This is an example of a completed ISMS plan for ISO 27001:2022. This is only guidance and you should review the example language before including it in your own ISMS plan.
A downloadable version of this template can be found at the bottom of this article.
Information Security Management System Plan (ISO/IEC 27001:2022)
Example Corporation
____________________________________________________________________
Table of Contents:
Purpose
Background and Objectives
ISMS Plan
4. Context of the organization
4.1. Understanding the organizations and its context
4.2. Understanding the needs and expectations of interested parties
4.3. Determining the scope of the ISMS
5. Leadership
5.1. Leadership and commitment
5.2. Policies
5.3. Organizational roles, responsibilities and authorities
6./8.1 Planning
6.1. Actions to address risks and opportunities
6.1.1. General; 6.1.2 / 8.2. Information security risk assessment
6.1.3 / 8.3. Information security risk treatment
SOA REVISION HISTORY
6.2 Information security objectives and planning to achieve them
6.3 Planning of changes
7. Support
7.1. Resources and 7.2 Competence
7.3. Awareness
7.4. Communication
7.5. Documented Information
7.5.1. General
7.5.2. Creating and updating
7.5.3. Control of documented information
9. Performance Evaluation / 10. Improvement
9.1. Monitoring, measurement, analysis and evaluation
9.2. Internal audit
9.3. Management review / 10.1. Continual improvement / 10.2. Nonconformity and corrective action
APPENDIX A
APPENDIX B
APPENDIX C
Internal Audit Plan and Procedure
Purpose
This Information Security Management System (ISMS) Plan aims to define the principles, requirements, and basic rules for the establishment, implementation and operation of the Information Security Management System.
Background and Objectives
The ISMS Plan lays the foundation of the company’s ISMS, and identifies the roadmap for the establishment, implementation and operation of the ISMS and its continued efficacy. This document is supplemented by security policies and procedures that enable the treatment of risks to the organization.
Key objectives of the ISMS Plan are to:
Define the context of the organization
Define the scope of the ISMS
Provide guidance for the implementation of risk treatment and creation of the statement of applicability
Identify all necessary documents and records
Outline the internal audit process, audit reviews, and remedial actions
Establish expectations for continual improvement of the ISMS
The ISMS will be designed and implemented in accordance with the following reference standards:
ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection - Information security management systems - Requirements
ISO/IEC 27017:2015 Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services
ISO/IEC 27018:2019 Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
[GUIDANCE NOTE: Edit this section to include only applicable standards.]
ISMS Plan
4. Context of the organization
4.1. Understanding the organization and its context
Example Corporation has identified issues relevant to the ISMS. Internal and external issues are those factors relevant to Example Corporation’s purpose and that affect Example Corporation’s ability to achieve the intended outcomes of its ISMS.
Internal issues relevant to the ISMS include, but are not limited to:
Example Corporation culture, as guided by its values, mission, and vision:
Mission: <Insert organization mission or link to where it’s available>
Vision: <Insert organization vision or link to where it’s available>
Values: <Insert organization values or link to where it’s available>
Governance, organizational structure, (see Organizational Chart) and roles and responsibilities for the ISMS (see Skills Matrix)
Policies, objectives and the strategies in place to achieve them (see Information Security Policy and topic-specific policies)
Internal capabilities, (e.g. capital, time, people, processes, systems and technology)
Internal interested parties and their expectations (see below)
Form and extent of contractual relationships (see Vendor Management Policy and vendor register)
External issues relevant to the ISMS include, but are not limited to:
Laws and regulations that are applicable to Example Corporation (see below)
Interested parties and their expectations (see below)
Vendor and supplier compliance to applicable standards, laws, and regulations and Example Corporation’s security requirements;
Market trends and customer preferences
Political, public policy, and economic changes
Technological trends and emerging fields and their associated threats.
[GUIDANCE NOTE: These are examples of internal and external issues. You must customize this section to your organization and be prepared to describe/provide examples if asked by auditors during a certification audit (e.g., describe market trends and customer preferences if included as an external issue.)
Example Corporation has determined that climate change is not a relevant issue.
<OR>
Example Corporation has determined that issues related to climate change are relevant for the ISMS, including:
<EXAMPLE> Impacts on natural resources and greenhouse gas emissions due to increased power consumption of computational resources.
<+>
[GUIDANCE NOTE: This marks the first amendment to ISO 27001:2022. Organizations are advised to evaluate whether climate change impacts their specific environment and operations. The provided example guidance is illustrative, and it is crucial for organizations to assess which aspects of climate change are pertinent to their unique circumstances.]
4.2. Understanding the needs and expectations of interested parties
APPLICABLE LAWS AND REGULATIONS (EXTERNAL) | Requirements / Notes |
EU: |
|
General Data Protection Regulation (EU) | <Example> Article 32 of GDPR requires appropriate technical and organizational measures commensurate with the level of risk, which will be implemented through the ISMS. |
EU-US Data Privacy Framework (EU / US) |
|
EU AI Act (EU) |
|
Digital Services Act (EU) |
|
Digital Markets Act (EU) |
|
Ethics Guidelines for Trustworthy AI (EU) |
|
Network and Information Security Directive (EU) |
|
Digital Operational Resilience Act - DORA (EU) |
|
|
|
US: |
|
AI Training Act (US) |
|
National AI Initiative Act (US) |
|
AI In Government Act (US) |
|
Health Insurance Portability and Accountability Act (US) |
|
California Consumer Privacy Act (US-CA) |
|
|
|
Australia: |
|
AI Ethics Framework (AU) |
|
Data Availability and Transparency Act 2022 (AU) |
|
Competition and Consumer Data Right Rules (AU) |
|
|
|
Brazil: |
|
Brazilian General Data Protection (BR) |
|
|
|
Canada: |
|
Privacy Act (CA) |
|
Quebec’s Law 25 (CA) |
|
|
|
India: |
|
Information Technology Act (IN) |
|
The Information Technology Rules (IN) |
|
Competition Act (IN) |
|
Digital Personal Data Protection Act (IN) |
|
Copyright Act (IN) |
|
National e-Governance Plan (IN) |
|
Law No. 27 of 2022 on Personal Data Protection (IN) |
|
Electronic Information Law (IN) |
|
Article 40 of Law No. 36 of 1999 regarding Telecommunications (IN) |
|
Law No. 14 of 2008 on Public Information Transparency (IN) |
|
|
|
Israel: |
|
Basic Law: Human Dignity and Liberty (IL) |
|
Privacy Protection Law (IL) |
|
Data Security Regulation (IL) |
|
Credit Data Law (IL) |
|
Copyright Act (IL) |
|
|
|
Japan: |
|
Improving Transparency and Fairness of Digital Platforms Act (JP) |
|
|
|
New Zealand: |
|
Privacy Act (NZ) |
|
|
|
UK: |
|
UK General Data Protection Regulation (UK) |
|
[GUIDANCE NOTE: The above are example laws and regulations that may be relevant to your organization and your ISMS.You must review and update the table as appropriate (for example, remove the jurisdictions you do not operate in). You should also consider whether there are additional ones not listed that are relevant to you by consulting with your own privacy, compliance, and legal teams.
CONTRACTUAL REQUIREMENTS (EXTERNAL) | Requirements / Notes |
[EXAMPLE] Example Corporation (Customer) | [EXAMPLE] Example Corporation requires an ISO 27001 certification as part of the MSA signed in 2022. |
[EXAMPLE] Enterprise Customers | [EXAMPLE] Example Corporation provides a provision in all contracts with enterprise customers that evidence of an annual penetration test will be provided upon request. |
+ |
|
[GUIDANCE NOTE: Update to reflect any contractual requirements relevant to your ISMS. For example:
1. Requirements from customers to implement ISO 27001 or other security framework
2. Requirements to implement specific security technical and organizational measures, such as penetration tests
3. Any other contractual requirements]
INTERESTED PARTIES (EXTERNAL) | Requirements / Notes | Will requirements be managed through the ISMS? |
[EXAMPLE] Customers | Service delivery and performance in accordance with SLAs and terms of service (e.g., availability of the system and/or services). | Yes |
| Protection of customer data through technical and organizational measures. | Yes |
| Maintaining compliance with security standards such as ISO 27001. | Yes |
[EXAMPLE] Suppliers | Ability to meet financial obligations. | No |
[EXAMPLE] Regulators/Law Enforcement | Compliance with applicable legislation and regulations. | Yes |
| Ability and capability to protect and safeguard sensitive customer data as well as preventing financial fraud or malicious intent. | Yes |
| Ability to handle all potential incidents related to the company, its products and services, or its personnel. | Yes |
[EXAMPLE] Shareholders/Owners/Investors | Achieving growth goals and business objectives such as profit margins. | No |
+ |
|
|
[GUIDANCE NOTE: Organizations to determine which of these requirements will be addressed through the ISMS.]
INTERESTED PARTIES (INTERNAL) | Requirements / Notes | Will requirements be managed through the ISMS? |
[EXAMPLE] Engineering | Having the tools and resources to implement secure design and development processes. | Yes |
[EXAMPLE] HR | Maintaining high employee engagement and morale. | No |
| Hiring and retaining competent and ethical personnel. | Yes |
[EXAMPLE] Security/IT | Providing personnel with the necessary knowledge and awareness to detect and report security events (e.g. phishing attempts) | Yes |
[EXAMPLE] Senior Management | Achieving business objectives related to information security. | Yes |
| Ability to respond to and/or mitigate major security breaches, incidents, lawsuits, disasters, and other global events. | Yes |
| Continuously improving business processes to eliminate nonconformities that result in unnecessary capital and resources. | Yes |
| Ability to forecast and respond to market trends and major competitor tactics. | No |
+ |
|
|
[GUIDANCE NOTE: These are examples of interested parties and requirements. You must customize to your organization. Note that the requirements of interested parties can include legal and regulatory requirements and contractual obligations]
<IF APPLICABLE> Example Corporation did not identify any requirements from interested parties related to climate change.
[GUIDANCE NOTE: Relevant interested parties can have requirements related to climate change.
You must consider whether interested parties have requirements related to climate change relevant to your ISMS and update the table above accordingly (e.g., climate change regulatory actions and initiatives from national agencies in your jurisdiction, etc.). Otherwise, keep this note.]
4.3. Determining the scope of the ISMS
The scope of Example Corporation’s ISMS comprises the following standards:
ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection - Information security management systems - Requirements
ISO/IEC 27017:2015 Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services
ISO/IEC 27018:2019 Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
[GUIDANCE NOTE: The scope of the ISMS as defined here will be explicitly described in your certificate of registration. Edit this section to include only applicable standards.]
The scope of the ISMS was established taking into account the internal and external issues, legal, regulatory, and contractual requirements, expectations of interested parties, and other stated requirements to include the following:
Organizational Units/Departments
<Outline organizational units/Departments included in the scope>
Example:
Product
Engineering
Security
IT
People
<+>
Systems, Applications and Infrastructure
<Outline systems and applications included in the scope>
Example:
AWS/Azure/GCP
GitHub/GitLab
Jenkins
DataDog
Okta
Google Workspace
Teleport
Twilio
Sentry
ADP
<+>
Business Processes, Products and Services
<Outline business processes, products and services included in the scope>
Example:
[Company] Web Application (app.examplecorp.com)
[Company] Mobile Application (iOS/Android)
Services:
MSSP
Development
Locations
<Outline locations included in the scope, including addresses>
Example:
Main office: P. Sherman, 42 Wallaby Way, Sydney <OR>
Example Corporation has no physical locations in scope for the ISMS as the company’s workforce is primarily/entirely remote. All activities relevant to the ISMS are conducted remotely.
[GUIDANCE NOTE: For Example Corporations with no physical locations, this section could be removed.]
<Outline any additional categories included in the scope>
<+>
Interfaces and dependencies between activities performed by other organizations include, but are not limited to, the following:
Drata: Provides a cloud platform for continuous control monitoring used to track implementation of the ISMS
<Name>: Provides vCISO and ISMS implementation services
(+)
EXCLUSIONS
The following items are explicitly excluded from the ISMS scope of Example Corporation:
[GUIDANCE MOTE: Specify all individual elements which are to be specifically excluded from the scope, such as organizational teams, business processes or services, systems, locations not relevant for the ISMS].
Example:
Marketing/Design personnel will be excluded from the departmental scope as this department does not handle any customer data and is not involved in activities relevant to the ISMS.
Office at P. Sherman, 43 Wallaby Way, Sydney will be excluded from the in-scope locations as this is a shared coworking space; there are no critical assets and it is entirely managed by WeWorks.
5. Leadership
5.1. Leadership and commitment
Top management for the scope of the ISMS includes:
<NAME, TITLE>
<NAME, TITLE>
<NAME, TITLE>
[GUIDANCE NOTE: Top management-Person or group of people who directs and controls an organization at the highest level. Top management has the power to delegate authority and provide resources within the organization. If the scope of the management system covers only part of an organization, then top management refers to those who direct and control that part of the organization. Consider C-Suite officers, information security committee members, etc. and their expected involvement in the ISMS.]
Top management will demonstrate its leadership and commitment to the ISMS through:
Establishing an Information Security Policy (see Information Security Policy)
Ensuring ISMS, roles, responsibilities and authorities are assigned
Ensuring resources needed for the ISMS implementation (e.g., resources needed to implement necessary controls) are made available
Communicating the importance of effective information security management
Motivating & empowering persons to contribute to the effectiveness of the ISMS
Reinforcing organizational accountability for information security management results
Creating and maintaining an internal environment in which persons can become fully involved in achieving the organization’s information security objectives
5.2. Policies
Management has established an Information Security Policy that is available as documented information, managed, and communicated to company personnel via <Drata or other platform>. Management may also make the Information Security Policy available to external parties in certain circumstances as deemed appropriate (e.g., to satisfy due diligence requests from prospects, etc).
Through the establishment and implementation of the Information Security Policy, management is committed to satisfying applicable requirements related to information security and continuously improving the ISMS.
In addition to this plan and the Information Security Policy, management will establish and implement topic-specific policies to support the implementation of information security controls in specific areas of the organization and security areas. These topic-specific policies will be managed and made available to personnel via <Drata or other platform>.
5.3. Organizational roles, responsibilities and authorities
The [SECURITY OFFICER//OTHER RESPONSIBLE PARTY] is responsible for:
The design, development, maintenance, dissemination, and enforcement of the items contained in this policy and associated policies.
Ensuring that the information security management system conforms to the requirements of ISO/IEC 27001:2022 (Clause 5.2c and Clause 5.3a).
Reporting on the performance of the information security program to top management to identify areas for continuous improvement (Clause 5.2d and Clause 5.3b).
The objectives and measures outlined by this plan and associated policies shall be maintained and enforced by the roles and responsibilities specified in each policy and the company Skills Matrix (see below).
SKILLS MATRIX
Role Title | ISMS Responsibilities | Required Skills & Competence | Current Personnel or Members | Fully Competent (Y/N) | Competency Plan
(if not fully competent)
| Proof of Competence |
CIO/CEO/CISO / Other | 1 - Oversight of the ISMS implementation 2 - Providing leadership support including resources to implement the ISMS 3 - Fostering a culture of continuous improvement 4 - Monitoring the performance of the ISMS |
| John Smith | Y | N/A |
|
Security Officer/Other Responsible Party | 1 - The design, development, maintenance, dissemination, and enforcement of the items contained in this policy and other ISP policies. 2 - Ensuring that the information security management system conforms to the requirements of the standard. 3 - Reporting on the performance of the information security program to top management to identify areas for continuous improvement (5.2d, 5.3b). |
| Jane Doe | N | Does not have ISO/IEC 27001 implementation experience. Will complete ISO/IEC 27001 lead implementer training by the end of this year. |
|
(+) |
|
|
|
|
|
|
[GUIDANCE NOTE: This is an example Skills Matrix to document ISMS roles and responsibilities and competence as required by the standard. You must customize it for your organization.]
6./8.1 Planning
6.1. Actions to address risks and opportunities
6.1.1. General; 6.1.2 / 8.2. Information security risk assessment
Methodology
Example Corporation will establish a methodology for risk assessment which will include the following:
Process for identifying risks that could cause the loss of confidentiality, integrity, and/or availability of information
Identification of risk owners
Assessment of consequences and the likelihood of risks
The risk methodology will ensure that the risk assessment results are consistent across all relevant sectors of the company with comparable results (see Risk Assessment Policy).
Performance
Example Corporation will conduct the risk assessment process as outlined in its Risk Assessment Policy <FREQUENCY - annually at a minimum, quarterly recommended> or when significant changes occur
6.1.3 / 8.3. Information security risk treatment
Risk Treatment Plan. The Risk Treatment Plan is a crucial part of the ISMS implementation. Example Corporation will document a Risk Treatment Plan for every identified risk, which will include the necessary controls to modify risk, responsible party, and as deemed necessary, timing and intervals, and allocated resources/budgets.
Evaluation of Effectiveness. Example Corporation will measure and evaluate the fulfillment and effectiveness of the controls in place and other ISMS objectives in place, as set forth in the Risk Treatment Plan.
Statement of Applicability. The Statement of Applicability (SOA) links Example Corporation’s risk assessment and treatment with the implementation of the ISMS. The SOA will list all controls identified by Example Corporation to be necessary to implement the risk treatment plan based on the results of the risk assessment. This may include ISO 27001 Annex A controls, controls from other frameworks, custom controls deemed necessary by the organization, etc. The SOA will indicate any controls that are not deemed necessary to treat an identified risk as justification for exclusion. Each control in the SOA will have implementation status and implementation details. Refer to Appendix A for Example Corporations statement of applicability.
[GUIDANCE NOTE: You must complete a Statement of Applicability (SoA) and provide it to your certification body. This can be included in Appendix A of your ISMS documentation or maintained as a standalone document.
The SoA must:
List all 93 Annex A controls (they are listed in the template at the bottom of the page)
Clearly state whether each control is applicable or not
Provide a justification for any exclusions
Describe the implementation status of each applicable control
While the SoA is part of your broader ISMS plan, many organizations choose to keep it as a separate document. You can store it in your Evidence Library if that works best for your documentation structure.
Note: An export of controls from Drata can be a helpful starting point, but it is not sufficient on its own. The export indicates scope status, but does not include the required justifications. If you use the export, be sure to add columns to capture applicability decisions and rationale for each of the 93 controls.]
6.2 Information security objectives and planning to achieve them
Information security objectives will be established, in accordance with Example Corporation’s Information Security Policy and will consider any applicable information security requirement, as well as risk assessment and treatment results. The information security objectives will be measurable, if and when practical, and will reflect:
what will be done;
what resources will be required;
who will be responsible;
when it will be completed; and
how the results will be evaluated.
Example Corporation information security objectives will reflect the objectives for the protection of the Confidentiality, Integrity, and Availability of information as it relates to Example Corporation’s ISMS. The objectives will be monitored and updated when needed (see table below).
INFORMATION SECURITY OBJECTIVES (202X)
ID | Objective | Actions to Achieve Objectives | Required Resources | How Will It Be Monitored | Responsible Party | Timeline | Evaluation Criteria |
1 | EXAMPLE 1. Achieve and maintain ISO/IEC 27001 Certification | 1 - Implement ISMS requirements 2 - Perform a risk assessment and implement necessary controls based on results 3 - Conduct management review and internal audits at planned intervals 4 - Engage certification body to perform initial certification audit 5 - After initial certification perform required activities at least annually for surveillance audit | 1 - Budget for implementing required certification activities (e.g., engaging with a certification body, internal auditor, etc.) 2 - Operational staff and top management time | 1 - Implementation of the ISMS and associated activities will be monitored in Drata.
2 - ISO/IEC 27001 certificate will be provided by certification body upon completion of successful audit | <CISO or other responsible party> | Initial certification expected to be obtained by QX, 202X.
Surveillance audits will be conducted every year thereafter to maintain the certification. | 1 - ISO/IEC 27001 certification received by the organization by expected date.
2 -Successful surveillance audits and maintenance of the certification. |
2 | EXAMPLE 2: Foster a culture of security throughout the entire organization | 1 - Training personnel periodically on security awareness and monitor completion 2 - Provide internal communication channels to report security events 3 - Require personnel to acknowledge security policies | 1 - Security awareness training resources or platform and tracking mechanism 2 - Internal security communication channels (e.g., Slack/MS Teams, security email, etc.) 3 - Policy management platform | 1 - Completion status for security awareness training and policy acknowledgement
2 - Usage of internal security communication channels | <CISO/HR or other responsible party> | Training and policy acknowledgement will be expected during personnel onboarding and at least every 12 months.
Usage of internal security communication channels will be ongoing
| 1 - 95% personnel complete security awareness training and policy acknowledgements on time
2 - Internal security communication channels actively used to report events |
3 | EXAMPLE 3: Evaluate and consider the impact of technology changes and implement appropriate responses | 1 - Perform risk assessments at planned intervals to consider technology changes 2 - Discuss technology changes in management review meetings | 1 - Operational staff and top management time 2 - Methodology for risk assessment
| 1 - Completion of the risk assessment activities
2 - Conducting the management review meetings | <CISO or other responsible party> | Initial risk assessment and management review to be performed by QX, 202X and then at least annually thereafter | 1 - Updated risk register following risk assessment activities
2 - Management reviews agenda and minutes
|
4 | EXAMPLE 4: Meet contractual commitments around availability of the product and services | 1 - Implement and maintain a high availability infrastructure with redundancy
| 1 - Operational staff time 2 - Budget for additional cost of redundant infrastructure | 1 - Uptime % for product/service within status portal | <Engineering Lead or other responsible party> | Ongoing | Uptime % for product/service within availability SLA |
5 | EXAMPLE 5: Protect confidentiality, availability, and integrity of customer data | 1 - Implement strong encryption for data at rest and in transit 2 - Implement strong authentication mechanisms such as MFA 3 - Implement access control policies based on the principle of least privilege and need-to-know | 1 - Operational staff time 2 - Resources to implement access control processes and mechanisms (processes for provisioning, reviewing, and deprovisioning access) | 1 - All databases and services encrypted at rest and in transit per Drata monitoring 2 - All users have MFA enabled per Drata monitoring
3 - All terminated users have access disabled per Drata monitoring | <IT Lead or other responsible party> | Ongoing | Successful monitoring results in Drata |
6 | EXAMPLE 6: Institutionalize organizational incident response capabilities | 1 - Establish an incident response plan and a disaster recovery plan 2 - Define recovery time objectives (RTOs) and recovery point objectives (RPOs) 2 - Conduct annual incident or BCP/DRP response tests | 1 - Operational staff time 2 - Documented plans 3 - Dedicated time scheduled to conduct activities | 1 - Incident response and disaster recovery plan documented and available within Drata
2 - Incident response or BCP/DRP tests successfully conducted | <Engineering Lead or other responsible party> | Initial incident response or BCP/DRP test to be performed by QX, 202X and then at least annually thereafter | Ability to recover in line with RTOs and RPOs during the incident response or BCP/DRP tests |
[GUIDANCE NOTE: This table includes example objectives. Customize it to your organization and update periodically (at least annually). Consider existing objectives in your organization (e.g., OKRs, annual goals, etc.)]
6.3 Planning of changes
All changes to the ISMS will be made in accordance with Example Corporation’s policies, including, but not limited to, the Information Security Policy, Risk Assessment Policy, Change Management Policy and this ISMS plan. This will include planned and unplanned changes impacting the organization and the ISMS, such as:
Changes to policies and procedures resulting from ad-hoc or periodic reviews
Changes to control implementations resulting from risk treatment activities
Software development changes
Changes to vendors and suppliers
Configuration changes
Changes to ISMS documentation
7. Support
7.1. Resources and 7.2 Competence
The proper operations and maintenance of the ISMS requires proper personnel planning and resources. Example Corporation management is devoted to making sure that the ISMS roles and responsibilities, as well as the skills necessary to perform them are well-defined, and that those roles are properly manned by people with the requisite skills (see Skills Matrix above). Records of competence will be maintained. Management will also make sure that the ISMS is prioritized in the budgeting process and properly resourced to guarantee optimal performance.
7.3. Awareness
To ensure the proper implementation of the controls, policies, and procedures, Example Corporation will promote awareness and provide training as to the necessity of such provisions, and how to perform their roles and responsibilities in accordance with these provisions.
7.4. Communication
Example Corporation’s communication plan outlines the lines of communication within the organization, and with outside entities, to include appropriate government agencies (e.g., law enforcement) and non-governmental organizations. It also defines times and intervals, events and situations, and personnel responsible for the communication (see below).
COMMUNICATION PLAN
Document/
Deliverable
| Frequency of Communication | Sender (Delivery from) | Audience
(Delivery to)
| Delivery Type | Delivery Evidence |
Internal Audit Report | Annually | -Internal Auditor -Member of Security Team | -CISO -Risk Committee | -Presentations -Drata Evidence Library (with Access to Drata) | -Committee Meeting Minutes -In Drata |
External Audit Report | Annually | -External Auditor -Member of Security Team | -CISO -Risk Committee -Board of Directors | -Presentations | -Risk Committee and/or Board of Directors Closing Meeting Minutes |
ISO 27001 Certificate | As New Certificates are Issued | -External Auditor -Member of Web Dev Team | -Posted on company website -Marketing -Sales | -Web Posting | -Website |
Corrective Action Report | Quarterly | -Member Responsible for Developing CARs | -CISO -Business Unit Leadership responsible for Corrective Actions -(For external findings) External Auditor | -Meetings -Drata Evidence Library (with Access to Drata) | -Meeting Minutes -In Drata |
ISMS Security Objectives | Quarterly | -Member Responsible for Developing objectives | -Business Unit Leadership for Security Objectives | -Meetings -Drata Evidence Library (with Access to Drata) | -Meeting Minutes -In Drata |
Risk Treatment Plans | Quarterly | -Member Responsible for Developing RTPs | -CISO -Risk Committee -Business Unit Leadership for RTP | -Meetings -Drata Evidence Library (with Access to Drata) | -Meeting Minutes -In Drata |
Management Review Report | Annually or as necessary | -Member Responsible for reporting metrics in Management Review | -CISO -Appropriate Business Unit Leadership | -Meetings -Drata Evidence Library (with Access to Drata) | -Meeting Minutes -In Drata |
External Incident Response Report | As necessary | -Designated member to communicate with external parties (e.g., government agency, NGOs, etc.) | -External Parties (e.g., government agencies, NGOs, etc.) | -Phone -As required by local regulations or standards | -Phone Log -Appropriate Records |
[GUIDANCE NOTE: This is an example communication plan. Customize it to your organization. Consider existing means of communication within your organization (e.g., periodic all-hands calls, newsletters, periodic leadership discussions, quarterly business reviews, etc.)]
7.5. Documented Information
7.5.1. General
The following table includes the documents determined by Example Corporation as being necessary for the effectiveness of the ISMS.
MANDATORY RECORDS & DOCUMENTS
Document | Reference | Location |
ISO 27001:2022 TIER 1 DOCUMENTATION |
|
|
Scope of The Information Security Management System (ISMS) | Clause 4.3 | Section 4.3 of the ISMS Plan |
Information Security Policy | Clause 5.2 | Drata Policy Center |
Definition of Security Roles & Responsibilities | Clause 5.2, Annex A.6.2 | Skills Matrix section of the ISMS Plan |
Information Security Objectives | Clause 6.2 | Information Security Objectives section of the ISMS Plan |
Risk Assessment Process | Clause 6.1.2 | Risk Assessment Policy |
Risk Assessment Report | Clause 8.2 | Drata - Evidence Library |
Risk Treatment Process | Clause 6.1.3 | Risk Assessment Policy |
Risk Treatment Plan | Clause 6.1.3e | Drata - Evidence Library |
Statement of Applicability (For Controls in Annex A) | Clause 6.1.3d | Statement of Applicability section of the ISMS Plan |
List of Interested Parties, Legal & Other Requirements | Clauses 4.2 & 6.1 | Section 4.2 of the ISMS Plan |
Competence (e.g., Skills Matrix & Associated Proof Of Skills) | Clause 7.2 | Skills Matrix section of the ISMS Plan |
Evidence of Communication | Clause 7.4 | Communication Plan section of the ISMS Plan |
Procedure for Document Control | Clause 7.5 | Last page of ISMS Plan |
Monitoring & Measurement Results | Clause 9.1 | Drata - Monitoring page |
Internal Audit Plan & Reports | Clause 9.2 | Internal Audit Section of the ISMS Plan |
Results of Management Reviews of ISMS | Clause 9.3 | Appendix B of the ISMS Plan |
Nonconformities, Corrective Actions & Improvement Suggestions | Clause 10.1; 10.2 | Appendix C of the ISMS Plan |
ISO 27001:2022 TIER 2 DOCUMENTATION |
|
|
Inventory of Assets | Annex A.5.9 | Drata - Assets module |
Acceptable Use of Assets | Annex A.5.10 | Drata - Policy Center |
Access Control Policy | Annex A.5.15 | Drata - Policy Center |
Operating Procedures for Information Security | Annex A.5.37 | Drata - Policy Center |
Logging | Annex A.8.15 | Drata - Policy Center, AWS CloudTrail |
Incident Management Procedure | Annex A.5.26 | Drata - Policy Center |
Business Continuity Strategy & Procedures | Annex A.5.29 | Drata - Policy Center |
Statutory, Regulatory, And Contractual Requirements | Annex A.5.31 | Section 4.2 of the ISMS Plan |
[GUIDANCE NOTE: This list includes REQUIRED documented information for the ISMS. The certification body will demand to see documented evidence of each. Customize location as appropriate.]
CONDITIONAL RECORDS & DOCUMENTS (If Applicable)
Document | Reference | Location |
Confidentiality or Non-Disclosure Agreements | Annex A.6.6 | Google Drive |
Secure System Engineering Principles | Annex A.8.27 | Drata - Policy Center |
Supplier Security Policy | Annex A.5.19 | Google Drive |
DISCRETIONARY RECORDS & DOCUMENTS (Commonly Used)
Document | Reference | Location |
Controls for Managing Records | Clause 7.5.3 | Section 7.5.2-.3 of the ISMS Plan |
Procedure for Measuring and Monitoring | Clause 9.1 | Section 9.1 of the ISMS Plan |
Procedure for Corrective Action | Clause 10.2 | Appendix C of the ISMS Plan |
Bring Your Own Device (BYOD) Policy | Annex A.8.1 | Drata - Policy Center |
Mobile Device & Teleworking Policy | Annex A.8.1 | Drata - Policy Center |
Information Classification Policy | Annex A.5.12 | Drata - Policy Center |
User Access Rights Policies (Including Password Control) | Annex A.5.18 | Drata - Policy Center |
Disposal & Destruction Policy | Annex A.7.10; A.7.4 | Drata - Policy Center |
Procedures for Working in Secure Areas | Annex A.7.6 | Drata - Policy Center |
Clear Desk & Clear Screen Policy | Annex A.7.7 | Drata - Policy Center |
Change Management Policy | Clause 6.3; Annex A.8.32 | Drata - Policy Center |
Backup Policy | Annex A.8.13 | Drata - Policy Center |
Information Transfer Policy | Annex A.5.14 | Drata - Policy Center |
Business Impact Analysis | Annex A.5.29 | Drata - Policy Center |
ISMS Continuity Controls Testing Plan | Annex A.5.29 | Drata - Policy Center |
7.5.2. Creating and updating
Example Corporation ensures documentation generated by Example Corporation personnel is appropriately controlled. Consideration is given to:
Identification of documentation through the assignment of titles, dates, authors, and reference numbers.
Format including language, version, and media (physical or electronic) used to display and communicate documentation.
Review and approval for suitability, adequacy, and accuracy of the information contained within documentation.
The record of this consideration is contained within the “Revision History” table inside of each policy, and records of review and approval are contained within the Drata Policy Center, which documents the policy approval and assigned owner.
7.5.3. Control of documented information
Example Corporation’s crucial task in the operation and maintenance of the ISMS is the collection of the appropriate records and evidence to ensure the functionality of the ISMS, and the effectiveness of the system. The records will also reflect personnel performance and completion of necessary tasks.
Example Corporation will also have a systematic approach for document management. To control documents:
Classify documents properly
Define members with the rights for distribution, access, retrieval, and use of documents, and the necessary actions to be performed.
Identify methods currently used to receive, process, approve/reject, store and/ or delete documents.
Align business processes to document management requirements
Identify documents for control
Integrate change controls to ensure integrity of documents
9. Performance Evaluation / 10. Improvement
9.1. Monitoring, measurement, analysis and evaluation
Example Corporation will evaluate its security objectives by monitoring and measurement of implemented controls. Monitoring provides awareness of the status and state of assets and processes that have been selected to be watched, and can provide basic and immediate alerts if something is not performing as expected. Measurements allow for the evaluation of assets and processes based on predefined units. The assets and processes for evaluation will be properly documented, the company will produce and maintain reports and evidence of evaluations.
These evaluations are meant to allow the Example Corporation to:
Ensure control objectives are being satisfied and validate the decisions made;
Establish a roadmap to meet set targets and expectations;
Produce evidence and justification for implemented measures; and/or,
Discover and identify security gaps that would require change, corrective action(s), or intervention.
The following systems, processes and activities could be monitored:
ISMS Implementation
Incident Management
Vulnerability Management
Configuration Management
Security Awareness and Training
Access Control, Firewall and other Event Logging
Audits
Risk Assessment Process
Risk Treatment Process
Third Party Risk Management
Business Continuity Management
Physical and Environmental Security Management
System Monitoring
The following processes and activities could be measured:
Planning
Leadership
Risk Management
Policy Management
Resource Management
Communicating
Management Review
Documenting
Auditing
Effectiveness measures will be used to evaluate the effectiveness and impact of the risk treatment plan and related processes and controls related to the information security objectives. These measures could include:
Cost savings resulting from properly operating the ISMS, or costs incurred from addressing incidents
Level of customer trust
Achievement of other information security objectives
KPI Metrics
KPI | Infosec Objective ID (Fr. 6.2) | Frequency | Measure | Result | Target | Supporting Documentation | KPI Owner | Last Review Date |
ISMS Plan Review | 6 | Annually | (# of Reviews / 1) * 100 | 100% | 100% | Security Steering Committee Meeting Minutes | CISO | 01/20/2023 |
Information Security Policy Review | 1, 4 | Annually | (# of Reviews / 1) * 100 | 100% | 100% | Information Security Policy | CISO | 01/20/2023 |
Security Awareness Training | 3 | Annually | (# of employees who received SATE / total # of employees) * 100 | 87% | 90-100% | Proofpoint Security Awareness Training Results | Manager, GRC | 01/20/2023 |
Social Engineering Reporting Rate | 3 | Quarterly | (# of phishing simulation report / total # of employees) * 100 | 43% | >50% | Proofpoint Security Awareness Training Results | Manager, GRC | 03/06/2023 |
Social Engineering Failure Rate | 3 | Quarterly | (# of phishing failure / total # of employees) * 100 | 7% | <5% | Proofpoint Security Awareness Training Results | Manager, GRC | 03/06/2023 |
BC/DR Annual Test | 1, 2 | Annually | (# of BC/DR test performed / 1) * 100 | 100% | 100% | BC/DR Test Report | CISO | 02/17/2023 |
Annual Incident Response Test | 1, 5, 6 | Annually | (# of IR test performed / 1) * 100 | 100% | 100% | IR Test Report | CISO | 02/24/2023 |
Penetration Test | 1, 5, 6 | Annually | (# of penetration test performed / 1) * 100 | 100% | 100% | Penetration Test Report | Manager, GRC | 01/17/2023 |
Vulnerability Scans | 1, 5, 6 | Monthly | (# of vulnerability scans performed / 12) * 100 | 100% | 100% | AWS GuardDuty | Manager, GRC | 03/20/2023 |
User Access Reviews | 1, 6 | Quarterly | (# of user access reviews performed / 4) * 100 | 100% | 100% | User Access Review emails | Manager, GRC | 01/09/2023 |
Annual Board of Directors meeting on Cybersecurity | 4 | Annually | (# of Board Meetings / 1) * 100 | 100% | 100% | Board of Director Meeting Minutes | CISO | 03/03/2023 |
Platform Availability metric | 1, 4 | Monthly | ((100 - Down time) / 100) * 100 | 99.5% | 99.5% | Status page | IT | 03/20/2023 |
Drata Controls Monitoring | 1 | Daily | (# Passing test / Total number of test) * 100 | 93% | 95%-100% | Drata Monitoring | Manager, GRC | 03/23/2023 |
[GUIDANCE NOTE: These are examples of KPI metrics. You must customize it to your organization. Considering existing KPIs, goals and OKRs measured across different departments in your organization and how they are monitored, reported, and evaluated (e.g., quarterly business reviews, periodic executive level meetings, etc.)]
9.2. Internal audit
Internal Audits are a crucial element of Example Corporation’s ISMS and its continuous improvement. The process will ensure the discovery and identification of issues, gaps, malfunctions, etc. in the company’s ISMS that could ultimately damage or harm the company.
Frequency. Example Corporation will conduct an internal audit of its ISMS at least annually
Audit Entity. Example Corporation internal audits will be conducted by:
Employee, full-time auditor;
Employee, part-time auditor; or
Third party internal auditor (outside organization will conduct internal audit per rules set by Example Corporation)
In the case of an employee being selected as an auditor, Example Corporation will ensure that the auditor is objective and impartial. This will be done through different methods, such as selecting an employee from a different department or team to audit a specific department or team.
Documentation. Example Corporation will set and document the criteria and scope of each annual internal audit in the Internal Audit Program. It will also produce and maintain, for evidence, reports of the internal audit, where findings, gaps, and nonconformities will be outlined (see Appendix A).
Example Corporation will include in its Internal Audit Program sections such as:
Method of internal auditor selection
Process of planning the internal audit
Steps to conduct the internal audit
Post-audit activities
Internal audit checklist
Plan and Procedure. (See APPENDIX A)
9.3. Management review / 10.1. Continual improvement / 10.2. Nonconformity and corrective action
Management review. Example Corporation management will systematically review and make critical decisions concerning the ISMS. The review will be <ASSIGN MEMBER (e.g., CISO)>, who is also responsible for compiling all necessary information and inputs for consideration (see APPENDIX B).
The review will take into consideration:
Status of items, issues, and tasks from previous review
Any internal and external changes that impact security
Feedback from, and any security-related changes in needs and expectations of, interested parties
Feedback on the performance of the ISMS, to include:
Nonconformities and corrective actions
Monitoring and measurement results
Audit results
Fulfillment of information security objectives
Risk assessment results, and risk treatment status
Continual improvement opportunities
Decisions will be made concerning:
The ISMS scope and whether it requires modifications
Security policies and whether any require modifications
Security gaps and necessary improvements
Necessary resources
The overall effectiveness of the ISMS and fulfillment of its objectives
Implementation of different security strategies and training
Frequency. Example Corporation will conduct a management review of its ISMS <INTERVAL (at least annually)>, and as necessary.
Documentation and reporting. The considerations, discussions, and decisions from the management review will be recorded in the meeting minutes, which could also include discussions from other reviews. The results of the review, and subsequent tasks and responsibilities, will be communicated to relevant parties by [METHOD, e.g., e-mail, meeting, all-hands, etc.].
Nonconformity and corrective action plan.
In the event of a nonconformity, [COMPANY NAME] will take action to control and correct it, or deal with the consequences, as applicable. [COMPANY NAME] will employ corrective action plans for the systematic elimination of issues and nonconformities. The plan will aim to resolve an issue from its root cause so that it can be prevented or mitigated in the future and sustain the corrective measures. It will include:
Review of the nonconformity
Root cause analysis and assessment
Determination of whether similar nonconformities are present or could occur
Required steps for root cause elimination
Implementing changes to the ISMS, if necessary
Risk-opportunity assessment of changes and review of their effectiveness
Time and cost assessment
Rubric for measuring effectiveness
[COMPANY NAME] will document any corrective actions taken. The documentation will at a minimum include:
Nature of nonconformities
Identified root cause
Corrective actions taken
Implementation of corrective actions
Result of corrective actions (include effectiveness)
ISMS Plan Revision History
Version | Date | Editor | Approver | Description of Changes | Format |
1.0 |
|
|
|
|
|
1.1 | 12/19/2024 | Ari Mojiri | Ari Mojiri | Typo and formatting corrections; removal of trailing periods for section numbers. |
|
|
|
|
|
|
|
APPENDIX A
Statement of Applicability (SOA) & SOA Revision History
You may use this optional template to document your statement of applicability. You may use this document or create a separate copy and manage it in a different format (e.g., internal wiki, etc.)
ISO/IEC 27001:2022 Annex A
NOTE: Per ISO/IEC 27001, the information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed.
NOTE 2: Per ISO/IEC 27006, It is possible for an organization to design its own necessary controls or to select them from any source, therefore it is possible that an organization is certified to ISO/IEC 27001 even though none of its necessary controls are those specified in ISO/IEC 27001:2022, Annex A.
NOTE 3: Per ISO/IEC 27005, only controls identified in the risk assessment can be included in the SOA. Controls cannot be added to the SOA independent of the risk assessment. There should be consistency between the controls necessary to realize selected risk treatment options and the SOA. The SOA can state that the justification for the inclusion of a control is the same for all controls and that they have been identified in the risk assessment as necessary to treat one or more risks to an acceptable level. No further justification for the inclusion of a control is needed for any of the controls.
NOTE 4: The justification for the inclusion of all controls listed as applicable in this SOA is the same for all controls: they have been identified in the risk assessment as necessary to treat one or more risks identified in the risk assessment to an acceptable level.
Statement of Applicability
[IMPORTANT NOTE: Downloadable version of the sample template can be found at the bottom of the page. When completing Appendix A, assess all 93 Annex A controls and determine if each is applicable based on your risk assessment. Clearly state whether each control is included or excluded, and provide specific, risk-based justifications for any exclusions. Avoid vague language, tie decisions to your actual environment. For applicable controls, note their implementation status and reference supporting policies or procedures to ensure the SoA is clear, justified, and audit-ready.]
|
|
|
|
|
|
CONTROL | CONTROL TITLE & DESCRIPTION | APPLICABLE? (Y/N) | JUSTIFICATION FOR EXCLUSION | IMPLEMENTED? (Y/N) | IMPLEMENTATION DETAILS |
A.5 | ORGANIZATIONAL CONTROLS |
|
|
|
|
A.5.1 | Policies for information security Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. | [EXAMPLE] Y | [EXAMPLE] N/A | [EXAMPLE] Y | [EXAMPLE] All company policies currently approved by management and acknowledged by employees |
A.5.2 | Information security roles and responsibilities Information security roles and responsibilities should be defined and allocated according to the organization needs. |
|
|
|
|
A.5.3 | Segregation of duties Conflicting duties and conflicting areas of responsibility should be segregated. |
|
|
|
|
A.5.4 | Management responsibilities Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization. |
|
|
|
|
A.5.5 | Contact with authorities The organization should establish and maintain contact with relevant authorities. |
|
|
|
|
A.5.6 | Contact with special interest groups The organization should establish and maintain contact with special interest groups or other specialist security forums and professional associations. |
|
|
|
|
A.5.7 | Threat intelligence Information relating to information security threats should be collected and analysed to produce threat intelligence. |
|
|
|
|
A.5.8 | Information security in project management Information security should be integrated into project management. |
|
|
|
|
A.5.9 | Inventory of information and other associated assets An inventory of information and other associated assets, including owners, should be developed and maintained. |
|
|
|
|
A.5.10 | Acceptable use of information and other associated assets Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented. |
|
|
|
|
A.5.11 | Return of assets Personnel and other interested parties as appropriate should return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement. |
|
|
|
|
A.5.12 | Classification of information Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements. |
|
|
|
|
A.5.13 | Labeling of information An appropriate set of procedures for information labeling should be developed and implemented in accordance with the information classification scheme adopted by the organization. | [EXAMPLE] Y | [EXAMPLE] N/A | [EXAMPLE] N - In progress | [EXAMPLE] Currently rolling out labeling strategy across the organization through Google Drive labeling features; expected completion by end of Q4 202X |
A.5.14 | Information transfer Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. |
|
|
|
|
A.5.15 | Access control Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. |
|
|
|
|
A.5.16 | Identity management The full life cycle of identities should be managed. |
|
|
|
|
A.5.17 | Authentication information Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information. |
|
|
|
|
A.5.18 | Access rights Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control. |
|
|
|
|
A.5.19 | Information security in supplier relationships Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier’s products or services. |
|
|
|
|
A.5.20 | Addressing information security within supplier agreements Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship. |
|
|
|
|
A.5.21 | Managing information security in the ICT supply chain Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain. |
|
|
|
|
A.5.22 | Monitoring, review and change management of supplier services The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. |
|
|
|
|
A.5.23 | Information security for use of cloud services Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements. |
|
|
|
|
A.5.24 | Information security incident management planning and preparation The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. |
|
|
|
|
A.5.25 | Assessment and decision on information security events The organization should assess information security events and decide if they are to be categorized as information security incidents. |
|
|
|
|
A.5.26 | Response to information security incidents Information security incidents should be responded to in accordance with the documented procedures. |
|
|
|
|
A.5.27 | Learning from information security incidents Knowledge gained from information security incidents should be used to strengthen and improve the information security controls. |
|
|
|
|
A.5.28 | Collection of evidence The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. |
|
|
|
|
A.5.29 | Information security during disruption The organization should plan how to maintain information security at an appropriate level during disruption. |
|
|
|
|
A.5.30 | ICT readiness for business continuity ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. |
|
|
|
|
A.5.31 | Legal, statutory, regulatory and contractual requirements Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements should be identified, documented and kept up to date. |
|
|
|
|
A.5.32 | Intellectual property rights The organization should implement appropriate procedures to protect intellectual property rights. |
|
|
|
|
A.5.33 | Protection of records Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. |
|
|
|
|
A.5.34 | Privacy and protection of PII The organization should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements. |
|
|
|
|
A.5.35 | Independent review of information security The organization’s approach to managing information security and its implementation including people, processes and technologies should be reviewed independently at planned intervals, or when significant changes occur. |
|
|
|
|
A.5.36 | Compliance with policies, rules and standards for information security Compliance with the organization’s information security policy, topic-specific policies, rules and standards should be regularly reviewed. |
|
|
|
|
A.5.37 | Documented operating procedures Operating procedures for information processing facilities should be documented and made available to personnel who need them. |
|
|
|
|
A.6 | PEOPLE CONTROLS |
|
|
|
|
A.6.1 | Screening Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. |
|
|
|
|
A.6.2 | Terms and conditions of employment The employment contractual agreements should state the personnel’s and the organization’s responsibilities for information security. |
|
|
|
|
A.6.3 | Information security awareness, education and training Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function. |
|
|
|
|
A.6.4 | Disciplinary process A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation. |
|
|
|
|
A.6.5 | Responsibilities after termination or change of employment Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties. |
|
|
|
|
A.6.6 | Confidentiality or non-disclosure agreements Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties. |
|
|
|
|
A.6.7 | Remote working Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises. |
|
|
|
|
A.6.8 | Information security event reporting The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner. |
|
|
|
|
A.7 | PHYSICAL CONTROLS |
|
|
|
|
A.7.1 | Physical security perimeters Security perimeters should be defined and used to protect areas that contain information and other associated assets. |
|
|
|
|
A.7.2 | Physical entry Secure areas should be protected by appropriate entry controls and access points. |
|
|
|
|
A.7.3 | Securing offices, rooms and facilities Physical security for offices, rooms and facilities should be designed and implemented. |
|
|
|
|
A.7.4 | Physical security monitoring Premises should be continuously monitored for unauthorized physical access. |
|
|
|
|
A.7.5 | Protecting against physical and environmental threats Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure should be designed and implemented. |
|
|
|
|
A.7.6 | Working in secure areas Security measures for working in secure areas should be designed and implemented. |
|
|
|
|
A.7.7 | Clear desk and clear screen Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced. |
|
|
|
|
A.7.8 | Equipment siting and protection Equipment should be sited securely and protected. |
|
|
|
|
A.7.9 | Security of assets off-premises Off-site assets should be protected. |
|
|
|
|
A.7.10 | Storage media Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements. |
|
|
|
|
A.7.11 | Supporting utilities Information processing facilities should be protected from power failures and other disruptions caused by failures in supporting utilities. |
|
|
|
|
A.7.12 | Cabling security Cables carrying power, data or supporting information services should be protected from interception, interference or damage. |
|
|
|
|
A.7.13 | Equipment maintenance Equipment should be maintained correctly to ensure availability, integrity and confidentiality of information. |
|
|
|
|
A.7.14 | Secure disposal or re-use of equipment Items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. |
|
|
|
|
A.8 | TECHNICAL CONTROLS |
|
|
|
|
A.8.1 | User endpoint devices Information stored on, processed by or accessible via user endpoint devices should be protected. |
|
|
|
|
A.8.2 | Privileged access rights The allocation and use of privileged access rights should be restricted and managed. |
|
|
|
|
A.8.3 | Information access restriction Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. |
|
|
|
|
A.8.4 | Access to source code Read and write access to source code, development tools and software libraries should be appropriately managed. |
|
|
|
|
A.8.5 | Secure authentication Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. |
|
|
|
|
A.8.6 | Capacity management The use of resources should be monitored and adjusted in line with current and expected capacity requirements. |
|
|
|
|
A.8.7 | Protection against malware Protection against malware should be implemented and supported by appropriate user awareness. |
|
|
|
|
A.8.8 | Management of technical vulnerabilities Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. |
|
|
|
|
A.8.9 | Configuration management Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. |
|
|
|
|
A.8.10 | Information deletion Information stored in information systems, devices or in any other storage media should be deleted when no longer required. |
|
|
|
|
A.8.11 | Data masking Data masking should be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration. |
|
|
|
|
A.8.12 | Data leakage prevention Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information. |
|
|
|
|
A.8.13 | Information backup Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. |
|
|
|
|
A.8.14 | Redundancy of information processing facilities Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. |
|
|
|
|
A.8.15 | Logging Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. |
|
|
|
|
A.8.16 | Monitoring activities Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. |
|
|
|
|
A.8.17 | Clock synchronization The clocks of information processing systems used by the organization should be synchronized to approved time sources. |
|
|
|
|
A.8.18 | Use of privileged utility programs The use of utility programs that can be capable of overriding system and application controls should be restricted and tightly controlled. |
|
|
|
|
A.8.19 | Installation of software on operational systems Procedures and measures should be implemented to securely manage software installation on operational systems. |
|
|
|
|
A.8.20 | Networks security Networks and network devices should be secured, managed and controlled to protect information in systems and applications. |
|
|
|
|
A.8.21 | Security of network services Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored. |
|
|
|
|
A.8.22 | Segregation of networks Groups of information services, users and information systems should be segregated in the organization’s networks. |
|
|
|
|
A.8.23 | Web filtering Access to external websites should be managed to reduce exposure to malicious content. |
|
|
|
|
A.8.24 | Use of cryptography Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented. |
|
|
|
|
A.8.25 | Secure development life cycle Rules for the secure development of software and systems should be established and applied. |
|
|
|
|
A.8.26 | Application security requirements Information security requirements should be identified, specified and approved when developing or acquiring applications. |
|
|
|
|
A.8.27 | Secure system architecture and engineering principles Principles for engineering secure systems should be established, documented, maintained and applied to any information system development activities. |
|
|
|
|
A.8.28 | Secure coding Secure coding principles should be applied to software development. |
|
|
|
|
A.8.29 | Security testing in development and acceptance Security testing processes should be defined and implemented in the development life cycle. |
|
|
|
|
A.8.30 | Outsourced development The organization should direct, monitor and review the activities related to outsourced system development. | Not Applicable | Not needed to implement risk treatment plan | N/A | N/A |
A.8.31 | Separation of development, test and production environments Development, testing and production environments should be separated and secured. |
|
|
|
|
A.8.32 | Change management Changes to information processing facilities and information systems should be subject to change management procedures. |
|
|
|
|
A.8.33 | Test information Test information should be appropriately selected, protected and managed. |
|
|
|
|
A.8.34 | Protection of information systems during audit testing Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management. |
|
|
|
|
Addendum for ISO/IEC 27017
CONTROL | CONTROL TITLE & DESCRIPTION | APPLICABLE? (Y/N) | JUSTIFICATION FOR EXCLUSION | IMPLEMENTED? (Y/N) | IMPLEMENTATION DETAILS |
CLD 6.3.1 | Shared roles and responsibilities within a cloud computing environment Responsibilities for shared information security roles in the use of the cloud service should be allocated to identified parties, documented, communicated and implemented by both the cloud service customer and the cloud service provider. |
|
|
|
|
CLD 8.1.5 | Removal of cloud service customer assets Assets of the cloud service customer that are on the cloud service provider's premises should be removed, and returned if necessary, in a timely manner upon termination of the cloud service agreement. |
|
|
|
|
CLD 9.5.1 | Segregation in virtual computing environments A cloud service customer's virtual environment running on a cloud service should be protected from other cloud service customers and unauthorized persons. |
|
|
|
|
CLD 9.5.2 | Virtual Machine Hardening Virtual machines in a cloud computing environment should be hardened to meet business needs. |
|
|
|
|
CLD 12.1.5 | Administrator's operational security Procedures for administrative operations of a cloud computing environment should be defined, documented and monitored. |
|
|
|
|
CLD 12.4.5 | Monitoring of Cloud Services The cloud service customer should have the capability to monitor specified aspects of the operation of the cloud services that the cloud service customer uses. |
|
|
|
|
CLD 13.1.4 | Alignment of security management for virtual and physical networks Upon configuration of virtual networks, consistency of configurations between virtual and physical networks should be verified based on the cloud service provider's network security policy. |
|
|
|
|
[Delete if your ISMS doesn't include ISO27017]
Addendum for ISO/IEC 27018
CONTROL | CONTROL TITLE & DESCRIPTION | APPLICABLE? (Y/N) | JUSTIFICATION FOR EXCLUSION | IMPLEMENTED? (Y/N) | IMPLEMENTATION DETAILS |
A.2.1 | Obligation to co-operate regarding PII principals’ rights The public cloud PII processor should provide the cloud service customer with the means to enable them to fulfill their obligation to facilitate the exercise of PII principals’ rights to access, correct and/or erase PII pertaining to them. |
|
|
|
|
A.3.1 | Public cloud PII processor’s purpose PII to be processed under a contract should not be processed for any purpose independent of the instructions of the cloud service customer. |
|
|
|
|
A.3.2 | Public cloud PII processor's commercial use PII processed under a contract should not be used by the public cloud PII processor for the purposes of marketing and advertising without express consent. Such consent should not be a condition of receiving the service. |
|
|
|
|
A.5.1 | Secure erasure of temporary files Temporary files and documents should be erased or destroyed within a specified, documented period. |
|
|
|
|
A.6.1 | PII disclosure notification The contract between the public cloud PII processor and the cloud service customer should require the public cloud PII processor to notify the cloud service customer, in accordance with any procedure and time periods agreed in the contract, of any legally binding request for disclosure of PII by a law enforcement authority, unless such a disclosure is otherwise prohibited. |
|
|
|
|
A.6.2 | Recording of PII disclosures Disclosures of PII to third parties should be recorded, including what PII has been disclosed, to whom and at what time. |
|
|
|
|
A.8.1 | Disclosure of sub-contracted PII processing The use of sub-contractors by the public cloud PII processor to process PII should be disclosed to the relevant cloud service customers before their use. |
|
|
|
|
A.10.1 | Notification of a data breach involving PII The public cloud PII processor should promptly notify the relevant cloud service customer in the event of any unauthorized access to PII or unauthorized access to processing equipment or facilities resulting in loss, disclosure or alteration of PII. |
|
|
|
|
A.10.2 | Retention period for administrative security policies and guidelines Copies of security policies and operating procedures should be retained for a specified, documented period on replacement (including updating). |
|
|
|
|
A.10.3 | PII return, transfer and disposal The public cloud PII processor should have a policy in respect of the return, transfer and/or disposal of PII and should make this policy available to the cloud service customer. |
|
|
|
|
A.11.1 | Confidentiality or non-disclosure agreements Individuals under the public cloud PII processor’s control with access to PII should be subject to a confidentiality obligation. |
|
|
|
|
A.11.2 | Restriction of the creation of hardcopy material The creation of hardcopy material displaying PII should be restricted. |
|
|
|
|
A.11.3 | Control and logging of data restoration There should be a procedure for, and a log of, data restoration efforts. |
|
|
|
|
A 11.4 | Protecting data on storage media leaving the premises PII on media leaving the organization's premises should be subject to an authorization procedure and should not be accessible to anyone other than authorized personnel (e.g. by encrypting the data concerned). |
|
|
|
|
A.11.5 | Use of unencrypted portable storage media and devices Portable physical media and portable devices that do not permit encryption should not be used except where it is unavoidable, and any use of such portable media and devices should be documented. |
|
|
|
|
A.11.6 | Encryption of PII transmitted over public data-transmission networks PII that is transmitted over public data-transmission networks should be encrypted prior to transmission. |
|
|
|
|
A.11.7 | Secure disposal of hardcopy materials Where hardcopy materials are destroyed, they should be destroyed securely using mechanisms such as cross-cutting, shredding, incinerating, pulping, etc. |
|
|
|
|
A.11.8 | Unique use of user IDs If more than one individual has access to stored PII, then they should each have a distinct user ID for identification, authentication and authorization purposes. |
|
|
|
|
A,11.9 | Records of authorized users An up-to-date record of the users or profiles of users who have authorized access to the information system should be maintained. |
|
|
|
|
A.11.10 | User ID management De-activated or expired user IDs should not be granted to other individuals. |
|
|
|
|
A.11.11 | Contract measures Contracts between the cloud service customer and the public cloud PII processor should specify minimum technical and organizational measures to ensure that the contracted security arrangements are in place and that data are not processed for any purpose independent of the instructions of the controller. Such measures should not be subject to unilateral reduction by the public cloud PII processor. |
|
|
|
|
A.11.12 | Sub-contracted PII processing Contracts between the public cloud PII processor and any sub-contractors that process PII should specify minimum technical and organizational measures that meet the information security and PII protection obligations of the public cloud PII processor. Such measures should not be subject to unilateral reduction by the sub-contractor. |
|
|
|
|
A.11.13 | Access to data on pre-used data storage space The public cloud PII processor should ensure that whenever data storage space is assigned to a cloud service customer, any data previously residing on that storage space is not visible to that cloud service customer. |
|
|
|
|
A.12.1 | Geographical location of PII The public cloud PII processor should specify and document the countries in which PII can possibly be stored. |
|
|
|
|
A.12.2 | Intended destination of PII PII transmitted using a data-transmission network should be subject to appropriate controls designed to ensure that data reaches its intended destination. |
|
|
|
|
[Delete if your ISMS does not include ISO 27018.]
Statement of Applicability Revision History
Version | Date | Editor | Approver | Description of Changes |
1.0 | XX/XX/XX |
|
| Initial creation |
|
|
|
|
|
|
|
|
|
|
APPENDIX B
Management Review Agenda and Minutes Template
You may use this optional template to satisfy requirements for documented information of the management reviews per clause 9.3 To use this template, create a separate copy and document the agenda and minutes for every management review meeting. Documentation of the management review should be maintained separate from this ISMS plan. We recommend you delete this template from the ISMS plan before finalizing the document and submitting it for final review and approval.
<DATE> | <QX> Management Review Meeting
Attendees: < >
Status of action items from previous management reviews
Action Item | Responsible Party | Status |
<Example> Request quotes for certification audit | <Example> IT Manager | <Example> Completed |
Changes in external and internal issues that are relevant to the information security management systems:
<Example> The rise of artificial intelligence has become a relevant external issue as there is an increased risk that employees will enter company or customer data in online AI tools
Changes in needs and expectations of interested parties that are relevant to the information
security management system;
<Example> We entered into a contract with a new customer that requires ISO/IEC 27017 to be implemented as part of the ISMS before the end of next year
Audit results
<Example> Internal Audit was completed on XX/XX. We received the audit report with 2 minor nonconformities (see below).
Review of nonconformities and corrective actions:
<Example> Internal Audit identified the following nonconformities:
13 controls marked applicable in the statement of applicability did not tie to a risk in the risk register (6.1.3)
Two policy documents have not been reviewed and approved within the past year as required by the information security policy.
Monitoring and measurement results
<Insert evidence (for example, links to dashboards, reports, presentations etc.) to results of metrics evaluation as defined in clause 9.1>
Fulfillment of information security objectives
<Example> We are on track to achieve our information security objective of achieving ISO/IEC 27001 certification by QX, 202X (objectives were defined in clause 6 of the ISMS plan).
Feedback from interested parties
<Example> We communicated the expected certification date to JP Morgan (customer) to whom we are contractually obligated to obtain the certification this year and received positive feedback.
Results of risk assessment and status of risk treatment plan
<Example> The most recent risk assessment was completed on XX/XX. As of these date and after implementing the risk treatment plan since the previous risk assessment the following remain:
1 critical risk
3 high risks
3 medium risks
75 low risks - The residual risks for these have been deemed acceptable following the implementation of the necessary controls
Opportunities for continual improvement
<Example> The most recent risk assessment was completed on XX/XX. As of these date and after implementing the risk treatment plan since the previous risk assessment the following remain:
1 critical risk
3 high risks
3 medium risks
75 low risks - The residual risks for these have been deemed acceptable following the implementation of the necessary controls
Decisions and need for changes to the information security management system
Action Item | Responsible Party | Expected Completion Date |
Schedule meeting for review of quotes and selection of certification auditor | <Example> IT Manager | <Example> XX/XX/XXXX |
Implement corrective actions for the nonconformities identified in the internal audit | <Example> IT Manager | <Example> XX/XX/XXXX |
APPENDIX C
Corrective Action Report Template
You may use this optional template to satisfy requirements for documented information of the evaluation of nonconformities and corrective actions per clause 10.2. To use this template, create a separate copy and complete an evaluation every time a nonconformity (e.g., control failure, non-fulfillment of a requirement) is identified. Nonconformities can be identified from many sources including internal audits, external audits, personnel reporting, etc.Documentation of nonconformities and corrective actions should be maintained separate from this ISMS plan. We recommend you delete this template from the ISMS plan before finalizing the document and submitting it for final review and approval.
CORRECTIVE ACTION REPORT | Confidentiality | Date of Review | [DATE] |
[COMPANY NAME] | [LEVEL] | Date of Previous Review | [DATE] |
NON-CONFORMITIES |
|
|
|
|
|
|
|
Date Identified |
| Description |
|
Source |
| Corrective Action |
|
Root Cause |
| Implementation |
|
Result/Effectiveness |
|
|
|
Due Date |
| Owner |
|
Notes: |
|
|
|
|
|
|
|
Date Identified |
| Description |
|
Source |
| Corrective Action |
|
Root Cause |
| Implementation |
|
Result/Effectiveness |
|
|
|
Due Date |
| Owner |
|
Notes: |
|
|
|
Internal Audit Plan and Procedure
Purpose
The purpose of the internal audit is to ensure the effectiveness of Example Corporation’s information security management system, its continuous improvement, and conformance with the requirements of ISO 27001:2022, as set out in Clause 9.2 of the standard. It will ensure (a) conformance with the standard, and more importantly, (b) proper information security measures in place that are continuously improved. Additionally, the internal audit will:
Uncover nonconformities before others discover them;
Ensure a strong security stance by identifying areas that require attention prior to a security event;
Demonstrate and inform management commitment; and
Assist staff understanding and awareness.
Scope
This plan applies to Example Corporation internal audits of the ISMS, and establishes the procedures for carrying out the audit. The audit scope should match the ISMS.
Roles and responsibilities
Lead Auditor: Responsible for the planning and execution of the audit. The lead auditor is a competent entity independent from the ISMS, who is a member of the company independent of the ISMS OR a third party auditor.
Employees: Responsible for assisting in the audit process, when and as required.
Plan
Audit schedule
Properly planned out audit, and readily-available schedule to let all members aware of when each process will be audited over the upcoming cycle.
Allow time for better preparation and practical support.
Allow time for process owners to:
finish any improvement projects and gather valuable information on the implementation; or,
request that the auditor(s) focus on helping to gather information for other planned improvements.
Coordinate with process owners
Collaborate to determine the best time to review the process.
Auditor(s) can review previous audits to see if any follow-up is required on comments or concerns previously found.
Process owners can identify any areas that the auditor can look at to assist the process owner to identify information.
Ensure that the process owners will get value out of the audit process.
Conducting the audit
Gather, review, analyze information as outlined in the audit procedures below.
Identify areas that do not have operational evidence.
Identify areas that may function better if changes are made.
Reporting audit findings
Meet with interested parties and process owners to ensure an efficient flow of information (non-conforming).
Highlight areas of weakness to be addressed, and areas that could use improvement (improvement opportunities).
Follow-up
Ensure that identified areas of non-conformity are resolved and corrective actions have been taken.
Check any progress on identified improvement opportunities.
Procedure
Review ISMS documentation
Audit scope should match ISMS, setting clear limits for the internal audit.
All prescribed documents(See Prescribed Documentation above) are in place and readily available.
Identify any criteria, if any, needed for consideration during the audit
Identify the extent of work that may be done during the audit
Identify any anticipated limitations
Identify the main stakeholders in the ISMS
Any required documentation for the audit could be easily requested.
Management input
Designated internal auditor should be competent and independent.
Agree and determine the timing and resources required for the audit.
Set milestones/checkpoints for when the board should receive interim updates.
Discuss issues or concerns
Conduct practical assessment
Observe the operation of the ISMS, and whether it properly functions in practice by speaking with members involved and operating processes related to the ISMS, whether they are in an ISMS role or not.
Run audit tests to validate evidence as it is gathered.
Complete audit reports and document the results of each test.
Analyze evidence
Sort and review all evidence collected during the audit, as related to the company’s risk treatment plan and control objectives.
Identify any further gaps or need for further audit tests.
Report findings (see Appendix A). The report should include:
Classification and dissemination restrictions of the report
Intended recipient(s) of the report
An executive summary to highlight the key findings, high-level analysis and a conclusion
Scope, Timing, any outlined criteria
Analysis of the findings and compliance with each clause of the ISMS requirements
Recommendations
Post-audit actions
INTERNAL AUDIT REPORT | Confidentiality | Date of Audit | 02/14/2023 - 02/23/2023 |
|
|
Example Corporation | Internal Use | Date of Previous Audit | N/A |
|
|
RECIPIENT(S) | - John Smith - CISO - Jane Doe - Manager, GRC - Lisa Bautista - CEO - James Chapman - CTO - Alice Wallace - CFO |
|
|
|
|
EXECUTIVE SUMMARY |
|
|
|
|
|
Internal Audit has prepared the following report after conducting an audit on the Example Corporation’s web and mobile applications. This audit was conducted pursuant to receiving ISO 27001 certification for Example Corporation’s ISMS. This audit was conducted against the ISO 27001 and ISO 27002 standards. Evidence was collected through the use of the Drata Platform and collected from the interviews with the GRC Manager, and taking screenshots from specific systems not otherwise captured within the Drata Platform. The overall opinion of the internal audit is that Drata’s ISMS was established and is being operated appropriately. Three (3) minor non-conformities were noted and one (1) enhancements/process improvements were noted. It is the recommendation of Internal Audit that the three (3) minor non-conformities are remediated prior to beginning Stage 1 of the ISO 27001 audit. |
|
|
|
|
|
AUDITOR | AUDIT SCOPE & CRITERIA |
|
|
|
|
Auditor Name | Benedict Arnold | Scope |
Example Corporation Management Information Security Information Technology & Engineering Human Resources Legal
Amazon Web Services (AWS) GitHub Slack Jira
Example Corporation Web Application (app.examplecorp.com) Example Corporation Mobile Application (iOS & Android)
Not Applicable as Example Corporation has not physical locations in scope EXCLUSIONS. The following items are explicitly excluded from the ISMS scope of Example Corporation:
Sales Marketing Finance
Amazon Web Services (AWS) - Data Center & Physical Security Controls |
|
|
Internal or External? | Internal |
|
|
|
|
Organization (if external) | N/A | Criteria | Refer to associated document Drata ISMS SOA |
|
|
Primary Role | Lead Internal Auditor |
|
|
|
|
AUDIT METHOD | AUDIT FINDINGS |
|
|
|
|
Activity | Action | Nonconformities |
|
|
|
Document Review | All evidence were provided through the use of Drata platform’s Audit Hub and reviewed with Read-Only Access | Clause 7.5.2.B - Example Corporation's document history table does not include details such as format (Electronic/Physical), language, software version, etc. which is listed in item B of Clause 7.5.2. Annex A 5.13 - Example Corporation’s Data Classification Policy does not include guidance for labeling data. Annex A 5.22 - Example Corporation's Vendor Management Policy does not include procedures related to managing changes in supplier contracts, changes to the services delivered by suppliers, or changes at Example Corporation made in order to implement changes in supplier contracts or services. |
|
|
|
Evidential Sampling | For select controls, the Internal Auditor requested additional documentation including samples using a sample size of 1 as supplementary evidence to support provided documents. |
|
|
|
|
Interviews | Improvement Opportunities |
|
|
|
|
ISMS Key Members | Non-ISMS Members | Annex A 8.27 |
|
|
|
Jane Doe |
|
|
|
|
|
RECOMMENDATIONS |
|
|
|
|
|
Annex A 8.27 - Example Corporation's SDLC policy does not formally document secure engineering principles. Review and ensure that SDLC policy includes secure engineering principles. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
COMPLIANCE | POST-AUDIT ACTIONS |
|
|
|
|
Clause 4 Clause 5 Clause 6 Clause 7 Clause 8 Clause 9 Clause 10 |
Minor non-conformities found on Clause 7.5.2B, Annex A 5.13, and Annex A 5.22. | Example Corporation’s Management should review the provided Internal Audit report, develop a treatment plan, and remediate the non-conformities listed before moving into Stage 1 of the ISO 27001 audit. |
|
|
|
|
|
|
|
|
|
Dissemination Restrictions: | Internal Use only, this report is meant to be reviewed by management of ISMS |
|
|
|
|
Report PREPARED by: | Benedict Arnold | Internal Auditor | Remote - N/A | 2/23/2023 4PM PST |
|
Report APPROVED by: | John Smith | CISO | Remote - N/A | 2/24/2023 11AM PST |
|
Revision History
Version | Date | Editor | Approver | Description of Changes | Format |
1.0 | 03/20/2023 | Jane Doe | John Smith | Initial Creation | .DOCX |