ISO 27001 Readiness Assessment

| # | Policy Questions | Yes | No | Partially In-Place | Flag for Discussion |
|---|---|---|---|---|---|
| 1 | We have up-to-date security policies and procedures that align to industry standard best practices. | ☐ | ☐ | ☐ | ☐ |
| 2 | We have an up-to-date business continuity and disaster recovery plan. | ☐ | ☐ | ☐ | ☐ |
| 3 | We have up-to-date change management and SDLC policies and procedures. | ☐ | ☐ | ☐ | ☐ |
| 4 | We have up-to-date data classification policies and procedures. | ☐ | ☐ | ☐ | ☐ |
| 5 | We have up-to-date access control policies and procedures. | ☐ | ☐ | ☐ | ☐ |
| 6 | We have up-to-date incident management and response policies and procedures. | ☐ | ☐ | ☐ | ☐ |
| 7 | We have up-to-date vendor management policies and procedures. | ☐ | ☐ | ☐ | ☐ |
| 8 | We have up-to-date privacy and appropriate use policies and procedures. | ☐ | ☐ | ☐ | ☐ |
| 9 | Our policies and procedures have been communicated to employees. | ☐ | ☐ | ☐ | ☐ |
| 10 | Our policies and procedures have been implemented. | ☐ | ☐ | ☐ | ☐ |
| 11 | We have recently undergone an audit (either internal or external). | ☐ | ☐ | ☐ | ☐ |
| 12 | Does your organization have a CISO, security governing body, or equivalent? | ☐ | ☐ | ☐ | ☐ |

| # | Program Review Questions | Yes | No | Partially In-Place | Flag for Discussion |
|---|---|---|---|---|---|
| 13 | We perform quarterly (or more frequent) network vulnerability scans. | ☐ | ☐ | ☐ | ☐ |
| 14 | We perform quarterly (or more frequent) application vulnerability scans. | ☐ | ☐ | ☐ | ☐ |
| 15 | We perform annual (or more frequent) penetration tests. | ☐ | ☐ | ☐ | ☐ |
| 16 | We perform an annual, documented risk assessment. | ☐ | ☐ | ☐ | ☐ |
| 17 | Issues identified during vulnerability scans, audits, and risk assessments are prioritized and resolved in a timely manner. | ☐ | ☐ | ☐ | ☐ |

| # | Technical Questions | Yes | No | Partially In-Place | Flag for Discussion |
|---|---|---|---|---|---|
| 18 | We maintain a complete and accurate list of IT assets (infrastructure and hardware). | ☐ | ☐ | ☐ | ☐ |
| 19 | We maintain a complete and accurate list of IT assets (software). | ☐ | ☐ | ☐ | ☐ |
| 20 | We update all IT infrastructure with manufacturer-recommended updates at regularly scheduled intervals (patch management). | ☐ | ☐ | ☐ | ☐ |
| 21 | All changes made to IT infrastructure follow a formalized and documented change management process. | ☐ | ☐ | ☐ | ☐ |
| 22 | All changes made to software follow a formalized and documented change management process. | ☐ | ☐ | ☐ | ☐ |
| 23 | We enforce password complexity on all systems. | ☐ | ☐ | ☐ | ☐ |
| 24 | Administrative access to all systems is limited to only appropriate individuals. | ☐ | ☐ | ☐ | ☐ |
| 25 | We regularly review system access (including administrative access) to validate that only appropriate individuals have access to systems. | ☐ | ☐ | ☐ | ☐ |
| 26 | We utilize 2FA/MFA for all administrative-level accounts. | ☐ | ☐ | ☐ | ☐ |
| 27 | We monitor, log, and review all network traffic. | ☐ | ☐ | ☐ | ☐ |
| 28 | We utilize firewall, IPS, and IDS devices. | ☐ | ☐ | ☐ | ☐ |
| 29 | We utilize email and spam filtering tools. | ☐ | ☐ | ☐ | ☐ |
| 30 | We utilize web filtering tools. | ☐ | ☐ | ☐ | ☐ |
| 31 | We utilize antivirus/anti-malware tools. | ☐ | ☐ | ☐ | ☐ |
| 32 | We utilize mobile device management tools. | ☐ | ☐ | ☐ | ☐ |
| 33 | We back up all critical systems on a regular basis. | ☐ | ☐ | ☐ | ☐ |
| 34 | We regularly test backups to verify they have completed fully and can be restored. | ☐ | ☐ | ☐ | ☐ |
| 35 | We have a documented disaster recovery and/or business continuity plan. | ☐ | ☐ | ☐ | ☐ |
| 36 | Remote logon requires a VPN to access our network. | ☐ | ☐ | ☐ | ☐ |
| 37 | We encrypt all end-point devices. | ☐ | ☐ | ☐ | ☐ |
| 38 | We disable local administrative rights on laptop and desktop computers. | ☐ | ☐ | ☐ | ☐ |
| 39 | We change the default settings on all wireless access points, routers, and switches. | ☐ | ☐ | ☐ | ☐ |
| 40 | Sensitive/business-critical systems and data are systematically segregated on the network. | ☐ | ☐ | ☐ | ☐ |
| 41 | We utilize a central point of access for all systems (e.g., LDAP, Active Directory). | ☐ | ☐ | ☐ | ☐ |
| 42 | We perform formalized and documented security training at least annually for all employees. | ☐ | ☐ | ☐ | ☐ |
| 43 | We perform a formalized and documented risk assessment at least annually. | ☐ | ☐ | ☐ | ☐ |
| 44 | A process is in place to remediate issues identified during the risk assessment. | ☐ | ☐ | ☐ | ☐ |
| 45 | We assess our vendors for security considerations prior to doing business and at a defined frequency thereafter. | ☐ | ☐ | ☐ | ☐ |

| # | HR Related Questions | Yes | No | Partially In-Place | Flag for Discussion |
|---|---|---|---|---|---|
| 46 | We perform pre-employment background screening. | ☐ | ☐ | ☐ | ☐ |
| 47 | We have a documented employee onboarding process. | ☐ | ☐ | ☐ | ☐ |
| 48 | We perform annual performance reviews. | ☐ | ☐ | ☐ | ☐ |
| 49 | We have a documented employee offboarding process. | ☐ | ☐ | ☐ | ☐ |
| 50 | We have an up-to-date employee handbook that all employees review. | ☐ | ☐ | ☐ | ☐ |

| # | ISO 27001 Specific Questions | Yes | No | Partially In-Place | Flag for Discussion |
|---|---|---|---|---|---|
| 51 | Do you have a documented ISMS? | ☐ | ☐ | ☐ | ☐ |
| 52 | Do you have a statement of applicability? | ☐ | ☐ | ☐ | ☐ |
| 53 | Have you defined your ISO 27001 scope? | ☐ | ☐ | ☐ | ☐ |
| 54 | Have you completed an ISO 27001 application letter? | ☐ | ☐ | ☐ | ☐ |
| 55 | Are you leveraging the 2013 or 2022 version of the controls? | ☐ | ☐ | ☐ | ☐ |