance, organizational structure, (see Organization Chart) and roles and responsibilities for the ISMS (see Skills Matrix)

  • Policies, objectives and the strategies in place achieve them

  • Company culture, values, mission, and vision (see Information Security Policy)

  • Flow of information and the decision-making process (see Information Security Policy)

  • Capabilities, (e.g. capital, time, people, processes, systems and technology)

  • Form and extent of contractual relationships (see Vendor Management Policy)

External issues include, but are not limited to:

  • Information Security laws and regulations that are applicable to the company (see below)

  • Social and cultural

  • Interested parties (see below) and their cultures

  • Market trends and customer preferences

  • Political, public policy, and economic changes

  • Technological trends that could impact implemented security controls

4.2. Understanding the needs and expectations of interested parties

APPLICABLE LAWS AND REGULATIONS (EXTERNAL)

Requirements / Notes

Responsible Party

International

GDPR

Security provisions of GDPR include data protection which ISO 27001 helps demonstrate.

Example Corporation

Federal

HIPAA

Security provisions of HIPAA include controls which ISO 27001 helps demonstrate.

Example Corporation

State

CCPA

Security provisions of CCPA include controls which ISO 27001 helps demonstrate.

Example Corporation

Local

N/A

N/A

N/A

CONTRACTUAL REQUIREMENTS (EXTERNAL)

Requirements / Notes

Responsible Party

JP Morgan

JP Morgan Chase requires an ISO 27001 as part of the MSA signed between Example Corporation and JP Morgan Chase Bank in 2022.

ISO 27001 Certification

Example Corporation

Amazon

Amazon requires evidence that Example Corporation is effectively managing the security of data provided to Example Corporation within the MSA signed in 2021 and management of Example Corporation has agreed that an ISO 27001 certification fulfills this requirement.

Any Independent Audit report fulfills agreement

Example Corporation

Technology Customers

Example Corporation provides a provision in all contracts between Example Corporation and customers operating in the technology industry that an ISO 27001 will be provided for their review.

ISO 27001 Certification

Example Corporation

INTERESTED PARTIES (INTERNAL/EXTERNAL)

Requirements / Notes

Responsible Party

Customers

Customers who signed our DPA are interested in gaining assurance that Example Corporation protects data provided to them.

Evidence that client data is protected. ISO 27001 certification

Example Corporation

Suppliers

Suppliers are interested in gaining assurance that Example Corporation protects data provided to them

Evidence that client data is protected. ISO 27001 certification

Example Corporation

Regulators

European Data Protection Authorities

Evidence that demonstrates Example Corporation has a strategy for protecting Personal Data

Example Corporation

Contracts

See “Contractual Requirements (External)”

See “Contractual Requirements (External)”

See “Contractual Requirements (External)”

Shareholders/Owners/Investors

Example Corporation’s Board of Directors

Assurance that Example Corporation is continually improving its product offering and ISMS

Example Corporation

Management

Example Corporation’s Management is interested in providing its clients assurance that client data provided are adequately and reasonably protected

Evidence that client data is protected. ISO 27001 certification

Example Corporation

DEPARTMENTS & BUSINESS UNITS (INTERNAL)

Requirements / Notes

Responsible Party

IT & Engineering

Management of Example Corporation has determined that a structured approach to implementing security control is needed for the software development process at Example Corporation. Management of Example Corporation agrees that Annex A 5.8 of ISO 27001 meets the business requirements to fulfill this.

A more structured approach to implementing security controls.

IT & Engineering

HR

Management of Example Corporation has determined that additional controls related to onboarding and terminations are required at Example Corporation within the Human Resources department. Management of Example Corporation has determined that Annex A 6.0 of ISO 27001 will fulfill the need for these controls.

More formalized onboarding/offboarding process.

Human Resources

Security

Management of Example Corporation has determined, with input from the Security team, that an organized approach is needed to reduce the time that the Security team spends selecting security controls to implement. Management and Security have determined that ISO 27001 provides an organized framework for the management of Information Security within an organization which meets the needs of Example Corporation.

Reduced time spent selecting security controls for implementation.

Information Security

4.3. Determining the scope of the ISMS

This document provides a clear definition for the Information Security Management System (ISMS) boundaries of Example Corporation, and applies to all matters related to the ISMS, to include documentation and activities.

This document will be used by:

  • Example Corporation Management

  • Members responsible for implementation of the ISMS

  • Example Corporation Employees

Through this document, Example Corporation will define the boundaries of its ISMS by outlining information that needs to be protected. This information is under the direct responsibility of Example Corporation and will be safeguarded regardless of it being additionally stored, processed or transferred in or out of the ISMS scope. In the event of the transfer of information out of the ISMS, the responsibility of applying security measures will be transferred to the external party responsible for its management.

The following items will establish the ISMS boundaries of Example Corporation, within the context of legal, regulatory, contractual, interested parties, and other stated requirements:

  • Organizational Units

Example Corporation Management

Information Security

Information Technology & Engineering

Human Resources

Legal

  • Networks and IT Infrastructure

Amazon Web Services (AWS)

GitHub

Slack

Jira

  • Processes and Services

Example Corporation Web Application (app.examplecorp.com)

Example Corporation Mobile Application (iOS & Android)

  • Locations

Not Applicable as Example Corporation has no physical locations in scope

[For companies with office locations in scope, list the appropriate address (e.g. 123 Fake Street, Fakeville, CA 91001) and/or the broad general location (e.g. Example Corporation Southeast Asia Office)]

EXCLUSIONS. The following items are explicitly excluded from the ISMS scope of Example Corporation:

  • Business Units:

Sales

Marketing

Finance

  • Vendor Dependencies:

Amazon Web Services (AWS) - Data Center & Physical Security Controls

5. Leadership

5.1. Leadership and commitment

To ensure the success of the Information Security Management System (ISMS), the management team of Example Corporation must be fully aware and appropriately engaged in matters involving the ISMS. Management must provide proper resources (e.g., personnel, funding, etc.) for the establishment, implementation, and maintenance of the ISMS.

Top Management shall demonstrate its leadership and commitment through:

  • Establishing an information security policy

  • Ensuring ISMS, roles, responsibilities and authorities are assigned

  • Communicating the importance of effective information security management

Management commitment can be demonstrated, for example, by:

  • Motivating & empowering persons to contribute to the effectiveness of the ISMS

  • Reinforcing organizational accountability for information security management results

  • Creating and maintaining an internal environment in which persons can become fully involved in achieving the organization’s information security objectives

5.2. Policies

In addition to this plan, the information security plans, processes and procedures of Example Corporation will be outlined in a series of policies that define the vision and mission of Example Corporation’s management as to what needs to be achieved to ensure the protection of information, and how that will be accomplished. These policies will include:

  • Information Security Policy

  • Acceptable Use Policy

  • Asset Management Policy

  • Backup Policy

  • Business Continuity/Disaster Recovery Plans

  • Code of Conduct

  • Data Classification, Retention, and Protection Policies

  • Encryption and Password Policies

  • Incident Response Plan

  • Physical Security Policy

  • Responsible Disclosure Policy

  • Risk Assessment Policy

  • Software Development Life Cycle Policy

  • System Access Management Policy

  • Vendor Management Policy

  • Vulnerability Management Policy

5.3. Organizational roles, responsibilities and authorities

The CISO and GRC Manager are responsible for:

  • The design, development, maintenance, dissemination, and enforcement of the items contained in this policy and associated policies.

  • Ensuring that the information security management system conforms to the requirements of ISO/IEC 27001:2022 (Clause 5.2c and Clause 5.3a).

  • Reporting on the performance of the information security program to top management to identify areas for continuous improvement (Clause 5.2d and Clause 5.3b).

The objectives and measures outlined by this plan and associated policies shall be maintained and enforced by the roles and responsibilities specified in each policy and the company Skills Matrix (see below).

SKILLS MATRIX

Role Title

Job Description

ISMS Responsibilities

Required Skills & Competence

Current Member

Fully Competent (Y/N)

Competency Plan

(if not fully competent)

Proof of Competency

CISO

Responsible for establishing and maintaining a comprehensive corporate-wide information security management program based on industry-accepted information security and risk management frameworks.

a) The design, development, maintenance, dissemination, and enforcement of the items contained in this policy and other ISP policies.

b) Ensuring that the information security management system conforms to the requirements of ISO/IEC 27001:2022.

c) Reporting on the performance of the information security program to top management to identify areas for continuous improvement (5.2d, 5.3b).

  • 10 years of IT and security experience

  • Master’s Degree

  • Information Security Management Certification (e.g., CISSP, CISM, C-CISO)

John Smith

N

  • Requires one more year of experience

  • Resume

  • Copy of certifications

  • List of completed Trainings in a specific time period

  • URL to LinkedIn profile

Manager, GRC

Leads the development and maintenance of the company’s compliance program to support the alignment of security architectures, plans, controls, processes, policies, and procedures with security standards and operational goals.

a) The design, development, maintenance, dissemination, and enforcement of the items contained in this policy and other ISP policies.

b) Ensuring that the information security management system conforms to the requirements of ISO/IEC 27001:2022.

c) Reporting on the performance of the information security program to top management to identify areas for continuous improvement (5.2d, 5.3b.

  • ISO 27001 implementation experience

  • Audit experience

  • Project management experience

Jane Doe

Y

  • N/A

  • Resume

  • Copy of certifications

  • URL to LinkedIn profile

Internal Auditor

Leads in performing a full audit cycle including risk management and control management over operations’ effectiveness, financial reliability, and compliance with all applicable directives, standards, and regulations.

a) Conduct annual Internal Audits to drive Continuous Improvement across the Drata ISMS.

  • Audit experience

  • Independence from implementation and daily operation of the Drata ISMS

Benedict Arnold

Y

  • N/A

  • Resume

  • Copy of certifications

  • URL to LinkedIn profile

6./8.1 Planning

6.1. Actions to address risks and opportunities

6.1.1. General; 6.1.2 / 8.2. Information security risk assessment

Methodology. Example Corporation will establish a well-defined methodology for risk assessment tailored to the company’s circumstances and needs, which will include the method of defining the following (see Risk Assessment Policy):

  • Risks that could cause the loss of confidentiality, integrity, and/or availability of information

  • Identity of risk owners

  • Assessment consequences and the likelihood of the risk

  • Risk calculation

  • Risk acceptance

The risk methodology will ensure that the risk assessment results are consistent across all relevant sectors of the company with comparable results.

Performance. Example Corporation will conduct a risk assessment as outlined in its Risk Assessment Policy, and will produce a Risk Assessment Report.

6.1.3 / 8.3. Information security risk treatment

  • Risk Treatment Plan. The Risk Treatment Plan is a crucial part of the ISMS implementation. Example Corporation will have a well-defined Risk Treatment Plan, which will outline how the controls from the Statement of Applicability will be implemented, to include responsible parties, timing and intervals, and allocated resources/budges.

  • Evaluation of Effectiveness. Example Corporation will measure and evaluate the fulfillment and effectiveness of the controls in place and other ISMS objectives in place, as set forth in the Risk Treatment Plan

  • Statement of Applicability. The Statement of Applicability (SOA) links Example Corporation’s risk assessment and treatment with the implementation of the ISMS. It provides the company with an overview of what needs to be done in information security, why, and how.

The SOA will list all Annex A controls that are applicable and those that are not. Each control decision will have a justification as to whether they were implemented, why and where (see below).

SOA REVISION HISTORY

Version

Date

Editor

Description of Changes

1.0

12/21/22

Jane Doe

Initial Creation

STATEMENT OF APPLICABILITY

* LR: Legal Requirement, CO: Contractual Obligation, BR/BP: Business Requirement/Best Practice, RRA: Results of Risk Assessment

CONTROL

OBJECTIVE & DESCRIPTION

STATUS

(Applicable/NA)

LR

CO

BR/ BP

RRA

IMPLEMENTATION

(Yes/No)

REMARKS

RESPONSIBLE ENTITY (Dept/Role)

A.5

INFORMATION SECURITY POLICIES

A.5.1

Policies for information security

Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

Applicable

Y

Yes

None

Management

Information Security

A.5.2

Information security roles and responsibilities

Information security roles and responsibilities should be defined and allocated according to the organization needs.

Applicable

Y

Yes

None

Management

Information Security

A.5.3

Segregation of duties

Conflicting duties and conflicting areas of responsibility should be segregated.

Applicable

Y

Yes

None

Management

Information Security

A.5.4

Management responsibilities

Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.

Applicable

Y

Yes

None

Management

A.5.5

Contact with authorities

The organization should establish and maintain contact with relevant authorities.

Applicable

Y

Yes

None

Management

Information Security

Legal

A.5.6

Contact with special interest groups

The organization should establish and maintain contact with special interest groups or other specialist security forums and professional associations.

Applicable

Y

Yes

None

Management

Information Technology

A.5.7

Threat intelligence

Information relating to information security threats should be collected and analyzed to produce threat intelligence.

Applicable

Y

Yes

None

Information Security

A.5.8

Information security in project management

Information security should be integrated into project management.

Applicable

Y

Y

Yes

None

Information Technology

Information Security

A.5.9

Inventory of information and other associated assets

An inventory of information and other associated assets, including owners, should be developed and maintained.

Applicable

Y

Yes

None

Information Technology

A.5.10

Acceptable use of information and other associated assets

Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.

Applicable

Y

Yes

None

Management

Information Technology

Human Resources

A.5.11

Return of assets

Personnel and other interested parties as appropriate should return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.

Applicable

Y

Yes

None

Management

Information Technology

Human Resources

A.5.12

Classification of information

Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.

Applicable

Y

Yes

None

Management

Information Security

A.5.13

Labeling of information

An appropriate set of procedures for information labeling should be developed and implemented in accordance with the information classification scheme adopted by the organization.

Applicable

Y

Y

Yes

None

Management

Information Security

A.5.14

Information transfer

Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties.

Applicable

Y

Y

Yes

None

Management

Information Security

Information Technology

A.5.15

Access control

Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.

Applicable

Y

Y

Yes

None

Information Security

Information Technology

A.5.16

Identity management

The full life cycle of identities should be managed.

Applicable

Y

Yes

None

Information Technology

A.5.17

Authentication information

Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information.

Applicable

Y

Y

Yes

None

Information Technology

A.5.18

Access rights

Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.

Applicable

Y

Y

Yes

None

Information Technology

A.5.19

Information security in supplier relationships

Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.

Applicable

Y

Y

Yes

None

Management

Information Security

A.5.20

Addressing information security within supplier agreements

Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship.

Applicable

Y

Y

Yes

None

Management

Information Security

A.5.21

Managing information security in the ICT supply chain

Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.

Applicable

Y

Yes

None

Information Security

A.5.22

Monitoring, review and change management of supplier services

The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.

Applicable

Y

Y

Y

Yes

None

Management

Information Security

A.5.23

Information security for use of cloud services

Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements.

Applicable

Y

Y

Yes

None

Management

Information Security

A.5.24

Information security incident management planning and preparation

The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.

Applicable

Y

Y

Y

Yes

None

Information Security

A.5.25

Assessment and decision on information security events

The organization should assess information security events and decide if they are to be categorized as information security incidents.

Applicable

Y

Y

Y

Yes

None

Management

Information Security

A.5.26

Response to information security incidents

Information security incidents should be responded to in accordance with the documented procedures.

Applicable

Y

Y

Y

Yes

None

Information Security

A.5.27

Learning from information security incidents

Knowledge gained from information security incidents should be used to strengthen and improve the information security controls.

Applicable

Y

Yes

None

Information Security

A.5.28

Collection of evidence

The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

Applicable

Y

Y

Y

Yes

None

Information Security

A.5.29

Information security during disruption

The organization should plan how to maintain information security at an appropriate level during disruption.

Applicable

Y

Yes

None

Management

Information Security

A.5.30

ICT readiness for business continuity

ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

Applicable

Y

Yes

None

Management

Information Security

A.5.31

Legal, statutory, regulatory and contractual requirements

Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements should be identified, documented and kept up to date.

Applicable

Y

Y

Yes

None

Management

Information Security

Legal

A.5.32

Intellectual property rights

The organization should implement appropriate procedures to protect intellectual property rights.

Applicable

Y

Y

Yes

None

Management

Information Security

Legal

A.5.33

Protection of records

Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release.

Applicable

Y

Y

Yes

None

Management

Information Security

Legal

A.5.34

Privacy and protection of PII

The organization should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.

Applicable

Y

Y

Y

Yes

None

Management

Information Security

Legal

A.5.35

Independent review of information security

The organization’s approach to managing information security and its implementation including people, processes and technologies should be reviewed independently at planned intervals, or when significant changes occur.

Applicable

Y

Y

Y

Yes

None

Management

Information Security

A.5.36

Compliance with policies, rules and standards for information security

Compliance with the organization’s information security policy, topic-specific policies, rules and standards should be regularly reviewed.

Applicable

Y

Y

Y

Yes

None

Management

Information Security

A.5.37

Documented operating procedures

Operating procedures for information processing facilities should be documented and made available to personnel who need them.

Applicable

Y

Y

Y

Yes

None

Management

Information Security

A.6

PEOPLE CONTROLS

A.6.1

Screening

Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

Applicable

Y

Y

Y

Yes

None

Human Resources

A.6.2

Terms and conditions of employment

The employment contractual agreements should state the personnel’s and the organization’s responsibilities for information security.

Applicable

Y

Y

Yes

None

Management

Human Resources

A.6.3

Information security awareness, education and training

Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function.

Applicable

Y

Y

Yes

None

Human Resources

Information Security

A.6.4

Disciplinary process

A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.

Applicable

Y

Y

Yes

None

Management

Human Resources

A.6.5

Responsibilities after termination or change of employment

Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties.

Applicable

Y

Y

Yes

None

Management

Human Resources

Information Security

A.6.6

Confidentiality or non-disclosure agreements

Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.

Applicable

Y

Y

Yes

None

Management

Human Resources

Legal

A.6.7

Remote working

Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.

Applicable

Y

Yes

None

Management

Information Technology

A.6.8

Information security event reporting

The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

Applicable

Y

Yes

None

Management

Information Security

All Users

A.7

PHYSICAL CONTROLS

A.7.1

Physical security perimeters

Security perimeters should be defined and used to protect areas that contain information and other associated assets.

Not Applicable

N/A

N/A

N/A

N/A

No

Example Corporation does not have a physical location in scope for the ISMS Plan.

N/A

A.7.2

Physical entry

Secure areas should be protected by appropriate entry controls and access points.

Not Applicable

N/A

N/A

N/A

N/A

No

Example Corporation does not have a physical location in scope for the ISMS Plan.

N/A

A.7.3

Securing offices, rooms and facilities

Physical security for offices, rooms and facilities should be designed and implemented.

Not Applicable

N/A

N/A

N/A

N/A

No

Example Corporation does not have a physical location in scope for the ISMS Plan.

N/A

A.7.4

Physical security monitoring

Premises should be continuously monitored for unauthorized physical access.

Not Applicable

N/A

N/A

N/A

N/A

No

Example Corporation does not have a physical location in scope for the ISMS Plan.

N/A

A.7.5

Protecting against physical and environmental threats

Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure should be designed and implemented.

Not Applicable

N/A

N/A

N/A

N/A

No

Example Corporation does not have a physical location in scope for the ISMS Plan.

N/A

A.7.6

Working in secure areas

Security measures for working in secure areas should be designed and implemented.

Not Applicable

N/A

N/A

N/A

N/A

No

Owned by Cloud Service Provider

Cloud Service Provider

A.7.7

Clear desk and clear screen

Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced.

Not Applicable

N/A

N/A

N/A

N/A

No

Example Corporation does not have a physical location in scope for the ISMS Plan.

N/A

A.7.8

Equipment siting and protection

Equipment should be sited securely and protected.

Not Applicable

N/A

N/A

N/A

N/A

No

Owned by Cloud Service Provider

Cloud Service Provider

A.7.9

Security of assets off-premises

Off-site assets should be protected.

Not Applicable

N/A

N/A

N/A

N/A

No

Owned by Cloud Service Provider

Cloud Service Provider

A.7.10

Storage media

Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements.

Not Applicable

N/A

N/A

N/A

N/A

No

Example Corporation does not have a physical location in scope for the ISMS Plan.

N/A

A.7.11

Supporting utilities

Information processing facilities should be protected from power failures and other disruptions caused by failures in supporting utilities.

Not Applicable

N/A

N/A

N/A

N/A

No

Owned by Cloud Service Provider

Cloud Service Provider

A.7.12

Cabling security

Cables carrying power, data or supporting information services should be protected from interception, interference or damage.

Not Applicable

N/A

N/A

N/A

N/A

No

Owned by Cloud Service Provider

Cloud Service Provider

A.7.13

Equipment maintenance

Equipment should be maintained correctly to ensure availability, integrity and confidentiality of information.

Not Applicable

N/A

N/A

N/A

N/A

No

Owned by Cloud Service Provider

Cloud Service Provider

A.7.14

Secure disposal or re-use of equipment

Items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Applicable

Y

Yes

None

Information Technology

A.8

TECHNICAL CONTROLS

A.8.1

User endpoint devices

Information stored on, processed by or accessible via user endpoint devices should be protected.

Applicable

Y

Yes

None

Information Technology

A.8.2

Privileged access rights

The allocation and use of privileged access rights should be restricted and managed.

Applicable

Y

Yes

None

Information Technology

Information Security

A.8.3

Information access restriction

Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control.

Applicable

Y

Y

Yes

None

Information Technology

Information Security

A.8.4

Access to source code

Read and write access to source code, development tools and software libraries should be appropriately managed.

Applicable

Y

Y

Yes

None

Information Technology

Information Security

A.8.5

Secure authentication

Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control.

Applicable

Y

Y

Yes

None

Information Technology

Information Security

A.8.6

Capacity management

The use of resources should be monitored and adjusted in line with current and expected capacity requirements.

Applicable

Y

Yes

None

Information Technology

A.8.7

Protection against malware

Protection against malware should be implemented and supported by appropriate user awareness.

Applicable

Y

Y

Yes

None

Information Security

A.8.8

Management of technical vulnerabilities

Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.

Applicable

Y

Y

Yes

None

Information Security

A.8.9

Configuration management

Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.

Applicable

Y

Yes

None

Information Technology

A.8.10

Information deletion

Information stored in information systems, devices or in any other storage media should be deleted when no longer required.

Applicable

Y

Y

Y

Yes

None

Information Security

A.8.11

Data masking

Data masking should be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.

Applicable

Y

Y

Y

Yes

None

Information Security

A.8.12

Data leakage prevention

Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.

Applicable

Y

Y

Y

Yes

None

Information Security

A.8.13

Information backup

Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

Applicable

Y

Yes

None

Information Technology

Information Security

A.8.14

Redundancy of information processing facilities

Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.

Applicable

Y

Yes

None

Information Technology

A.8.15

Logging

Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analyzed.

Applicable

Y

Y

Y

Yes

None

Information Security

A.8.16

Monitoring activities

Networks, systems and applications should be monitored for anomalous behavior and appropriate actions taken to evaluate potential information security incidents.

Applicable

Y

Yes

None

Information Security

A.8.17

Clock synchronization

The clocks of information processing systems used by the organization should be synchronized to approved time sources.

Applicable

Y

Yes

None

Information Technology

A.8.18

Use of privileged utility programs

The use of utility programs that can be capable of overriding system and application controls should be restricted and tightly controlled.

Applicable

Y

Yes

None

Information Security

A.8.19

Installation of software on operational systems

Procedures and measures should be implemented to securely manage software installation on operational systems.

Applicable

Y

Yes

None

Information Security

A.8.20

Networks security

Networks and network devices should be secured, managed and controlled to protect information in systems and applications.

Applicable

Y

Yes

None

Information Security

A.8.21

Security of network services

Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored.

Applicable

Y

Yes

None

Information Security

A.8.22

Segregation of networks

Groups of information services, users and information systems should be segregated in the organization’s networks.

Applicable

Y

Y

Yes

None

Information Security

A.8.23

Web filtering

Access to external websites should be managed to reduce exposure to malicious content.

Applicable

Y

Yes

None

Information Security

A.8.24

Use of cryptography

Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented.

Applicable

Y

Y

Y

Yes

None

Information Security

A.8.25

Secure development life cycle

Rules for the secure development of software and systems should be established and applied.

Applicable

Y

Yes

None

Information Technology

Information Security

A.8.26

Application security requirements

Information security requirements should be identified, specified and approved when developing or acquiring applications.

Applicable

Y

Yes

None

Information Security

A.8.27

Secure system architecture and engineering principles

Principles for engineering secure systems should be established, documented, maintained and applied to any information system development activities.

Applicable

Y

Y

Yes

None

Information Technology

Information Security

A.8.28

Secure coding

Secure coding principles should be applied to software development.

Applicable

Y

Yes

None

Information Technology

Information Security

A.8.29

Security testing in development and acceptance

Security testing processes should be defined and implemented in the development life cycle.

Applicable

Y

Yes

None

Information Technology

Information Security

A.8.30

Outsourced development

The organization should direct, monitor and review the activities related to outsourced system development.

Applicable

Y

Yes

None

Information Technology

Information Security

A.8.31

Separation of development, test and production environments

Development, testing and production environments should be separated and secured.

Applicable

Y

Yes

None

Information Technology

A.8.32

Change management

Changes to information processing facilities and information systems should be subject to change management procedures.

Applicable

Y

Yes

None

Information Technology

Information Security

A.8.33

Test information

Test information should be appropriately selected, protected and managed.

Applicable

Y

Yes

None

Information Technology

A.8.34

Protection of information systems during audit testing

Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management.

Applicable

Y

Yes

None

Information Security

6.2 Information security objectives and planning to achieve them

Information security objectives will be established, in accordance with Example Corporation’s Information Security Policy and will consider any applicable information security requirement, as well as risk assessment and treatment results. The information security objectives will be measurable, if and when practical, and will reflect:

  • What will be done

  • Resources Required

  • Responsible Parties/Personnel

  • Completion Timeline

  • Metrics for Evaluation and Acceptance Criteria

Example Corporation information security objectives will reflect 5-7 objectives that will cover Confidentiality, Integrity, and Availability as it relates to Example Corporation’s ISMS. The objectives will be tracked and updated when needed (see table below).

INFORMATION SECURITY OBJECTIVES

Objective ID

Objective

Action

Required Resources

Responsible Party

Timeline

Acceptance Criteria

Status

1

All identified controls are in place

List controls

Implement controls

Verify controls

Specialist IT team

Internal audit

Manager, GRC

6 months

Refer to KPI Metrics table Section 9.1

In progress

2

All business continuity plans have been tested in the previous year

Agree testing schedule

Conduct tests

Produce test reports

Operational staff time

CISO

6 months

Refer to KPI Metrics table Section 9.1

In progress

3

Training in information security has been provided for all key resources

Identify key resources

Identify courses

Attend courses

Complete training records

Training budget

Time of attendees

Manager, GRC

3 months

Refer to KPI Metrics table Section 9.1

Complete

4

Increase number of days provided by business teams for information security activities

Agree allocation with top management

Plan involvement

Conduct activities

Record days spent

Business teams

CISO

9 months

Refer to KPI Metrics table Section 9.1

Behind Schedule

5

Reduce number of high

priority risks on risk register

Hold workshops to identify ideas

Implement ideas

Risk owners

IT team

CISO

9 months

Refer to KPI Metrics table Section 9.1

In Progress

6

Find security weaknesses within Example Corporation’s Web and Mobile Application

Conduct a 3rd-party led external penetration test against app.examplecorp.com

Red Team Experts

Manager, GRC (Liaison)

CISO

Report in hand by January 17, 2023

Refer to KPI Metrics table Section 9.1

Complete

6.3 Planning of changes

All changes to the ISMS will be made in accordance with Example Corporation’s Change Management Policy. This will include planned and unplanned changes impacting the organization, software development, supplier services, and configuration management.

7. Support

7.1. Resources and 7.2 Competence

The proper operations and maintenance of the ISMS requires proper personnel planning and resources. Example Corporation management is devoted to making sure that the ISMS roles and responsibilities, as well as the skills necessary to perform them are well-defined, and that those roles are properly manned by people with the requisite skills (see Skills Matrix above). Records of competence will be maintained. Management will also make sure that the ISMS is prioritized in the budgeting process and properly resourced to guarantee optimal performance.

7.3. Awareness

To ensure the proper implementation of the controls, policies, and procedures, Example Corporation will promote awareness and provide training as to the necessity of such provisions, and how to perform their roles and responsibilities in accordance with these provisions.

7.4. Communication

Example Corporation’s communication plan outlines the lines of communication within the organization, and with outside entities, to include appropriate government agencies (e.g., law enforcement) and non-governmental organizations. It also defines times and intervals, events and situations, and personnel responsible for the communication (see below).

COMMUNICATION PLAN

Document/

Deliverable

Frequency of Communication

Sender

(Delivery from)

Audience

(Delivery to)

Delivery Type

Delivery Evidence

Internal Audit Report

Annually

-Internal Auditor

-Member of Security Team

-CISO

-Risk Committee

-Email

-Presentations

-Drata Evidence Library (with Access to Drata)

-Email

-Committee Meeting Minutes

-In Drata

External Audit Report

Annually

-External Auditor

-Member of Security Team

-CISO

-Risk Committee

-Board of Directors

-Email

-Presentations

-Risk Committee and/or Board of Directors Closing Meeting Minutes

ISO 27001 Certificate

As New Certificates are Issued

-External Auditor

-Member of Web Dev Team

-Posted on company website

-Marketing

-Sales

-Email

-Web Posting

-Email

-Website

Corrective Action Report

Quarterly

-Member Responsible for Developing CARs

-CISO

-Business Unit Leadership responsible for Corrective Actions

-(For external findings) External Auditor

-Email

-Meetings

-Drata Evidence Library (with Access to Drata)

-Email

-Meeting Minutes

-In Drata

ISMS Security Objectives

Quarterly

-Member Responsible for Developing objectives

-Business Unit Leadership for Security Objectives

-Email

-Meetings

-Drata Evidence Library (with Access to Drata)

-Email

-Meeting Minutes

-In Drata

Risk Treatment Plans

Quarterly

-Member Responsible for Developing RTPs

-CISO

-Risk Committee

-Business Unit Leadership for RTP

-Email

-Meetings

-Drata Evidence Library (with Access to Drata)

-Email

-Meeting Minutes

-In Drata

Management Review Report

Annually or as necessary

-Member Responsible for reporting metrics in Management Review

-CISO

-Appropriate Business Unit Leadership

-Email

-Meetings

-Drata Evidence Library (with Access to Drata)

-Email

-Meeting Minutes

-In Drata

External Incident Response Report

As necessary

-Designated member to communicate with external parties (e.g., government agency, NGOs, etc.)

-External Parties (e.g., government agencies, NGOs, etc.)

-Email

-Phone

-As required by local regulations or standards

-Email

-Phone Log

-Appropriate Records

7.5. Documented Information

7.5.1. General

The following table includes the documents determined by Example Corporation as being necessary for the effectiveness of the ISMS.

MANDATORY RECORDS & DOCUMENTS

Document

Reference

Location

ISO 27001:2022 TIER 1 DOCUMENTATION

Scope of The Information Security Management System (ISMS)

Clause 4.3

Section 4.3 of the ISMS Plan

Information Security Policy

Clause 5.2

Drata Policy Center

Definition of Security Roles & Responsibilities

Clause 5.2, Annex A.6.2

Skills Matrix section of the ISMS Plan

Information Security Objectives

Clause 6.2

Information Security Objectives section of the ISMS Plan

Risk Assessment Process

Clause 6.1.2

Risk Assessment Policy

Risk Assessment Report

Clause 8.2

Drata - Evidence Library

Risk Treatment Process

Clause 6.1.3

Risk Assessment Policy

Risk Treatment Plan

Clause 6.1.3e

Drata - Evidence Library

Statement of Applicability (For Controls in Annex A)

Clause 6.1.3d

Statement of Applicability section of the ISMS Plan

List of Interested Parties, Legal & Other Requirements

Clauses 4.2 & 6.1

Section 4.2 of the ISMS Plan

Competence (e.g., Skills Matrix & Associated Proof Of Skills)

Clause 7.2

Skills Matrix section of the ISMS Plan

Evidence of Communication

Clause 7.4

Communication Plan section of the ISMS Plan

Procedure for Document Control

Clause 7.5

Last page of ISMS Plan

Monitoring & Measurement Results

Clause 9.1

Drata - Monitoring page

Internal Audit Plan & Reports

Clause 9.2

Internal Audit Section of the ISMS Plan

Results of Management Reviews of ISMS

Clause 9.3

Appendix B of the ISMS Plan

Nonconformities, Corrective Actions & Improvement Suggestions

Clause 10.1; 10.2

Appendix C of the ISMS Plan

ISO 27001:2022 TIER 2 DOCUMENTATION

Inventory of Assets

Annex A.5.9

Drata - Assets module

Acceptable Use of Assets

Annex A.5.10

Drata - Policy Center

Access Control Policy

Annex A.5.15

Drata - Policy Center

Operating Procedures for Information Security

Annex A.5.37

Drata - Policy Center

Logging

Annex A.8.15

Drata - Policy Center, AWS CloudTrail

Incident Management Procedure

Annex A.5.26

Drata - Policy Center

Business Continuity Strategy & Procedures

Annex A.5.29

Drata - Policy Center

Statutory, Regulatory, And Contractual Requirements

Annex A.5.31

Section 4.2 of the ISMS Plan

CONDITIONAL RECORDS & DOCUMENTS (If Applicable)

Document

Reference

Location

Confidentiality or Non-Disclosure Agreements

Annex A.6.6

Google Drive

Secure System Engineering Principles

Annex A.8.27

Drata - Policy Center

Supplier Security Policy

Annex A.5.19

Google Drive

DISCRETIONARY RECORDS & DOCUMENTS (Commonly Used)

Document

Reference

Location

Controls for Managing Records

Clause 7.5.3

Section 7.5.2-.3 of the ISMS Plan

Procedure for Measuring and Monitoring

Clause 9.1

Section 9.1 of the ISMS Plan

Procedure for Corrective Action

Clause 10.2

Appendix C of the ISMS Plan

Bring Your Own Device (BYOD) Policy

Annex A.8.1

Drata - Policy Center

Mobile Device & Teleworking Policy

Annex A.8.1

Drata - Policy Center

Information Classification Policy

Annex A.5.12

Drata - Policy Center

User Access Rights Policies (Including Password Control)

Annex A.5.18

Drata - Policy Center

Disposal & Destruction Policy

Annex A.7.10; A.7.4

Drata - Policy Center

Procedures for Working in Secure Areas

Annex A.7.6

Drata - Policy Center

Clear Desk & Clear Screen Policy

Annex A.7.7

Drata - Policy Center

Change Management Policy

Clause 6.3; Annex A.8.32

Drata - Policy Center

Backup Policy

Annex A.8.13

Drata - Policy Center

Information Transfer Policy

Annex A.5.14

Drata - Policy Center

Business Impact Analysis

Annex A.5.29

Drata - Policy Center

ISMS Continuity Controls Testing Plan

Annex A.5.29

Drata - Policy Center

7.5.2. Creating and updating

Example Corporation ensures documentation generated by Example Corporation personnel is appropriately controlled. Consideration is given to:

  • Identification of documentation through the assignment of titles, dates, authors, and reference numbers.

  • Format including language, version, and media (physical or electronic) used to display and communicate documentation.

  • Review and approval for suitability, adequacy, and accuracy of the information contained within documentation.

The record of this consideration is contained within the “Revision History” table inside of each policy, and records of review and approval are contained within the Drata Policy Center, which documents the policy approval and assigned owner.

7.5.3. Control of documented information

Example Corporation’s crucial task in the operation and maintenance of the ISMS is the collection of the appropriate records and evidence to ensure the functionality of the ISMS, and the effectiveness of the system. The records will also reflect personnel performance and completion of necessary tasks.

Example Corporation will also have a systematic approach for document management. To control documents:

  • Classify documents properly

  • Define members with the rights for distribution, access, retrieval, and use of documents, and the necessary actions to be performed.

  • Identify methods currently used to receive, process, approve/reject, store and/ or delete documents.

  • Align business processes to document management requirements

  • Identify documents for control

  • Integrate change controls to ensure integrity of documents

9. Performance Evaluation / 10. Improvement

9.1. Monitoring, measurement, analysis and evaluation

Example Corporation will evaluate its security objectives by monitoring and measurement of implemented controls. Monitoring provides awareness of the status and state of assets and processes that have been selected to be watched, and can provide basic and immediate alerts if something is not performing as expected. Measurements allow for the evaluation of assets and processes based on predefined units. The assets and processes for evaluation will be properly documented, the company will produce and maintain reports and evidence of evaluations.

These evaluations are meant to allow the Example Corporation to:

  • Ensure control objectives are being satisfied and validate the decisions made;

  • Establish a roadmap to meet set targets and expectations;

  • Produce evidence and justification for implemented measures; and/or,

  • Discover and identify security gaps that would require change, corrective action(s), or intervention.

The following systems, processes and activities could be monitored:

  • ISMS Implementation

  • Incident Management

  • Vulnerability Management

  • Configuration Management

  • Security Awareness and Training

  • Access Control, Firewall and other Event Logging

  • Audits

  • Risk Assessment Process

  • Risk Treatment Process

  • Third Party Risk Management

  • Business Continuity Management

  • Physical and Environmental Security Management

  • System Monitoring

The following processes and activities could be measured:

  • Planning

  • Leadership

  • Risk Management

  • Policy Management

  • Resource Management

  • Communicating

  • Management Review

  • Documenting

  • Auditing

Effectiveness measures will be used to evaluate the effectiveness and impact of the risk treatment plan and related processes and controls related to the information security objectives. These measures could include:

  • Cost savings resulting from properly operating the ISMS, or costs incurred from addressing incidents

  • Level of customer trust

  • Achievement of other information security objectives

KPI Metrics

KPI

Infosec Objective ID (Fr. 6.2)

Frequency

Measure

Result

Target

Supporting Documentation

KPI Owner

Last Review Date

ISMS Plan Review

6

Annually

(# of Reviews / 1) * 100

100%

100%

Security Steering Committee Meeting Minutes

CISO

01/20/2023

Information Security Policy Review

1, 4

Annually

(# of Reviews / 1) * 100

100%

100%

Information Security Policy

CISO

01/20/2023

Security Awareness Training

3

Annually

(# of employees who received SATE / total # of employees) * 100

87%

90-100%

Proofpoint Security Awareness Training Results

Manager, GRC

01/20/2023

Social Engineering Reporting Rate

3

Quarterly

(# of phishing simulation report / total # of employees) * 100

43%

>50%

Proofpoint Security Awareness Training Results

Manager, GRC

03/06/2023

Social Engineering Failure Rate

3

Quarterly

(# of phishing failure / total # of employees) * 100

7%

<5%

Proofpoint Security Awareness Training Results

Manager, GRC

03/06/2023

BC/DR Annual Test

1, 2

Annually

(# of BC/DR test performed / 1) * 100

100%

100%

BC/DR Test Report

CISO

02/17/2023

Annual Incident Response Test

1, 5, 6

Annually

(# of IR test performed / 1) * 100

100%

100%

IR Test Report

CISO

02/24/2023

Penetration Test

1, 5, 6

Annually

(# of penetration test performed / 1) * 100

100%

100%

Penetration Test Report

Manager, GRC

01/17/2023

Vulnerability Scans

1, 5, 6

Monthly

(# of vulnerability scans performed / 12) * 100

100%

100%

AWS GuardDuty

Manager, GRC

03/20/2023

User Access Reviews

1, 6

Quarterly

(# of user access reviews performed / 4) * 100

100%

100%

User Access Review emails

Manager, GRC

01/09/2023

Annual Board of Directors meeting on Cybersecurity

4

Annually

(# of Board Meetings / 1) * 100

100%

100%

Board of Director Meeting Minutes

CISO

03/03/2023

Platform Availability metric

1, 4

Monthly

((100 - Down time) / 100) * 100

99.5%

99.5%

Status page

IT

03/20/2023

Drata Controls Monitoring

1

Daily

(# Passing test / Total number of test) * 100

93%

95%-100%

Drata Monitoring

Manager, GRC

03/23/2023

9.2. Internal audit

Internal Audits are a crucial element of Example Corporation’s ISMS and its continuous improvement. The process will ensure the discovery and identification of issues, gaps, malfunctions, etc. in the company’s ISMS that could ultimately damage or harm the company.

  • Frequency. Example Corporation will conduct an internal audit of its ISMS at least annually

  • Audit Entity. Example Corporation internal audits will be conducted by:

    • Employee, full-time auditor;

    • Employee, part-time auditor; or

    • Third party internal auditor (outside organization will conduct internal audit per rules set by Example Corporation)

    • In the case of an employee being selected as an auditor, Example Corporation will ensure that the auditor is objective and impartial. This will be done through different methods, such as selecting an employee from a different department or team to audit a specific department or team.

  • Documentation. Example Corporation will set and document the criteria and scope of each annual internal audit in the Internal Audit Program. It will also produce and maintain, for evidence, reports of the internal audit, where findings, gaps, and nonconformities will be outlined (see Appendix A).

    Example Corporation will include in its Internal Audit Program sections such as:

    • Method of internal auditor selection

    • Process of planning the internal audit

    • Steps to conduct the internal audit

    • Post-audit activities

    • Internal audit checklist

  • Plan and Procedure. (See APPENDIX A)

9.3. Management review / 10.1. Continual improvement / 10.2. Nonconformity and corrective action

  • Management review. Example Corporation management will systematically review and make critical decisions concerning the ISMS. The review will be arranged by the CISO, who is also responsible for compiling all necessary information and inputs for consideration (see APPENDIX B).

    The review will take into consideration:

    • Status of items, issues, and tasks from previous review

    • Any internal and external changes that impact security

    • Feedback from, and any security-related changes in needs and expectations of, interested parties

    • Feedback on the performance of the ISMS, to include:

      • Nonconformities and corrective actions

      • Monitoring and measurement results

      • Audit results

      • Fulfillment of information security objectives

    • Risk assessment results, and risk treatment status

    • Continual improvement opportunities

    Decisions will be made concerning:

    • The ISMS scope and whether it requires modifications

    • Security policies and whether any require modifications

    • Security gaps and necessary improvements

    • Necessary resources

    • The overall effectiveness of the ISMS and fulfillment of its objectives

    • Implementation of different security strategies and training

  • Frequency. Example Corporation will conduct a management review of its ISMS at least annually, and as necessary.

  • Documentation and reporting. The considerations, discussions, and decisions from the management review will be recorded in the meeting minutes, which could also include discussions from other reviews. The results of the review, and subsequent tasks and responsibilities, will be communicated to relevant parties by e-mails and weekly ISO meetings & stand ups.

  • Corrective Action Plan. In the event of a nonconformity, Example Corporation will take action to control and correct it, or deal with the consequences, as applicable. Example Corporation will employ corrective action plans for the systematic elimination of issues and nonconformities. The plan will aim to resolve an issue from its root cause so that it can be prevented or mitigated in the future and sustain the corrective measures. It will include:

    • Review of the nonconformity

    • Root cause analysis and assessment

    • Determination of whether similar nonconformities are present or could occur

    • Required steps for root cause elimination

    • Implementing changes to the ISMS, if necessary

    • Risk-opportunity assessment of changes and review of their effectiveness

    • Time and cost assessment

    • Rubric for measuring effectiveness

  • Corrective Action Report. Example Corporation will document any corrective action taken in a corrective action report (see Appendix C). The report will at a minimum include:

    • Nature of nonconformities

    • Identified root cause

    • Corrective actions taken

    • Implementation of corrective actions

    • Result of corrective actions (include effectiveness)

APPENDIX A

Internal Audit Plan and Procedure

Purpose

The purpose of the internal audit is to ensure the effectiveness of Example Corporation’s information security management system, its continuous improvement, and conformance with the requirements of ISO 27001:2022, as set out in Clause 9.2 of the standard. It will ensure (a) conformance with the standard, and more importantly, (b) proper information security measures in place that are continuously improved. Additionally, the internal audit will:

  • Uncover nonconformities before others discover them;

  • Ensure a strong security stance by identifying areas that require attention prior to a security event;

  • Demonstrate and inform management commitment; and

  • Assist staff understanding and awareness.

Scope

This plan applies to Example Corporation internal audits of the ISMS, and establishes the procedures for carrying out the audit. The audit scope should match the ISMS.

Roles and responsibilities

Lead Auditor: Responsible for the planning and execution of the audit. The lead auditor is a competent entity independent from the ISMS, who is a member of the company independent of the ISMS OR a third party auditor.

Employees: Responsible for assisting in the audit process, when and as required.

Plan

  • Audit schedule

    • Properly planned out audit, and readily-available schedule to let all members aware of when each process will be audited over the upcoming cycle.

    • Allow time for better preparation and practical support.

    • Allow time for process owners to:

      1. finish any improvement projects and gather valuable information on the implementation; or,

      2. request that the auditor(s) focus on helping to gather information for other planned improvements.

  • Coordinate with process owners

    • Collaborate to determine the best time to review the process.

    • Auditor(s) can review previous audits to see if any follow-up is required on comments or concerns previously found.

    • Process owners can identify any areas that the auditor can look at to assist the process owner to identify information.

    • Ensure that the process owners will get value out of the audit process.

  • Conducting the audit

    • Gather, review, analyze information as outlined in the audit procedures below.

    • Identify areas that do not have operational evidence.

    • Identify areas that may function better if changes are made.

  • Reporting audit findings

    • Meet with interested parties and process owners to ensure an efficient flow of information (non-conforming).

    • Highlight areas of weakness to be addressed, and areas that could use improvement (improvement opportunities).

  • Follow-up

    • Ensure that identified areas of non-conformity are resolved and corrective actions have been taken.

    • Check any progress on identified improvement opportunities.

Procedure

  • Review ISMS documentation

    • Audit scope should match ISMS, setting clear limits for the internal audit.

    • All prescribed documents(See Prescribed Documentation above) are in place and readily available.

  • Identify any criteria, if any, needed for consideration during the audit

    • Identify the extent of work that may be done during the audit

    • Identify any anticipated limitations

  • Identify the main stakeholders in the ISMS

    • Any required documentation for the audit could be easily requested.

  • Management input

    • Designated internal auditor should be competent and independent.

    • Agree and determine the timing and resources required for the audit.

    • Set milestones/checkpoints for when the board should receive interim updates.

    • Discuss issues or concerns

  • Conduct practical assessment

    • Observe the operation of the ISMS, and whether it properly functions in practice by speaking with members involved and operating processes related to the ISMS, whether they are in an ISMS role or not.

    • Run audit tests to validate evidence as it is gathered.

    • Complete audit reports and document the results of each test.

  • Analyze evidence

    • Sort and review all evidence collected during the audit, as related to the company’s risk treatment plan and control objectives.

    • Identify any further gaps or need for further audit tests.

  • Report findings (see Appendix A). The report should include:

    • Classification and dissemination restrictions of the report

    • Intended recipient(s) of the report

    • An executive summary to highlight the key findings, high-level analysis and a conclusion

    • Scope, Timing, any outlined criteria

    • Analysis of the findings and compliance with each clause of the ISMS requirements

    • Recommendations

    • Post-audit actions

INTERNAL AUDIT REPORT

Confidentiality

Date of Audit

02/14/2023 - 02/23/2023

Example Corporation

Internal Use

Date of Previous Audit

N/A

RECIPIENT(S)

- John Smith - CISO

- Jane Doe - Manager, GRC

- Lisa Bautista - CEO

- James Chapman - CTO

- Alice Wallace - CFO

EXECUTIVE SUMMARY

Internal Audit has prepared the following report after conducting an audit on the Example Corporation’s web and mobile applications. This audit was conducted pursuant to receiving ISO 27001 certification for Example Corporation’s ISMS. This audit was conducted against the ISO 27001 and ISO 27002 standards. Evidence was collected through the use of the Drata Platform and collected from the interviews with the GRC Manager, and taking screenshots from specific systems not otherwise captured within the Drata Platform. The overall opinion of the internal audit is that Drata’s ISMS was established and is being operated appropriately. Three (3) minor non-conformities were noted and one (1) enhancements/process improvements were noted. It is the recommendation of Internal Audit that the three (3) minor non-conformities are remediated prior to beginning Stage 1 of the ISO 27001 audit.

AUDITOR

AUDIT SCOPE & CRITERIA

Auditor Name

Benedict Arnold

Scope

  • Organizational Units

Example Corporation Management

Information Security

Information Technology & Engineering

Human Resources

Legal

  • Networks and IT Infrastructure

Amazon Web Services (AWS)

GitHub

Slack

Jira

  • Processes and Services

Example Corporation Web Application (app.examplecorp.com)

Example Corporation Mobile Application (iOS & Android)

  • Locations

Not Applicable as Example Corporation has not physical locations in scope

EXCLUSIONS. The following items are explicitly excluded from the ISMS scope of Example Corporation:

  • Business Units:

Sales

Marketing

Finance

  • Vendor Dependencies:

Amazon Web Services (AWS) - Data Center & Physical Security Controls

Internal or External?

Internal

Organization (if external)

N/A

Criteria

Refer to associated document Drata ISMS SOA

Primary Role

Lead Internal Auditor

AUDIT METHOD

AUDIT FINDINGS

Activity

Action

Nonconformities

Document Review

All evidence were provided through the use of Drata platform’s Audit Hub and reviewed with Read-Only Access

Clause 7.5.2.B - Example Corporation's document history table does not include details such as format (Electronic/Physical), language, software version, etc. which is listed in item B of Clause 7.5.2.

Annex A 5.13 - Example Corporation’s Data Classification Policy does not include guidance for labeling data.

Annex A 5.22 - Example Corporation's Vendor Management Policy does not include procedures related to managing changes in supplier contracts, changes to the services delivered by suppliers, or changes at Example Corporation made in order to implement changes in supplier contracts or services.

Evidential Sampling

For select controls, the Internal Auditor requested additional documentation including samples using a sample size of 1 as supplementary evidence to support provided documents.

Interviews

Improvement Opportunities

ISMS Key Members

Non-ISMS Members

Annex A 8.27

Jane Doe

RECOMMENDATIONS

Annex A 8.27 - Example Corporation's SDLC policy does not formally document secure engineering principles. Review and ensure that SDLC policy includes secure engineering principles.

COMPLIANCE

POST-AUDIT ACTIONS

Clause 4

Clause 5

Clause 6

Clause 7

Clause 8

Clause 9

Clause 10

Minor non-conformities found on Clause 7.5.2B, Annex A 5.13, and Annex A 5.22.

Example Corporation’s Management should review the provided Internal Audit report, develop a treatment plan, and remediate the non-conformities listed before moving into Stage 1 of the ISO 27001 audit.

Dissemination Restrictions:

Internal Use only, this report is meant to be reviewed by management of ISMS

Report PREPARED by:

Benedict Arnold

Internal Auditor

Remote - N/A

2/23/2023

4PM PST

Report APPROVED by:

John Smith

CISO

Remote - N/A

2/24/2023

11AM PST

APPENDIX B

MANAGEMENT REVIEW

Confidentiality

Date of Review

March 20, 2023

Example Corporation

Confidential

Date of Previous Review

March 10, 2023

MEETING DETAILS

ACTION ITEMS

Participants

- John Smith - CISO

- Jane Doe - Manager, GRC

- Lisa Bautista - CEO

- James Chapman - CTO

- Alice Wallace - CFO

- Benedict Arnold - Internal Auditor

Previous Items

Owner

Status

Benedict Arnold

Conduct Internal Audit

Complete

Input Items

  • Evaluation and internal audit Reports

  • Assessments, tests, or incidents lessons learned

  • Improvement inputs from the company

INFORMATION SECURITY REVIEWS

Y

Nonconformities and Corrective Actions

Y

Monitoring and Measurement Results

Y

Audit Results

Y

Information Security Objectives Fulfillment

DISCUSSION POINTS & DECISIONS

Current Items

Owner

Status

ISMS Scope Modification

Not Applicable - ISMS is established

Establish Corrective Action Plans for Internal Audit non-conformities and opportunities for improvement

Jane Doe

In-Progress

Security Policies Modification

Security Policies will be modified based on the issues identified during the 2023 ISO Internal Audit

Review failing monitoring tests and remediate

Jane Doe

In-Progress

Overall ISMS Effectiveness

ISMS Plan is found to be effective with a few action items to meet Information Security Objectives 1 and 3. Please refer to KPI Metrics table on Section 9.1

Following a failed simulation test, ensure that employees acknowledge the phishing refresher course

Jane Doe

In-Progress

Changes Internal/External

Not Applicable - ISMS is established

Ensure employees take their security awareness training

Jane Doe

In-Progress

Security Gaps

3 minor non-conformities and 1 opportunity for improvement from Internal Audit were discussed

Develop strategies to encourage employees in reporting suspicious emails

Jane Doe

Not Started

Security Improvements

Establish Corrective Action Plans for the 4 Identified Issues during the 2023 Internal Audit

Security Strategies

Other security controls have been implemented to ensure continuous improvement of the ISMS

NOTES:

FOCUS FOR NEXT INTERNAL AUDIT

POST-REVIEW ACTIONS

Report Distribution

Method

Date

Included as part of the ISMS Plan

Uploaded to Drata’s Policy Center

March 20, 2023

Report PREPARED by:

Jane Doe

Manager, GRC

Remote - N/A

March 20, 2023

Report APPROVED by:

John Smith

CISO

Remote - N/A

March 20, 2023

APPENDIX C

CORRECTIVE ACTION REPORT

Confidentiality

Date of Review

02/28/2023

Example Corporation

Internal Use

Date of Previous Review

N/A

NON-CONFORMITIES

  1. Clause 7.5.2B

Nature

Documentation

Corrective Action

Include “Format” in all documents’ revision history table

Root Cause

Example Corporation’s document history table does not include details such as format (Electronic/Physical), language, software version, etc. which is listed in item B of Clause 7.5.2.

Implementation

Completed

Result/Effectiveness

Effective

Due Date

March 16, 2023

Owner

Jane Doe

Notes:

  1. Annex A 5.13

Nature

Documentation

Corrective Action

Include data labeling guidance to Example Corporation’s Data Classification Policy

Root Cause

Example Corporation’s Data Classification Policy does not include guidance for labeling data.

Implementation

In Progress

Result/Effectiveness

-

Due Date

March 20, 2023

Owner

Jane Doe

Notes:

  1. Annex A 5.22

Nature

Process and Documentation

Corrective Action

Develop and include procedures related to managing changes in supplier contracts to Vendor Management Policy

Root Cause

Example Corporation's Vendor Management Policy does not include procedures related to managing changes in supplier contracts, changes to the services delivered by suppliers, or changes at Example Corporation made in order to implement changes in supplier contracts or services.

Implementation

Not Started

Result/Effectiveness

-

Due Date

March 24, 2023

Owner

Jane Doe

Notes:

Revision History

Version

Date

Editor

Approver

Description of Changes

Format

1.0

03/20/2023

Jane Doe

John Smith

Initial Creation

.DOCX

Did this answer your question?