ISO 27001 Gap Analysis BPC

This document is a checklist for conducting a gap analysis to assess an organization's compliance with the ISO 27001:2013 standard for information security management systems. The checklist contains questions addressing the various sections and controls specified in ISO 27001, including leadership and commitment, policy, risk assessment, objectives, operations, performance evaluation, improvement, and the annex on controls. The purpose is to determine whether the organization has addressed all necessary aspects for an effective information security system based on the ISO standard.
ISO 27001:2013 GAP ANALYSIS CHECKLIST

4 CONTEXT OF THE ORGANISATION
YES   NO   DOCUMENT / INFORMATION REFERENCE

Have the internal and external issues that are relevant to the ISMS, and that impact on the achievement of its expected outcome, been determined?

4.2 UNDERSTANDING THE NEEDS AND EXPECTATIONS OF INTERESTED PARTIES
Has the organisation determined the interested parties that are relevant to the ISMS?
Have the requirements of these interested parties been determined, including legal, regulatory and contractual requirements?

4.3 SCOPE OF THE ISMS
Have the boundaries and applicability of the ISMS been determined to establish its scope, taking into consideration the external and internal issues, the requirements of interested parties and the interfaces and dependencies with other organizations?
Is the scope of the ISMS documented?

5 LEADERSHIP
YES   NO   DOCUMENT / INFORMATION REFERENCE

5.1 LEADERSHIP AND COMMITMENT
Does Top Management demonstrate leadership and commitment in establishing the information security policy and objectives, in consideration of the strategic direction of the organization, and in promotion of continual improvement?
Does Top Management demonstrate leadership and commitment in ensuring the integration of the ISMS requirements into its business processes?
Does Top Management demonstrate leadership and commitment in ensuring that resources are available for the ISMS, and directing and supporting individuals, including management, who contribute to its effectiveness?
Does Top Management demonstrate leadership and commitment in communicating the importance of effective information security and conformance to ISMS requirements?

5.2 POLICY
Is there an established information security policy that is appropriate, gives a framework for setting objectives, and demonstrates commitment to meeting requirements and for continual improvement?
Is the policy documented and communicated to employees and relevant interested parties?

5.3 ORGANIZATIONAL ROLES, RESPONSIBILITIES AND AUTHORITIES
Are the roles within the ISMS clearly defined and communicated?
Are the responsibilities and authorities for conformance and reporting on ISMS performance assigned?

6 PLANNING
YES   NO   DOCUMENT / INFORMATION REFERENCE

6.1 ADDRESS RISK AND OPPORTUNITIES
Have the internal and external issues, and the requirements of interested parties, been considered to determine the risks and opportunities that need to be addressed to ensure that the ISMS achieves its outcome, that undesired effects are prevented or reduced, and that continual improvement is achieved?
Have actions to address risks and opportunities been planned and integrated into the ISMS processes, and are they evaluated for effectiveness?

6.1.3 INFORMATION SECURITY OBJECTIVES AND PLANNING TO ACHIEVE THEM
Is there an information security risk treatment process to select appropriate risk treatment options for the results of the information security risk assessment, and are controls determined to implement the risk treatment option chosen?
Have the controls determined been compared with ISO/IEC 27001:2013 Annex A to verify that no necessary controls have been missed?
Has a Statement of Applicability been produced to justify Annex A exclusions and inclusions, together with the control implementation status?
Has an information security risk treatment plan been formulated and approved by risk owners, and have residual information security risks been authorised by risk owners?
Is documented information about the information security risk treatment process available?

6.2 INFORMATION SECURITY OBJECTIVES AND PLANNING TO ACHIEVE THEM
Have measurable ISMS objectives and targets been established, documented and communicated throughout the organization?
In setting its objectives, has the organization determined what needs to be done, when and by whom?

7 SUPPORT
YES   NO   DOCUMENT / INFORMATION REFERENCE
7.1 RESOURCES & 7.2 COMPETENCE
Is the ISMS adequately resourced?
Is there a process defined and documented for determining competence for ISMS roles?
Are those undertaking ISMS roles competent, and is this competence documented appropriately?

7.3 AWARENESS & 7.4 COMMUNICATION
Is everyone within the organization’s control aware of the importance of the information security policy, their contribution to the effectiveness of the ISMS and the implications of not conforming?
Has the organization determined the need for internal and external communications relevant to the ISMS, including what to communicate, when, with whom, and who by, and the processes by which this is achieved?

7.5 DOCUMENTED INFORMATION
Has the organization determined the documented information necessary for the effectiveness of the ISMS?
Is the documented information in the appropriate format, and has it been identified, reviewed and approved for suitability?
Is the documented information controlled such that it is available and adequately protected, distributed, stored, retained and under change control, including documents of external origin required by the organization for the ISMS?

8 OPERATIONS
YES   NO   DOCUMENT / INFORMATION REFERENCE
8.1 OPERATIONAL PLANNING AND CONTROL
Has a programme to ensure the ISMS achieves its outcomes, requirements and objectives been developed and implemented?
Is documented evidence retained to demonstrate that processes have been carried out as planned?
Are changes planned and controlled, and unintended changes reviewed to mitigate any adverse results?
Have outsourced processes been determined and are they controlled?
Are information security risk assessments performed at planned intervals or when significant changes occur, and is documented information retained?
Has the information security risk treatment plan been implemented and documented information retained?

9 PERFORMANCE EVALUATION
YES   NO   DOCUMENT / INFORMATION REFERENCE

9.1 MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION
Is the information security performance and effectiveness of the ISMS evaluated?
Has it been determined what needs to be monitored and measured, when, by whom, the methods to be used, and when the results will be evaluated?
Is documented information retained as evidence of the results of monitoring and measurement?

9.2 INTERNAL AUDIT
Are internal audits conducted periodically to check that the ISMS is effective and conforms to both ISO/IEC 27001:2013 and the organization’s requirements?
Are the audits conducted by an appropriate method and in line with an audit programme based on the results of risk assessments and previous audits?
Are results of audits reported to management, and is documented information about the audit programme and audit results retained?
Where non-conformities are identified, are they subject to corrective action (see section 18)?

9.3 MANAGEMENT REVIEW
Do top management undertake a periodic review of the ISMS?
Does the output from the ISMS management review identify changes and improvements?
Are the results of the management review documented, acted upon and communicated to interested parties as appropriate?

10 IMPROVEMENT
YES   NO   DOCUMENT / INFORMATION REFERENCE

10.1 NONCONFORMITY AND CORRECTIVE ACTION & 10.2 CONTINUAL IMPROVEMENT
Have actions to control, correct and deal with the consequences of non-conformities been identified?
Has the need for action been evaluated to eliminate the root cause of non-conformities to prevent reoccurrence?
Have any actions identified been implemented and reviewed for effectiveness, and given rise to improvements to the ISMS?
Is documented information retained as evidence of the nature of non-conformities, actions taken and the results?

ANNEX A CONTROLS
YES   NO   DOCUMENT / INFORMATION REFERENCE
Are information security policies that provide management direction defined and regularly reviewed?
Has a management framework been established to control the implementation and operation of security within the organization, including assignment of responsibilities and segregation of conflicting duties?
Are appropriate contacts with authorities and special interest groups maintained?
Is information security addressed in projects?
Is there a mobile device policy and teleworking policy in place?
Are human resources subject to screening, and do they have terms and conditions of employment defining their information security responsibilities?
Are employees required to adhere to the information security policies and procedures, provided with awareness, education and training, and is there a disciplinary process?
Are the information security responsibilities and duties communicated and enforced for employees who terminate or change employment?
Is there an inventory of assets associated with information and information processing, have owners been assigned, and are rules for acceptable use of assets and return of assets defined?
Is information classified and appropriately labelled, and have procedures for handling assets in accordance with their classification been defined?
Are there procedures for the removal, disposal and transit of media containing information?
Has an access control policy been defined and reviewed, and is user access to the network controlled in line with the policy?
Is there a formal user registration process assigning and revoking access and access rights to systems and services, and are access rights regularly reviewed, and removed upon termination of employment?
Are privileged access rights restricted and controlled, and is secret authentication information controlled, and users made aware of the practices for use?
Is access to information restricted in line with the access control policy, and is access controlled via a secure log-on procedure?
Are password management systems interactive and do they enforce a quality password?
Is the use of utility programs and access to program source code restricted?
Is there a policy for the use of cryptography and key management?
Are there policies and controls to prevent unauthorised physical access and damage to information and information processing facilities?
Are there policies and controls in place to prevent loss, damage, theft or compromise of assets and interruptions to operations?
Are operating procedures documented and are changes to the organization, business processes and information systems controlled?
Are resources monitored and projections made of future capacity requirements?
Is there separation of development, testing and operational environments?
Is there protection against malware?
Are information, software and systems subject to backup and regular testing?
Are there controls in place to log events and generate evidence?
Is the implementation of software on operational systems controlled, and are there rules governing the installation of software by users?
Are networks managed, segregated when necessary, and controlled to protect information systems, and are network services subject to service agreements?
Are there policies and agreements to maintain the security of information transferred within or outside of the organization?
Are information security requirements for information systems defined, and is information passing over public networks and application service transactions protected?
Are systems and rules for the development of software established, and changes to systems within the development lifecycle formally controlled?
Are business critical applications reviewed and tested after changes to operating system platforms, and are there restrictions to changes to software packages?
Have secure engineering principles been established, and are they maintained and implemented, including secure development environments, security testing, the use of test data and system acceptance testing?
Is outsourced software development supervised and monitored?
Are there policies and agreements in place to protect information assets that are accessible to suppliers, and is the agreed level of information security and service delivery monitored and managed, including changes to provision of services?
Is there a consistent approach to the management of security incidents and weaknesses, including assignment of responsibilities, reporting, assessment, response, analysis and collection of evidence?
Is information security continuity embedded within the business continuity management system, including determination of requirements in adverse situations, procedures and controls, and verification of effectiveness?
Are information processing facilities implemented with redundancy to meet availability requirements?
Have all legislative, statutory, regulatory and contractual requirements and the approach to meeting these requirements been defined for each information system and the organization, including but not limited to procedures for intellectual property rights, protection of records, privacy and protection of personal information and regulation of cryptographic controls?
Is there an independent review of information security?
Do managers regularly review the compliance of information processing and procedures within their areas of responsibility?
Are information systems regularly reviewed for technical compliance with policies and standards?