| Clause | Requirement & Audit Check Points | Status | Evidence Required | Auditor Notes |
|---|---|---|---|---|
| Clause 4: Context of the Organisation | ||||
| 4.1 | Understanding the Organisation and Its Context • Internal and external issues affecting IS documented and reviewed at planned intervals? • Context analysis (PESTLE/SWOT or equivalent) referenced in ISMS scope decisions? • Climate change and geopolitical factors considered per ISO 27001:2022 update? | — | Context analysis doc; board minutes | |
| 4.2 | Understanding Needs and Expectations of Interested Parties • Interested parties (customers, regulators, employees, suppliers) identified and documented? • IS requirements and expectations of each party recorded? • Contractual and regulatory IS obligations captured? | — | Stakeholder register; regulatory obligations register | |
| 4.3 | Determining the Scope of the ISMS • ISMS scope statement formally documented covering all applicable locations, processes, and systems? • Exclusions from scope identified and justified with rationale? • Scope reviewed and updated when organisational changes occur? | — | ISMS Scope Statement; exclusion justification | |
| 4.4 | Information Security Management System • ISMS established, implemented, maintained, and continually improved per the standard? • ISMS processes and their interactions defined and documented? • Evidence of ISMS operation (records, logs, meeting minutes) retained? | — | ISMS process map; operational records | |
| Clause 5: Leadership | ||||
| 5.1 | Leadership and Commitment • Top management demonstrate commitment through resource allocation, communication, and active participation in ISMS? • IS policy and objectives established consistent with strategic direction? • Management actively promote continual improvement? | — | Board resolution; ISMS budget approval; mgmt review minutes | |
| 5.2 | Information Security Policy • IS Policy documented, approved by top management, and published? • Reviewed at planned intervals or after significant changes? • Communicated to all personnel and relevant external parties? | — | IS Policy; management approval record; distribution evidence | |
| 5.3 | Organisational Roles, Responsibilities and Authorities • ISMS roles (CISO, risk owner, data owner, system owner) formally defined and assigned? • ISMS performance reporting route to top management documented? • Roles communicated throughout the organisation? | — | RACI matrix; job descriptions; org chart with IS roles | |
| Clause 6: Planning | ||||
| 6.1.1 | Actions to Address Risks and Opportunities: General • Risks and opportunities relevant to IS context and objectives identified? • Actions planned and integrated into ISMS processes? • Effectiveness of actions evaluated? | — | Risk management framework; risk register | |
| 6.1.2 | Information Security Risk Assessment • Risk assessment methodology documented with acceptance criteria and likelihood/impact scales? • Assessment conducted at planned intervals AND when significant changes occur? • Risk owners assigned for each identified risk? | — | Risk assessment methodology; completed risk register with dates | |
| 6.1.3 | Information Security Risk Treatment • Risk treatment options selected and treatment plan documented? • Statement of Applicability (SOA) produced covering all 93 Annex A controls with inclusion/exclusion rationale? • Residual risks formally accepted by risk owners? | — | Risk treatment plan; SOA; risk acceptance records | |
| 6.2 | IS Objectives and Planning to Achieve Them • IS objectives documented at relevant functions and levels, measurable, and consistent with IS policy? • Plans identify what, who, when, how evaluated? • Objectives monitored and progress reported to management? | — | IS objectives register; KPI reports; management review inputs | |
| 6.3 | Planning of Changes • Changes to the ISMS carried out in a planned and controlled manner? • IS impact assessments performed for significant organisational or system changes? | — | Change management log; ISMS change impact assessments | |
| Clause 7: Support | ||||
| 7.1 | Resources • Adequate resources (budget, personnel, tools) allocated for ISMS operation? • Resource requirements reviewed at management review? | — | ISMS budget; headcount allocation; management review records | |
| 7.2 | Competence • Competence requirements defined for all IS-relevant roles? • Training provided and records retained to demonstrate competence? • Training effectiveness evaluated (tests, certifications, practical assessment)? | — | Competency matrix; training records; certification evidence | |
| 7.3 | Awareness • All personnel aware of IS policy, their contribution to ISMS, and consequences of non-compliance? • Awareness delivered at onboarding and regularly thereafter? • Phishing simulations or assessments used to measure effectiveness? | — | Training completion records; phishing simulation results | |
| 7.4 | Communication • IS communication plan identifies what, when, with whom, and by whom? • Internal IS communications (policy updates, alerts) delivered effectively? | — | Communications plan; evidence of IS communications | |
| 7.5 | Documented Information • Required ISMS documented information identified, controlled (version, approval, distribution)? • Document control procedure in place (creation, review, update, retention, disposal)? • External documented information (standards, contracts) identified and controlled? | — | Document control procedure; document register; version history | |
| Clause 8: Operation | ||||
| 8.1 | Operational Planning and Control • ISMS processes planned, implemented, controlled, and documented? • Outsourced IS processes identified and controlled? | — | Operational procedures; outsourced process controls | |
| 8.2 | Information Security Risk Assessment (Operational) • Risk assessments performed at planned intervals AND triggered by significant changes? • Results retained as documented information? | — | Risk assessment records with dates; change-triggered assessments | |
| 8.3 | Information Security Risk Treatment (Operational) • Risk treatment plan implemented with actions, owners, and target dates? • Treatment effectiveness monitored and reported? | — | Risk treatment tracker; action completion evidence | |
| Clause 9: Performance Evaluation | ||||
| 9.1 | Monitoring, Measurement, Analysis and Evaluation • IS performance metrics defined, monitored, and reported at planned intervals? • Monitoring methods produce valid and reproducible results? • Results analysed and used to drive improvement? | — | IS KPI dashboard; measurement methodology; analysis reports | |
| 9.2 | Internal Audit • Internal audit programme covering all ISMS areas, with criteria, scope, and frequency defined? • Auditors selected to ensure objectivity and impartiality (no self-audit)? • Audit results reported to management; findings tracked to closure? | — | Audit programme; audit reports; NC tracking log | |
| 9.3 | Management Review • Management review conducted at planned intervals (at least annually) covering all required inputs? • Inputs include: audit results, security performance, risk treatment status, stakeholder feedback? • Outputs (decisions, actions) documented and tracked? | — | Management review meeting minutes; action register | |
| Clause 10: Improvement | ||||
| 10.1 | Continual Improvement • Continual improvement process drawing on audit results, performance data, and management review outputs? • Improvement initiatives documented with measurable outcomes? | — | Improvement register; before/after metrics | |
| 10.2 | Nonconformity and Corrective Action • Process for identifying, documenting, and evaluating nonconformities in place? • Root cause analysis performed; corrective actions prevent recurrence? • Corrective action log maintained with status and verification of effectiveness? | — | Corrective action log; root cause analyses; closure evidence | |
| Ref | Control Name & Audit Check Points | Status | Evidence Required | Auditor Notes |
|---|---|---|---|---|
| A.5.1 | Policies for Information Security • IS policy and topic-specific policies documented, approved by management, published, and accessible to all staff? • Policies reviewed at planned intervals or following significant changes? • Staff acknowledgement of policies recorded? | — | IS Policy suite; version history; management approval; staff sign-off log | |
| A.5.2 | IS Roles and Responsibilities • IS roles formally defined with written responsibilities (CISO, data owners, system owners)? • Roles assigned to competent individuals and communicated throughout the organisation? | — | RACI matrix; job descriptions; org chart | |
| A.5.3 | Segregation of Duties • Conflicting duties identified for sensitive processes (finance, access provisioning, admin)? • Segregation controls implemented; compensating controls where full separation not feasible? • SoD reviewed periodically and exceptions documented? | — | SoD matrix; process controls; access reviews | |
| A.5.4 | Management Responsibilities • Management actively require staff to apply IS policies? • Commitment evidenced through security meetings, communications, resource allocation? | — | Management communications; IS steering committee minutes | |
| A.5.5 | Contact with Authorities • Contacts with relevant authorities (regulators, law enforcement, national CERTs) maintained? • Procedure defining when and how to contact authorities exists and is tested? | — | Authority contact register; incident escalation procedure | |
| A.5.6 | Contact with Special Interest Groups • Organisation participates in relevant IS forums, ISACs, or professional groups? • Threat intelligence and best practices shared/received through these channels? | — | Membership records; threat intel subscription evidence | |
| A.5.7 | Threat Intelligence • Threat intelligence collected from multiple relevant sources (government, ISAC, commercial feeds)? • Intelligence analysed and used to update risk assessments and control decisions? • Threat intelligence process documented and reviewed regularly? | — | Threat intel sources; analysis reports; risk register updates | |
| A.5.8 | IS in Project Management • IS integrated into project management methodology from initiation? • IS risk assessments conducted for all significant projects? • IS requirements tracked and verified at project closure? | — | PM policy; IS risk assessment templates; project closure checklists | |
| A.5.9 | Inventory of Information and Other Associated Assets • Complete and current inventory maintained covering information, software, hardware, and services? • Records include: asset type, location, classification, and owner? • Inventory reviewed and reconciled at regular intervals? | — | Asset register; last review date; asset owner sign-offs | |
| A.5.10 | Acceptable Use of Information and Other Associated Assets • Acceptable Use Policy (AUP) documented and covering all relevant asset types? • AUP communicated to all personnel and contractors; acknowledgement recorded? • AUP violations monitored, reported, and addressed? | — | AUP document; signed acknowledgements; violation log | |
| A.5.11 | Return of Assets • Process for return of assets upon termination or role change documented? • Asset return checklists completed and signed on offboarding? • Asset register updated promptly following return? | — | Offboarding checklist; asset return records; register updates | |
| A.5.12 | Classification of Information • Classification scheme documented with clear categories (e.g. Public/Internal/Confidential/Restricted)? • Classification criteria applied consistently across all information assets? • Levels aligned to legal, regulatory, and contractual requirements? | — | Classification policy; asset register with classification; training records | |
| A.5.13 | Labelling of Information • Labelling procedure defined and implemented for all classification levels? • Labels applied to documents, emails, storage media, and systems? • Labelling compliance audited? | — | Labelling procedure; DLP/labelling tool config; audit results | |
| A.5.14 | Information Transfer • Policies and procedures for information transfer (internal and external) documented? • Transfer agreements with third parties covering confidentiality and security? • Encryption used for transfer of sensitive information? | — | Data transfer policy; NDAs; encryption evidence; transfer logs | |
| A.5.15 | Access Control • Access control policy documented based on need-to-know and least privilege? • Access provisioned and revoked through formal approval process? • Access rights reviewed at regular intervals (at least annually)? | — | Access control policy; access request records; periodic access reviews | |
| A.5.16 | Identity Management • Formal identity lifecycle management process in place (create, change, suspend, delete)? • Shared/generic accounts controlled, justified, and audited? • Identity management integrated with HR joiner/mover/leaver processes? | — | IAM system records; HR-IT integration evidence; generic account register | |
| A.5.17 | Authentication Information • Authentication credentials managed through a formal process? • Default credentials changed on all systems before deployment? • Strong password/passphrase policy enforced technically (length, complexity, MFA)? | — | Password policy; AD/IdP configuration; default credential audit | |
| A.5.18 | Access Rights • Access rights granted based on formal approval and business justification? • Reviewed periodically (quarterly for privileged, annually for standard accounts)? • Access rights revoked promptly on termination or role change? | — | Access approval records; access review reports; revocation evidence | |
| A.5.19 | IS in Supplier Relationships • Policy for managing IS risks in supplier relationships documented? • IS requirements identified and assessed before engaging suppliers? • Supplier IS risk assessments performed and documented? | — | Supplier IS policy; supplier risk assessments; vendor register | |
| A.5.20 | IS within Supplier Agreements • Supplier agreements include IS requirements (data protection, incident notification, right to audit)? • Agreements reviewed and updated when IS requirements change? • Compliance with contractual IS clauses monitored? | — | Supplier contracts with IS clauses; contract review records | |
| A.5.21 | Managing IS in the ICT Supply Chain • IS requirements communicated to and through the ICT supply chain? • Supply chain IS risks assessed (hardware/software provenance, vendor due diligence)? • Process to verify supplier IS practices and subcontractor controls? | — | Supply chain risk assessments; procurement IS requirements; SBOM | |
| A.5.22 | Monitoring, Review and Change Management of Supplier Services • Supplier IS performance monitored against contractual obligations? • Supplier service reviews conducted at planned intervals? • Changes to supplier services assessed for IS impact? | — | Supplier review minutes; SLA performance reports; change assessments | |
| A.5.23 | IS for Use of Cloud Services • Policy for acquisition, use, management, and exit from cloud services documented? • Cloud agreements reviewed for IS clauses (data location, encryption, audit rights)? • Cloud services assessed against organisational classification and risk criteria? | — | Cloud usage policy; provider contracts; cloud risk assessments | |
| A.5.24 | IS Incident Management Planning and Preparation • IS incident management procedure documented with roles, escalation paths, and timelines? • Incident response team defined, trained, and contactable 24/7? • Procedure tested (tabletop or live exercise) at planned intervals? | — | Incident response plan; team assignments; exercise reports | |
| A.5.25 | Assessment and Decision on IS Events • Process defined for categorising and prioritising IS events against severity criteria? • Triage performed within defined timeframes? | — | Event triage procedure; severity classification criteria; event logs | |
| A.5.26 | Response to IS Incidents • Incident response playbook covering containment, eradication, and recovery? • Incidents responded to within defined SLAs? • Evidence preserved for potential legal or regulatory purposes? | — | IR playbook; incident records; evidence handling procedure | |
| A.5.27 | Learning from IS Incidents • Post-incident reviews (PIRs) conducted for all significant incidents? • Lessons learned documented and communicated? • Recurring incidents tracked; root causes addressed through corrective actions? | — | PIR reports; lessons-learned log; corrective action records | |
| A.5.28 | Collection of Evidence • Procedures for collecting, preserving, and handling digital forensic evidence documented? • Chain of custody maintained for all evidence collected? | — | Evidence handling procedure; chain of custody forms; training records | |
| A.5.29 | IS During Disruption • IS controls maintained during disruptive incidents? • IS continuity covered within BCP/DRP and tested as part of exercises? | — | BCP/DRP with IS section; IS continuity test results | |
| A.5.30 | ICT Readiness for Business Continuity • ICT recovery objectives (RTO/RPO) defined and documented for all critical systems? • Redundancy and failover capabilities in place and tested? • ICT continuity integrated with overall BCP programme? | — | ICT BCP; RTO/RPO register; DR test results | |
| A.5.31 | Legal, Statutory, Regulatory and Contractual Requirements • Applicable legal, regulatory, and contractual IS requirements identified and documented? • Process for tracking changes to requirements in place? • Obligations recorded in a compliance register and assigned to owners? | — | Legal/regulatory obligations register; compliance tracking process | |
| A.5.32 | Intellectual Property Rights • Procedures to comply with IP rights (software licensing, copyright, patents) implemented? • Software licence register maintained and reconciled? | — | Software licence register; IP policy; training records | |
| A.5.33 | Protection of Records • Records retention schedule defined, documented, and implemented? • IS records protected from loss, destruction, falsification, and unauthorised access? • Records securely disposed of at end of retention period? | — | Retention schedule; records management procedure; disposal records | |
| A.5.34 | Privacy and Protection of PII • Privacy/data protection policy documented and implemented? • DPIA process in place for systems processing personal data? • PII handling requirements embedded in system and supplier contracts? | — | Privacy policy; DPIA register; DPA agreements; ROPA | |
| A.5.35 | Independent Review of IS • Independent IS reviews (internal audit, external assessment) conducted at planned intervals? • Review results reported to management; findings tracked to closure? | — | Internal audit reports; external assessment reports; NC tracker | |
| A.5.36 | Compliance with IS Policies, Rules and Standards • Regular compliance reviews performed against IS policies and standards? • Non-compliance documented, remediated, and tracked to closure? | — | Compliance monitoring reports; management attestations; NC log | |
| A.5.37 | Documented Operating Procedures • Operating procedures for IS-relevant processes documented and available to those who need them? • Procedures reviewed and updated when processes change? | — | Procedure library; version control records; review logs |
| Ref | Control Name & Audit Check Points | Status | Evidence Required | Auditor Notes |
|---|---|---|---|---|
| A.6.1 | Screening • Background screening conducted prior to employment, commensurate with role sensitivity and data access? • Screening results documented and retained confidentially? • Re-screening conducted for high-risk roles or significant changes? | — | Pre-employment screening policy; screening provider records; HR files | |
| A.6.2 | Terms and Conditions of Employment • Employment contracts include IS responsibilities, confidentiality, and AUP obligations? • IS responsibilities communicated before access is granted? • Contracts reviewed and updated when IS requirements change? | — | Employment contract template; signed contracts; IS clauses review | |
| A.6.3 | IS Awareness, Education and Training • IS awareness programme delivered at onboarding and at regular intervals thereafter? • Training tailored to different roles (technical, management, general staff)? • Training effectiveness measured (assessments, phishing simulations, completion rates)? | — | Training plan; completion records; phishing simulation results; assessment scores | |
| A.6.4 | Disciplinary Process • Formal disciplinary process for IS policy violations documented and communicated? • Applied consistently; actions proportionate and documented? | — | Disciplinary policy; HR records of IS-related disciplinary actions | |
| A.6.5 | Responsibilities After Termination or Change of Employment • IS responsibilities upon termination documented (confidentiality, asset return, access revocation)? • NDAs and confidentiality obligations surviving termination enforced? • Offboarding process triggers timely access revocation and asset recovery? | — | Offboarding checklist; post-termination NDA; access revocation logs | |
| A.6.6 | Confidentiality or Non-Disclosure Agreements • NDAs in place for all staff, contractors, and relevant third parties? • Agreements include specific IS obligations (scope, duration, consequences)? • Signed NDAs retained and breaches tracked and acted upon? | — | NDA template; signed NDA register; breach log | |
| A.6.7 | Remote Working • Remote working policy documented covering approved locations, devices, and security requirements? • Remote access controls implemented: VPN, MFA, endpoint encryption, screen privacy? • Remote working risks assessed and controls verified through monitoring? | — | Remote working policy; VPN logs; MDM configuration; MFA evidence | |
| A.6.8 | Information Security Event Reporting • Clear and accessible mechanism for staff to report IS events? • Staff trained to recognise and report IS events promptly? • Reports acknowledged and tracked; reporting volumes monitored? | — | Reporting channel documentation; training records; event log statistics |
| Ref | Control Name & Audit Check Points | Status | Evidence Required | Auditor Notes |
|---|---|---|---|---|
| A.7.1 | Physical Security Perimeters • Physical security perimeters defined and documented for all facilities? • Perimeters protected with appropriate barriers; all entry/exit points controlled and monitored? | — | Facility plan; access control system records; security inspection reports | |
| A.7.2 | Physical Entry • Access to secure areas controlled by authentication (card, PIN, biometric)? • Visitor access logged, time-limited, and escorted throughout? • Access logs reviewed regularly for anomalies? | — | Access control logs; visitor register; access review records | |
| A.7.3 | Securing Offices, Rooms and Facilities • Offices protected against unauthorised access? • IS assets secured when areas unoccupied? • Cleaning/maintenance staff supervised in sensitive areas? | — | Physical security policy; inspection records; third-party access logs | |
| A.7.4 | Physical Security Monitoring • CCTV or equivalent monitoring in place for critical and sensitive areas? • Alarms and intrusion detection operational, tested, and monitored 24/7? • Monitoring records retained per legal requirements and reviewed regularly? | — | CCTV system spec; alarm test records; monitoring retention policy | |
| A.7.5 | Protecting Against Physical and Environmental Threats • Physical/environmental threats identified (fire, flood, power failure, extreme weather)? • Countermeasures implemented (fire suppression, flood barriers, UPS, temperature controls)? • Controls tested and maintained at planned intervals? | — | Environmental risk assessment; fire/flood test records; UPS test logs | |
| A.7.6 | Working in Secure Areas • Procedures for working in secure areas defined and communicated? • Photography/recording restricted; secure areas inspected regularly? | — | Secure area procedures; inspection records; signage | |
| A.7.7 | Clear Desk and Clear Screen • Clear desk and clear screen policy documented and communicated? • Unattended screens auto-lock enforced via GPO or MDM? • Compliance audits conducted; findings actioned? | — | Clear desk policy; GPO/MDM screen lock settings; audit walkthrough reports | |
| A.7.8 | Equipment Siting and Protection • Equipment sited to minimise environmental risk and restricted from public view? • Equipment protected from power fluctuations (surge protection, UPS)? | — | Facilities plan; equipment placement assessment; power protection evidence | |
| A.7.9 | Security of Assets Off-Premises • Policy for assets taken off-premises documented (encryption, tracking, insurance)? • Off-site assets encrypted at rest and tracked? • Process for reporting and responding to lost/stolen assets defined and tested? | — | Off-premises asset policy; encryption evidence; lost/stolen incident records | |
| A.7.10 | Storage Media • Removable media managed and controlled (registration, authorisation, tracking)? • Media sanitised before reuse and securely destroyed when retired? • Media register maintained and reconciled? | — | Media management policy; media register; destruction certificates | |
| A.7.11 | Supporting Utilities • Critical utilities (power, cooling) protected with redundancy? • UPS and generator capacity tested at planned intervals? • Utility failures monitored with automated alerts? | — | UPS test records; generator test logs; utility monitoring alerts | |
| A.7.12 | Cabling Security • Power and network cabling protected from interception, interference, and physical damage? • Cabling routes documented, labelled, and comms rooms physically secured? | — | Cabling diagram; physical inspection records; comms room access logs | |
| A.7.13 | Equipment Maintenance • Equipment maintained per manufacturer specifications with records kept? • Third-party maintenance personnel authorised, supervised, and logged? | — | Maintenance schedule; service records; third-party access logs | |
| A.7.14 | Secure Disposal or Re-Use of Equipment • Secure data destruction procedure implemented before equipment disposal or reuse? • Certificates of destruction obtained from third-party disposal providers? • Equipment disposal records retained? | — | Disposal procedure; destruction certificates; disposal register |
| Ref | Control Name & Audit Check Points | Status | Evidence Required | Auditor Notes |
|---|---|---|---|---|
| A.8.1 | User Endpoint Devices • Policy for endpoint device management documented covering corporate and BYOD devices? • All endpoints enrolled in MDM/EMM with security baseline enforced (encryption, screen lock, AV, patching)? • Lost/stolen device procedure documented, tested, and remote-wipe capability verified? | — | Endpoint policy; MDM enrolment report; remote wipe test evidence | |
| A.8.2 | Privileged Access Rights • Privileged accounts inventoried, minimised, and reviewed at least quarterly? • PAM solution in place for admin credential vaulting and session recording? • Privileged access provisioned on just-in-time or need basis? | — | Privileged account register; PAM system evidence; quarterly access reviews | |
| A.8.3 | Information Access Restriction • Access to information restricted based on least privilege and need-to-know? • RBAC or equivalent implemented across systems? • Access restrictions enforced at system level? | — | Access control configuration; RBAC matrix; access restriction testing | |
| A.8.4 | Access to Source Code • Access to source code repositories restricted to authorised developers? • Source code stored in version-controlled repository with access logging? • Code changes tracked, reviewed, and approved? | — | Repository access controls; audit logs; code review records | |
| A.8.5 | Secure Authentication • MFA enforced for privileged access, remote access, and cloud services? • No weak authentication protocols in use (NTLM, basic auth, Telnet)? • Failed authentication attempts logged, alerted, and investigated? | — | MFA configuration; authentication protocol audit; failed login alert configuration | |
| A.8.6 | Capacity Management • Capacity thresholds defined and monitored for all critical systems (CPU, memory, storage, bandwidth)? • Capacity forecasts produced at planned intervals? • Automated alerts triggered before limits are reached? | — | Capacity monitoring dashboard; threshold alert config; forecast reports | |
| A.8.7 | Protection Against Malware • Anti-malware deployed and up to date on all endpoints, servers, and email gateways? • Definition updates automated with alert on failure? • Malware incidents logged, responded to per IR procedure, and reviewed? | — | AV deployment report; update policy; malware incident log | |
| A.8.8 | Management of Technical Vulnerabilities • Vulnerability management programme in place with regular scanning (at least quarterly)? • Vulnerabilities prioritised by CVSS and KEV status; SLAs defined per criticality tier? • Critical vulnerabilities closed within defined SLAs; progress tracked and reported? | — | Vulnerability scan reports; SLA policy; remediation tracker; KPI metrics | |
| A.8.9 | Configuration Management • Secure configuration baselines (CIS Benchmarks or equivalent) defined for all asset types? • Configuration compliance monitored via automated scanning? • Configuration changes managed through formal change control? | — | Baseline configuration documents; compliance scan results; change records | |
| A.8.10 | Information Deletion • Procedure for secure deletion of information at end of retention period implemented? • Deletion aligned to retention schedule and data subject requests? • Deletion records maintained (what, when, method)? | — | Deletion procedure; retention schedule; deletion audit trail | |
| A.8.11 | Data Masking • Data masking applied to sensitive data (PII, PCI, credentials) in non-production environments? • Masking controls verified and tested to prevent re-identification? • Exceptions from masking documented, approved, and risk-accepted? | — | Masking policy; non-prod data classification evidence; masking test results | |
| A.8.12 | Data Leakage Prevention • DLP technology deployed across email, endpoints, cloud, and web channels? • DLP policies configured to detect and block/alert on sensitive data exfiltration? • DLP alerts reviewed and investigated within defined timeframes? | — | DLP tool configuration; policy ruleset; alert investigation log | |
| A.8.13 | Information Backup • Backup policy defined with RTO/RPO requirements per system criticality? • Backups tested by full restoration at regular intervals (at least annually)? • Backups stored securely (encrypted), including offsite or immutable cloud storage? | — | Backup policy; restore test records; backup job success logs; offsite evidence | |
| A.8.14 | Redundancy of Information Processing Facilities • Critical systems configured with redundancy (HA, failover, load balancing)? • Failover tested at planned intervals to verify RTO objectives are met? • Redundancy capacity adequate to sustain full operations during primary failure? | — | Architecture diagrams; HA configuration; failover test reports | |
| A.8.15 | Logging • Audit logs generated for IS-relevant events: authentication, privilege escalation, data access, admin actions? • Logs protected from tampering (write-once, SIEM forwarding, integrity checking)? • Log retention periods defined, enforced, and adequate for regulatory requirements? | — | Logging policy; SIEM configuration; log integrity controls; retention settings | |
| A.8.16 | Monitoring Activities • SIEM/IDS/IPS in place for real-time network and system monitoring? • Anomalous activities alerted and investigated within defined SLAs? • Monitoring coverage, thresholds, and use cases reviewed and tuned regularly? | — | SIEM deployment evidence; alert configuration; investigation records; tuning log | |
| A.8.17 | Clock Synchronisation • NTP or equivalent implemented to synchronise all system clocks to an authoritative source? • All endpoints, servers, and network devices synchronised? • Clock drift monitored and alerted? | — | NTP configuration; time sync monitoring; drift alert settings |
| Ref | Control Name & Audit Check Points | Status | Evidence Required | Auditor Notes |
|---|---|---|---|---|
| A.8.18 | Use of Privileged Utility Programs • Privileged utility programs (network scanners, admin tools, password utilities) controlled and inventoried? • Use of utility programs logged and reviewed? • Unnecessary utility programs removed or disabled from production systems? | — | Privileged tool inventory; usage logs; software baseline | |
| A.8.19 | Installation of Software on Operational Systems • Policy restricting software installation to authorised personnel and approved software? • Installation controlled via MDM, application whitelisting, or standard images? • Unapproved software detected via scanning and remediated? | — | Software installation policy; MDM configuration; software inventory scans | |
| A.8.20 | Networks Security • Network security policy documented and implemented? • Networks segmented by function (production, DMZ, user, guest, OT/IoT)? • Network access controls (firewalls, ACLs) managed, documented, and reviewed? | — | Network architecture diagram; firewall ruleset; network security policy | |
| A.8.21 | Security of Network Services • Security requirements and SLAs defined for all network services? • Network service providers assessed for IS compliance? • Service performance and security monitored against SLAs? | — | Network service SLAs; provider IS assessment; monitoring evidence | |
| A.8.22 | Segregation of Networks • Networks segregated by function and sensitivity (VLAN, DMZ, zero-trust microsegmentation)? • Traffic between zones inspected by firewall/NGFW? • Lateral movement between segments monitored and alerted? | — | Network segmentation diagram; inter-zone firewall rules; NDR/IDS alerts | |
| A.8.23 | Web Filtering • Web content filtering deployed to block malicious, phishing, and policy-violating sites? • Filtering policies documented with categories defined? • Filter bypass attempts (VPN, DNS-over-HTTPS) detected and investigated? | — | Web filter configuration; block category policy; bypass attempt logs | |
| A.8.24 | Use of Cryptography • Cryptography policy specifying approved algorithms (AES-256, RSA-2048+, TLS 1.2/1.3) documented? • Encryption applied to data at rest and in transit for sensitive data? • Key management lifecycle documented (generation, distribution, storage, rotation, revocation)? | — | Cryptography policy; encryption configuration; key management procedure | |
| A.8.25 | Secure Development Life Cycle • IS integrated into SDLC from requirements through design, development, testing, and deployment? • Security requirements defined at project initiation; threat modelling performed? • SAST/DAST performed as part of CI/CD pipeline? | — | SDLC security policy; threat model examples; SAST/DAST scan reports | |
| A.8.26 | Application Security Requirements • IS requirements identified, specified, and approved for all applications at design stage? • Requirements derived from risk assessments and regulatory obligations? • IS requirements verified through security testing before go-live? | — | Application IS requirements specs; risk assessments; pre-go-live test reports | |
| A.8.27 | Secure System Architecture and Engineering Principles • Secure architecture principles applied (defence-in-depth, zero trust, least privilege, fail-secure)? • Security design reviews conducted for new and changed systems? • Architecture decisions documented, reviewed, and approved? | — | Security architecture standards; design review records; architecture decision records | |
| A.8.28 | Secure Coding • Secure coding standards documented and enforced (OWASP Top 10, CERT/SEI)? • Developers trained in secure coding practices? • Code reviewed (peer review and/or SAST) before each release? | — | Secure coding standards; developer training records; code review evidence | |
| A.8.29 | Security Testing in Development and Acceptance • Security testing (penetration testing, vulnerability scanning) conducted pre-release? • Testing results documented and findings tracked to resolution? • Critical/high findings resolved as acceptance criteria before production deployment? | — | Pre-release pentest/scan reports; remediation evidence; go/no-go records | |
| A.8.30 | Outsourced Development • IS requirements included in outsourced development contracts? • Outsourced code reviewed (code review/SAST) before acceptance? • Outsourced developers subject to IS controls (screening, NDAs, access controls)? | — | Outsourcing contracts with IS clauses; code review records; developer screening | |
| A.8.31 | Separation of Development, Test and Production Environments • Development, test, and production environments physically or logically separated? • Production data prohibited from test environments (or masked where unavoidable)? • Access controls differ between environments; production access tightly restricted? | — | Environment architecture; access control comparison; test data policy | |
| A.8.32 | Change Management • Formal change management process governing all IS-relevant changes (RFC, impact assessment, approval, CAB)? • IS impact assessed for all changes? • Changes tested in non-production before deployment; rollback plans documented? | — | Change management procedure; RFC records; CAB minutes; rollback plans | |
| A.8.33 | Test Information • Production data prohibited from use in test environments by policy? • Where production-like data needed, is it masked/anonymised before use? • Test environment data controls documented and enforced? | — | Test data policy; data masking evidence; test environment access controls | |
| A.8.34 | Protection of IS During Audit Testing • Audit and penetration test activities planned, scoped, and approved in advance (Rules of Engagement)? • Access for audit testing restricted, time-limited, and logged? • Audit test results and tools protected from unauthorised access? | — | Rules of Engagement/SOW; test window approvals; audit access logs; report controls |