Skip to main content
All CollectionsFrameworksISO 27001
ISO 27001:2013 Example ISMS Plan
ISO 27001:2013 Example ISMS Plan
Updated over a year ago

This is an example of a completed ISMS plan for ISO 27001:2013. This is only guidance and you should review the example language before including it in your own ISMS plan.

Information Security Management System Plan (ISO/IEC 27001:2013)

Example Corporation

______________________________________________________________________

Table of Contents:

Purpose

Background and Objectives

ISMS Plan

4. Context of the organization

4.1. Understanding the organizations and its context

4.2. Understanding the needs and expectations of interested parties

4.3. Determining the scope of the ISMS

5. Leadership

5.1. Leadership and commitment

5.2. Policies

5.3. Organizational roles, responsibilities and authorities

6./8.1 Planning

6.1. Actions to address risks and opportunities

6.1.1. General; 6.1.2 / 8.2. Information security risk assessment

6.1.3 / 8.3. Information security risk treatment

SOA Revision History

6.2 Information security objectives and planning to achieve them

7. Support

7.1. Resources and 7.2 Competence

7.3. Awareness

7.4. Communication

7.5. Documented Information

7.5.1. General

7.5.2. Creating and updating

7.5.3. Control of documented information

9. Performance Evaluation

9.1. Monitoring, measurement, analysis and evaluation

9.2. Internal audit

9.3. Management review / 10.1. Nonconformity and corrective action / 10.2. Continual improvement

APPENDIX A

Internal Audit Plan and Procedure

Purpose

Scope

Roles and responsibilities

Plan

Procedure

APPENDIX B

APPENDIX C

Purpose

This Information Security Management System (ISMS) Plan aims to define the principles, requirements, and basic rules for the establishment, implementation and operation of the Information Security Management System.

Background and Objectives

The ISMS Plan lays the foundation of the company’s Information Security Management System, and identifies the roadmap for the establishment, implementation and operation of the ISMS and its continued efficacy. This document is supplemented by security policies and procedures that enable the treatment of risks to the organization.

Key objectives of the ISMS Plan are to:

  • Define the context of the organization

  • Define the scope of the ISMS

  • Provide guidance for the implementation of risk assessment findings into a Statement of Applicability

  • Provide proper steps and timelines for the implementation and maintenance of the ISMS

  • Outline the internal audit process, audit reviews, and remedial actions

  • Identify all necessary documents and records

  • Continual improvement of the ISMS

ISMS Plan

4. Context of the organization

4.1. Understanding the organizations and its context

To establish an effective ISMS, have a better understanding of relevant information security issues, develop successful strategies, and allocate appropriate resources to garner optimal results, Example Corporation will define its internal and external context as they pertain to information security.

Internal and external issues are those factors relevant to Example Corporation’s purpose and that affect Example Corporation’s ability to achieve the intended outcomes of its ISMS.

Internal issues include, but are not limited to:

  • Governance, organizational structure, (see Organization Chart) and roles and responsibilities for the ISMS (see Skills Matrix)

  • Policies, objectives and the strategies in place achieve them

  • Company culture, values, mission, and vision (see Information Security Policy)

  • Flow of information and the decision-making process (see Information Security Policy)

  • Capabilities, (e.g. capital, time, people, processes, systems and technology)

  • Form and extent of contractual relationships (see Vendor Management Policy)

External issues include, but are not limited to:

  • Information Security laws and regulations that are applicable to the company (see below)

  • Social and cultural

  • Interested parties (see below) and their cultures

  • Market trends and customer preferences

  • Political, public policy, and economic changes

  • Technological trends that could impact implemented security controls

4.2. Understanding the needs and expectations of interested parties

APPLICABLE LAWS AND REGULATIONS (EXTERNAL)

Requirements / Notes

International

GDPR

Security provisions of GDPR include data protection which ISO 27001 helps demonstrate.

Federal

HIPAA

Security provisions of HIPAA include controls which ISO 27001 helps demonstrate.

State

CCPA

Security provisions of CCPA include controls which ISO 27001 helps demonstrate.

Local

N/A

N/A

CONTRACTUAL REQUIREMENTS (EXTERNAL)

Requirements / Notes

JP Morgan

JP Morgan Chase requires an ISO 27001 as part of the MSA signed between Example Corporation and JP Morgan Chase Bank in 2022.

ISO 27001 Certification

Amazon

Amazon requires evidence that Example Corporation is effectively managing the security of data provided to Example Corporation within the MSA signed in 2021 and management of Example Corporation has agreed that an ISO 27001 certification fulfills this requirement.

Any Independent Audit report fulfills agreement

Technology Customers

Example Corporation provides a provision in all contracts between Example Corporation and customers operating in the technology industry that an ISO 27001 will be provided for their review.

ISO 27001 Certification

INTERESTED PARTIES (INTERNAL/EXTERNAL)

Requirements / Notes

Customers

Customers who signed our DPA are interested in gaining assurance that Example Corporation protects data provided to them.

Evidence that client data is protected. ISO 27001 certification

Suppliers

Suppliers are interested in gaining assurance that Example Corporation protects data provided to them

Evidence that client data is protected. ISO 27001 certification

Regulators

European Data Protection Authorities

Evidence that demonstrates Example Corporation has a strategy for protecting Personal Data

Contracts

See “Contractual Requirements (External)”

See “Contractual Requirements (External)”

Shareholders/Owners/Investors

Example Corporation’s Board of Directors

Assurance that Example Corporation is continually improving its product offering and ISMS

Management

Example Corporation’s Management is interested in providing its clients assurance that client data provided are adequately and reasonably protected

Evidence that client data is protected. ISO 27001 certification

DEPARTMENTS & BUSINESS UNITS (INTERNAL)

Requirements / Notes

IT & Engineering

Management of Example Corporation has determined that a structured approach to implementing security control is needed for the software development process at Example Corporation. Management of Example Corporation agrees that Annex A 5.8 of ISO 27001 meets the business requirements to fulfill this.

A more structured approach to implementing security controls.

HR

Management of Example Corporation has determined that additional controls related to onboarding and terminations are required at Example Corporation within the Human Resources department. Management of Example Corporation has determined that Annex A 6.0 of ISO 27001 will fulfill the need for these controls.

More formalized onboarding/offboarding process.

Security

Management of Example Corporation has determined, with input from the Security team, that an organized approach is needed to reduce the time that the Security team spends selecting security controls to implement. Management and Security have determined that ISO 27001 provides an organized framework for the management of Information Security within an organization which meets the needs of Example Corporation.

Reduced time spent selecting security controls for implementation.

4.3. Determining the scope of the ISMS

This document provides a clear definition for the Information Security Management System (ISMS) boundaries of Example Corporation, and applies to all matters related to the ISMS, to include documentation and activities.

This document will be used by:

  • Example Corporation Management

  • Members responsible for implementation of the ISMS

  • Example Corporation Employees

Through this document, Example Corporation will define the boundaries of its ISMS by outlining information that needs to be protected. This information is under the direct responsibility of Example Corporation and will be safeguarded regardless of it being additionally stored, processed or transferred in or out of the ISMS scope. In the event of the transfer of information out of the ISMS, the responsibility of applying security measures will be transferred to the external party responsible for its management.

The following items will establish the ISMS boundaries of Example Corporation, within the context of legal, regulatory, contractual, interested parties, and other stated requirements:

  • Organizational Units

Example Corporation Management

Information Security

Information Technology & Engineering

Human Resources

Legal

  • Networks and IT Infrastructure

Amazon Web Services (AWS)

GitHub

Slack

Jira

  • Processes and Services

Example Corporation Web Application (app.examplecorp.com)

Example Corporation Mobile Application (iOS & Android)

  • Locations

Not Applicable as Example Corporation has no physical locations in scope

[For companies with office locations in scope, list the appropriate address (e.g. 123 Fake Street, Fakeville, CA 91001) and/or the broad general location (e.g. Example Corporation Southeast Asia Office)]

EXCLUSIONS. The following items are explicitly excluded from the ISMS scope of Example Corporation:

  • Business Units:

Sales

Marketing

Finance

  • Vendor Dependencies:

Amazon Web Services (AWS) - Data Center & Physical Security Controls

5. Leadership

5.1. Leadership and commitment

To ensure the success of the Information Security Management System (ISMS), the management team of Example Corporation must be fully aware and appropriately engaged in matters involving the ISMS. Management must provide proper resources (e.g., personnel, funding, etc.) for the establishment, implementation, and maintenance of the ISMS.

Top Management shall demonstrate its leadership and commitment through:

  • Establishing an information security policy

  • Ensuring ISMS, roles, responsibilities and authorities are assigned

  • Communicating the importance of effective information security management

Management commitment can be demonstrated, for example, by:

  • Motivating & empowering persons to contribute to the effectiveness of the ISMS

  • Reinforcing organizational accountability for information security management results

  • Creating and maintaining an internal environment in which persons can become fully involved in achieving the organization’s information security objectives

5.2. Policies

In addition to this plan, the information security plans, processes and procedures of Example Corporation will be outlined in a series of policies that define the vision and mission of Example Corporation’s management as to what needs to be achieved to ensure the protection of information, and how that will be accomplished. These policies will include:

  • Information Security Policy

  • Acceptable Use Policy

  • Asset Management Policy

  • Backup Policy

  • Business Continuity/Disaster Recovery Plans

  • Code of Conduct

  • Data Classification, Retention, and Protection Policies

  • Encryption and Password Policies

  • Incident Response Plan

  • Physical Security Policy

  • Responsible Disclosure Policy

  • Risk Assessment Policy

  • Software Development Life Cycle Policy

  • System Access Management Policy

  • Vendor Management Policy

  • Vulnerability Management Policy

5.3. Organizational roles, responsibilities and authorities

The CISO and GRC Manager are responsible for:

  • The design, development, maintenance, dissemination, and enforcement of the items contained in this policy and associated policies.

  • Ensuring that the information security management system conforms to the requirements of ISO/IEC 27001:2013 (Clause 5.2c and Clause 5.3a).

  • Reporting on the performance of the information security program to top management to identify areas for continuous improvement (Clause 5.2d and Clause 5.3b).

The objectives and measures outlined by this plan and associated policies shall be maintained and enforced by the roles and responsibilities specified in each policy and the company Skills Matrix (see below).

SKILLS MATRIX

[Provide applicable skill matrix that outlines key ISMS roles and responsibilities, the skills required to execute those roles and responsibilities, information of eligible members who are in those roles (e.g., name, contact information, title, location/department, etc.), members’ skills, evidence of those skills (NOTE: could use url to member’s LinkedIn profile)]

Role Title

Job Description

ISMS Responsibilities

Required Skills & Competence

Current Member

Fully Competent (Y/N)

Competency Plan

(if not fully competent)

Proof of Competency

CISO

Responsible for establishing and maintaining a comprehensive corporate-wide information security management program based on industry-accepted information security and risk management frameworks.

a) The design, development, maintenance, dissemination, and enforcement of the items contained in this policy and other ISP policies.

b) Ensuring that the information security management system conforms to the requirements of ISO/IEC 27001:2013.

c) Reporting on the performance of the information security program to top management to identify areas for continuous improvement (5.2d, 5.3b).

  • 10 years of experience

  • Master’s Degree

  • Information Security Management Certification (e.g., CISSP, CISM, C-CISO)

John Smith

N

  • Requires one more year of experience

  • Resume

  • Copy of certifications

  • List of completed Trainings in a specific time period

  • URL to LinkedIn profile

Manager, Compliance

Leads the development and maintenance of the company’s compliance program to support the alignment of security architectures, plans, controls, processes, policies, and procedures with security standards and operational goals.

a) The design, development, maintenance, dissemination, and enforcement of the items contained in this policy and other ISP policies.

b) Ensuring that the information security management system conforms to the requirements of ISO/IEC 27001:2013.

c) Reporting on the performance of the information security program to top management to identify areas for continuous improvement (5.2d, 5.3b.

  • ISO 27001 implementation experience

  • Audit experience

Jane Doe

Y

  • N/A

  • Resume

  • Copy of certifications

  • URL to LinkedIn profile

Internal Auditor

Leads in performing a full audit cycle including risk management and control management over operations’ effectiveness, financial reliability, and compliance with all applicable directives, standards, and regulations.

a) Conduct annual Internal Audits to drive Continuous Improvement across the Drata ISMS.

  • Audit experience

  • Independence from implementation and daily operation of the Drata ISMS

Benedict Arnold

Y

  • N/A

  • Resume

  • Copy of certifications

  • URL to LinkedIn profile

6./8.1 Planning

6.1. Actions to address risks and opportunities

6.1.1. General; 6.1.2 / 8.2. Information security risk assessment

Methodology. Example Corporation will establish a well-defined methodology for risk assessment tailored to the company’s circumstances and needs, which will include the method of defining the following (see Risk Assessment Policy):

  • Risks that could cause the loss of confidentiality, integrity, and/or availability of information

  • Identity of risk owners

  • Assessment consequences and the likelihood of the risk

  • Risk calculation

  • Risk acceptance

The risk methodology will ensure that the risk assessment results are consistent across all relevant sectors of the company with comparable results.

Performance. Example Corporation will conduct a risk assessment as outlined in its Risk Assessment Policy, and will produce a Risk Assessment Report.

6.1.3 / 8.3. Information security risk treatment

  • Risk Treatment Plan. The Risk Treatment Plan is a crucial part of the ISMS implementation. Example Corporation will have a well-defined Risk Treatment Plan, which will outline how the controls from the Statement of Applicability will be implemented, to include responsible parties, timing and intervals, and allocated resources/budges.

  • Evaluation of Effectiveness. Example Corporation will measure and evaluate the fulfillment and effectiveness of the controls in place and other ISMS objectives in place, as set forth in the Risk Treatment Plan

  • Statement of Applicability. The Statement of Applicability (SOA) links Example Corporation’s risk assessment and treatment with the implementation of the ISMS. It provides the company with an overview of what needs to be done in information security, why, and how.

The SOA will list all Annex A controls that are applicable and those that are not. Each control decision will have a justification as to whether they were implemented, why and where (see below).

SOA REVISION HISTORY

Version

Date

Editor

Description of Changes

1.0

12/21/22

Jane Doe

Initial Creation

STATEMENT OF APPLICABILITY

* LR: Legal Requirement, CO: Contractual Obligation, BR/BP: Business Requirement/Best Practice, RRA: Results of Risk Assessment

CONTROL

OBJECTIVE & DESCRIPTION

STATUS

(Applicable/NA)

LR*

CO*

BR/ BP*

RRA*

REMARKS

RESPONSIBLE ENTITY (Dept/Role)

A.5

INFORMATION SECURITY POLICIES

A.5.1

MANAGEMENT DIRECTION FOR INFORMATION SECURITY

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

A.5.1.1

Policies for information security

A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.

Applicable

Y

None

Management

Information Security

A.5.1.2

Review of the policies for information security

The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

Applicable

Y

None

Management

Information Security

A.6

ORGANIZATION OF INFORMATION SECURITY

A.6.1

INTERNAL ORGANIZATION

Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

A.6.1.1

Information security roles and responsibilities

All information security responsibilities shall be defined and allocated.

Applicable

Y

None

Management

Information Security

A.6.1.2

Segregation of duties

Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.

Applicable

Y

None

Management

Information Security

A.6.1.3

Contact with authorities

Appropriate contacts with relevant authorities shall be maintained.

Applicable

Y

None

Management

Information Security

Legal

A.6.1.4

Contact with special interest groups

Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

Applicable

Y

None

Management

Information Technology

A.6.1.5

Information security in project management

Information security shall be addressed in project management, regardless of the type of the project.

Applicable

Y

Y

None

Information Technology

Information Security

A.6.2

MOBILE DEVICES AND TELEWORKING

Objective: To ensure the security of teleworking and use of mobile devices

A.6.2.1

Mobile device policy

A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

Applicable

Y

None

Information Technology

A.6.2.2

Teleworking

A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.

Applicable

Y

None

Management

Information Technology

A.7

HUMAN RESOURCE SECURITY

A.7.1

PRIOR TO EMPLOYMENT

Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

A.7.1.1

Screening

Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

Applicable

Y

Y

Y

None

Human Resources

A.7.1.2

Terms and conditions of employment

The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security.

Applicable

Y

Y

None

Management

Human Resources

A.7.2

DURING EMPLOYMENT

Objective: To ensure that employees and contractors are aware of and fulfill their information security responsibilities.

A.7.2.1

Management responsibilities

Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

Applicable

Y

None

Management

Information Security

A.7.2.2

Information security awareness, education and training

All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.

Applicable

Y

Y

None

Human Resources

Information Security

A.7.2.3

Disciplinary process

There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

Applicable

Y

Y

None

Management

Human Resources

A.7.3

TERMINATION AND CHANGE OF EMPLOYMENT

Objective: To protect the organization’s interests as part of the process of changing or terminating employment.

A.7.3.1

Termination or change of employment responsibilities

Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.

Applicable

Y

Y

None

Management

Human Resources

Information Security

A.8

ASSET MANAGEMENT

A.8.1

RESPONSIBILITY FOR ASSETS

Objective: To identify organizational assets and define appropriate protection responsibilities.

A.8.1.1

Inventory of assets

Information, other assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

Applicable

Y

None

Information Technology

A.8.1.2

Ownership of assets

Assets maintained in the inventory shall be owned.

Applicable

Y

None

Information Technology

A.8.1.3

Acceptable use of assets

Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.

Applicable

Y

None

Management

Information Technology

Human Resources

A.8.1.4

Return of assets

All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.

Applicable

Y

None

Management

Information Technology

Human Resources

A.8.2

INFORMATION CLASSIFICATION

Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

A.8.2.1

Classification of information

Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.

Applicable

Y

None

Management

Information Security

A.8.2.2

Labeling of information

An appropriate set of procedures for information labeling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

Applicable

Y

Y

None

Management

Information Security

A.8.2.3

Handling of assets

Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

Applicable

Y

None

Management

Information Technology

Human Resources

A.8.3

MEDIA HANDLING

Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

A.8.3.1

Management of removable media

Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

Not Applicable

N/A

N/A

N/A

N/A

Example Corporation does not have a physical location in scope for the ISMS Plan.

N/A

A.8.3.2

Disposal of media

Media shall be disposed of securely when no longer required, using formal procedures.

Not Applicable

N/A

N/A

N/A

N/A

Example Corporation does not have a physical location in scope for the ISMS Plan.

N/A

A.8.3.3

Physical media transfer

Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.

Not Applicable

N/A

N/A

N/A

N/A

Example Corporation does not have a physical location in scope for the ISMS Plan.

N/A

A.9

ACCESS CONTROL

A.9.1

BUSINESS REQUIREMENTS OF ACCESS CONTROL

Objective: To limit access to information and information processing facilities.

A.9.1.1

Access control policy

An access control policy shall be established, documented and reviewed based on business and information security requirements.

Applicable

Y

Y

None

Information Security

Information Technology

A.9.1.2

Access to networks and network services

Users shall only be provided with access to the network and net-work services that they have been specifically authorized to use.

Applicable

Y

Y

None

Information Security

Information Technology

A.9.2

USER ACCESS MANAGEMENT

Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.2.1

User registration and deregistration

A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

Applicable

Y

None

Information Technology

A.9.2.2

User access provisioning

A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

Applicable

Y

Y

None

Information Technology

A.9.2.3

Management of privileged access rights

The allocation and use of privileged access rights shall be restricted and controlled.

Applicable

Y

None

Information Technology

Information Security

A.9.2.4

Management of secret authentication information of users

The allocation of secret authentication information shall be controlled through a formal management process.

Applicable

Y

Y

None

Information Technology

A.9.2.5

Review of user access rights

Asset owners shall review users’ access rights at regular intervals.

Applicable

Y

Y

None

Information Technology

A.9.2.6

Removal or adjustment of access rights

The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

Applicable

Y

Y

None

Information Technology

A.9.3

USER RESPONSIBILITIES

Objective: To make users accountable for safeguarding their authentication information.

A.9.3.1

Use of secret authentication information

Users shall be required to follow the organization’s practices in the use of secret authentication information.

Applicable

Y

Y

None

Information Technology

A.9.4

SYSTEM AND APPLICATION ACCESS CONTROL

Objective: To prevent unauthorized access to systems and applications.

A.9.4.1

Information access restriction

Access to information and application system functions shall be restricted in accordance with the access control policy.

Applicable

Y

Y

None

Information Technology

Information Security

A.9.4.2

Secure log-on procedures

Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

Applicable

Y

Y

None

Information Technology

Information Security

A.9.4.3

Password management system

Password management systems shall be interactive and shall ensure quality passwords.

Applicable

Y

Y

None

Information Technology

A.9.4.4

Use of privileged utility programs

The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

Applicable

Y

None

Information Security

A.9.4.5

Access control to program source code

Access to program source code shall be restricted.

Applicable

Y

Y

None

Information Technology

Information Security

A.10

CRYPTOGRAPHY

A.10.1

CRYPTOGRAPHIC CONTROLS

Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

A.10.1.1

Policy on the use of cryptographic controls

A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

Applicable

Y

Y

Y

None

Information Security

A.10.1.2

Key management

A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

Applicable

Y

Y

Y

None

Information Security

A.11

PHYSICAL AND ENVIRONMENTAL SECURITY

A.11.1

SECURE AREAS

Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.

A.11.1.1

Physical security perimeter

Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

Not Applicable

N/A

N/A

N/A

N/A

Example Corporation does not have a physical location in scope for the ISMS Plan.

N/A

A.11.1.2

Physical entry controls

Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

Not Applicable

N/A

N/A

N/A

N/A

Example Corporation does not have a physical location in scope for the ISMS Plan.

N/A

A.11.1.3

Securing offices, rooms and facilities

Physical security for offices, rooms and facilities shall be designed and applied.

Not Applicable

N/A

N/A

N/A

N/A

Example Corporation does not have a physical location in scope for the ISMS Plan.

N/A

A.11.1.4

Protecting against external and environmental threats

Physical protection against natural disasters, malicious attack or accidents shall be designed and applied

Not Applicable

N/A

N/A

N/A

N/A

Example Corporation does not have a physical location in scope for the ISMS Plan.

N/A

A.11.1.5

Working in secure areas

Procedures for working in secure areas shall be designed and applied.

Not Applicable

N/A

N/A

N/A

N/A

Owned by Cloud Service Provider

Cloud Service Provider

A.11.1.6

Delivery and loading areas

Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

Not Applicable

N/A

N/A

N/A

N/A

Example Corporation does not have a physical location in scope for the ISMS Plan.

N/A

A.11.2

EQUIPMENT

Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations.

A.11.2.1

Equipment siting and protection

Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

Not Applicable

N/A

N/A

N/A

N/A

Owned by Cloud Service Provider

Cloud Service Provider

A.11.2.2

Supporting utilities

Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

Not Applicable

N/A

N/A

N/A

N/A

Owned by Cloud Service Provider

Cloud Service Provider

A.11.2.3

Cabling security

Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.

Not Applicable

N/A

N/A

N/A

N/A

Owned by Cloud Service Provider

Cloud Service Provider

A.11.2.4

Equipment maintenance

Equipment shall be correctly maintained to ensure its continued availability and integrity.

Not Applicable

N/A

N/A

N/A

N/A

Owned by Cloud Service Provider

Cloud Service Provider

A.11.2.5

Removal of assets

Equipment, information or software shall not be taken off-site without prior authorization.

Not Applicable

N/A

N/A

N/A

N/A

Example Corporation does not have a physical location in scope for the ISMS Plan.

N/A

A.11.2.6

Security of equipment and assets off-premises

Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises.

Not Applicable

N/A

N/A

N/A

N/A

Owned by Cloud Service Provider

Cloud Service Provider

A.11.2.7

Secure disposal or reuse of equipment

All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Applicable

Y

None

Information Technology

A.11.2.8

Unattended user equipment

Users shall ensure that unattended equipment has appropriate protection.

Applicable

Y

None

Information Technology

A.11.2.9

Clear desk and clear screen policy

A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

Not Applicable

N/A

N/A

N/A

N/A

Example Corporation does not have a physical location in scope for the ISMS Plan.

N/A

A.12

OPERATIONS SECURITY

A.12.1

OPERATIONAL PROCEDURES AND RESPONSIBILITIES

Objective: To ensure correct and secure operations of information processing facilities.

A.12.1.1

Documented operating procedures

Operating procedures shall be documented and made available to all users who need them.

Applicable

Y

Y

Y

None

Management

Information Security

A.12.1.2

Change management

Changes to the organization, business processes, information pro- cessing facilities and systems that affect information security shall be controlled

Applicable

Y

None

Information Technology

Information Security

A.12.1.3

Capacity management

The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

Applicable

Y

None

Information Technology

A.12.1.4

Separation of development, testing and operational environments

Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

Applicable

Y

None

Information Technology

A.12.2

PROTECTION FROM MALWARE

Objective: To ensure that information and information processing facilities are protected against malware.

A.12.2.1

Controls against malware

Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

Applicable

Y

Y

None

Information Security

A.12.3

BACKUP

Objective: To protect against loss of data.

A.12.3.1

Information backup

Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.

Applicable

Y

None

Information Technology

Information Security

A.12.4

LOGGING AND MONITORING

Objective: To record events and generate evidence.

A.12.4.1

Event logging

Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

Applicable

Y

Y

Y

None

Information Security

A.12.4.2

Protection of log information

Logging facilities and log information shall be protected against tampering and unauthorized access.

Applicable

Y

Y

Y

None

Information Security

A.12.4.3

Administrator and operator logs Control

System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

Applicable

Y

Y

Y

None

Information Security

A.12.4.4

Clock synchronization

The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source.

Applicable

Y

None

Information Technology

A.12.5

CONTROL OF OPERATIONAL SOFTWARE

Objective: To ensure the integrity of operational systems.

A.12.5.1

Installation of software on operational systems

Procedures shall be implemented to control the installation of software on operational systems.

Applicable

Y

None

Information Security

A.12.6

TECHNICAL VULNERABILITY MANAGEMENT

Objective: To prevent exploitation of technical vulnerabilities.

A.12.6.1

Management of technical vulnerabilities

Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk

Applicable

Y

Y

None

Information Security

A.12.6.2

Restrictions on software installation

Rules governing the installation of software by users shall be established and implemented.

Applicable

Y

None

Information Security

A.12.7

INFORMATION SYSTEMS AUDIT CONSIDERATIONS

Objective: To minimize the impact of audit activities on operational systems.

A.12.7.1

Information systems audit controls

Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.

Applicable

Y

None

Information Security

A.13

COMMUNICATIONS SECURITY

A.13.1

NETWORK SECURITY MANAGEMENT

Objective: To ensure the protection of information in networks and its supporting information processing facilities.

A.13.1.1

Network controls

Networks shall be managed and controlled to protect information in systems and applications.

Applicable

Y

None

Information Security

A.13.1.2

Security of network services

Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.

Applicable

Y

None

Information Security

A.13.1.3

Segregation in networks

Groups of information services, users and information systems shall be segregated on networks.

Applicable

Y

Y

None

Information Security

A.13.2

INFORMATION TRANSFER

Objective: To maintain the security of information transferred within an organization and with any external entity.

A.13.2.1

Information transfer policies and procedures

Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

Applicable

Y

Y

None

Management

Information Security

Information Technology

A.13.2.2

Agreements on information transfer

Agreements shall address the secure transfer of business information between the organization and external parties.

Applicable

Y

Y

None

Management

Information Security

Information Technology

A.13.2.3

Electronic messaging

Information involved in electronic messaging shall be appropriately protected.

Applicable

Y

Y

None

Management

Information Security

Information Technology

A.13.2.4

Confidentiality or non- disclosure agreements

Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented.

Applicable

Y

Y

None

Management

Human Resources

Legal

A.14

SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE

A.14.1

SECURITY REQUIREMENTS OF INFORMATION SYSTEMS

Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

A.14.1.1

Information security requirements analysis and specification

The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.

Applicable

Y

Y

None

Information Technology

Information Security

A.14.1.2

Securing application services on public networks

Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

Applicable

Y

None

Information Security

A.14.1.3

Protecting application services transactions

Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

Applicable

Y

None

Information Security

A.14.2

SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES

Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.2.1

Secure development policy

Rules for the development of software and systems shall be established and applied to developments within the organization.

Applicable

Y

None

Information Technology

Information Security

A.14.2.2

System change control procedures

Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

Applicable

Y

None

Information Technology

Information Security

A.14.2.3

Technical review of applications after operating platform changes

When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

Applicable

Y

None

Information Technology

Information Security

A.14.2.4

Restrictions on changes to software packages

Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.

Applicable

Y

None

Information Technology

Information Security

A.14.2.5

Secure system engineering principles

Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.

Applicable

Y

Y

None

Information Technology

Information Security

A.14.2.6

Secure development environment

Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development life cycle.

Applicable

Y

None

Information Technology

A.14.2.7

Outsourced development

The organization shall supervise and monitor the activity of out-sourced system development.

Applicable

Y

None

Information Technology

Information Security

A.14.2.8

System security testing

Testing of security functionality shall be carried out during development.

Applicable

Y

None

Information Technology

Information Security

A.14.2.9

System acceptance testing

Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.

Applicable

Y

None

Information Technology

Information Security

A.14.3

TEST DATA

Objective: To ensure the protection of data used for testing.

A.14.3.1

Protection of test data

Test data shall be selected carefully, protected and controlled.

Applicable

Y

None

Information Technology

A.15

SUPPLIER RELATIONSHIPS

A.15.1

INFORMATION SECURITY IN SUPPLIER RELATIONSHIPS

Objective: To ensure protection of the organization’s assets that are accessible by suppliers.

A.15.1.1

Information security policy for supplier relationships

Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented.

Applicable

Y

Y

None

Management

Information Security

A.15.1.2

Addressing security within supplier agreements

All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for the organization’s information.

Applicable

Y

Y

None

Management

Information Security

A.15.1.3

Information and communication technology supply chain

Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain

Applicable

Y

None

Information Security

A.15.2

SUPPLIER SERVICE DELIVERY MANAGEMENT

Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

A.15.2.1

Monitoring and review of supplier services

Organizations shall regularly monitor, review and audit supplier service delivery.

Applicable

Y

Y

Y

None

Management

Information Security

A.15.2.2

Managing changes to supplier services

Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

Applicable

Y

Y

Y

None

Management

Information Security

A.16

Information security incident management

A.16.1

MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS

Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.16.1.1

Responsibilities and procedures

Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.

Applicable

Y

Y

Y

None

Information Security

A.16.1.2

Reporting information security events

Information security events shall be reported through appropriate management channels as quickly as possible.

Applicable

Y

None

Management

Information Security

All Users

A.16.1.3

Reporting information security weaknesses

Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.

Applicable

Y

None

Management

Information Security

All Users

A.16.1.4

Assessment of and decision on information security events

Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.

Applicable

Y

Y

Y

None

Management

Information Security

A.16.1.5

Response to information security incidents

Information security incidents shall be responded to in accordance with the documented procedures.

Applicable

Y

Y

Y

None

Information Security

A.16.1.6

Learning from information security incidents

Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.

Applicable

Y

None

Information Security

A.16.1.7

Collection of evidence

The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.

Applicable

Y

Y

Y

None

Information Security

A.17

INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT

A.17.1

INFORMATION SECURITY CONTINUITY

Objective: Information security continuity shall be embedded in the organization’s business continuity management systems.

A.17.1.1

Planning information security continuity

The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

Applicable

Y

None

Management

Information Security

A.17.1.2

Implementing information security continuity

The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

Applicable

Y

None

Management

Information Security

A.17.1.3

Verify, review and evaluate information security continuity

The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

Applicable

Y

None

Management

Information Security

A.17.2

REDUNDANCIES

Objective: To ensure availability of information processing facilities.

A.17.2.1

Availability of information processing facilities

Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

Applicable

Y

None

Information Technology

A.18

COMPLIANCE

A.18.1

COMPLIANCE WITH LEGAL AND CONTRACTUAL REQUIREMENTS

Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

A.18.1.1

Identification of applicable legislation and contractual requirements

All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.

Applicable

Y

Y

None

Management

Information Security

Legal

A.18.1.2

Intellectual property rights

Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.

Applicable

Y

Y

None

Management

Information Security

Legal

A.18.1.3

Protection of records

Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.

Applicable

Y

Y

None

Management

Information Security

Legal

A.18.1.4

Privacy and protection of personally identifiable information

Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.

Applicable

Y

Y

Y

None

Management

Information Security

Legal

A.18.1.5

Regulation of cryptographic controls

Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.

Applicable

Y

Y

None

Management

Information Security

Legal

A.18.2

INFORMATION SECURITY REVIEWS

Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

A.18.2.1

Independent review of information security

The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, pro- cesses and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.

Applicable

Y

Y

Y

None

Management

Information Security

A.18.2.2

Compliance with security policies and standards

Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.

Applicable

Y

Y

Y

None

Management

Information Security

A.18.2.3

Technical compliance review

Information systems shall be regularly reviewed for compliance with the organization’s information security policies and standards.

Applicable

Y

Y

Y

None

Management

Information Security

6.2 Information security objectives and planning to achieve them

In accordance with Example Corporation’s Information Security Policy, the information security objectives will reflect (see below):

  • What will be done

  • Resources Required

  • Responsible Parties/Personnel

  • Completion Timeline

  • Metrics for Evaluation and Acceptance Criteria

Example Corporation information security objectives will reflect 5-7 objectives that will cover Confidentiality, Integrity, and Availability as it relates to Example Corporation’s ISMS. The objectives will be tracked and updated when needed.

INFORMATION SECURITY OBJECTIVES

Objective ID

Objective

Action

Required Resources

Responsible Party

Timeline

Acceptance Criteria

Status

1

All identified controls are in place

List controls

Implement controls

Verify controls

Specialist IT team

Internal audit

Manager, GRC

6 months

Refer to KPI Metrics table Section 9.1

In progress

2

All business continuity plans have been tested in the previous year

Agree testing schedule

Conduct tests

Produce test reports

Operational staff time

CISO

6 months

Refer to KPI Metrics table Section 9.1

In progress

3

Training in information security has been provided for all key resources

Identify key resources

Identify courses

Attend courses

Complete training records

Training budget

Time of attendees

Manager, GRC

3 months

Refer to KPI Metrics table Section 9.1

Complete

4

Increase number of days provided by business teams for information security activities

Agree allocation with top management

Plan involvement

Conduct activities

Record days spent

Business teams

CISO

9 months

Refer to KPI Metrics table Section 9.1

Behind Schedule

5

Reduce number of high

priority risks on risk register

Hold workshops to identify ideas

Implement ideas

Risk owners

IT team

CISO

9 months

Refer to KPI Metrics table Section 9.1

In Progress

7. Support

7.1. Resources and 7.2 Competence

The proper operations and maintenance of the ISMS requires proper personnel planning and resources. Example Corporation management is devoted to making sure that the ISMS roles and responsibilities, as well as the skills necessary to perform them are well-defined, and that those roles are properly manned by people with the requisite skills (see Skills Matrix above). Management will also make sure that the ISMS is prioritized in the budgeting process and properly resourced to guarantee optimal performance.

7.3. Awareness

To ensure the proper implementation of the controls, policies, and procedures, Example Corporation will promote awareness and provide training as to the necessity of such provisions, and how to perform their roles and responsibilities in accordance with these provisions.

7.4. Communication

Example Corporation’s communication plan outlines the lines of communication within the organization, and with outside entities, to include appropriate government agencies (e.g., law enforcement) and non-governmental organizations. It also defines times and intervals, events and situations, and personnel responsible for the communication (see below).

COMMUNICATION PLAN

Document/

Deliverable

Frequency of Communication

Sender

(Delivery from)

Audience

(Delivery to)

Delivery Type

Delivery Evidence

Internal Audit Report

Annually

-Internal Auditor

-Member of Security Team

-CISO

-Risk Committee

-Email

-Presentations

-Drata Evidence Library (with Access to Drata)

-Email

-Committee Meeting Minutes

-In Drata

External Audit Report

Annually

-External Auditor

-Member of Security Team

-CISO

-Risk Committee

-Board of Directors

-Email

-Presentations

-Risk Committee and/or Board of Directors Closing Meeting Minutes

ISO 27001 Certificate

As New Certificates are Issued

-External Auditor

-Member of Web Dev Team

-Posted on company website

-Marketing

-Sales

-Email

-Web Posting

-Email

-Website

Corrective Action Report

Quarterly

-Member Responsible for Developing CARs

-CISO

-Business Unit Leadership responsible for Corrective Actions

-(For external findings) External Auditor

-Email

-Meetings

-Drata Evidence Library (with Access to Drata)

-Email

-Meeting Minutes

-In Drata

ISMS Security Objectives

Quarterly

-Member Responsible for Developing objectives

-Business Unit Leadership for Security Objectives

-Email

-Meetings

-Drata Evidence Library (with Access to Drata)

-Email

-Meeting Minutes

-In Drata

Risk Treatment Plans

Quarterly

-Member Responsible for Developing RTPs

-CISO

-Risk Committee

-Business Unit Leadership for RTP

-Email

-Meetings

-Drata Evidence Library (with Access to Drata)

-Email

-Meeting Minutes

-In Drata

Management Review Report

Annually or as necessary

-Member Responsible for reporting metrics in Management Review

-CISO

-Appropriate Business Unit Leadership

-Email

-Meetings

-Drata Evidence Library (with Access to Drata)

-Email

-Meeting Minutes

-In Drata

External Incident Response Report

As necessary

-Designated member to communicate with external parties (e.g., government agency, NGOs, etc.)

-External Parties (e.g., government agencies, NGOs, etc.)

-Email

-Phone

-As required by local regulations or standards

-Email

-Phone Log

-Appropriate Records

7.5. Documented Information

7.5.1. General

The following table includes the documents determined by Example Corporation as being necessary for the effectiveness of the ISMS.

MANDATORY RECORDS & DOCUMENTS

Document

Reference

Location

ISO 27001:2013 TIER 1 DOCUMENTATION

Scope of The Information Security Management System (ISMS)

Clause 4.3

Section 4.3 of the ISMS Plan

Information Security Policy

Clause 5.2

Drata Policy Center

Definition of Security Roles & Responsibilities

Clause 5.2, Annex A.7.1.2

Skills Matrix section of the ISMS Plan

Information Security Objectives

Clause 6.2

Information Security Objectives section of the ISMS Plan

Risk Assessment Process

Clause 6.1.2

Risk Assessment Policy

Risk Assessment Report

Clause 8.2

Drata - Evidence Library

Risk Treatment Process

Clause 6.1.3

Risk Assessment Policy

Risk Treatment Plan

Clause 6.1.3e

Drata - Evidence Library

Statement of Applicability (For Controls in Annex A)

Clause 6.1.3d

Statement of Applicability section of the ISMS Plan

List of Interested Parties, Legal & Other Requirements

Clauses 4.2 & 6.1

Section 4.2 of the ISMS Plan

Competence (e.g., Skills Matrix & Associated Proof Of Skills)

Clause 7.2

Skills Matrix section of the ISMS Plan

Evidence of Communication

Clause 7.4

Communication Plan section of the ISMS Plan

Procedure for Document Control

Clause 7.5

Last page of ISMS Plan

Monitoring & Measurement Results

Clause 9.1

Drata - Monitoring page

Internal Audit Plan & Reports

Clause 9.2

Internal Audit Section of the ISMS Plan

Results of Management Reviews of ISMS

Clause 9.3

Appendix B of the ISMS Plan

Nonconformities, Corrective Actions & Improvement Suggestions

Clause 10.1; 10.2

Appendix C of the ISMS Plan

ISO 27001:2013 TIER 2 DOCUMENTATION

Inventory of Assets

Annex A.8.1.1

Drata - Assets module

Acceptable Use of Assets

Annex A.8.1.3

Drata - Policy Center

Access Control Policy

Annex A.9.1.1

Drata - Policy Center

Operating Procedures for Information Security

Annex A.12.1.1

Drata - Policy Center

Logs of User Activities, Exceptions, Faults & Security Events

Annex A.12.4.1

Drata - Policy Center, AWS CloudTrail

Logs of System Administrator & System user activities, exceptions, faults and security events

Annex A.12.4.3

Drata - Policy Center, AWS CloudTrail

Incident Management Procedure

Annex A.16.1.5

Drata - Policy Center

Business Continuity Strategy & Procedures

Annex A.17.1

Drata - Policy Center

Statutory, Regulatory, And Contractual Requirements

Annex A.18.1.1

Section 4.2 of the ISMS Plan

CONDITIONAL RECORDS & DOCUMENTS (If Applicable)

Document

Reference

Location

Confidentiality or Non-Disclosure Agreements

Annex A.13.2.4

Google Drive

Secure System Engineering Principles

Annex A.14.2.5

Drata - Policy Center

Supplier Security Policy

Annex A.15.1.1

Google Drive

DISCRETIONARY RECORDS & DOCUMENTS (Commonly Used)

Document

Reference

Location

Controls for Managing Records

7.5

Section 7.5.2-.3 of the ISMS Plan

Procedure for Measuring and Monitoring

9.1

Section 9.1 of the ISMS Plan

Procedure for Corrective Action

10.1

Appendix C of the ISMS Plan

Bring Your Own Device (BYOD) Policy

Annex A.6.2.1

Drata - Policy Center

Mobile Device & Teleworking Policy

Annex A.6.2.1

Drata - Policy Center

Information Classification Policy

Annex A.8.2

Drata - Policy Center

User Access Rights Policies (Including Password Control)

Annex A.9.2

Drata - Policy Center

Disposal & Destruction Policy

Annex A.8.3.2; A.11.2.7

Drata - Policy Center

Procedures for Working in Secure Areas

Annex A.11.1.5

Drata - Policy Center

Clear Desk & Clear Screen Policy

Annex A.11.2.9

Drata - Policy Center

Organizational Change Management Policy

Annex A.12.1.2

Drata - Policy Center

Software Change Management Policy

Annex A.14.2.4

Drata - Policy Center

Backup Policy

Annex A.12.3.1

Drata - Policy Center

Information Transfer Policy

Annex A.13.2

Drata - Policy Center

Business Impact Analysis

Annex A.17.1.1

Drata - Policy Center

ISMS Continuity Controls Testing Plan

Annex A.17.1.3

Drata - Policy Center

7.5.2. Creating and updating

Example Corporation ensures documentation generated by Example Corporation personnel is appropriately controlled. Consideration is given to:

  • Identification of documentation through the assignment of titles, dates, authors, and reference numbers.

  • Format including language, version, and media (physical or electronic) used to display and communicate documentation.

  • Review and approval for suitability, adequacy, and accuracy of the information contained within documentation.

The record of this consideration is contained within the “Revision History” table inside of each policy, and records of review and approval are contained within the Drata Policy Center, which documents the policy approval and assigned owner.

7.5.3. Control of documented information

Example Corporation’s crucial task in the operation and maintenance of the ISMS is the collection of the appropriate records and evidence to ensure the functionality of the ISMS, and the effectiveness of the system. The records will also reflect personnel performance and completion of necessary tasks.

Example Corporation will also have a systematic approach for document management. To control documents:

  • Classify documents properly

  • Define members with the rights for distribution, access, retrieval, and use of documents, and the necessary actions to be performed.

  • Identify methods currently used to receive, process, approve/reject, store and/ or delete documents.

  • Align business processes to document management requirements

  • Identify documents for control

  • Integrate change controls to ensure integrity of documents

9. Performance Evaluation

9.1. Monitoring, measurement, analysis and evaluation

Example Corporation will evaluate its security objectives by monitoring and measurement of implemented controls. Monitoring provides awareness of the status and state of assets and processes that have been selected to be watched, and can provide basic and immediate alerts if something is not performing as expected. Measurements allow for the evaluation of assets and processes based on predefined units. The assets and processes for evaluation will be properly documented, the company will produce and maintain reports and evidence of evaluations.

These evaluations are meant to allow the Example Corporation to:

  • Ensure control objectives are being satisfied and validate the decisions made;

  • Establish a roadmap to meet set targets and expectations;

  • Produce evidence and justification for implemented measures; and/or,

  • Discover and identify security gaps that would require change, corrective action(s), or intervention.

KPI Metrics

KPI

Infosec Objective ID (Fr. 6.2)

Frequency

Measure

Result

Target

Supporting Documentation

KPI Owner

Last Review Date

ISMS Plan Review

6

Annually

(# of Reviews / 1) * 100

100%

100%

Security Steering Committee Meeting Minutes

CISO

01/20/2023

Information Security Policy Review

1, 4

Annually

(# of Reviews / 1) * 100

100%

100%

Information Security Policy

CISO

01/20/2023

Security Awareness Training

3

Annually

(# of employees who received SATE / total # of employees) * 100

87%

90-100%

Proofpoint Security Awareness Training Results

Manager, GRC

01/20/2023

Social Engineering Reporting Rate

3

Quarterly

(# of phishing simulation report / total # of employees) * 100

43%

>50%

Proofpoint Security Awareness Training Results

Manager, GRC

03/06/2023

Social Engineering Failure Rate

3

Quarterly

(# of phishing failure / total # of employees) * 100

7%

<5%

Proofpoint Security Awareness Training Results

Manager, GRC

03/06/2023

BC/DR Annual Test

1, 2

Annually

(# of BC/DR test performed / 1) * 100

100%

100%

BC/DR Test Report

CISO

02/17/2023

Annual Incident Response Test

1, 5, 6

Annually

(# of IR test performed / 1) * 100

100%

100%

IR Test Report

CISO

02/24/2023

Penetration Test

1, 5, 6

Annually

(# of penetration test performed / 1) * 100

100%

100%

Penetration Test Report

Manager, GRC

01/17/2023

Vulnerability Scans

1, 5, 6

Monthly

(# of vulnerability scans performed / 12) * 100

100%

100%

AWS GuardDuty

Manager, GRC

03/20/2023

User Access Reviews

1, 6

Quarterly

(# of user access reviews performed / 4) * 100

100%

100%

User Access Review emails

Manager, GRC

01/09/2023

Annual Board of Directors meeting on Cybersecurity

4

Annually

(# of Board Meetings / 1) * 100

100%

100%

Board of Director Meeting Minutes

CISO

03/03/2023

Platform Availability metric

1, 4

Monthly

((100 - Down time) / 100) * 100

99.5%

99.5%

Status page

IT

03/20/2023

Drata Controls Monitoring

1

Daily

(# Passing test / Total number of test) * 100

93%

95%-100%

Drata Monitoring

Manager, GRC

03/23/2023

9.2. Internal audit

Internal Audits are a crucial element of Example Corporation’s ISMS and its continuous improvement. The process will ensure the discovery and identification of issues, gaps, malfunctions, etc. in the company’s ISMS that could ultimately damage or harm the company.

  • Frequency. Example Corporation will conduct an internal audit of its ISMS at least annually.

  • Audit Entity. Example Corporation internal audits will be conducted by:

    • Employee, full-time auditor;

    • Employee, part-time auditor; or

    • Third party internal auditor (outside organization will conduct internal audit per rules set by Example Corporation.

    In the case of an employee being selected as an auditor, Example Corporation will ensure that the auditor is objective and impartial. This will be done through different methods, such as selecting an employee from a different department or team to audit a specific department or team.

  • Documentation. Example Corporation will set and document the criteria and scope of each annual internal audit in the Internal Audit Program. It will also produce and maintain, for evidence, reports of the internal audit, where findings, gaps, and nonconformities will be outlined (see Appendix A).

    Example Corporation will include in its Internal Audit Program sections such as:

    • Method of internal auditor selection

    • Process of planning the internal audit

    • Steps to conduct the internal audit

    • Post-audit activities

    • Internal audit checklist

  • Plan and Procedure. (See APPENDIX A)

9.3. Management review / 10.1. Nonconformity and corrective action / 10.2. Continual improvement

  • Management review. Example Corporation management will systematically review and make critical decisions concerning the ISMS. The review will be arranged by CISO, who is also responsible for compiling all necessary information and inputs for consideration (see APPENDIX B).

    The review will take into consideration:

    • Status of items, issues, and tasks from previous review

    • Reports form evaluations and internal audits

    • Lessons learned from assessments, tests, or incidents

    • Improvement inputs from the company

    • Any internal and external changes that impact security

  • Decisions will be made concerning:

    • The ISMS scope and whether it requires modifications

    • Security policies and whether any require modifications

    • Security gaps and necessary improvements

    • Necessary resources

    • The overall effectiveness of the ISMS and fulfillment of its objectives

    • Implementation of different security strategies and training

  • Frequency. Example Corporation will conduct a management review of its ISMS at least annually, and as necessary.

  • Documentation and reporting. The considerations, discussions, and decisions from the management review will be recorded in the meeting minutes, which could also include discussions from other reviews. The results of the review, and subsequent tasks and responsibilities, will be communicated to relevant parties by [METHOD, e.g., e-mail, meeting, all-hands, etc.].

  • Corrective Action Plan. Example Corporation will employ corrective action plans for the systematic elimination of issues and nonconformities. The plan will aim to resolve an issue from its root cause so that it can be prevented or mitigated in the future and sustain the corrective measures. It will include:

    • Root cause analysis and assessment

    • Required steps for root cause elimination

    • Risk-opportunity assessment of changes

    • Time and cost assessment

    • Rubric for measuring effectiveness

  • Corrective Action Report. Example Corporation will document any corrective action taken in a corrective action report (see Appendix C). The report will at a minimum include:

    • Nature of nonconformities

    • Identified root cause

    • Corrective actions taken

    • Implementation of corrective actions

    • Result of corrective actions (include effectiveness)

APPENDIX A

Internal Audit Plan and Procedure

Purpose

The purpose of the internal audit is to ensure the effectiveness of Example Corporation’s information security management system, its continuous improvement, and conformance with the requirements of ISO 27001:2013, as set out in Clause 9.2 of the standard. It will ensure (a) conformance with the standard, and more importantly, (b) proper information security measures in place that are continuously improved. Additionally, the internal audit will:

  • Uncover nonconformities before others discover them;

  • Ensure a strong security stance by identifying areas that require attention prior to a security event;

  • Demonstrate and inform management commitment; and

  • Assist staff understanding and awareness.

Scope

This plan applies to Example Corporation internal audits of the ISMS, and establishes the procedures for carrying out the audit. The audit scope should match the ISMS.

Roles and responsibilities

Lead Auditor: Responsible for the planning and execution of the audit. The lead auditor is a competent entity independent from the ISMS, who is a member of the company independent of the ISMS OR a third party auditor.

Employees: Responsible for assisting in the audit process, when and as required.

Plan

  • Audit schedule

    • Properly planned out audit, and readily-available schedule to let all members aware of when each process will be audited over the upcoming cycle.

    • Allow time for better preparation and practical support.

    • Allow time for process owners to:

      1. finish any improvement projects and gather valuable information on the implementation; or,

      2. request that the auditor(s) focus on helping to gather information for other planned improvements.

  • Coordinate with process owners

    • Collaborate to determine the best time to review the process.

    • Auditor(s) can review previous audits to see if any follow-up is required on comments or concerns previously found.

    • Process owners can identify any areas that the auditor can look at to assist the process owner to identify information.

    • Ensure that the process owners will get value out of the audit process.

  • Conducting the audit

    • Gather, review, analyze information as outlined in the audit procedures below.

    • Identify areas that do not have operational evidence.

    • Identify areas that may function better if changes are made.

  • Reporting audit findings

    • Meet with interested parties and process owners to ensure an efficient flow of information (non-conforming).

    • Highlight areas of weakness to be addressed, and areas that could use improvement (improvement opportunities).

  • Follow-up

    • Ensure that identified areas of non-conformity are resolved and corrective actions have been taken.

    • Check any progress on identified improvement opportunities.

Procedure

  • Review ISMS documentation

    • Audit scope should match ISMS, setting clear limits for the internal audit.

    • All prescribed documents(See Prescribed Documentation above) are in place and readily available.

  • Identify any criteria, if any, needed for consideration during the audit

    • Identify the extent of work that may be done during the audit

    • Identify any anticipated limitations

  • Identify the main stakeholders in the ISMS

    • Any required documentation for the audit could be easily requested.

  • Management input

    • Designated internal auditor should be competent and independent.

    • Agree and determine the timing and resources required for the audit.

    • Set milestones/checkpoints for when the board should receive interim updates.

    • Discuss issues or concerns

  • Conduct practical assessment

    • Observe the operation of the ISMS, and whether it properly functions in practice by speaking with members involved and operating processes related to the ISMS, whether they are in an ISMS role or not.

    • Run audit tests to validate evidence as it is gathered.

    • Complete audit reports and document the results of each test.

  • Analyze evidence

    • Sort and review all evidence collected during the audit, as related to the company’s risk treatment plan and control objectives.

    • Identify any further gaps or need for further audit tests.

  • Report findings (see Appendix A). The report should include:

    • Classification and dissemination restrictions of the report

    • Intended recipient(s) of the report

    • An executive summary to highlight the key findings, high-level analysis and a conclusion

    • Scope, Timing, any outlined criteria

    • Analysis of the findings and compliance with each clause of the ISMS requirements

    • Recommendations

    • Post-audit actions

INTERNAL AUDIT REPORT

Confidentiality

Date of Audit

02/14/2023 - 02/23/2023

Example Corporation

Internal Use

Date of Previous Audit

N/A

RECIPIENT(S)

- John Smith - CISO

- Jane Doe - Manager, GRC

- Lisa Bautista - CEO

- James Chapman - CTO

- Alice Wallace - CFO

EXECUTIVE SUMMARY

Internal Audit has prepared the following report after conducting an audit on the Example Corporation’s web and mobile applications. This audit was conducted pursuant to receiving ISO 27001 certification for Example Corporation’s ISMS. This audit was conducted against the ISO 27001 and ISO 27002 standards. Evidence was collected through the use of the Drata Platform and collected from the interviews with the GRC Manager, and taking screenshots from specific systems not otherwise captured within the Drata Platform. The overall opinion of the internal audit is that Drata’s ISMS was established and is being operated appropriately. Three (3) minor non-conformities were noted and one (1) enhancements/process improvements were noted. It is the recommendation of Internal Audit that the three (3) minor non-conformities are remediated prior to beginning Stage 1 of the ISO 27001 audit.

AUDITOR

AUDIT SCOPE & CRITERIA

Auditor Name

Benedict Arnold

Scope

  • Organizational Units

Example Corporation Management

Information Security

Information Technology & Engineering

Human Resources

Legal

  • Networks and IT Infrastructure

Amazon Web Services (AWS)

GitHub

Slack

Jira

  • Processes and Services

Example Corporation Web Application (app.examplecorp.com)

Example Corporation Mobile Application (iOS & Android)

  • Locations

Not Applicable as Example Corporation has not physical locations in scope

EXCLUSIONS. The following items are explicitly excluded from the ISMS scope of Example Corporation:

  • Business Units:

Sales

Marketing

Finance

  • Vendor Dependencies:

Amazon Web Services (AWS) - Data Center & Physical Security Controls

Internal or External?

Internal

Organization (if external)

N/A

Criteria

Refer to associated document Drata ISMS SOA

Primary Role

Lead Internal Auditor

AUDIT METHOD

AUDIT FINDINGS

Activity

Action

Nonconformities

Document Review

All evidence were provided through the use of Drata platform’s Audit Hub and reviewed with Read-Only Access

Clause 7.5.2.B - Example Corporation's document history table does not include details such as format (Electronic/Physical), language, software version, etc. which is listed in item B of Clause 7.5.2.

Annex A 8.2.2 - Example Corporation’s Data Classification Policy does not include guidance for labeling data.

Annex A 15.2.2 - Example Corporation's Vendor Management Policy does not include procedures related to managing changes in supplier contracts, changes to the services delivered by suppliers, or changes at Example Corporation made in order to implement changes in supplier contracts or services.

Evidential Sampling

For select controls, the Internal Auditor requested additional documentation including samples using a sample size of 1 as supplementary evidence to support provided documents.

Interviews

Improvement Opportunities

ISMS Key Members

Non-ISMS Members

Annex A 14.2.5

Jane Doe

RECOMMENDATIONS

Annex A 14.2.5 - Example Corporation's SDLC policy does not formally document secure engineering principles. Review and ensure that SDLC policy includes secure engineering principles.

COMPLIANCE

POST-AUDIT ACTIONS

Clause 4

Clause 5

Clause 6

Clause 7

Clause 8

Clause 9

Clause 10

Minor non-conformities found on Clause 7.5.2B, Annex A 8.2.2, and Annex A 15.2.2.

Example Corporation’s Management should review the provided Internal Audit report, develop a treatment plan, and remediate the non-conformities listed before moving into Stage 1 of the ISO 27001 audit.

Dissemination Restrictions:

Internal Use only, this report is meant to be reviewed by management of ISMS

Report PREPARED by:

Benedict Arnold

Internal Auditor

Remote - N/A

2/23/2023

4PM PST

Report APPROVED by:

John Smith

CISO

Remote - N/A

2/24/2023

11AM PST

APPENDIX B

MANAGEMENT REVIEW

Confidentiality

Date of Review

March 20, 2023

Example Corporation

Confidential

Date of Previous Review

March 10, 2023

MEETING DETAILS

ACTION ITEMS

Participants

- John Smith - CISO

- Jane Doe - Manager, GRC

- Lisa Bautista - CEO

- James Chapman - CTO

- Alice Wallace - CFO

- Benedict Arnold - Internal Auditor

Previous Items

Owner

Status

Benedict Arnold

Conduct Internal Audit

Complete

Input Items

  • Evaluation and internal audit Reports

  • Assessments, tests, or incidents lessons learned

  • Improvement inputs from the company

INFORMATION SECURITY REVIEWS

Y

Nonconformities and Corrective Actions

Y

Monitoring and Measurement Results

Y

Audit Results

Y

Information Security Objectives Fulfillment

DISCUSSION POINTS & DECISIONS

Current Items

Owner

Status

ISMS Scope Modification

Not Applicable - ISMS is established

Establish Corrective Action Plans for Internal Audit non-conformities and opportunities for improvement

Jane Doe

In-Progress

Security Policies Modification

Security Policies will be modified based on the issues identified during the 2023 ISO Internal Audit

Review failing monitoring tests and remediate

Jane Doe

In-Progress

Overall ISMS Effectiveness

ISMS Plan is found to be effective with a few action items to meet Information Security Objectives 1 and 3. Please refer to KPI Metrics table on Section 9.1

Following a failed simulation test, ensure that employees acknowledge the phishing refresher course

Jane Doe

In-Progress

Changes Internal/External

Not Applicable - ISMS is established

Ensure employees take their security awareness training

Jane Doe

In-Progress

Security Gaps

3 minor non-conformities and 1 opportunity for improvement from Internal Audit were discussed

Develop strategies to encourage employees in reporting suspicious emails

Jane Doe

Not Started

Security Improvements

Establish Corrective Action Plans for the 4 Identified Issues during the 2023 Internal Audit

Security Strategies

NOTES:

FOCUS FOR NEXT INTERNAL AUDIT

POST-REVIEW ACTIONS

Report Distribution

Method

Date

Included as part of the ISMS Plan

Uploaded to Drata’s Policy Center

March 20, 2023

Report PREPARED by:

Jane Doe

Manager, GRC

Remote - N/A

March 20, 2023

Report APPROVED by:

John Smith

CISO

Remote - N/A

March 20, 2023

APPENDIX C

CORRECTIVE ACTION REPORT

Confidentiality

Date of Review

02/28/2023

Example Corporation

Internal Use

Date of Previous Review

N/A

NON-CONFORMITIES

  1. Clause 7.5.2B

Nature

Documentation

Corrective Action

Include “Format” in all documents’ revision history table

Root Cause

Example Corporation’s document history table does not include details such as format (Electronic/Physical), language, software version, etc. which is listed in item B of Clause 7.5.2.

Implementation

Completed

Result/Effectiveness

Effective

Due Date

March 16, 2023

Owner

Jane Doe

Notes:

  1. Annex A 8.2.2

Nature

Documentation

Corrective Action

Include data labeling guidance to Example Corporation’s Data Classification Policy

Root Cause

Example Corporation’s Data Classification Policy does not include guidance for labeling data.

Implementation

In Progress

Result/Effectiveness

-

Due Date

March 20, 2023

Owner

Jane Doe

Notes:

  1. Annex A 15.2.2

Nature

Process and Documentation

Corrective Action

Develop and include procedures related to managing changes in supplier contracts to Vendor Management Policy

Root Cause

Example Corporation's Vendor Management Policy does not include procedures related to managing changes in supplier contracts, changes to the services delivered by suppliers, or changes at Example Corporation made in order to implement changes in supplier contracts or services.

Implementation

Not Started

Result/Effectiveness

-

Due Date

March 24, 2023

Owner

Jane Doe

Notes:

Revision History

Version

Date

Editor

Approver

Description of Changes

Format

1.0

03/20/2023

Jane Doe

John Smith

Initial Creation

.DOCX

Did this answer your question?