ISBN 0-9770309-5-4 1/17/2008 1



Similar documents
Evidence Product Checklist For Standard IEC 62304:2006 Medical device software Software life cycle processes

EVIDENCE PRODUCT CHECKLIST For the FDA Document. Guidance for Industry, FDA Reviewers and Compliance on Off-The-Shelf Software Use in Medical Devices

SUPPLIER ASSESSMENT CHECKLIST

SEPT EVIDENCE PRODUCT CHECKLIST For ISO Standard 9004:2009 Managing for the sustained success of an organization A quality management approach

Sample Pages for TEMPLATE FOR A SOFTWARE DOCUMENTATION MANAGEMENT PLAN

TEMPLATES FOR SOFTWARE CONFIGURATION MANAGEMENT DOCUMENTS DELUXE VERSION 2.0. ISBN Number:

Templates For Software Configuration Management Documents

Sample pages of the TEMPLATE FOR A SOFTWARE MAINTENANCE PLAN

Motor Vehicle Repossession Services Agreement

LETTER OF INTENT FOR BUSINESS TRANSACTION & GUIDELINES

CHECKLIST ISO/IEC 17021:2011 Conformity Assessment Requirements for Bodies Providing Audit and Certification of Management Systems

We released this document in response to a Freedom of Information request. Over time it may become out of date. Department for Work and Pensions

Information Security Policy. Chapter 12. Asset Management

DRAFT GUIDELINES FOR ADVERTISING AND MARKETING OF FINANCIAL PRODUCTS

FRED 62 Draft amendments to FRS 102 The Financial Reporting Standard applicable in the UK and Republic of Ireland


GENERAL CONTRACT AGREEMENT & GUIDE

PSAB AT A GLANCE Section PS 1201 Financial Statement Presentation

FRAMEWORK FOR THE PREPARATION OF ACCOUNTS. Best Practice Guidance

VARONIS SUPPORT PRINCIPLES

IAS 28 Investments in Associates Impairment of investments in associates in separate financial statements

ISO Revisions Whitepaper

HIPAA BUSINESS ASSOCIATE AGREEMENT

MODEL WARRANTY BILL OF SALE & GUIDELINES

TRADEMARK ASSIGNMENT & GUIDELINES

The Open Group Certified IT Specialist (Open CITS) Program: Accreditation Agreement. May 2011 Revision The Open Group

Home Warranty Insurance - Western Australia Insurance Policy

Background. Audit Quality and Public Interest vs. Cost

Installment Sales and Security Agreement

CONSOLIDATED VERSION IEC Medical device software Software life cycle processes. colour inside. Edition

NON-DISCLOSURE AGREEMENT (Mutual)

EMPLOYMENT AGREEMENT & GUIDE

Certification criteria for. Internal QMS Auditor Training Course

TG TRANSITIONAL GUIDELINES FOR ISO/IEC :2015, ISO 9001:2015 and ISO 14001:2015 CERTIFICATION BODIES

Contract Provisions. 1. Party Names: Is each party clearly identified by official legal name? department, center or program name.

Applaud Solutions Technical Support Policies

Advanced Planning PDP Client for Microsoft Excel 1.3 Install PeopleBook

august09 tpp Internal Audit and Risk Management Policy for the NSW Public Sector OFFICE OF FINANCIAL MANAGEMENT Policy & Guidelines Paper

Spillemyndigheden s change management programme. Version of 1 July 2012

Loan to Deposit Ratio

A LETTER OF INTENT IS ENFORCEABLE. A LETTER OF INTENT IS NOT ENFORCEABLE. Ira Meislik i

CKEditor for Drupal License Agreement

2015. All rights reserved.

Contracts, agreements and tendering

INTERNATIONAL STANDARD ON RELATED SERVICES 4410 ENGAGEMENTS TO COMPILE FINANCIAL STATEMENTS CONTENTS

ARTL PKI. Certificate Policy PKI Disclosure Statement

FORMAL LETTER OF APPOINTMENT FOR INDEPENDENT DIRECTORS

EXPLANATORY MEMORANDUM TO THE COMPANIES ACT 2006 (ANNUAL RETURNS) REGULATIONS No. [XXXX]

Evaluation Reminders. For Team Chairs Evaluators, Financial Reviewers, And Generalists Institutions being Reviewed

RE: PCAOB Rulemaking Docket Matter No. 004 Statement Regarding the Establishment of Auditing and Other Professional Standards

APES 315 INTRODUCTION LIVE CHAT: QUESTIONS AND ANSWERS

COMPLAINT HANDLING POLICY

CORPORATE GOVERNANCE CODE

May Leases. Comments to be received by 13 September 2013

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

Commonwealth of Pennsylvania Software License Requirements Contract # Tab Software

Agreed-Upon Procedures Engagements

International Financial Reporting Standards (IFRS)

Application Note Gemalto Access Client for windows smart card and EFS on Microsoft Windows Vista

Case Study Food Manufacturing Company

INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 450 EVALUATION OF MISSTATEMENTS IDENTIFIED DURING THE AUDIT

FINAL DOCUMENT. Guidelines for Regulatory Auditing of Quality Management Systems of Medical Device Manufacturers Part 1: General Requirements

Dynamic Planner ACE Fund Ratings Service. Technical Guide

November 9, /584

Internal Auditing Course

Writing an Introductory Paragraph for an Expository Essay

CP14 ISSUE 5 DATED 1 st OCTOBER 2015 BINDT Audit Procedure Conformity Assessment and Certification/Verification of Management Systems

PARTNERSHIP DISSOLUTION AGREEMENT & GUIDE

Guidance for audit committees. The internal audit function

Security Overview. A guide to data security at AIMES Data Centres. TEL: enquiries@aimes.

Example Parish Council (the Parish Council) Commencement Date Means the date of the commencement of this Agreement being: 8 April 2015

SAN DIEGO COMMUNITY COLLEGE DISTRICT INSTITUTIONAL REVIEW BOARD (IRB) INVESTIGATOR GUIDELINES FOR RESEARCH USING HUMAN SUBJECTS

A CSi Solution for Jack Henry Streamline

PATENT APPLICATION ASSIGNMENT & GUIDELINES

INTERNATIONAL STANDARD ON REVIEW ENGAGEMENTS 2410 REVIEW OF INTERIM FINANCIAL INFORMATION PERFORMED BY THE INDEPENDENT AUDITOR OF THE ENTITY CONTENTS

EMR-3000 Quick Start Guide. IB E Rev. A. Contents. Description

FRED 50 Draft FRC Abstract 1

The Old Man and The Sea

Technical Accounting Alert

Beacon Financial Group - Privacy Policy

Personal Information Protection and Electronic Documents Act

CCA DSS SP 2 Release Notes. For Microsoft Dynamics GP v10.0, v2010 and v2013

INTELLECTUAL PROPERTY ASSIGNMENT & GUIDELINES

ISO 9001:2008 Internal Audit Guidance

Transcription:

Sample Pages of Evidence Product Checklist for Standard ISO/IEC 27002:2005 Information technology techniques -- Code of practice for information security management (Revision 1 to incorporate Technical Corrigendum 1) ISBN 0-9770309-5-4 1/17/2008 1

Sample Pages of Evidence Product Checklist for Standard ISO/IEC 27002:2005 Information technology techniques -- Code of practice for information security management (Revision 1 to incorporate Technical Corrigendum 1) ISBN 0-9770309-5-4 Authors: Maynard Hanscom CISSP, George Jackelen PMP and Stan Magee CCP Produced by Software Engineering Process Technology (SEPT) 2725 NW Pine Cone Drive Issaquah, WA. 98027 Tel. 425-391-2344 E-mail: stanmagee@smartwire.net Web Site: www.12207.com 2008. Software Engineering Process Technology (SEPT) All rights reserved. 1/17/2008 2

Change Page History Date Change Reason 1/3/2008 Incorporate Technical Number change, throughout the document Corrigendum 1 17799 has been replaced with 27002. 1/17/2008 3

ISO/IEC 27002:2005 techniques -- Code of practice for information security management Evidence Product Checklist Introduction The process of defining what is necessary for compliance with a standard such as ISO/IEC 177799:2005 for security management of information and related assets is often confusing and laborious because the directions contained in the standards are unclear or ambiguous. To aid in determining what is actually recommended by the document in the way of physical evidence of compliance, the experts at SEPT have produced this checklist. This checklist is constructed around a classification scheme of physical evidence comprised of policies, procedures, plans, records, documents, audits, and reviews. There must be an accompanying record of some type when an audit or review has been accomplished. This record would define the findings of the review or audit and any corrective action to be taken. For the sake of brevity this checklist does not call out a separate record for each review or audit. All policies, procedures and records should be reviewed but the checklist does not call out a review for each item unless the standard calls out the review. In this checklist manuals, reports, scripts and specifications are included in the document category. The Authors have carefully reviewed the document ISO/IEC 27002:2005 Information technology techniques -- Code of practice for information security management" and defined the physical evidence recommended based upon this classification scheme. SEPT has conducted a second review of the complete list to ensure that the documents producers did not leave out a physical piece of evidence that a reasonable person would expect to find. It could certainly be argued that if the document did not call it out then it is not recommended; however if the document was used by an organization to improve its process, then it would make sense to recognize missing documents. Therefore, there are documents specified in this checklist that are implied by the standard, though not specifically called out in the document, and they are designated by an asterisk (*) throughout this checklist. These items are classified as suggested. If a document is called out more than one time, only the first reference is stipulated. There are occasional situations in which a procedure or document is not necessarily separate and could be contained within another document or procedure. For example, the Equipment Siting and Protection " could be a part of the Equipment. The authors have called out these individual items separately to ensure that the organization does not overlook any facet of physical evidence. If the organization does not require a separate document, and an item can be a subset of another document or record, then this fact should be denoted in the detail section of the checklist for that item. This should be done in the form of a statement reflecting that the information for this document may be found in section XX of XYZ. If the organizational requirements do not call for this physical evidence for a particular project, this should 1/17/2008 4

also be denoted with a statement reflecting that this physical evidence is not recommended and why. The reasons for the evidence not being recommended should be clearly presented in this statement. Further details on this step are provided in the Detail Steps section of the introduction. The size of these documents could vary from paragraphs to volumes depending upon the size and complexity of the project or business requirements. ISO/IEC 27002:2005 Information technology techniques -- Code of practice for information security management" Checklist This checklist was prepared by analyzing each clause of this document for the key words that signify a: Policy Plan Records (Including Manuals, Reports, Scripts and Specifications) Audit This checklist specifies evidence that is unique and industry best practices. After reviewing the completed document, the second review was conducted from a common sense reasonable person approach. If a document or other piece of evidence appeared to be recommended, but was not called out in the document, then it is added with an asterisk (*) after its notation in the checklist. The information was transferred into checklist tables, based on the type of product or evidence. Recommended items do not have an asterisk (*) after its notation in the checklist. Using the Checklist When a company is planning to use the ISO/IEC 27002:2005 Information technology techniques -- Code of practice for information security management", the company should review the evidence checklist. If the company s present process does not address an ISO/IEC 27002:2005 product, then this question should be asked: Is the evidence product recommended for the type of business of the company? If in the view of the company the evidence is not recommended, the rationale should be documented and inserted in the checklist and quality control manual. This rationale should pass the reasonable person rule. If the evidence is recommended, plans should be prepared to address the missing item(s). Detail Steps An organization should compare the proposed output of their organization against the checklist. In doing this, they will find one of five conditions that exist for each item listed in the checklist. The following five conditions and the actions required by these conditions are listed in the table below. 1/17/2008 5

Condition 1 The title of the documented evidence specified by the checklist (, Plan, Records, (Including Manuals, Reports, Scripts and Specifications), Audit and ) agrees with the title of the evidence being planned by the organization. 2 The title of the documented evidence specified by the checklist (document, etc) disagrees with the title of the evidence planned by the organization but the content is the same. 3 The title of the documented evidence specified by the checklist (document, etc) is combined with another piece of evidence. 4 The title of the documented evidence specified by the checklist (document, etc) is not planned by the organization because it is not required. 5 The title of the documented evidence called out by the checklist (document, etc) is not planned by the organization and should be planned by it. Action Required Record in the checklist that the organization is compliant. Record in the checklist the evidence title the organization uses and record that the organization is compliant, and the evidence is the same although the title is different. Record in the checklist the titles of the evidence (document, etc) in which this information is contained. Record in the checklist that the evidence is not required and the rationale for this decision. Record in the checklist when this evidence will be planned and reference a plan for accomplishing the task. Components of the Checklist This checklist is composed of 9 sections: Section 1. Introduction Section 2. Composites of all recommended and suggested ISO/IEC 27002:2005 Information technology techniques -- Code of practice for information security management" evidence products. Sections 3-8. Individual checklists for each evidence type. Section 9. About the Authors Product Support All reasonable questions concerning this checklist or its use will be addressed free of charge for 60 days from the time of purchase, up to a maximum of 4 hours consultation time. 1/17/2008 6

Warranties and Liability Software Engineering Process Technology (SEPT) makes no warranties implied or stated with respect to this checklist, and it is provided on an as is basis. SEPT will have no liability for any indirect, incidental, special or consequential damages or any loss of revenue or profits arising under, or with respect to the use of this document. 1/17/2008 7

Section 2 ISO/IEC 27002:2005 Evidence Products Checklist By Clause ISO/IEC 27002:2005 Clause Number and Name Policies and s 4.0 Risk assessment and treatment 4.1 Assessing security risks Risk Assessment Results 4.2 Treating security risks 5.0 policy 5.1 Information security policy 5.1.1 Information security policy document 5.1.2 of the information security policy Policy Policy Policy Plans Records s Audits and s Risk Assessment Results Policy Risk Assessment Results Policy Policy 1/17/2008 * Suggested item 8

Section 2 ISO/IEC 27002:2005 Evidence Products Checklist By Clause ISO/IEC 27002:2005 Clause Number and Name Policies and s 6.0 Organization of information security 6.1 Internal Organization Infrastructure 6.1.1 Management commitment to informational security 6.1.2 Information security coordination Goals Awareness Plan User Training Plans Records s Audits and s Awareness Plan Specialist Adviser Records Infrastructure * Goals Infrastructure Goals Awareness Plan User Training 1/17/2008 * Suggested item 9

Section 2 ISO/IEC 27002:2005 Evidence Products Checklist By Clause ISO/IEC 27002:2005 Clause Number and Name 6.1.3 Allocation of information security responsibilities Policies and s Asset Responsibility Authorization Level Authorization Process for Implementing Information Processing Responsibility Roles and Responsibilities of Information Asset Owners Plans Records s Audits and s Authorization Level Records Asset Responsibility * Responsibility Roles and Responsibilities of Information Asset Owners System Asset System Process Asset Responsibility Responsibility Roles and Responsibilities of Information Asset Owners System Asset System Process 1/17/2008 * Suggested item 10

Section 2 ISO/IEC 27002:2005 Evidence Products Checklist By Clause ISO/IEC 27002:2005 Clause Number and Name 6.1.3 Allocation of information security responsibilities (Cont. 1) 6.1.4 Authorization process for information processing facilities Policies and s System Asset System Process New Information Processing Facilities Authorization s Use of (Personnel or Privately) Owned Information Processing Facilities and or Equipment Plans Records s Audits and s 1/17/2008 * Suggested item 11

Section 2 ISO/IEC 27002:2005 Evidence Products Checklist By Clause ISO/IEC 27002:2005 Clause Number and Name Policies and s 6.1.5 Confidentiality agreements Confidentiality/ Non-Disclosure Agreement Confidentiality/ Non-Disclosure Agreement 6.1.6 Contact with authorities Contact With Authorities 6.1.7 Contact with special interest groups Contact With Special Interest Groups Sharing Agreements Plans Records s Audits and s Confidentiality Confidentiality /Non- /Non- Disclosure Disclosure Agreement Agreement Records* Contact With Authorities Records Sharing Agreements Confidentiality/ Non-Disclosure Agreement Confidentiality/ Non-Disclosure Agreement Confidentiality/ Non-Disclosure Agreement Sharing Agreements 1/17/2008 * Suggested item 12

Section 2 ISO/IEC 27002:2005 Evidence Products Checklist By Clause Last Sample page 1/17/2008 * Suggested item 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information