Sans ISO 17799 Audit Checklist

Soumya Ghorpade

Organizations looking to gain certification as per ISO 17799 will find this checklist beneficial in identifying areas where gaps or critical aspects of their ISMS might exist.


1. Risk Assessment
Risk evaluation is the practice of identifying hazards, analyzing their associated risks, and developing methods to eliminate or manage those hazards that cannot be eliminated altogether. Ideally, risk evaluation should be an organized, documented, and systematic process with periodic reviews and updates to keep an accurate account.

There is no single method for assessing risk, as it depends on what kind of work your organization performs and its specific circumstances. But certain components should always be present when performing risk evaluation.

First, determine which laws, regulations, codes of practice, standards and internal policies pertain to your organization’s activities. Next, identify the risks associated with those activities (hazard identification). Finally, assess the resulting risk levels against best practice; this lets you prioritize the controls that will give your organization the greatest benefit.

2. Security Policy
An effective information security policy provides rules, procedures, and guidelines for protecting an organization’s data assets against theft, loss, and unauthorized access. Policy documents usually include an acceptable use policy, physical security policy and operational policy outlining how information and systems should be shared externally.

Security policies define potential threats from within and without. For instance, disgruntled employees could steal information or damage computer systems through illegal acts.

Each security policy should include its scope, which defines who it applies to. This could include location, business unit or job role criteria – even organizational concepts like “need to know.” The goal should be limiting who must abide by each security policy so as to lower risk and improve compliance.

3. Access Control
An access control plan sets out how access to your business’s information systems is restricted. Its aim is to minimize risks such as theft, vandalism, and accidental or intentional damage by making sure only authorized personnel can reach this data.

Discretionary access control (DAC) is a security model in which the owner of each object decides who receives permissions on it. This makes the approach more flexible than other models, but it can introduce security weaknesses if system administrators do not closely oversee how permissions are granted.

RBAC (Role-Based Access Control) is an increasingly popular form of access control, used for example to restrict lab access only during specific times of the day for students. This model significantly limits discretion from users who might grant themselves more privileges than necessary.
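As an added illustration that is not part of the original checklist, the two models side by side in Python: RBAC permissions flow only from role assignments (with the page’s lab-hours example as a role-scoped time window), while in DAC an owner can delegate the right to share, which is why the text asks administrators to oversee permission sprawl. The roles, users and the 09:00–17:00 window are constructed assumptions.

```python
from datetime import time

# Constructed RBAC policy: role -> action -> optional (start, end) time window.
ROLE_PERMISSIONS = {
    "student": {"lab:enter": (time(9, 0), time(17, 0))},   # assumed lab hours
    "staff":   {"lab:enter": None, "lab:configure": None},  # no time limit
}
USER_ROLES = {"alice": {"student"}, "bob": {"staff"}}       # set by admins only


def rbac_allows(user: str, action: str, now: time) -> bool:
    """RBAC: a user gets exactly the permissions of assigned roles, nothing more."""
    for role in USER_ROLES.get(user, set()):
        window = ROLE_PERMISSIONS.get(role, {}).get(action, "absent")
        if window == "absent":
            continue
        if window is None or window[0] <= now <= window[1]:
            return True
    return False


class DacObject:
    """DAC: the object's owner controls its ACL and may delegate that control."""

    def __init__(self, owner: str):
        self.owner = owner
        self.acl = {owner: {"read", "write", "share"}}

    def grant(self, granter: str, grantee: str, perm: str) -> None:
        # Anyone holding 'share' can extend the ACL; this is the sprawl path.
        if "share" not in self.acl.get(granter, set()):
            raise PermissionError(f"{granter} may not grant on this object")
        self.acl.setdefault(grantee, set()).add(perm)

    def allows(self, user: str, perm: str) -> bool:
        return perm in self.acl.get(user, set())


def share_holders(obj: DacObject) -> list:
    """Oversight check: everyone who can further widen this object's ACL."""
    return sorted(u for u, perms in obj.acl.items() if "share" in perms)
```

Running `share_holders` over an estate of objects is the kind of periodic review the DAC paragraph asks of administrators; under RBAC the equivalent review is of the role table itself.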

4. Monitoring
Monitoring involves being able to quickly recognize threats, analyze them, and respond promptly. A SIEM system can be an essential asset in a SOC, but only if its staff use it effectively.

Monitoring carries two potential perils. The first is recording too little data to improve security; the second is recording so much that you amass volumes you cannot comprehend or use effectively.

To protect themselves against the first risk, SAN managers must conduct at least one annual review of their BCP. Documenting those reviews makes it possible to demonstrate the efficacy of the procedures should an emergency occur.

5. Training
Organizations should ensure their employees and contractors receive training in information security policies and procedures, with refresher courses held at least annually. This helps reduce errors and fraud, lowering risk while improving operational efficiency.

ISO 27001 is an extensive compliance framework that requires considerable preparation. IT professionals may feel anxious during the audit process for fear that they will miss something essential that could thwart their chances of attaining successful certification.
