ISO/IEC 27001 (Annex A) Controls Checklist

Information security policy and topic-specific policies are defined, approved, and communicated.

Evidence: Approved policy documents with review and communication records.

Rules to control physical and logical access are established based on business and security requirements.

Evidence: Access-control policy and role-to-access mapping.

The full life cycle of identities is managed.

Evidence: Identity life-cycle process and provisioning records.

Access rights are provisioned, reviewed, modified, and removed per the access-control policy.

Evidence: Access-rights review attestations.

Processes manage information-security risks associated with the use of suppliers.

Evidence: Supplier register with risk assessments and contract security clauses.

Acquisition, use, management, and exit of cloud services follow security requirements.

Evidence: Cloud-service inventory with provider assurance reviews.

Incident management is planned and prepared with defined roles and processes.

Evidence: Incident-management plan and exercise records.

ICT readiness is planned, implemented, and tested to meet continuity objectives.

Evidence: Continuity plan with recovery objectives and test results.

Background verification of candidates is performed prior to and during employment as appropriate.

Evidence: Screening procedure and completion evidence for sampled hires.

Personnel receive appropriate security awareness education and training.

Evidence: Training-completion report.

Allocation and use of privileged access rights are restricted and managed.

Evidence: Privileged-access inventory and review.

Protection against malware is implemented and supported by user awareness.

Evidence: Anti-malware coverage and detection reports.

Information about technical vulnerabilities is obtained and exposure is evaluated and addressed.

Evidence: Vulnerability-scan and remediation records.

Logs recording activities, exceptions, and events are produced, stored, and protected.

Evidence: Logging configuration and retention settings.

Networks, systems, and applications are monitored for anomalous behavior.

Evidence: Monitoring/alerting configuration and triage samples.

Rules for the effective use of cryptography, including key management, are defined and implemented.

Evidence: Cryptography policy and TLS/encryption configuration.

Changes to information processing facilities and systems are subject to change-management procedures.

Evidence: Change records with approvals and test evidence.

Backup copies of information, software, and systems are maintained and tested.

Evidence: Backup reports and restore-test results.

Information relating to security threats is collected and analyzed to produce threat intelligence.

Evidence: Threat-intelligence sources and analysis outputs.

An inventory of information and associated assets, including owners, is developed and maintained.

Evidence: Asset inventory with ownership.