Iso 22301 Checklist Template

Uploaded by xokuqebe

ISO 22301 CHECKLIST TEMPLATE

The template is a five-column table: ISO 22301 Control | Implementation Phases | Tasks | In Compliance? | Notes. The In Compliance? column is a selection field with the options NO / YES / UNKNOWN; the Implementation Phases, In Compliance? and Notes columns are left blank for completion.

| ISO 22301 Control | Implementation Phases | Tasks | In Compliance? (NO / YES / UNKNOWN) | Notes |
|---|---|---|---|---|
| 5 Leadership | | | | |
| 5.1 Leadership and commitment | | | | |
| 6 Organization of information security | | | | |
| 6.1 Information security roles and responsibilities | | | | |
| 6.1.1 Security roles and responsibilities | | Roles and responsibilities defined? | | |
| 6.1.2 Segregation of duties | | Segregation of duties defined? | | |
| 6.1.3 Contact with authorities | | Verification body / authority contacted for compliance verification? | | |
| 6.1.4 Contact with special interest groups | | Establish contact with special interest groups regarding compliance? | | |
| 6.1.5 Information security in project management | | Evidence of information security in project management? | | |
| 6.2 Mobile devices and teleworking | | | | |
| 6.2.1 Mobile device policy | | Defined policy for mobile devices? | | |
| 6.2.2 Teleworking | | Defined policy for working remotely? | | |
| 7 Human resources security | | | | |
| 7.1 Prior to employment | | | | |
| 7.1.1 Screening | | Defined policy for screening employees prior to employment? | | |
| 7.1.2 Terms and conditions of employment | | Defined policy for HR terms and conditions of employment? | | |
| 7.2 During employment | | | | |
| 7.2.1 Management responsibilities | | Defined policy for management responsibilities? | | |
| 7.2.2 Information security awareness, education, and training | | Defined policy for information security awareness, education, and training? | | |
| 7.2.3 Disciplinary process | | Defined policy for disciplinary process regarding information security? | | |
| 7.3 Termination and change of employment | | | | |
| 7.3.1 Termination or change-of-employment responsibilities | | Defined policy for HR termination or change-of-employment policy regarding information security? | | |
| 8 Asset management | | | | |
| 8.1 Responsibilities for assets | | | | |
| 8.1.1 Inventory of assets | | Complete inventory list of assets? | | |
| 8.1.2 Ownership of assets | | Complete ownership list of assets? | | |
| 8.1.3 Acceptable use of assets | | Defined acceptable use of assets policy? | | |
| 8.1.4 Return of assets | | Defined return of assets policy? | | |
| 8.2 Information classification | | | | |
| 8.2.1 Classification of information | | Defined policy for classification of information? | | |
| 8.2.2 Labeling of information | | Defined policy for labeling of information? | | |
| 8.2.3 Handling of assets | | Defined policy for handling of assets? | | |
| 8.3 Media handling | | | | |
| 8.3.1 Management of removable media | | Defined policy for management of removable media? | | |
| 8.3.2 Disposal of media | | Defined policy for disposal of media? | | |
| 8.3.3 Physical media transfer | | Defined policy for physical media transfer? | | |
| 9 Access control | | | | |
| 9.1 Responsibilities for assets | | | | |
| 9.1.1 Access control policy | | Defined policy for access control? | | |
| 9.1.2 Access to networks and network services | | Defined policy for access to networks and network services? | | |
| 9.2 Responsibilities for assets | | | | |
| 9.2.1 User asset registration and de-registration | | Defined policy for user asset registration and de-registration? | | |
| 9.2.2 User access provisioning | | Defined policy for user access provisioning? | | |
| 9.2.3 Management of privileged access rights | | Defined policy for management of privileged access rights? | | |
| 9.2.4 Management of secret authentication information of users | | Defined policy for management of secret authentication information of users? | | |
| 9.2.5 Review of user access rights | | Defined policy for review of user access rights? | | |
| 9.2.6 Removal or adjustment of access rights | | Defined policy for removal or adjustment of access rights? | | |
| 9.3 User responsibilities | | | | |
| 9.3.1 Use of secret authentication information | | Defined policy for use of secret authentication information? | | |
| 9.4 System and application access control | | | | |
| 9.4.1 Information access restrictions | | Defined policy for information access restrictions? | | |
| 9.4.2 Secure log-in procedures | | Defined policy for secure log-in procedures? | | |
| 9.4.3 Password management systems | | Defined policy for password management systems? | | |
| 9.4.4 Use of privileged utility programs | | Defined policy for use of privileged utility programs? | | |
| 9.4.5 Access control to program source code | | Defined policy for access control to program source code? | | |
| 10 Cryptography | | | | |
| 10.1 Cryptographic controls | | | | |
| 10.1.1 Policy for the use of cryptographic controls | | Defined policy for use of cryptographic controls? | | |
| 10.1.2 Key management | | Defined policy for key management? | | |
| 11 Physical and environmental security | | | | |
| 11.1 Secure areas | | | | |
| 11.1.1 Physical security perimeter | | Defined policy for physical security perimeter? | | |
| 11.1.2 Physical entry controls | | Defined policy for physical entry controls? | | |
| 11.1.3 Securing offices, rooms, and facilities | | Defined policy for securing offices, rooms, and facilities? | | |
| 11.1.4 Protection against external and environmental threats | | Defined policy for protection against external and environmental threats? | | |
| 11.1.5 Working in secure areas | | Defined policy for working in secure areas? | | |
| 11.1.6 Delivery and loading areas | | Defined policy for delivery and loading areas? | | |
| 11.2 Equipment | | | | |
| 11.2.1 Equipment siting and protection | | Defined policy for equipment siting and protection? | | |
| 11.2.2 Supporting utilities | | Defined policy for supporting utilities? | | |
| 11.2.3 Cabling security | | Defined policy for cabling security? | | |
| 11.2.4 Equipment maintenance | | Defined policy for equipment maintenance? | | |
| 11.2.5 Removal of assets | | Defined policy for removal of assets? | | |
| 11.2.6 Security of equipment and assets off-premises | | Defined policy for security of equipment and assets off-premises? | | |
| 11.2.7 Secure disposal or re-use of equipment | | Secure disposal or re-use of equipment? | | |
| 11.2.8 Unattended user equipment | | Defined policy for unattended user equipment? | | |
| 11.2.9 Clear desk and clear screen policy | | Defined policy for clear desk and clear screen policy? | | |
| 12 Operations security | | | | |
| 12.1 Operational procedures and responsibilities | | | | |
| 12.1.1 Documented operating procedures | | Defined policy for documented operating procedures? | | |
| 12.1.2 Change management | | Defined policy for change management? | | |
| 12.1.3 Capacity management | | Defined policy for capacity management? | | |
| 12.1.4 Separation of development, testing, and operational environments | | Defined policy for separation of development, testing, and operational environments? | | |
| 12.2 Protection from malware | | | | |
| 12.2.1 Controls against malware | | Defined policy for controls against malware? | | |
| 12.3 System backup | | | | |
| 12.3.1 Backup | | Defined policy for backing up systems? | | |
| 12.3.2 Information backup | | Defined policy for information backup? | | |
| 12.4 Logging and monitoring | | | | |
| 12.4.1 Event logging | | Defined policy for event logging? | | |
| 12.4.2 Protection of log information | | Defined policy for protection of log information? | | |
| 12.4.3 Administrator and operator log | | Defined policy for administrator and operator log? | | |
| 12.4.4 Clock synchronization | | Defined policy for clock synchronization? | | |
| 12.5 Control of operational software | | | | |
| 12.5.1 Installation of software on operational systems | | Defined policy for installation of software on operational systems? | | |
| 12.6 Technical vulnerability management | | | | |
| 12.6.1 Management of technical vulnerabilities | | Defined policy for management of technical vulnerabilities? | | |
| 12.6.2 Restriction on software installation | | Defined policy for restriction on software installation? | | |
| 12.7 Information systems audit considerations | | | | |
| 12.7.1 Information system audit control | | Defined policy for information system audit control? | | |
| 13 Communication security | | | | |
| 13.1 Network security management | | | | |
| 13.1.1 Network controls | | Defined policy for network controls? | | |
| 13.1.2 Security of network services | | Defined policy for security of network services? | | |
| 13.1.3 Segregation in networks | | Defined policy for segregation in networks? | | |
| 13.2 Information transfer | | | | |
| 13.2.1 Information transfer policies and procedures | | Defined policy for information transfer policies and procedures? | | |
| 13.2.2 Agreements on information transfer | | Defined policy for agreements on information transfer? | | |
| 13.2.3 Electronic messaging | | Defined policy for electronic messaging? | | |
| 13.2.4 Confidentiality or non-disclosure agreements | | Defined policy for confidentiality or non-disclosure agreements? | | |
| 13.2.5 System acquisition, development, and maintenance | | Defined policy for system acquisition, development, and maintenance? | | |
| 14 System acquisition, development, and maintenance | | | | |
| 14.1 Security requirements of information systems | | | | |
| 14.1.1 Information security requirements analysis and specification | | Defined policy for information security requirements analysis and specification? | | |
| 14.1.2 Securing application services on public networks | | Defined policy for securing application services on public networks? | | |
| 14.1.3 Protecting application service transactions | | Defined policy for protecting application service transactions? | | |
| 14.2 Security in development and support processes | | | | |
| 14.2.1 In-house development | | Defined policy for in-house development? | | |
| 15 Supplier relationships | | | | |
| 15.1.1 Supplier relationships | | Defined policy for supplier relationships? | | |
| 16 Information security incident management | | | | |
| 16.1.1 Information security management | | Defined policy for information security management? | | |
| 17 Information security aspects of business continuity management | | | | |
| 17.1 Information security continuity | | | | |
| 17.1.1 Information security continuity | | Defined policy for information security continuity? | | |
| 17.2 Redundancies | | | | |
| 17.2.1 Redundancies | | Defined policy for redundancies? | | |
| 18 Compliance | | | | |
| 18.1 Compliance with legal and contractual requirements | | | | |
| 18.1.1 Identification of applicable legislation and contractual requirement | | Defined policy for identification of applicable legislation and contractual requirement? | | |
| 18.1.2 Intellectual property rights | | Defined policy for intellectual property rights? | | |
| 18.1.3 Protection of records | | Defined policy for protection of records? | | |
| 18.1.4 Privacy and protection of personally identifiable information | | Defined policy for privacy and protection of personally identifiable information? | | |
| 18.1.5 Regulation of cryptographic control | | Defined policy for regulation of cryptographic control? | | |
| 18.1 Independent review of information security | | | | |
| 18.1.1 Compliance with security policies and standards | | Defined policy for compliance with security policies and standards? | | |
| 18.1.2 Technical compliance review | | Defined policy for technical compliance review? | | |

DISCLAIMER
Any articles, templates, or information provided by Smartsheet on the website are for
reference only. While we strive to keep the information up to date and correct, we make no
representations or warranties of any kind, express or implied, about the completeness,
accuracy, reliability, suitability, or availability with respect to the website or the information,
articles, templates, or related graphics contained on the website. Any reliance you place on
such information is therefore strictly at your own risk.