Page 1

Please Note: This sample shows only a small part of the complete gap assessment tool.

Terms Used

ISO/IEC 27001 Gap Assessment Tool - Questionnaire

ISMS = Information Security Management System

Information security management systems - Requirements

Area

Section

Sub-section

ISO/IEC 27001 Requirements

ISO/IEC 27001 requirements met? Action needed to meet requirement

4 Context of the organization 4.1 Understanding the organization and its context

Have the external and internal issues that affect the ISMS been determined? Have the interested parties and their requirements been identified? Has the scope of the ISMS been determined and documented? Is an ISMS in place and being continually improved?

4.2 Understanding the needs and expectations of interested parties 4.3 Determining the scope of the information security management system 4.4 Information security management system

Totals:

Yes Yes Yes Yes

4

5 Leadership 5.1 Leadership and commitment

Does top management demonstrate leadership and commitment to the ISMS by providing resources and communicating effectively? (see list a to h)

Yes

5.2 Policy

Is a documented information security policy in place? Does it set objectives for the ISMS? Does it commit the organization to satsifying requirements and continually improving the ISMS? Is it adequately communicated? Are roles, responsibilities and authorities for the ISMS defined?

Yes

5.3 Organizational roles, responsibilities and authorities Totals:

Yes Yes Yes Yes

6

6 Planning 6.1 Actions to address risks and opportunities

6.1.1 General

6.1.2 Information Security Risk Assessment

Does the plan for the ISMS take into account the relevant issues and requirements? Are all of the relevant risks and opportunities determined? Are actions planned to address the identified risks and opportunities? Is a documented information security risk assessment process defined and applied? Is it clear when risk assessments should be carried out? Has a risk assessment been carried out with respect to the confidentiality, integrity and availability of the information within scope? Have risk owners been identified? Have risks been analysed, evaluated and prioritised for treatment?

Yes Yes Yes Yes Yes Yes

Yes Yes

Action owner


Terms Used

ISO/IEC 27017 Cloud Service Customer (CSC) Gap Assessment Tool - Questionnaire

CSP = Cloud Service Provider CSC = Cloud Service Customer

Code of practice for information security controls based on ISO/IEC 27002 for cloud services Note: Only those controls that are listed in the ISO/IEC 27017 standard that apply to Cloud Service Customers (CSCs) are shown here.

Area

Section

Sub-section

ISO/IEC 27017 Cloud service customer requirements

ISO/IEC 27017 CSC requirements met? Action needed to meet requirement

A.5 Information security policies A.5.1 Management direction for information security

A.5.1.1 Policies for information security

Is there an information security policy for cloud computing? Does the policy consider the specific risks associated with using cloud services?

Totals:

Yes Yes

2

A.6 Organization of information security A.6.1 Internal organization

A.6.1.1 Information security roles and responsibilities

A.6.1.3 Contact with authorities CLD.6.3 Relationship between cloud service customer and cloud service provider

CLD.6.3.1 Shared roles and responsibilities within a cloud computing environment

Are the roles and responsibilities concerned with the security of the cloud service agreed between the CSC and the CSP and documented, including the interface with the CSP support function? Are all of the authorities relevant to both the CSC and the CSP identified? Are cloud service users aware of their roles and responsibilities in using each cloud service?

Totals:

Yes

Yes Yes

3

A.7 Human resources security A.7.2 During employment

A.7.2.2 Information security awareness, education and training

Do awareness training efforts include the specifi risks and issues to do with the use of cloud services?

Totals:

Yes

1

A.8 Asset management A.8.1 Responsibility for assets

A.8.1.1 Inventory of assets CLD.8.1.5 Removal of cloud service customer assets

A.8.2 Information classification

A.8.2.2 Labelling of information

Totals:

Are information assets stored in the cloud included on the asset inventory? When terminating a cloud service, is the process clear and documented and does it cover all of the assets involved? Are assets stored in the cloud appropriately labelled?

Yes Yes

Yes

3

Action owner


Terms Used

ISO/IEC 27017 Cloud Service Provider (CSP) Gap Assessment Tool - Questionnaire

CSP = Cloud Service Provider CSC = Cloud Service Customer

Code of practice for information security controls based on ISO/IEC 27002 for cloud services Note: Only those controls that are listed in the ISO/IEC 27017 standard that apply to Cloud Service Providers (CSPs) are shown here.

Area

Section

Sub-section

ISO/IEC 27017 Cloud service provider requirements

ISO/IEC 27017 CSP requirements met? Action needed to meet requirement

A.5 Information security policies A.5.1 Management direction for information security

A.5.1.1 Policies for information security

Has the information security policy been augmented to reflect the specific risks associated with operating as a cloud service provider?

Totals:

Yes

1

A.6 Organization of information security A.6.1 Internal organization

A.6.1.1 Information security roles and responsibilities A.6.1.3 Contact with authorities

CLD.6.3 Relationship between cloud service customer and cloud service provider

CLD.6.3.1 Shared roles and responsibilities within a cloud computing environment

Have information security responsibilities been defined between parties in the cloud relationship? Have customers been informed of the geographical spread of the CSP's operations and the countries involved? Has the split of responsibilities for information security been documented and made clear to customers?

Totals:

Yes

Yes

Yes

3

A.7 Human resources security A.7.2 During employment

A.7.2.2 Information security awareness, education and training

Has awareness training been provided to employees and third parties regarding appropriate handling of customer data?

Totals:

Yes

1

A.8 Asset management A.8.1 Responsibility for assets

A.8.1.1 Inventory of assets

CLD.8.1.5 Removal of cloud service customer assets A.8.2 Information classification

A.8.2.2 Labelling of information

Totals:

Is a distinction made between cloud service customer data and cloud service derived data? Is information provided to customers regarding procedures used for the removal of a customer service and associated data? Have facilities that are provided for the customer to label their data been communicated to the customer?

Yes

Yes

Yes

3

Action owner


Terms Used

ISO/IEC 27018 Gap Assessment Tool - Questionnaire

CSP = Cloud Service Provider

Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

CSC = Cloud Service Customer PII = Personally Identifiable Information

Note: Only those controls that are listed in the ISO/IEC 27018 standard are shown here.

Area

Section

Sub-section

ISO/IEC 27018 requirements

A.5.1.1 Policies for information security

Does the CSP information security policy include a statement committing to meeting PII protection legislation and contractual terms? Are information security responsibilities between CSP, sub-contractors and CSC clearly allocated in contractual agreements?

ISO/IEC 27018 requirements met? Action needed to meet requirement

A.5 Information security policies A.5.1 Management direction for information security

Totals:

Yes

Yes

2

A.6 Organization of information security A.6.1 Internal organization

A.6.1.1 Information security roles and responsibilities

Is a CSP point of contact identified for CSCs regarding PII processing?

Totals:

Yes

1

A.7 Human resources security A.7.2 During employment

A.7.2.2 Information security awareness, education and training

Are CSP employees made aware of the importance of protecting PII and the consequences of failing to do so?

Yes

Totals:

1

Totals:

0

A.8 Asset management

A.9 Access control A.9.2 User access management

A.9.2.1 User registration and de-registration

A.9.4.2 Secure log-on procedures

Totals:

Do procedures address the situation where user access has been compromised e.g. stolen passwords? Are secure log-on procedures available if requested by the CSC?

Yes

Yes

2

Action owner


Gap Assessment Results ISO/IEC 27001 Information Security Standard Area of ISO/IEC 27001 Standard

4 Context of the organization 5 Leadership 6 Planning 7 Support 8 Operation 9 Performance evaluation 10 Improvement A.5 Information security policies A.6 Organization of information security A.7 Human resources security A.8 Asset management A.9 Access control A.10 Cryptography A.11 Physical and environmental security A.12 Operations security A.13 Communications security A.14 System acquisition, development and maintenance A.15 Supplier relationships A.16 Information security incident management A.17 Information security aspects of business continuity management A.18 Compliance Totals

Number of requirements in section

No. requirements met % Conformant

4 6 16 8 4 6 2 2 7 6 10 14 2 15 14 7 13 5 7 4 8

4 6 16 8 4 6 2 2 7 6 10 14 2 15 14 7 13 5 7 4 8

100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100%

160

160

100%

ISO/IEC 27017 Code of Practice for Cloud Services - Cloud Service Customer (CSC) Area of ISO/IEC 27017 Code of Practice

Number of requirements in section

No. requirements met % Conformant

A.5 Information security policies A.6 Organization of information security A.7 Human resources security A.8 Asset management A.9 Access control A.10 Cryptography A.11 Physical and environmental security A.12 Operations security A.13 Communications security A.14 System acquisition, development and maintenance A.15 Supplier relationships A.16 Information security incident management A.17 Information security aspects of business continuity management A.18 Compliance

2 3 1 3 6 2 1 9 1 2 2 3 0 5

2 3 1 3 6 2 1 9 1 2 2 3 0 5

100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100%

Totals

40

40

100%


Profile for CertiKit Limited

ISMS-FORM-00-4 ISO27001-17-18 Gap Assessment Tool - Questionnaire based  

ISMS-FORM-00-4 ISO27001-17-18 Gap Assessment Tool - Questionnaire based  

Profile for public-it