ISO27k ISMS and Controls Status WITH SoA and Gaps


ISO/IEC 27001:2013 IS

Statement of Applicabi
Controls Status (gap ana
Introduction

This spreadsheet is used to record and track the status of your organization as you implement the mandator
The main body of ISO/IEC 27001 formally specifies a number of mandatory requirements that must be fulfill
compliant with the standard. All the mandatory requirements for certification concern the manage
the standard requires management to determine the organization's information security risks, assess them,
policies and procedures defined in the ISMS. It does not mandate specific security controls.
However, Annex A to '27001 outlines a suite of information security controls that the management system w
organization (which depends on its information security risks). The security controls in Annex A are explaine
regulations etc.

Instructions

1. Design and implement an ISMS complying with all the mandatory elements specified in the main body of
mandatory ISMS requirements sheet to track and record its status.
2. Identify and assess the information security risks facing those parts of the organization that are declared

using the drop-down selectors in the status column of the annex A controls sheet. Note: do not feel con
additional rows if you determine that other security controls are needed to treat your information security ri
merely a guide, a starting point.

3. Systematically check and record the status of your security risks and controls, updating the status colum
4. Once your ISMS is operating normally, the metrics are looking good and you have amassed sufficient ev
accredited certification body. They will check that your ISMS fulfills the standard's mandatory requirements
and monitored according to the ISMS policies and procedures. Thereafter, the spreadsheet should both be m
and periodically reviewed/audited.

History and acknowledgements

Bala Ramanan donated the original ISO/IEC 27001:2005 version of the 27001 requirements worksheet.

Joe
the
ISO27k
Toolkit
Ed Hodgson updated the workbook for ISO/IEC 27001:2013. Gary Hinson fiddled with the wording and forma
ISO27k Toolkit.

Copyright

This work is copyright 2014, ISO27k Forum, some rights reserved. It is licensed under the Creative Comm
reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated
www.ISO27001security.com, and (c) any derivative works that are shared with third parties are subject to the s

Note: you need licensed copies of both ISO/IEC 27001 and 27002 to make much sense of this, an
is not sufficient! In particular, we have paraphrased and shortened the wording of the standards in ways
the ISO27k standards, not this workbook.

Please visit ISO27001security.com for further advice and guidance on the ISO27k standards, including the IS
Toolkit:

www.ISO27001security

Status of ISO/IEC 27001 implementation

Section | ISO/IEC 27001 requirement | Status | Notes
4 | Context of the organisation | |
4.1 | Organisational context | |
4.1 | Determine the organization's ISMS objectives and any issues that might affect its effectiveness | ? Unknown |
4.2 | Interested parties | |
4.2 (a) | Identify interested parties including applicable laws, regulations, contracts etc. | Defined |
4.2 (b) | Determine their information security-relevant requirements and obligations | Limited |
4.3 | ISMS scope | |
4.3 | Determine and document the ISMS scope | Initial |
4.4 | ISMS | |
4.4 | Establish, implement, maintain and continually improve an ISMS according to the standard! | Nonexistent |
5 | Leadership | |
5.1 | Leadership & commitment | |
5.1 | Top management must demonstrate leadership & commitment to the ISMS | Limited |
5.2 | Policy | |
5.2 | Document the information security policy | Nonexistent |
5.3 | Organizational roles, responsibilities & authorities | |
5.3 | Assign and communicate information security roles & responsibilities | Not applicable |
6 | Planning | |
6.1 | Actions to address risks & opportunities | |
6.1.1 | Design/plan the ISMS to satisfy the requirements, addressing risks & opportunities | ? Unknown |
6.1.2 | Define and apply an information security risk assessment process | ? Unknown |
6.1.3 | Document and apply an information security risk treatment process | ? Unknown |
6.2 | Information security objectives & plans | |
6.2 | Establish and document the information security objectives and plans | ? Unknown |
7 | Support | |
7.1 | Resources | |
7.1 | Determine and allocate necessary resources for the ISMS | ? Unknown |
7.2 | Competence | |
7.2 | Determine, document and make available necessary competences | ? Unknown |
7.3 | Awareness | |
7.3 | Establish a security awareness program | ? Unknown |
7.4 | Communication | |
7.4 | Determine the need for internal and external communications relevant to the ISMS | ? Unknown |
7.5 | Documented information | |
7.5.1 | Provide documentation required by the standard plus that required by the organization | ? Unknown |
7.5.2 | Provide document titles, authors etc., format them consistently, and review & approve them | ? Unknown |
7.5.3 | Control the documentation properly | ? Unknown |
8 | Operation | |
8.1 | Operational planning and control | |
8.1 | Plan, implement, control & document ISMS processes to manage risks (i.e. a risk treatment plan) | ? Unknown |
8.2 | Information security risk assessment | |
8.2 | (Re)assess & document information security risks regularly & on changes | ? Unknown |
8.3 | Information security risk treatment | |
8.3 | Implement the risk treatment plan (treat the risks!) and document the results | ? Unknown |
9 | Performance evaluation | |
9.1 | Monitoring, measurement, analysis and evaluation | |
9.1 | Monitor, measure, analyze and evaluate the ISMS and the controls | ? Unknown |
9.2 | Internal audit | |
9.2 | Plan & conduct internal audits of the ISMS | ? Unknown |
9.3 | Management review | |
9.3 | Undertake regular management reviews of the ISMS | ? Unknown |
10 | Improvement | |
10.1 | Nonconformity and corrective action | |
10.1 | Identify, fix and take action to prevent recurrence of nonconformities, documenting the actions | ? Unknown |
10.2 | Continual improvement | |
10.2 | Continually improve the ISMS | ? Unknown |

Number of requirements: 27
01/10/2017

Statement of Applicability and status of information security controls

Section | Information security control | Status | Notes
A5 | Information security policies | |
A5.1 | Management direction for information security | |
A5.1.1 | Policies for information security | ? Unknown |
A5.1.2 | Review of the policies for information security | Nonexistent |
A6 | Organization of information security | |
A6.1 | Internal organization | |
A6.1.1 | Information security roles and responsibilities | Initial |
A6.1.2 | Segregation of duties | Limited |
A6.1.3 | Contact with authorities | Defined |
A6.1.4 | Contact with special interest groups | Managed |
A6.1.5 | Information security in project management | Optimized |
A6.2 | Mobile devices and teleworking | |
A6.2.1 | Mobile device policy | Optimized |
A6.2.2 | Teleworking | Not applicable |
A7 | Human resource security | |
A7.1 | Prior to employment | |
A7.1.1 | Screening | ? Unknown |
A7.1.2 | Terms and conditions of employment | ? Unknown |
A7.2 | During employment | |
A7.2.1 | Management responsibilities | ? Unknown |
A7.2.2 | Information security awareness, education and training | ? Unknown |
A7.2.3 | Disciplinary process | ? Unknown |
A7.3 | Termination and change of employment | |
A7.3.1 | Termination or change of employment responsibilities | ? Unknown |
A8 | Asset management | |
A8.1 | Responsibility for assets | |
A8.1.1 | Inventory of assets | ? Unknown |
A8.1.2 | Ownership of assets | ? Unknown |
A8.1.3 | Acceptable use of assets | ? Unknown |
A8.1.4 | Return of assets | ? Unknown |
A8.2 | Information classification | |
A8.2.1 | Classification of information | ? Unknown |
A8.2.2 | Labelling of information | ? Unknown |
A8.2.3 | Handling of assets | ? Unknown |
A8.3 | Media handling | |
A8.3.1 | Management of removable media | ? Unknown |
A8.3.2 | Disposal of media | ? Unknown |
A8.3.3 | Physical media transfer | ? Unknown |
A9 | Access control | |
A9.1 | Business requirements of access control | |
A9.1.1 | Access control policy | ? Unknown |
A9.1.2 | Access to networks and network services | ? Unknown |
A9.2 | User access management | |
A9.2.1 | User registration and de-registration | ? Unknown |
A9.2.2 | User access provisioning | ? Unknown |
A9.2.3 | Management of privileged access rights | ? Unknown |
A9.2.4 | Management of secret authentication information of users | ? Unknown |
A9.2.5 | Review of user access rights | ? Unknown |
A9.2.6 | Removal or adjustment of access rights | ? Unknown |
A9.3 | User responsibilities | |
A9.3.1 | Use of secret authentication information | ? Unknown |
A9.4 | System and application access control | |
A9.4.1 | Information access restriction | ? Unknown |
A9.4.2 | Secure log-on procedures | ? Unknown |
A9.4.3 | Password management system | ? Unknown |
A9.4.4 | Use of privileged utility programs | ? Unknown |
A9.4.5 | Access control to program source code | ? Unknown |
A10 | Cryptography | |
A10.1 | Cryptographic controls | |
A10.1.1 | Policy on the use of cryptographic controls | ? Unknown |
A10.1.2 | Key management | ? Unknown |
A11 | Physical and environmental security | |
A11.1 | Secure areas | |
A11.1.1 | Physical security perimeter | ? Unknown |
A11.1.2 | Physical entry controls | ? Unknown |
A11.1.3 | Securing offices, rooms and facilities | ? Unknown |
A11.1.4 | Protecting against external and environmental threats | ? Unknown |
A11.1.5 | Working in secure areas | ? Unknown |
A11.1.6 | Delivery and loading areas | ? Unknown |
A11.2 | Equipment | |
A11.2.1 | Equipment siting and protection | ? Unknown |
A11.2.2 | Supporting utilities | ? Unknown |
A11.2.3 | Cabling security | ? Unknown |
A11.2.4 | Equipment maintenance | ? Unknown |
A11.2.5 | Removal of assets | ? Unknown |
A11.2.6 | Security of equipment and assets off-premises | ? Unknown |
A11.2.7 | Secure disposal or reuse of equipment | ? Unknown |
A11.2.8 | Unattended user equipment | ? Unknown |
A11.2.9 | Clear desk and clear screen policy | ? Unknown |
A12 | Operations security | |
A12.1 | Operational procedures and responsibilities | |
A12.1.1 | Documented operating procedures | ? Unknown |
A12.1.2 | Change management | ? Unknown |
A12.1.3 | Capacity management | ? Unknown |
A12.1.4 | Separation of development, testing and operational environments | ? Unknown |
A12.2 | Protection from malware | |
A12.2.1 | Controls against malware | ? Unknown |
A12.3 | Backup | |
A12.3.1 | Information backup | ? Unknown |
A12.4 | Logging and monitoring | |
A12.4.1 | Event logging | ? Unknown |
A12.4.2 | Protection of log information | ? Unknown |
A12.4.3 | Administrator and operator logs | ? Unknown |
A12.4.4 | Clock synchronisation | ? Unknown |
A12.5 | Control of operational software | |
A12.5.1 | Installation of software on operational systems | ? Unknown |
A12.6 | Technical vulnerability management | |
A12.6.1 | Management of technical vulnerabilities | ? Unknown |
A12.6.2 | Restrictions on software installation | ? Unknown |
A12.7 | Information systems audit considerations | |
A12.7.1 | Information systems audit controls | ? Unknown |
A13 | Communications security | |
A13.1 | Network security management | |
A13.1.1 | Network controls | ? Unknown |
A13.1.2 | Security of network services | ? Unknown |
A13.1.3 | Segregation in networks | ? Unknown |
A13.2 | Information transfer | |
A13.2.1 | Information transfer policies and procedures | ? Unknown |
A13.2.2 | Agreements on information transfer | ? Unknown |
A13.2.3 | Electronic messaging | ? Unknown |
A13.2.4 | Confidentiality or nondisclosure agreements | ? Unknown |
A14 | System acquisition, developm | |
A14.1 | Security requirements of information systems | |
A14.1.1 | Information security requirements analysis and specification | ? Unknown |
A14.1.2 | Securing application services on public networks | ? Unknown |
A14.1.3 | Protecting application services transactions | ? Unknown |
A14.2 | Security in development and support processes | |
A14.2.1 | Secure development policy | ? Unknown |
A14.2.2 | System change control procedures | ? Unknown |
A14.2.3 | Technical review of applications after operating platform changes | ? Unknown |
A14.2.4 | Restrictions on changes to software packages | ? Unknown |
A14.2.5 | Secure system engineering principles | ? Unknown |
A14.2.6 | Secure development environment | ? Unknown |
A14.2.7 | Outsourced development | ? Unknown |
A14.2.8 | System security testing | ? Unknown |
A14.2.9 | System acceptance testing | ? Unknown |
A14.3 | Test data | |
A14.3.1 | Protection of test data | ? Unknown |
A15 | Supplier relationships | |
A15.1 | Information security in supplier relationships | |
A15.1.1 | Information security policy for supplier relationships | ? Unknown |
A15.1.2 | Addressing security within supplier agreements | ? Unknown |
A15.1.3 | ICT supply chain | ? Unknown |
A15.2 | Supplier service delivery management | |
A15.2.1 | Monitoring and review of supplier services | ? Unknown |
A15.2.2 | Managing changes to supplier services | ? Unknown |
A16 | Information security incident m | |
A16.1 | Management of information security incidents & improvements | |
A16.1.1 | Responsibilities and procedures | ? Unknown |
A16.1.2 | Reporting information security events | ? Unknown |
A16.1.3 | Reporting information security weaknesses | ? Unknown |
A16.1.4 | Assessment of and decision on information security events | ? Unknown |
A16.1.5 | Response to information security incidents | ? Unknown |
A16.1.6 | Learning from information security incidents | ? Unknown |
A16.1.7 | Collection of evidence | ? Unknown |
A17 | Information security aspects of BCM | | BCM is Business Continuity Management
A17.1 | Information security continuity | |
A17.1.1 | Planning information security continuity | ? Unknown |
A17.1.2 | Implementing information security continuity | ? Unknown |
A17.1.3 | Verify, review and evaluate information security continuity | ? Unknown |
A17.2 | Redundancies | |
A17.2.1 | Availability of information processing facilities | ? Unknown |
A18 | Compliance | |
A18.1 | Compliance with legal and contractual requirements | |
A18.1.1 | Identification of applicable legislation and contractual requirements | ? Unknown |
A18.1.2 | Intellectual property rights | ? Unknown |
A18.1.3 | Protection of records | ? Unknown |
A18.1.4 | Privacy and protection of personally identifiable information | ? Unknown |
A18.1.5 | Regulation of cryptographic controls | ? Unknown |
A18.2 | Information security reviews | |
A18.2.1 | Independent review of information security | ? Unknown |
A18.2.2 | Compliance with security policies and standards | ? Unknown |
A18.2.3 | Technical compliance review | ? Unknown |

Number of controls: 114

Status | Meaning | Proportion of ISMS requirements | Proportion of information security controls
? Unknown | Has not even been checked yet | 74% | 93%
Nonexistent | Complete lack of recognizable policy, procedure, control etc. | 7% | 1%
Initial | Development has barely started and will require significant work to fulfill the requirements | 4% | 1%
Limited | Progressing nicely but not yet complete | 7% | 1%
Defined | Development is more or less complete although detail is lacking and/or it is not yet implemented, enforced and actively supported by top management | 4% | 1%
Managed | Development is complete, the process/control has been implemented and recently started operating | 0% | 1%
Optimized | The requirement is fully satisfied, is operating fully as expected, is being actively monitored and improved, and there is substantial evidence to prove all that to the auditors | 0% | 2%
Not applicable | ALL requirements in the main body of ISO/IEC 27001 are mandatory IF your ISMS is to be certified. Otherwise, management can ignore them. | 4% | 1%
Total | | 100% | 100%

Chart: ISMS implementation status (breakdown by the statuses above)

Chart: Infosec controls status (breakdown by the statuses above)
