This is an example of a completed ISMS plan for ISO 27001:2013. This is only guidance and you should review the example language before including it in your own ISMS plan.
Information Security Management System Plan (ISO/IEC 27001:2013)
Example Corporation
______________________________________________________________________
Table of Contents:
Purpose
Background and Objectives
ISMS Plan
4. Context of the organization
4.1. Understanding the organization and its context
4.2. Understanding the needs and expectations of interested parties
4.3. Determining the scope of the ISMS
5. Leadership
5.1. Leadership and commitment
5.2. Policies
5.3. Organizational roles, responsibilities and authorities
6./8.1 Planning
6.1. Actions to address risks and opportunities
6.1.1. General; 6.1.2 / 8.2. Information security risk assessment
6.1.3 / 8.3. Information security risk treatment
SOA Revision History
6.2 Information security objectives and planning to achieve them
7. Support
7.1. Resources and 7.2 Competence
7.3. Awareness
7.4. Communication
7.5. Documented Information
7.5.1. General
7.5.2. Creating and updating
7.5.3. Control of documented information
9. Performance Evaluation
9.1. Monitoring, measurement, analysis and evaluation
9.2. Internal audit
9.3. Management review / 10.1. Nonconformity and corrective action / 10.2. Continual improvement
APPENDIX A
Internal Audit Plan and Procedure
Purpose
Scope
Roles and responsibilities
Plan
Procedure
APPENDIX B
APPENDIX C
Purpose
This Information Security Management System (ISMS) Plan aims to define the principles, requirements, and basic rules for the establishment, implementation and operation of the Information Security Management System.
Background and Objectives
The ISMS Plan lays the foundation of the company’s Information Security Management System, and identifies the roadmap for the establishment, implementation and operation of the ISMS and its continued efficacy. This document is supplemented by security policies and procedures that enable the treatment of risks to the organization.
Key objectives of the ISMS Plan are to:
Define the context of the organization
Define the scope of the ISMS
Provide guidance for the implementation of risk assessment findings into a Statement of Applicability
Provide proper steps and timelines for the implementation and maintenance of the ISMS
Outline the internal audit process, audit reviews, and remedial actions
Identify all necessary documents and records
Continual improvement of the ISMS
ISMS Plan
4. Context of the organization
4.1. Understanding the organization and its context
To establish an effective ISMS, have a better understanding of relevant information security issues, develop successful strategies, and allocate appropriate resources to garner optimal results, Example Corporation will define its internal and external context as they pertain to information security.
Internal and external issues are those factors relevant to Example Corporation’s purpose and that affect Example Corporation’s ability to achieve the intended outcomes of its ISMS.
Internal issues include, but are not limited to:
Governance, organizational structure (see Organization Chart), and roles and responsibilities for the ISMS (see Skills Matrix)
Policies, objectives and the strategies in place to achieve them
Company culture, values, mission, and vision (see Information Security Policy)
Flow of information and the decision-making process (see Information Security Policy)
Capabilities (e.g., capital, time, people, processes, systems and technology)
Form and extent of contractual relationships (see Vendor Management Policy)
External issues include, but are not limited to:
Information Security laws and regulations that are applicable to the company (see below)
Social and cultural
Interested parties (see below) and their cultures
Market trends and customer preferences
Political, public policy, and economic changes
Technological trends that could impact implemented security controls
4.2. Understanding the needs and expectations of interested parties
| APPLICABLE LAWS AND REGULATIONS (EXTERNAL) | Requirements / Notes |
International | GDPR | Security provisions of GDPR include data protection which ISO 27001 helps demonstrate. |
Federal | HIPAA | Security provisions of HIPAA include controls which ISO 27001 helps demonstrate. |
State | CCPA | Security provisions of CCPA include controls which ISO 27001 helps demonstrate. |
Local | N/A | N/A |
| CONTRACTUAL REQUIREMENTS (EXTERNAL) | Requirements / Notes |
JP Morgan | JP Morgan Chase requires an ISO 27001 as part of the MSA signed between Example Corporation and JP Morgan Chase Bank in 2022. | ISO 27001 Certification |
Amazon | Amazon requires evidence that Example Corporation is effectively managing the security of data provided to Example Corporation within the MSA signed in 2021 and management of Example Corporation has agreed that an ISO 27001 certification fulfills this requirement. | Any Independent Audit report fulfills agreement |
Technology Customers | Example Corporation provides a provision in all contracts between Example Corporation and customers operating in the technology industry that an ISO 27001 will be provided for their review. | ISO 27001 Certification |
| INTERESTED PARTIES (INTERNAL/EXTERNAL) | Requirements / Notes |
Customers | Customers who signed our DPA are interested in gaining assurance that Example Corporation protects data provided to them. | Evidence that client data is protected. ISO 27001 certification |
Suppliers | Suppliers are interested in gaining assurance that Example Corporation protects data provided to them | Evidence that client data is protected. ISO 27001 certification |
Regulators | European Data Protection Authorities | Evidence that demonstrates Example Corporation has a strategy for protecting Personal Data |
Contracts | See “Contractual Requirements (External)” | See “Contractual Requirements (External)” |
Shareholders/Owners/Investors | Example Corporation’s Board of Directors | Assurance that Example Corporation is continually improving its product offering and ISMS |
Management | Example Corporation’s Management is interested in providing its clients assurance that client data provided are adequately and reasonably protected | Evidence that client data is protected. ISO 27001 certification |
| DEPARTMENTS & BUSINESS UNITS (INTERNAL) | Requirements / Notes |
IT & Engineering | Management of Example Corporation has determined that a structured approach to implementing security control is needed for the software development process at Example Corporation. Management of Example Corporation agrees that Annex A 5.8 of ISO 27001 meets the business requirements to fulfill this. | A more structured approach to implementing security controls. |
HR | Management of Example Corporation has determined that additional controls related to onboarding and terminations are required at Example Corporation within the Human Resources department. Management of Example Corporation has determined that Annex A 6.0 of ISO 27001 will fulfill the need for these controls. | More formalized onboarding/offboarding process. |
Security | Management of Example Corporation has determined, with input from the Security team, that an organized approach is needed to reduce the time that the Security team spends selecting security controls to implement. Management and Security have determined that ISO 27001 provides an organized framework for the management of Information Security within an organization which meets the needs of Example Corporation. | Reduced time spent selecting security controls for implementation. |
4.3. Determining the scope of the ISMS
This document provides a clear definition for the Information Security Management System (ISMS) boundaries of Example Corporation, and applies to all matters related to the ISMS, to include documentation and activities.
This document will be used by:
Example Corporation Management
Members responsible for implementation of the ISMS
Example Corporation Employees
Through this document, Example Corporation will define the boundaries of its ISMS by outlining information that needs to be protected. This information is under the direct responsibility of Example Corporation and will be safeguarded regardless of it being additionally stored, processed or transferred in or out of the ISMS scope. In the event of the transfer of information out of the ISMS, the responsibility of applying security measures will be transferred to the external party responsible for its management.
The following items will establish the ISMS boundaries of Example Corporation, within the context of legal, regulatory, contractual, interested parties, and other stated requirements:
Organizational Units
Example Corporation Management
Information Security
Information Technology & Engineering
Human Resources
Legal
Networks and IT Infrastructure
Amazon Web Services (AWS)
GitHub
Slack
Jira
Processes and Services
Example Corporation Web Application (app.examplecorp.com)
Example Corporation Mobile Application (iOS & Android)
Locations
Not Applicable as Example Corporation has no physical locations in scope
[For companies with office locations in scope, list the appropriate address (e.g. 123 Fake Street, Fakeville, CA 91001) and/or the broad general location (e.g. Example Corporation Southeast Asia Office)]
EXCLUSIONS. The following items are explicitly excluded from the ISMS scope of Example Corporation:
Business Units:
Sales
Marketing
Finance
Vendor Dependencies:
Amazon Web Services (AWS) - Data Center & Physical Security Controls
5. Leadership
5.1. Leadership and commitment
To ensure the success of the Information Security Management System (ISMS), the management team of Example Corporation must be fully aware and appropriately engaged in matters involving the ISMS. Management must provide proper resources (e.g., personnel, funding, etc.) for the establishment, implementation, and maintenance of the ISMS.
Top Management shall demonstrate its leadership and commitment through:
Establishing an information security policy
Ensuring ISMS roles, responsibilities and authorities are assigned
Communicating the importance of effective information security management
Management commitment can be demonstrated, for example, by:
Motivating & empowering persons to contribute to the effectiveness of the ISMS
Reinforcing organizational accountability for information security management results
Creating and maintaining an internal environment in which persons can become fully involved in achieving the organization’s information security objectives
5.2. Policies
In addition to this plan, the information security plans, processes and procedures of Example Corporation will be outlined in a series of policies that define the vision and mission of Example Corporation’s management as to what needs to be achieved to ensure the protection of information, and how that will be accomplished. These policies will include:
Information Security Policy
Acceptable Use Policy
Asset Management Policy
Backup Policy
Business Continuity/Disaster Recovery Plans
Code of Conduct
Data Classification, Retention, and Protection Policies
Encryption and Password Policies
Incident Response Plan
Physical Security Policy
Responsible Disclosure Policy
Risk Assessment Policy
Software Development Life Cycle Policy
System Access Management Policy
Vendor Management Policy
Vulnerability Management Policy
5.3. Organizational roles, responsibilities and authorities
The CISO and GRC Manager are responsible for:
The design, development, maintenance, dissemination, and enforcement of the items contained in this policy and associated policies.
Ensuring that the information security management system conforms to the requirements of ISO/IEC 27001:2013 (Clause 5.2c and Clause 5.3a).
Reporting on the performance of the information security program to top management to identify areas for continuous improvement (Clause 5.2d and Clause 5.3b).
The objectives and measures outlined by this plan and associated policies shall be maintained and enforced by the roles and responsibilities specified in each policy and the company Skills Matrix (see below).
SKILLS MATRIX
[Provide applicable skill matrix that outlines key ISMS roles and responsibilities, the skills required to execute those roles and responsibilities, information of eligible members who are in those roles (e.g., name, contact information, title, location/department, etc.), members’ skills, evidence of those skills (NOTE: could use url to member’s LinkedIn profile)]
| Role Title | Job Description | ISMS Responsibilities | Required Skills & Competence | Current Member | Fully Competent (Y/N) | Competency Plan (if not fully competent) | Proof of Competency |
|---|---|---|---|---|---|---|---|
| CISO | Responsible for establishing and maintaining a comprehensive corporate-wide information security management program based on industry-accepted information security and risk management frameworks. | a) The design, development, maintenance, dissemination, and enforcement of the items contained in this policy and other ISP policies. b) Ensuring that the information security management system conforms to the requirements of ISO/IEC 27001:2013. c) Reporting on the performance of the information security program to top management to identify areas for continuous improvement (5.2d, 5.3b). |  | John Smith | N |  |  |
| Manager, Compliance | Leads the development and maintenance of the company’s compliance program to support the alignment of security architectures, plans, controls, processes, policies, and procedures with security standards and operational goals. | a) The design, development, maintenance, dissemination, and enforcement of the items contained in this policy and other ISP policies. b) Ensuring that the information security management system conforms to the requirements of ISO/IEC 27001:2013. c) Reporting on the performance of the information security program to top management to identify areas for continuous improvement (5.2d, 5.3b). |  | Jane Doe | Y |  |  |
| Internal Auditor | Leads in performing a full audit cycle including risk management and control management over operations’ effectiveness, financial reliability, and compliance with all applicable directives, standards, and regulations. | a) Conduct annual Internal Audits to drive Continuous Improvement across the Drata ISMS. |  | Benedict Arnold | Y |  |  |
6./8.1 Planning
6.1. Actions to address risks and opportunities
6.1.1. General; 6.1.2 / 8.2. Information security risk assessment
Methodology. Example Corporation will establish a well-defined methodology for risk assessment tailored to the company’s circumstances and needs, which will include the method of defining the following (see Risk Assessment Policy):
Risks that could cause the loss of confidentiality, integrity, and/or availability of information
Identification of risk owners
Assessment of the consequences and the likelihood of each risk
Risk calculation
Risk acceptance
The risk methodology will ensure that risk assessment results are consistent and comparable across all relevant parts of the company.
Performance. Example Corporation will conduct a risk assessment as outlined in its Risk Assessment Policy, and will produce a Risk Assessment Report.
6.1.3 / 8.3. Information security risk treatment
Risk Treatment Plan. The Risk Treatment Plan is a crucial part of the ISMS implementation. Example Corporation will have a well-defined Risk Treatment Plan, which will outline how the controls from the Statement of Applicability will be implemented, including responsible parties, timing and intervals, and allocated resources/budgets.
Evaluation of Effectiveness. Example Corporation will measure and evaluate the fulfillment and effectiveness of the controls in place and of other ISMS objectives, as set forth in the Risk Treatment Plan.
Statement of Applicability. The Statement of Applicability (SOA) links Example Corporation’s risk assessment and treatment with the implementation of the ISMS. It provides the company with an overview of what needs to be done in information security, why, and how.
The SOA will list all Annex A controls, both those that are applicable and those that are not. Each control decision will carry a justification stating whether the control was implemented, why, and where (see below).
SOA REVISION HISTORY
Version | Date | Editor | Description of Changes |
1.0 | 12/21/22 | Jane Doe | Initial Creation |
STATEMENT OF APPLICABILITY
* LR: Legal Requirement, CO: Contractual Obligation, BR/BP: Business Requirement/Best Practice, RRA: Results of Risk Assessment
| CONTROL | OBJECTIVE & DESCRIPTION | STATUS (Applicable/NA) | LR* | CO* | BR/BP* | RRA* | REMARKS | RESPONSIBLE ENTITY (Dept/Role) |
|---|---|---|---|---|---|---|---|---|
| A.5 | INFORMATION SECURITY POLICIES |  |  |  |  |  |  |  |
| A.5.1 | MANAGEMENT DIRECTION FOR INFORMATION SECURITY. Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. |  |  |  |  |  |  |  |
| A.5.1.1 | Policies for information security. A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. | Applicable |  |  | Y |  | None | Management; Information Security |
| A.5.1.2 | Review of the policies for information security. The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. | Applicable |  |  | Y |  | None | Management; Information Security |
| A.6 | ORGANIZATION OF INFORMATION SECURITY |  |  |  |  |  |  |  |
| A.6.1 | INTERNAL ORGANIZATION. Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization. |  |  |  |  |  |  |  |
| A.6.1.1 | Information security roles and responsibilities. All information security responsibilities shall be defined and allocated. | Applicable |  |  | Y |  | None | Management; Information Security |
| A.6.1.2 | Segregation of duties. Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets. | Applicable |  |  | Y |  | None | Management; Information Security |
| A.6.1.3 | Contact with authorities. Appropriate contacts with relevant authorities shall be maintained. | Applicable | Y |  |  |  | None | Management; Information Security; Legal |
| A.6.1.4 | Contact with special interest groups. Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained. | Applicable |  |  | Y |  | None | Management; Information Technology |
| A.6.1.5 | Information security in project management. Information security shall be addressed in project management, regardless of the type of the project. | Applicable |  | Y | Y |  | None | Information Technology; Information Security |
| A.6.2 | MOBILE DEVICES AND TELEWORKING. Objective: To ensure the security of teleworking and use of mobile devices. |  |  |  |  |  |  |  |
| A.6.2.1 | Mobile device policy. A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. | Applicable |  |  | Y |  | None | Information Technology |
| A.6.2.2 | Teleworking. A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites. | Applicable |  |  | Y |  | None | Management; Information Technology |
| A.7 | HUMAN RESOURCE SECURITY |  |  |  |  |  |  |  |
| A.7.1 | PRIOR TO EMPLOYMENT. Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. |  |  |  |  |  |  |  |
| A.7.1.1 | Screening. Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. | Applicable | Y | Y | Y |  | None | Human Resources |
| A.7.1.2 | Terms and conditions of employment. The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security. | Applicable | Y |  | Y |  | None | Management; Human Resources |
| A.7.2 | DURING EMPLOYMENT. Objective: To ensure that employees and contractors are aware of and fulfill their information security responsibilities. |  |  |  |  |  |  |  |
| A.7.2.1 | Management responsibilities. Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. | Applicable |  |  | Y |  | None | Management; Information Security |
| A.7.2.2 | Information security awareness, education and training. All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. | Applicable | Y |  | Y |  | None | Human Resources; Information Security |
| A.7.2.3 | Disciplinary process. There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. | Applicable | Y |  | Y |  | None | Management; Human Resources |
| A.7.3 | TERMINATION AND CHANGE OF EMPLOYMENT. Objective: To protect the organization’s interests as part of the process of changing or terminating employment. |  |  |  |  |  |  |  |
| A.7.3.1 | Termination or change of employment responsibilities. Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. | Applicable | Y |  | Y |  | None | Management; Human Resources; Information Security |
| A.8 | ASSET MANAGEMENT |  |  |  |  |  |  |  |
| A.8.1 | RESPONSIBILITY FOR ASSETS. Objective: To identify organizational assets and define appropriate protection responsibilities. |  |  |  |  |  |  |  |
| A.8.1.1 | Inventory of assets. Information, other assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. | Applicable |  |  | Y |  | None | Information Technology |
| A.8.1.2 | Ownership of assets. Assets maintained in the inventory shall be owned. | Applicable |  |  | Y |  | None | Information Technology |
| A.8.1.3 | Acceptable use of assets. Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented. | Applicable |  |  | Y |  | None | Management; Information Technology; Human Resources |
| A.8.1.4 | Return of assets. All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement. | Applicable |  |  | Y |  | None | Management; Information Technology; Human Resources |
| A.8.2 | INFORMATION CLASSIFICATION. Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization. |  |  |  |  |  |  |  |
| A.8.2.1 | Classification of information. Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification. | Applicable |  |  | Y |  | None | Management; Information Security |
| A.8.2.2 | Labeling of information. An appropriate set of procedures for information labeling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. | Applicable |  |  | Y | Y | None | Management; Information Security |
| A.8.2.3 | Handling of assets. Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. | Applicable |  |  | Y |  | None | Management; Information Technology; Human Resources |
| A.8.3 | MEDIA HANDLING. Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media. |  |  |  |  |  |  |  |
| A.8.3.1 | Management of removable media. Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. | Not Applicable | N/A | N/A | N/A | N/A | Example Corporation does not have a physical location in scope for the ISMS Plan. | N/A |
| A.8.3.2 | Disposal of media. Media shall be disposed of securely when no longer required, using formal procedures. | Not Applicable | N/A | N/A | N/A | N/A | Example Corporation does not have a physical location in scope for the ISMS Plan. | N/A |
| A.8.3.3 | Physical media transfer. Media containing information shall be protected against unauthorized access, misuse or corruption during transportation. | Not Applicable | N/A | N/A | N/A | N/A | Example Corporation does not have a physical location in scope for the ISMS Plan. | N/A |
| A.9 | ACCESS CONTROL |  |  |  |  |  |  |  |
| A.9.1 | BUSINESS REQUIREMENTS OF ACCESS CONTROL. Objective: To limit access to information and information processing facilities. |  |  |  |  |  |  |  |
| A.9.1.1 | Access control policy. An access control policy shall be established, documented and reviewed based on business and information security requirements. | Applicable |  | Y | Y |  | None | Information Security; Information Technology |
| A.9.1.2 | Access to networks and network services. Users shall only be provided with access to the network and network services that they have been specifically authorized to use. | Applicable |  | Y | Y |  | None | Information Security; Information Technology |
| A.9.2 | USER ACCESS MANAGEMENT. Objective: To ensure authorized user access and to prevent unauthorized access to systems and services. |  |  |  |  |  |  |  |
| A.9.2.1 | User registration and deregistration. A formal user registration and de-registration process shall be implemented to enable assignment of access rights. | Applicable |  |  | Y |  | None | Information Technology |
| A.9.2.2 | User access provisioning. A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. | Applicable |  | Y | Y |  | None | Information Technology |
| A.9.2.3 | Management of privileged access rights. The allocation and use of privileged access rights shall be restricted and controlled. | Applicable |  |  | Y |  | None | Information Technology; Information Security |
| A.9.2.4 | Management of secret authentication information of users. The allocation of secret authentication information shall be controlled through a formal management process. | Applicable |  | Y | Y |  | None | Information Technology |
| A.9.2.5 | Review of user access rights. Asset owners shall review users’ access rights at regular intervals. | Applicable |  | Y | Y |  | None | Information Technology |
| A.9.2.6 | Removal or adjustment of access rights. The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. | Applicable |  | Y | Y |  | None | Information Technology |
| A.9.3 | USER RESPONSIBILITIES. Objective: To make users accountable for safeguarding their authentication information. |  |  |  |  |  |  |  |
| A.9.3.1 | Use of secret authentication information. Users shall be required to follow the organization’s practices in the use of secret authentication information. | Applicable |  | Y | Y |  | None | Information Technology |
| A.9.4 | SYSTEM AND APPLICATION ACCESS CONTROL. Objective: To prevent unauthorized access to systems and applications. |  |  |  |  |  |  |  |
| A.9.4.1 | Information access restriction. Access to information and application system functions shall be restricted in accordance with the access control policy. | Applicable |  | Y | Y |  | None | Information Technology; Information Security |
| A.9.4.2 | Secure log-on procedures. Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. | Applicable |  | Y | Y |  | None | Information Technology; Information Security |
| A.9.4.3 | Password management system. Password management systems shall be interactive and shall ensure quality passwords. | Applicable |  | Y | Y |  | None | Information Technology |
| A.9.4.4 | Use of privileged utility programs. The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. | Applicable |  |  | Y |  | None | Information Security |
| A.9.4.5 | Access control to program source code. Access to program source code shall be restricted. | Applicable |  | Y | Y |  | None | Information Technology; Information Security |
| A.10 | CRYPTOGRAPHY |  |  |  |  |  |  |  |
| A.10.1 | CRYPTOGRAPHIC CONTROLS. Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. |  |  |  |  |  |  |  |
| A.10.1.1 | Policy on the use of cryptographic controls. A policy on the use of cryptographic controls for protection of information shall be developed and implemented. | Applicable | Y | Y | Y |  | None | Information Security |
| A.10.1.2 | Key management. A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle. | Applicable | Y | Y | Y |  | None | Information Security |
| A.11 | PHYSICAL AND ENVIRONMENTAL SECURITY |  |  |  |  |  |  |  |
| A.11.1 | SECURE AREAS. Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities. |  |  |  |  |  |  |  |
| A.11.1.1 | Physical security perimeter. Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. | Not Applicable | N/A | N/A | N/A | N/A | Example Corporation does not have a physical location in scope for the ISMS Plan. | N/A |
| A.11.1.2 | Physical entry controls. Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. | Not Applicable | N/A | N/A | N/A | N/A | Example Corporation does not have a physical location in scope for the ISMS Plan. | N/A |
| A.11.1.3 | Securing offices, rooms and facilities. Physical security for offices, rooms and facilities shall be designed and applied. | Not Applicable | N/A | N/A | N/A | N/A | Example Corporation does not have a physical location in scope for the ISMS Plan. | N/A |
| A.11.1.4 | Protecting against external and environmental threats. Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. | Not Applicable | N/A | N/A | N/A | N/A | Example Corporation does not have a physical location in scope for the ISMS Plan. | N/A |
| A.11.1.5 | Working in secure areas. Procedures for working in secure areas shall be designed and applied. | Not Applicable | N/A | N/A | N/A | N/A | Owned by Cloud Service Provider | Cloud Service Provider |
| A.11.1.6 | Delivery and loading areas. Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. | Not Applicable | N/A | N/A | N/A | N/A | Example Corporation does not have a physical location in scope for the ISMS Plan. | N/A |
| A.11.2 | EQUIPMENT. Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations. |  |  |  |  |  |  |  |
| A.11.2.1 | Equipment siting and protection. Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. | Not Applicable | N/A | N/A | N/A | N/A | Owned by Cloud Service Provider | Cloud Service Provider |
| A.11.2.2 | Supporting utilities. Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. | Not Applicable | N/A | N/A | N/A | N/A | Owned by Cloud Service Provider | Cloud Service Provider |
| A.11.2.3 | Cabling security. Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage. | Not Applicable | N/A | N/A | N/A | N/A | Owned by Cloud Service Provider | Cloud Service Provider |
| A.11.2.4 | Equipment maintenance. Equipment shall be correctly maintained to ensure its continued availability and integrity. | Not Applicable | N/A | N/A | N/A | N/A | Owned by Cloud Service Provider | Cloud Service Provider |
| A.11.2.5 | Removal of assets. Equipment, information or software shall not be taken off-site without prior authorization. | Not Applicable | N/A | N/A | N/A | N/A | Example Corporation does not have a physical location in scope for the ISMS Plan. | N/A |
| A.11.2.6 | Security of equipment and assets off-premises. Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises. | Not Applicable | N/A | N/A | N/A | N/A | Owned by Cloud Service Provider | Cloud Service Provider |
| A.11.2.7 | Secure disposal or reuse of equipment. All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. | Applicable |  |  | Y |  | None | Information Technology |
| A.11.2.8 | Unattended user equipment. Users shall ensure that unattended equipment has appropriate protection. | Applicable |  |  | Y |  | None | Information Technology |
| A.11.2.9 | Clear desk and clear screen policy. A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. | Not Applicable | N/A | N/A | N/A | N/A | Example Corporation does not have a physical location in scope for the ISMS Plan. | N/A |
A.12 | OPERATIONS SECURITY |
A.12.1 | OPERATIONAL PROCEDURES AND RESPONSIBILITIES. Objective: To ensure correct and secure operations of information processing facilities. |
A.12.1.1 | Documented operating procedures: Operating procedures shall be documented and made available to all users who need them. | Applicable | Y | Y | Y | | None | Management; Information Security |
A.12.1.2 | Change management: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled. | Applicable | | | Y | | None | Information Technology; Information Security |
A.12.1.3 | Capacity management: The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. | Applicable | | | Y | | None | Information Technology |
A.12.1.4 | Separation of development, testing and operational environments: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment. | Applicable | | | Y | | None | Information Technology |
A.12.2 | PROTECTION FROM MALWARE. Objective: To ensure that information and information processing facilities are protected against malware. |
A.12.2.1 | Controls against malware: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness. | Applicable | | Y | Y | | None | Information Security |
A.12.3 | BACKUP. Objective: To protect against loss of data. |
A.12.3.1 | Information backup: Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. | Applicable | | | Y | | None | Information Technology; Information Security |
A.12.4 | LOGGING AND MONITORING. Objective: To record events and generate evidence. |
A.12.4.1 | Event logging: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. | Applicable | Y | Y | Y | | None | Information Security |
A.12.4.2 | Protection of log information: Logging facilities and log information shall be protected against tampering and unauthorized access. | Applicable | Y | Y | Y | | None | Information Security |
A.12.4.3 | Administrator and operator logs: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. | Applicable | Y | Y | Y | | None | Information Security |
A.12.4.4 | Clock synchronization: The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source. | Applicable | | | Y | | None | Information Technology |
A.12.5 | CONTROL OF OPERATIONAL SOFTWARE. Objective: To ensure the integrity of operational systems. |
A.12.5.1 | Installation of software on operational systems: Procedures shall be implemented to control the installation of software on operational systems. | Applicable | | | Y | | None | Information Security |
A.12.6 | TECHNICAL VULNERABILITY MANAGEMENT. Objective: To prevent exploitation of technical vulnerabilities. |
A.12.6.1 | Management of technical vulnerabilities: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. | Applicable | | Y | Y | | None | Information Security |
A.12.6.2 | Restrictions on software installation: Rules governing the installation of software by users shall be established and implemented. | Applicable | | | Y | | None | Information Security |
A.12.7 | INFORMATION SYSTEMS AUDIT CONSIDERATIONS. Objective: To minimize the impact of audit activities on operational systems. |
A.12.7.1 | Information systems audit controls: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes. | Applicable | | | Y | | None | Information Security |
A.13 | COMMUNICATIONS SECURITY |
A.13.1 | NETWORK SECURITY MANAGEMENT. Objective: To ensure the protection of information in networks and its supporting information processing facilities. |
A.13.1.1 | Network controls: Networks shall be managed and controlled to protect information in systems and applications. | Applicable | | | Y | | None | Information Security |
A.13.1.2 | Security of network services: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. | Applicable | | | Y | | None | Information Security |
A.13.1.3 | Segregation in networks: Groups of information services, users and information systems shall be segregated on networks. | Applicable | | Y | Y | | None | Information Security |
A.13.2 | INFORMATION TRANSFER. Objective: To maintain the security of information transferred within an organization and with any external entity. |
A.13.2.1 | Information transfer policies and procedures: Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. | Applicable | | Y | Y | | None | Management; Information Security; Information Technology |
A.13.2.2 | Agreements on information transfer: Agreements shall address the secure transfer of business information between the organization and external parties. | Applicable | | Y | Y | | None | Management; Information Security; Information Technology |
A.13.2.3 | Electronic messaging: Information involved in electronic messaging shall be appropriately protected. | Applicable | | Y | Y | | None | Management; Information Security; Information Technology |
A.13.2.4 | Confidentiality or non-disclosure agreements: Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented. | Applicable | | Y | Y | | None | Management; Human Resources; Legal |
A.14 | SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE |
A.14.1 | SECURITY REQUIREMENTS OF INFORMATION SYSTEMS. Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks. |
A.14.1.1 | Information security requirements analysis and specification: The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. | Applicable | | Y | Y | | None | Information Technology; Information Security |
A.14.1.2 | Securing application services on public networks: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. | Applicable | | | Y | | None | Information Security |
A.14.1.3 | Protecting application services transactions: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. | Applicable | | | Y | | None | Information Security |
A.14.2 | SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES. Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems. |
A.14.2.1 | Secure development policy: Rules for the development of software and systems shall be established and applied to developments within the organization. | Applicable | | | Y | | None | Information Technology; Information Security |
A.14.2.2 | System change control procedures: Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. | Applicable | | | Y | | None | Information Technology; Information Security |
A.14.2.3 | Technical review of applications after operating platform changes: When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security. | Applicable | | | Y | | None | Information Technology; Information Security |
A.14.2.4 | Restrictions on changes to software packages: Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. | Applicable | | | Y | | None | Information Technology; Information Security |
A.14.2.5 | Secure system engineering principles: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts. | Applicable | | | Y | Y | None | Information Technology; Information Security |
A.14.2.6 | Secure development environment: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development life cycle. | Applicable | | | Y | | None | Information Technology |
A.14.2.7 | Outsourced development: The organization shall supervise and monitor the activity of outsourced system development. | Applicable | | | Y | | None | Information Technology; Information Security |
A.14.2.8 | System security testing: Testing of security functionality shall be carried out during development. | Applicable | | | Y | | None | Information Technology; Information Security |
A.14.2.9 | System acceptance testing: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. | Applicable | | | Y | | None | Information Technology; Information Security |
A.14.3 | TEST DATA. Objective: To ensure the protection of data used for testing. |
A.14.3.1 | Protection of test data: Test data shall be selected carefully, protected and controlled. | Applicable | | | Y | | None | Information Technology |
A.15 | SUPPLIER RELATIONSHIPS |
A.15.1 | INFORMATION SECURITY IN SUPPLIER RELATIONSHIPS. Objective: To ensure protection of the organization’s assets that are accessible by suppliers. |
A.15.1.1 | Information security policy for supplier relationships: Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented. | Applicable | Y | | Y | | None | Management; Information Security |
A.15.1.2 | Addressing security within supplier agreements: All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for the organization’s information. | Applicable | Y | | Y | | None | Management; Information Security |
A.15.1.3 | Information and communication technology supply chain: Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain. | Applicable | | | Y | | None | Information Security |
A.15.2 | SUPPLIER SERVICE DELIVERY MANAGEMENT. Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements. |
A.15.2.1 | Monitoring and review of supplier services: Organizations shall regularly monitor, review and audit supplier service delivery. | Applicable | Y | | Y | Y | None | Management; Information Security |
A.15.2.2 | Managing changes to supplier services: Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. | Applicable | Y | | Y | Y | None | Management; Information Security |
A.16 | INFORMATION SECURITY INCIDENT MANAGEMENT |
A.16.1 | MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS. Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. |
A.16.1.1 | Responsibilities and procedures: Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. | Applicable | Y | Y | Y | | None | Information Security |
A.16.1.2 | Reporting information security events: Information security events shall be reported through appropriate management channels as quickly as possible. | Applicable | | | Y | | None | Management; Information Security; All Users |
A.16.1.3 | Reporting information security weaknesses: Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services. | Applicable | | | Y | | None | Management; Information Security; All Users |
A.16.1.4 | Assessment of and decision on information security events: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents. | Applicable | Y | Y | Y | | None | Management; Information Security |
A.16.1.5 | Response to information security incidents: Information security incidents shall be responded to in accordance with the documented procedures. | Applicable | Y | Y | Y | | None | Information Security |
A.16.1.6 | Learning from information security incidents: Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. | Applicable | | | Y | | None | Information Security |
A.16.1.7 | Collection of evidence: The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. | Applicable | Y | Y | Y | | None | Information Security |
A.17 | INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT |
A.17.1 | INFORMATION SECURITY CONTINUITY. Objective: Information security continuity shall be embedded in the organization’s business continuity management systems. |
A.17.1.1 | Planning information security continuity: The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. | Applicable | | | Y | | None | Management; Information Security |
A.17.1.2 | Implementing information security continuity: The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. | Applicable | | | Y | | None | Management; Information Security |
A.17.1.3 | Verify, review and evaluate information security continuity: The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. | Applicable | | | Y | | None | Management; Information Security |
A.17.2 | REDUNDANCIES. Objective: To ensure availability of information processing facilities. |
A.17.2.1 | Availability of information processing facilities: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. | Applicable | | | Y | | None | Information Technology |
A.18 | COMPLIANCE |
A.18.1 | COMPLIANCE WITH LEGAL AND CONTRACTUAL REQUIREMENTS. Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. |
A.18.1.1 | Identification of applicable legislation and contractual requirements: All relevant legislative, statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. | Applicable | Y | | Y | | None | Management; Information Security; Legal |
A.18.1.2 | Intellectual property rights: Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. | Applicable | Y | | Y | | None | Management; Information Security; Legal |
A.18.1.3 | Protection of records: Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. | Applicable | Y | | Y | | None | Management; Information Security; Legal |
A.18.1.4 | Privacy and protection of personally identifiable information: Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable. | Applicable | Y | Y | Y | | None | Management; Information Security; Legal |
A.18.1.5 | Regulation of cryptographic controls: Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations. | Applicable | Y | | Y | | None | Management; Information Security; Legal |
A.18.2 | INFORMATION SECURITY REVIEWS. Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures. |
A.18.2.1 | Independent review of information security: The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur. | Applicable | Y | Y | Y | | None | Management; Information Security |
A.18.2.2 | Compliance with security policies and standards: Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. | Applicable | Y | Y | Y | | None | Management; Information Security |
A.18.2.3 | Technical compliance review: Information systems shall be regularly reviewed for compliance with the organization’s information security policies and standards. | Applicable | Y | Y | Y | | None | Management; Information Security |
6.2 Information security objectives and planning to achieve them
In accordance with Example Corporation’s Information Security Policy, each information security objective will state the following:
What will be done
Resources Required
Responsible Parties/Personnel
Completion Timeline
Metrics for Evaluation and Acceptance Criteria
Example Corporation will maintain 5-7 information security objectives covering Confidentiality, Integrity, and Availability as they relate to Example Corporation’s ISMS. The objectives will be tracked and updated when needed.
INFORMATION SECURITY OBJECTIVES
Objective ID | Objective | Action | Required Resources | Responsible Party | Timeline | Acceptance Criteria | Status |
1 | All identified controls are in place | List controls; implement controls; verify controls | Specialist IT team; Internal audit | Manager, GRC | 6 months | Refer to KPI Metrics table, Section 9.1 | In Progress |
2 | All business continuity plans have been tested in the previous year | Agree testing schedule; conduct tests; produce test reports | Operational staff time | CISO | 6 months | Refer to KPI Metrics table, Section 9.1 | In Progress |
3 | Training in information security has been provided for all key resources | Identify key resources; identify courses; attend courses; complete training records | Training budget; time of attendees | Manager, GRC | 3 months | Refer to KPI Metrics table, Section 9.1 | Complete |
4 | Increase number of days provided by business teams for information security activities | Agree allocation with top management; plan involvement; conduct activities; record days spent | Business teams | CISO | 9 months | Refer to KPI Metrics table, Section 9.1 | Behind Schedule |
5 | Reduce number of high priority risks on risk register | Hold workshops to identify ideas; implement ideas | Risk owners; IT team | CISO | 9 months | Refer to KPI Metrics table, Section 9.1 | In Progress |
7. Support
7.1. Resources and 7.2 Competence
Proper operation and maintenance of the ISMS requires adequate personnel planning and resources. Example Corporation management is committed to ensuring that the ISMS roles and responsibilities, and the skills necessary to perform them, are well-defined, and that those roles are staffed by people with the requisite skills (see Skills Matrix above). Management will also ensure that the ISMS is prioritized in the budgeting process and properly resourced so that it can perform effectively.
7.3. Awareness
To ensure the proper implementation of the controls, policies, and procedures, Example Corporation will promote awareness and provide training on why these provisions are necessary and on how personnel are to perform their roles and responsibilities in accordance with them.
7.4. Communication
Example Corporation’s communication plan outlines the lines of communication within the organization and with outside entities, including appropriate government agencies (e.g., law enforcement) and non-governmental organizations. It also defines the times and intervals, the triggering events and situations, and the personnel responsible for each communication (see below).
COMMUNICATION PLAN
Document/Deliverable | Frequency of Communication | Sender (Delivery from) | Audience (Delivery to) | Delivery Type | Delivery Evidence |
Internal Audit Report | Annually | Internal Auditor; Member of Security Team | CISO; Risk Committee | Presentations; Drata Evidence Library (with access to Drata) | Committee Meeting Minutes; In Drata |
External Audit Report | Annually | External Auditor; Member of Security Team | CISO; Risk Committee; Board of Directors | Presentations | Risk Committee and/or Board of Directors Closing Meeting Minutes |
ISO 27001 Certificate | As new certificates are issued | External Auditor; Member of Web Dev Team | Posted on company website; Marketing; Sales | Web Posting | Website |
Corrective Action Report | Quarterly | Member responsible for developing CARs | CISO; Business Unit Leadership responsible for Corrective Actions; (for external findings) External Auditor | Meetings; Drata Evidence Library (with access to Drata) | Meeting Minutes; In Drata |
ISMS Security Objectives | Quarterly | Member responsible for developing objectives | Business Unit Leadership for Security Objectives | Meetings; Drata Evidence Library (with access to Drata) | Meeting Minutes; In Drata |
Risk Treatment Plans | Quarterly | Member responsible for developing RTPs | CISO; Risk Committee; Business Unit Leadership for RTP | Meetings; Drata Evidence Library (with access to Drata) | Meeting Minutes; In Drata |
Management Review Report | Annually or as necessary | Member responsible for reporting metrics in Management Review | CISO; Appropriate Business Unit Leadership | Meetings; Drata Evidence Library (with access to Drata) | Meeting Minutes; In Drata |
External Incident Response Report | As necessary | Designated member to communicate with external parties (e.g., government agencies, NGOs, etc.) | External Parties (e.g., government agencies, NGOs, etc.) | Phone; as required by local regulations or standards | Phone Log; Appropriate Records |
7.5. Documented Information
7.5.1. General
The following table includes the documents determined by Example Corporation as being necessary for the effectiveness of the ISMS.
MANDATORY RECORDS & DOCUMENTS
Document | Reference | Location |
ISO 27001:2013 TIER 1 DOCUMENTATION |
Scope of The Information Security Management System (ISMS) | Clause 4.3 | Section 4.3 of the ISMS Plan |
Information Security Policy | Clause 5.2 | Drata Policy Center |
Definition of Security Roles & Responsibilities | Clause 5.2, Annex A.7.1.2 | Skills Matrix section of the ISMS Plan |
Information Security Objectives | Clause 6.2 | Information Security Objectives section of the ISMS Plan |
Risk Assessment Process | Clause 6.1.2 | Risk Assessment Policy |
Risk Assessment Report | Clause 8.2 | Drata - Evidence Library |
Risk Treatment Process | Clause 6.1.3 | Risk Assessment Policy |
Risk Treatment Plan | Clause 6.1.3e | Drata - Evidence Library |
Statement of Applicability (For Controls in Annex A) | Clause 6.1.3d | Statement of Applicability section of the ISMS Plan |
List of Interested Parties, Legal & Other Requirements | Clauses 4.2 & 6.1 | Section 4.2 of the ISMS Plan |
Competence (e.g., Skills Matrix & Associated Proof Of Skills) | Clause 7.2 | Skills Matrix section of the ISMS Plan |
Evidence of Communication | Clause 7.4 | Communication Plan section of the ISMS Plan |
Procedure for Document Control | Clause 7.5 | Last page of ISMS Plan |
Monitoring & Measurement Results | Clause 9.1 | Drata - Monitoring page |
Internal Audit Plan & Reports | Clause 9.2 | Internal Audit Section of the ISMS Plan |
Results of Management Reviews of ISMS | Clause 9.3 | Appendix B of the ISMS Plan |
Nonconformities, Corrective Actions & Improvement Suggestions | Clause 10.1; 10.2 | Appendix C of the ISMS Plan |
ISO 27001:2013 TIER 2 DOCUMENTATION |
Inventory of Assets | Annex A.8.1.1 | Drata - Assets module |
Acceptable Use of Assets | Annex A.8.1.3 | Drata - Policy Center |
Access Control Policy | Annex A.9.1.1 | Drata - Policy Center |
Operating Procedures for Information Security | Annex A.12.1.1 | Drata - Policy Center |
Logs of User Activities, Exceptions, Faults & Security Events | Annex A.12.4.1 | Drata - Policy Center, AWS CloudTrail |
Logs of System Administrator & System user activities, exceptions, faults and security events | Annex A.12.4.3 | Drata - Policy Center, AWS CloudTrail |
Incident Management Procedure | Annex A.16.1.5 | Drata - Policy Center |
Business Continuity Strategy & Procedures | Annex A.17.1 | Drata - Policy Center |
Statutory, Regulatory, And Contractual Requirements | Annex A.18.1.1 | Section 4.2 of the ISMS Plan |
CONDITIONAL RECORDS & DOCUMENTS (If Applicable)
Document | Reference | Location |
Confidentiality or Non-Disclosure Agreements | Annex A.13.2.4 | Google Drive |
Secure System Engineering Principles | Annex A.14.2.5 | Drata - Policy Center |
Supplier Security Policy | Annex A.15.1.1 | Google Drive |
DISCRETIONARY RECORDS & DOCUMENTS (Commonly Used)
Document | Reference | Location |
Controls for Managing Records | 7.5 | Section 7.5.2-.3 of the ISMS Plan |
Procedure for Measuring and Monitoring | 9.1 | Section 9.1 of the ISMS Plan |
Procedure for Corrective Action | 10.1 | Appendix C of the ISMS Plan |
Bring Your Own Device (BYOD) Policy | Annex A.6.2.1 | Drata - Policy Center |
Mobile Device & Teleworking Policy | Annex A.6.2.1 | Drata - Policy Center |
Information Classification Policy | Annex A.8.2 | Drata - Policy Center |
User Access Rights Policies (Including Password Control) | Annex A.9.2 | Drata - Policy Center |
Disposal & Destruction Policy | Annex A.8.3.2; A.11.2.7 | Drata - Policy Center |
Procedures for Working in Secure Areas | Annex A.11.1.5 | Drata - Policy Center |
Clear Desk & Clear Screen Policy | Annex A.11.2.9 | Drata - Policy Center |
Organizational Change Management Policy | Annex A.12.1.2 | Drata - Policy Center |
Software Change Management Policy | Annex A.14.2.4 | Drata - Policy Center |
Backup Policy | Annex A.12.3.1 | Drata - Policy Center |
Information Transfer Policy | Annex A.13.2 | Drata - Policy Center |
Business Impact Analysis | Annex A.17.1.1 | Drata - Policy Center |
ISMS Continuity Controls Testing Plan | Annex A.17.1.3 | Drata - Policy Center |
7.5.2. Creating and updating
Example Corporation ensures documentation generated by Example Corporation personnel is appropriately controlled. Consideration is given to:
Identification of documentation through the assignment of titles, dates, authors, and reference numbers.
Format including language, version, and media (physical or electronic) used to display and communicate documentation.
Review and approval for suitability, adequacy, and accuracy of the information contained within documentation.
The record of this consideration is contained within the “Revision History” table inside of each policy, and records of review and approval are contained within the Drata Policy Center, which documents the policy approval and assigned owner.
7.5.3. Control of documented information
A crucial task for Example Corporation in the operation and maintenance of the ISMS is collecting the records and evidence that demonstrate the ISMS is functioning and effective. These records will also reflect personnel performance and the completion of necessary tasks.
Example Corporation will also have a systematic approach for document management. To control documents:
Classify documents properly
Define members with the rights for distribution, access, retrieval, and use of documents, and the necessary actions to be performed.
Identify methods currently used to receive, process, approve/reject, store and/ or delete documents.
Align business processes to document management requirements
Identify documents for control
Integrate change controls to ensure integrity of documents
9. Performance Evaluation
9.1. Monitoring, measurement, analysis and evaluation
Example Corporation will evaluate its security objectives by monitoring and measuring implemented controls. Monitoring provides awareness of the status and state of the assets and processes selected to be watched, and can provide basic and immediate alerts when something is not performing as expected. Measurement allows assets and processes to be evaluated against predefined units. The assets and processes selected for evaluation will be properly documented, and the company will produce and maintain reports and evidence of each evaluation.
These evaluations are meant to allow the Example Corporation to:
Ensure control objectives are being satisfied and validate the decisions made;
Establish a roadmap to meet set targets and expectations;
Produce evidence and justification for implemented measures; and/or,
Discover and identify security gaps that would require change, corrective action(s), or intervention.
KPI Metrics
KPI | Infosec Objective ID (from 6.2) | Frequency | Measure | Result | Target | Supporting Documentation | KPI Owner | Last Review Date |
ISMS Plan Review | 6 | Annually | (# of Reviews / 1) * 100 | 100% | 100% | Security Steering Committee Meeting Minutes | CISO | 01/20/2023 |
Information Security Policy Review | 1, 4 | Annually | (# of Reviews / 1) * 100 | 100% | 100% | Information Security Policy | CISO | 01/20/2023 |
Security Awareness Training | 3 | Annually | (# of employees who received SATE / total # of employees) * 100 | 87% | 90-100% | Proofpoint Security Awareness Training Results | Manager, GRC | 01/20/2023 |
Social Engineering Reporting Rate | 3 | Quarterly | (# of phishing simulation reports / total # of employees) * 100 | 43% | >50% | Proofpoint Security Awareness Training Results | Manager, GRC | 03/06/2023 |
Social Engineering Failure Rate | 3 | Quarterly | (# of phishing simulation failures / total # of employees) * 100 | 7% | <5% | Proofpoint Security Awareness Training Results | Manager, GRC | 03/06/2023 |
BC/DR Annual Test | 1, 2 | Annually | (# of BC/DR test performed / 1) * 100 | 100% | 100% | BC/DR Test Report | CISO | 02/17/2023 |
Annual Incident Response Test | 1, 5, 6 | Annually | (# of IR test performed / 1) * 100 | 100% | 100% | IR Test Report | CISO | 02/24/2023 |
Penetration Test | 1, 5, 6 | Annually | (# of penetration test performed / 1) * 100 | 100% | 100% | Penetration Test Report | Manager, GRC | 01/17/2023 |
Vulnerability Scans | 1, 5, 6 | Monthly | (# of vulnerability scans performed / 12) * 100 | 100% | 100% | AWS GuardDuty | Manager, GRC | 03/20/2023 |
User Access Reviews | 1, 6 | Quarterly | (# of user access reviews performed / 4) * 100 | 100% | 100% | User Access Review emails | Manager, GRC | 01/09/2023 |
Annual Board of Directors meeting on Cybersecurity | 4 | Annually | (# of Board Meetings / 1) * 100 | 100% | 100% | Board of Director Meeting Minutes | CISO | 03/03/2023 |
Platform Availability metric | 1, 4 | Monthly | ((Total minutes in period - Downtime minutes) / Total minutes in period) * 100 | 99.5% | 99.5% | Status page | IT | 03/20/2023 |
Drata Controls Monitoring | 1 | Daily | (# of passing tests / total # of tests) * 100 | 93% | 95%-100% | Drata Monitoring | Manager, GRC | 03/23/2023 |
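The KPI table above mixes three kinds of target expression (a bare percentage, a range, and a one-sided bound), and a review that compares results to targets by hand is easy to get wrong. The script below is an added example, not code from Example Corporation's plan or from the Drata platform: it parses the targets exactly as the table writes them, computes each KPI from a numerator and denominator, and lists the KPIs that miss target. The sample counts are constructed to mirror the table, and treating a bare percentage such as "100%" or "99.5%" as a floor is an assumption.

```python
"""Evaluate Section 9.1 KPI results against their targets.

Added example, not code from the original plan or from Drata. It assumes KPI
results are percentages and that targets are written the way the table writes
them: "100%", "99.5%", "90-100%", "95%-100%", ">50%", "<5%".
"""
import re
from dataclasses import dataclass

_NUM = r"(\d+(?:\.\d+)?)"
_RANGE = re.compile(rf"^\s*{_NUM}%?\s*-\s*{_NUM}%\s*$")   # "90-100%" or "95%-100%"
_CMP = re.compile(rf"^\s*([<>]=?)\s*{_NUM}%\s*$")        # ">50%", "<5%"
_EXACT = re.compile(rf"^\s*{_NUM}%\s*$")                 # "100%", "99.5%"


@dataclass(frozen=True)
class Kpi:
    name: str
    numerator: float    # e.g. reviews performed, employees trained, minutes up
    denominator: float  # e.g. reviews expected in the period, total employees
    target: str         # target expression exactly as written in the table

    def result(self) -> float:
        """KPI value as a percentage; a zero denominator yields 0 rather than an exception."""
        if self.denominator == 0:
            return 0.0
        return round(100.0 * self.numerator / self.denominator, 2)


def meets_target(value: float, target: str) -> bool:
    """True when a percentage value satisfies a target expression from the table.

    A bare percentage such as "100%" is treated as a floor (assumption): a KPI
    that exceeds its target is not a failure.
    """
    if (m := _RANGE.match(target)):
        lo, hi = float(m.group(1)), float(m.group(2))
        return lo <= value <= hi
    if (m := _CMP.match(target)):
        op, bound = m.group(1), float(m.group(2))
        return {"<": value < bound, "<=": value <= bound,
                ">": value > bound, ">=": value >= bound}[op]
    if (m := _EXACT.match(target)):
        return value >= float(m.group(1))
    raise ValueError(f"unrecognised target expression: {target!r}")


def evaluate(kpis):
    """Return {name: (result, passes)} for every KPI, in table order."""
    return {k.name: (k.result(), meets_target(k.result(), k.target)) for k in kpis}


def failing_kpis(kpis):
    """Names of the KPIs that miss their target."""
    return [name for name, (_, ok) in evaluate(kpis).items() if not ok]


# Constructed sample mirroring the Section 9.1 table; the raw counts are assumptions.
SAMPLE_KPIS = [
    Kpi("Security Awareness Training", 87, 100, "90-100%"),
    Kpi("Social Engineering Reporting Rate", 43, 100, ">50%"),
    Kpi("Social Engineering Failure Rate", 7, 100, "<5%"),
    Kpi("Vulnerability Scans", 12, 12, "100%"),
    Kpi("Platform Availability metric", 43178, 43200, "99.5%"),  # minutes up / minutes in month
    Kpi("Drata Controls Monitoring", 93, 100, "95%-100%"),
]

if __name__ == "__main__":
    for name, (value, ok) in evaluate(SAMPLE_KPIS).items():
        print(f"{'PASS' if ok else 'MISS'}  {name}: {value}%")
```

Running the script against the constructed sample flags the four KPIs that the table itself shows below target (awareness training, reporting rate, failure rate and Drata controls monitoring), which is the list a management review would expect to see as action items.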
9.2. Internal audit
Internal Audits are a crucial element of Example Corporation’s ISMS and its continuous improvement. The process will ensure the discovery and identification of issues, gaps, malfunctions, etc. in the company’s ISMS that could ultimately damage or harm the company.
Frequency. Example Corporation will conduct an internal audit of its ISMS at least annually.
Audit Entity. Example Corporation internal audits will be conducted by:
Employee, full-time auditor;
Employee, part-time auditor; or
Third party internal auditor (an outside organization conducts the internal audit under rules set by Example Corporation).
In the case of an employee being selected as an auditor, Example Corporation will ensure that the auditor is objective and impartial. This will be done through different methods, such as selecting an employee from a different department or team to audit a specific department or team.
Documentation. Example Corporation will set and document the criteria and scope of each annual internal audit in the Internal Audit Program. It will also produce and maintain, for evidence, reports of the internal audit, where findings, gaps, and nonconformities will be outlined (see Appendix A).
Example Corporation will include in its Internal Audit Program sections such as:
Method of internal auditor selection
Process of planning the internal audit
Steps to conduct the internal audit
Post-audit activities
Internal audit checklist
Plan and Procedure. (See APPENDIX A)
9.3. Management review / 10.1. Nonconformity and corrective action / 10.2. Continual improvement
Management review. Example Corporation management will systematically review the ISMS and make critical decisions concerning it. The review will be arranged by the CISO, who is also responsible for compiling all necessary information and inputs for consideration (see APPENDIX B).
The review will take into consideration:
Status of items, issues, and tasks from previous review
Reports from evaluations and internal audits
Lessons learned from assessments, tests, or incidents
Improvement inputs from the company
Any internal and external changes that impact security
Decisions will be made concerning:
The ISMS scope and whether it requires modifications
Security policies and whether any require modifications
Security gaps and necessary improvements
Necessary resources
The overall effectiveness of the ISMS and fulfillment of its objectives
Implementation of different security strategies and training
Frequency. Example Corporation will conduct a management review of its ISMS at least annually, and as necessary.
Documentation and reporting. The considerations, discussions, and decisions from the management review will be recorded in the meeting minutes, which could also include discussions from other reviews. The results of the review, and subsequent tasks and responsibilities, will be communicated to relevant parties by [METHOD, e.g., e-mail, meeting, all-hands, etc.].
Corrective Action Plan. Example Corporation will employ corrective action plans for the systematic elimination of issues and nonconformities. A plan will aim to resolve an issue at its root cause, so that it is prevented or mitigated in the future, and to sustain the corrective measures. It will include:
Root cause analysis and assessment
Required steps for root cause elimination
Risk-opportunity assessment of changes
Time and cost assessment
Rubric for measuring effectiveness
Corrective Action Report. Example Corporation will document any corrective action taken in a corrective action report (see Appendix C). The report will at a minimum include:
Nature of nonconformities
Identified root cause
Corrective actions taken
Implementation of corrective actions
Result of corrective actions (include effectiveness)
APPENDIX A
Internal Audit Plan and Procedure
Purpose
The purpose of the internal audit is to verify the effectiveness of Example Corporation’s information security management system, its continual improvement, and its conformance with the requirements of ISO/IEC 27001:2013, as set out in Clause 9.2 of the standard. It will confirm (a) conformance with the standard and, more importantly, (b) that proper information security measures are in place and are continually improved. Additionally, the internal audit will:
Uncover nonconformities before others discover them;
Ensure a strong security stance by identifying areas that require attention prior to a security event;
Demonstrate and inform management commitment; and
Assist staff understanding and awareness.
Scope
This plan applies to Example Corporation internal audits of the ISMS, and establishes the procedures for carrying out the audit. The audit scope should match the ISMS.
Roles and responsibilities
Lead Auditor: Responsible for planning and executing the audit. The lead auditor is competent and independent of the ISMS: either a member of the company who is independent of the ISMS, or a third party auditor.
Employees: Responsible for assisting in the audit process, when and as required.
Plan
Audit schedule
A properly planned audit, with a readily available schedule, so that all members know when each process will be audited over the upcoming cycle.
Allow time for better preparation and practical support.
Allow time for process owners to:
finish any improvement projects and gather valuable information on the implementation; or,
request that the auditor(s) focus on helping to gather information for other planned improvements.
Coordinate with process owners
Collaborate to determine the best time to review the process.
Auditor(s) can review previous audits to see if any follow-up is required on comments or concerns previously found.
Process owners can identify any areas that the auditor can look at to assist the process owner to identify information.
Ensure that the process owners will get value out of the audit process.
Conducting the audit
Gather, review, analyze information as outlined in the audit procedures below.
Identify areas that do not have operational evidence.
Identify areas that may function better if changes are made.
Reporting audit findings
Meet with interested parties and process owners to communicate findings (nonconformities) efficiently.
Highlight areas of weakness to be addressed, and areas that could use improvement (improvement opportunities).
Follow-up
Ensure that identified areas of non-conformity are resolved and corrective actions have been taken.
Check any progress on identified improvement opportunities.
Procedure
Review ISMS documentation
Audit scope should match ISMS, setting clear limits for the internal audit.
All prescribed documents (see Prescribed Documentation above) are in place and readily available.
Identify any criteria needed for consideration during the audit
Identify the extent of work that may be done during the audit
Identify any anticipated limitations
Identify the main stakeholders in the ISMS
Any required documentation for the audit could be easily requested.
Management input
Designated internal auditor should be competent and independent.
Agree and determine the timing and resources required for the audit.
Set milestones/checkpoints for when the board should receive interim updates.
Discuss issues or concerns
Conduct practical assessment
Observe whether the ISMS functions properly in practice by speaking with the people involved in operating ISMS-related processes, whether or not they hold an ISMS role.
Run audit tests to validate evidence as it is gathered.
Complete audit reports and document the results of each test.
Analyze evidence
Sort and review all evidence collected during the audit, as related to the company’s risk treatment plan and control objectives.
Identify any further gaps or need for further audit tests.
Report findings (see Appendix A). The report should include:
Classification and dissemination restrictions of the report
Intended recipient(s) of the report
An executive summary to highlight the key findings, high-level analysis and a conclusion
Scope, Timing, any outlined criteria
Analysis of the findings and compliance with each clause of the ISMS requirements
Recommendations
Post-audit actions
INTERNAL AUDIT REPORT | Example Corporation |
Confidentiality | Internal Use |
Date of Audit | 02/14/2023 - 02/23/2023 |
Date of Previous Audit | N/A |
RECIPIENT(S) | John Smith, CISO; Jane Doe, Manager, GRC; Lisa Bautista, CEO; James Chapman, CTO; Alice Wallace, CFO |
EXECUTIVE SUMMARY
Internal Audit has prepared the following report after conducting an audit of Example Corporation’s web and mobile applications. The audit was conducted in preparation for ISO 27001 certification of Example Corporation’s ISMS, against the ISO 27001 and ISO 27002 standards. Evidence was collected through the Drata Platform, from interviews with the GRC Manager, and from screenshots of specific systems not otherwise captured within the Drata Platform. The overall opinion of Internal Audit is that Example Corporation’s ISMS was established and is being operated appropriately. Three (3) minor nonconformities and one (1) enhancement/process improvement opportunity were noted. Internal Audit recommends that the three (3) minor nonconformities be remediated before beginning Stage 1 of the ISO 27001 certification audit.
AUDITOR
Auditor Name | Benedict Arnold |
Internal or External? | Internal |
Organization (if external) | N/A |
Primary Role | Lead Internal Auditor |
AUDIT SCOPE & CRITERIA
Scope (organizational units) | Example Corporation Management; Information Security; Information Technology & Engineering; Human Resources; Legal |
Scope (systems) | Amazon Web Services (AWS); GitHub; Slack; Jira |
Scope (products) | Example Corporation Web Application (app.examplecorp.com); Example Corporation Mobile Application (iOS & Android) |
Scope (physical locations) | Not applicable, as Example Corporation has no physical locations in scope |
Exclusions (explicitly excluded from the ISMS scope of Example Corporation) | Sales; Marketing; Finance; Amazon Web Services (AWS) - Data Center & Physical Security Controls |
Criteria | Refer to the associated Drata ISMS SOA document |
AUDIT METHOD
Activity | Action |
Document Review | All evidence was provided through the Drata platform’s Audit Hub and reviewed with read-only access |
Evidential Sampling | For select controls, the Internal Auditor requested additional documentation, including samples (sample size of 1), as supplementary evidence to support the provided documents |
Interviews | ISMS key members: Jane Doe. Non-ISMS members: none listed |
AUDIT FINDINGS
Nonconformities
Clause 7.5.2(b) | Example Corporation’s document history table does not include details such as format (electronic/physical), language, software version, etc., as listed in item (b) of Clause 7.5.2 |
Annex A 8.2.2 | Example Corporation’s Data Classification Policy does not include guidance for labeling data |
Annex A 15.2.2 | Example Corporation’s Vendor Management Policy does not include procedures for managing changes in supplier contracts, changes to the services delivered by suppliers, or changes at Example Corporation made in order to implement changes in supplier contracts or services |
Improvement Opportunities
Annex A 14.2.5 | Example Corporation’s SDLC policy does not formally document secure engineering principles |
RECOMMENDATIONS
Annex A 14.2.5 - Example Corporation’s SDLC policy does not formally document secure engineering principles. Review the SDLC policy and ensure that it includes secure engineering principles.
COMPLIANCE
Clauses audited | Clause 4, Clause 5, Clause 6, Clause 7, Clause 8, Clause 9, Clause 10 |
Result | Minor nonconformities found on Clause 7.5.2(b), Annex A 8.2.2, and Annex A 15.2.2 |
POST-AUDIT ACTIONS
Example Corporation’s management should review this Internal Audit report, develop a treatment plan, and remediate the listed nonconformities before moving into Stage 1 of the ISO 27001 audit.
Dissemination Restrictions | Internal use only; this report is meant to be reviewed by ISMS management |
Report PREPARED by | Benedict Arnold | Internal Auditor | Remote - N/A | 2/23/2023 4PM PST |
Report APPROVED by | John Smith | CISO | Remote - N/A | 2/24/2023 11AM PST |
APPENDIX B
MANAGEMENT REVIEW | Example Corporation |
Confidentiality | Confidential |
Date of Review | March 20, 2023 |
Date of Previous Review | March 10, 2023 |
MEETING DETAILS
Participants | John Smith, CISO; Jane Doe, Manager, GRC; Lisa Bautista, CEO; James Chapman, CTO; Alice Wallace, CFO; Benedict Arnold, Internal Auditor |
INPUT ITEMS
Information Security Reviews
Included | Input |
Y | Nonconformities and Corrective Actions |
Y | Monitoring and Measurement Results |
Y | Audit Results |
Y | Information Security Objectives Fulfillment |
DISCUSSION POINTS & DECISIONS
ISMS Scope Modification | Not applicable - ISMS is established |
Security Policies Modification | Security policies will be modified based on the issues identified during the 2023 ISO internal audit |
Overall ISMS Effectiveness | The ISMS Plan is found to be effective, with a few action items to meet Information Security Objectives 1 and 3 (refer to the KPI Metrics table in Section 9.1) |
Changes Internal/External | Not applicable - ISMS is established |
Security Gaps | 3 minor nonconformities and 1 opportunity for improvement from the Internal Audit were discussed |
Security Improvements | Establish Corrective Action Plans for the 4 issues identified during the 2023 Internal Audit |
Security Strategies | |
NOTES: |
ACTION ITEMS
Previous Items | Owner | Status |
Conduct Internal Audit | Benedict Arnold | Complete |
Current Items | Owner | Status |
Establish Corrective Action Plans for Internal Audit nonconformities and opportunities for improvement | Jane Doe | In Progress |
Review failing monitoring tests and remediate | Jane Doe | In Progress |
Following a failed simulation test, ensure that employees acknowledge the phishing refresher course | Jane Doe | In Progress |
Ensure employees take their security awareness training | Jane Doe | In Progress |
Develop strategies to encourage employees to report suspicious emails | Jane Doe | Not Started |
FOCUS FOR NEXT INTERNAL AUDIT | |
POST-REVIEW ACTIONS
Report Distribution | Method | Date |
Included as part of the ISMS Plan | Uploaded to Drata’s Policy Center | March 20, 2023 |
Report PREPARED by | Jane Doe | Manager, GRC | Remote - N/A | March 20, 2023 |
Report APPROVED by | John Smith | CISO | Remote - N/A | March 20, 2023 |
APPENDIX C
CORRECTIVE ACTION REPORT | Example Corporation |
Confidentiality | Internal Use |
Date of Review | 02/28/2023 |
Date of Previous Review | N/A |
NON-CONFORMITIES
Nonconformity 1 (Clause 7.5.2(b))
Nature | Documentation |
Root Cause | Example Corporation’s document history table does not include details such as format (electronic/physical), language, software version, etc., as listed in item (b) of Clause 7.5.2 |
Corrective Action | Include “Format” in all documents’ revision history tables |
Implementation | Completed |
Result/Effectiveness | Effective |
Due Date | March 16, 2023 |
Owner | Jane Doe |
Notes: |
Nonconformity 2 (Annex A 8.2.2)
Nature | Documentation |
Root Cause | Example Corporation’s Data Classification Policy does not include guidance for labeling data |
Corrective Action | Add data labeling guidance to Example Corporation’s Data Classification Policy |
Implementation | In Progress |
Result/Effectiveness | - |
Due Date | March 20, 2023 |
Owner | Jane Doe |
Notes: |
Nonconformity 3 (Annex A 15.2.2)
Nature | Process and Documentation |
Root Cause | Example Corporation’s Vendor Management Policy does not include procedures for managing changes in supplier contracts, changes to the services delivered by suppliers, or changes at Example Corporation made in order to implement changes in supplier contracts or services |
Corrective Action | Develop procedures for managing changes in supplier contracts and services and include them in the Vendor Management Policy |
Implementation | Not Started |
Result/Effectiveness | - |
Due Date | March 24, 2023 |
Owner | Jane Doe |
Notes: |
Revision History
Version | Date | Editor | Approver | Description of Changes | Format |
1.0 | 03/20/2023 | Jane Doe | John Smith | Initial Creation | .DOCX |