AuditFlow – Certification Details

1

Policies for information security

Policies for information security • Policies for information security

2

Information security roles and responsibilities

Information security roles and responsibilities • Information security roles and responsibilities

3

Segregation of duties

Segregation of duties • Segregation of duties

4

Management responsiblities

Management responsiblities • Management responsiblities

5

Contact with authorities

Contact with authorities • Contact with authorities

6

Contact with special interest groups

Contact with special interest groups • Contact with special interest groups

7

Threat intelligence

Threat intelligence • Threat intelligence

8

Information security in project management

Information security in project management • Information security in project management

9

Inventory of information and other associated assets

Inventory of information and other associated assets • Inventory of information and other associated assets

10

Acceptable use of information and associated assets

Acceptable use of information and associated assets • Acceptable use of information and associated assets

11

Return of assets

Return of assets • Return of assets

12

Classification of information

Classification of information • Classification of information

13

Labelling of information

Labelling of information • Labelling of information

14

Information transfer

Information transfer • Information transfer

15

Access control

Access control • Access control

16

Identity management

Identity management • Identity management

17

Authentication information

Authentication information • Authentication information

18

Access rights

Access rights • Access rights

19

Information security in supplier relationships

Information security in supplier relationships • Information security in supplier relationships

20

Addressing information security within supplier agreements

Addressing information security within supplier agreements • Addressing information security within supplier agreements

21

Managing information security in the ICT supply chain

Managing information security in the ICT supply chain • Managing information security in the ICT supply chain

22

Monitoring, review and change management of supplier services

Monitoring, review and change management of supplier services • Monitoring, review and change management of supplier services

23

Information security for use of cloud services

Information security for use of cloud services • Information security for use of cloud services

24

Information security incident management responsibliities and preperation

Information security incident management responsibliities and preperation • Information security incident management responsibliities and preperation

25

Assessment and decision of information security events

Assessment and decision of information security events • Assessment and decision of information security events

26

Response to information security incidents

Response to information security incidents • Response to information security incidents

27

Learning from information security incidents

Learning from information security incidents • Learning from information security incidents

28

Collection of evidence

Collection of evidence • Collection of evidence

29

Information security during disruption

Information security during disruption • Information security during disruption

30

ICT readiness for business continuity

ICT readiness for business continuity • ICT readiness for business continuity

31

Identification of legal, statutory, regulatory and contractual requirements

Identification of legal, statutory, regulatory and contractual requirements • Identification of legal, statutory, regulatory and contractual requirements

32

Intellectual property rights

Intellectual property rights • Intellectual property rights

33

Protection of records

Protection of records • Protection of records

34

Privacy and protection of PII

Privacy and protection of PII • Privacy and protection of PII

35

Independent review of information security

Independent review of information security • Independent review of information security

36

Compliance with policies and standards for information security

Compliance with policies and standards for information security • Compliance with policies and standards for information security

37

Documented operation procedures

Documented operation procedures • Documented operation procedures

38

People controls

People controls • People controls

39

Screening

Screening • Screening

40

Terms and conditions of employment

Terms and conditions of employment • Terms and conditions of employment

41

Information security awareness, education and training

Information security awareness, education and training • Information security awareness, education and training

42

Disciplinary process

Disciplinary process • Disciplinary process

43

Responsibilities after termination or change of employment

Responsibilities after termination or change of employment • Responsibilities after termination or change of employment

44

Confidentiality or non-disclosure agreements

Confidentiality or non-disclosure agreements • Confidentiality or non-disclosure agreements

45

Remote working

Remote working • Remote working

46

Information security event reporting

Information security event reporting • Information security event reporting

47

Physical controls

Physical controls • Physical controls

48

Physical security perimeter

Physical security perimeter • Physical security perimeter

49

Phyiscal entry controls

Phyiscal entry controls • Phyiscal entry controls

50

Securing offices, rooms and facilities

Securing offices, rooms and facilities • Securing offices, rooms and facilities

51

Physical security monitoring

Physical security monitoring • Physical security monitoring

52

Protecting against physical and environmental threats

Protecting against physical and environmental threats • Protecting against physical and environmental threats

53

Working in secure areas

Working in secure areas • Working in secure areas

54

Clear desk and clear screen

Clear desk and clear screen • Clear desk and clear screen

55

Equipment siting and protection

Equipment siting and protection • Equipment siting and protection

56

Security of assets off-premises

Security of assets off-premises • Security of assets off-premises

57

Storage media

Storage media • Storage media

58

Supporting utilities

Supporting utilities • Supporting utilities

59

Cabling security

Cabling security • Cabling security

60

Equipment maintenance

Equipment maintenance • Equipment maintenance

61

Secure disposal or re-use of equipment

Secure disposal or re-use of equipment • Secure disposal or re-use of equipment

62

Technological controls

Technological controls • Technological controls

63

User endpoint devices

User endpoint devices • User endpoint devices

64

Privileged access rights

Privileged access rights • Privileged access rights

65

Information access restriction

Information access restriction • Information access restriction

66

Access to source code

Access to source code • Access to source code

67

Secure authentication

Secure authentication • Secure authentication

68

Capacity management

Capacity management • Capacity management

69

Protection against malware

Protection against malware • Protection against malware

70

Management of technical vulnerabilities

Management of technical vulnerabilities • Management of technical vulnerabilities

71

Configuration management

Configuration management • Configuration management

72

Information deletion

Information deletion • Information deletion

73

Data masking

Data masking • Data masking

74

Data leakage prevention

Data leakage prevention • Data leakage prevention

75

Information backup

Information backup • Information backup

76

Redundancy of information processing facilities

Redundancy of information processing facilities • Redundancy of information processing facilities

77

Logging

Logging • Logging

78

Monitoring activities

Monitoring activities • Monitoring activities

79

Clock synchronization

Clock synchronization • Clock synchronization

80

Use of privileged utility programs

Use of privileged utility programs • Use of privileged utility programs

81

Installation of software on operational systems

Installation of software on operational systems • Installation of software on operational systems

82

Network security

Network security • Network security

83

Security of network services

Security of network services • Security of network services

84

Segregation of networks

Segregation of networks • Segregation of networks

85

Web filtering

Web filtering • Web filtering

86

Use of cryptography

Use of cryptography • Use of cryptography

87

Secure development lifecycle

Secure development lifecycle • Secure development lifecycle

88

Application security requirements

Application security requirements • Application security requirements

89

Secure system architecture and engineering principles

Secure system architecture and engineering principles • Secure system architecture and engineering principles

90

Secure coding

Secure coding • Secure coding

91

Security testing in development and acceptance

Security testing in development and acceptance • Security testing in development and acceptance

92

Outsourced development

Outsourced development • Outsourced development

93

Seperation of development, test and production environments

Seperation of development, test and production environments • Seperation of development, test and production environments

94

Change management

Change management • Change management

95

Test information

Test information • Test information

96

Protection of information systems during audit testing

Protection of information systems during audit testing • Protection of information systems during audit testing

ISO 27001

Statement of Applicability

No	Control	Applicability	Status	Owner	Due	Completed	Justification / Comments
1	Policies for information security Policies for information security • Policies for information security
2	Information security roles and responsibilities Information security roles and responsibilities • Information security roles and responsibilities
3	Segregation of duties Segregation of duties • Segregation of duties
4	Management responsiblities Management responsiblities • Management responsiblities
5	Contact with authorities Contact with authorities • Contact with authorities
6	Contact with special interest groups Contact with special interest groups • Contact with special interest groups
7	Threat intelligence Threat intelligence • Threat intelligence
8	Information security in project management Information security in project management • Information security in project management
9	Inventory of information and other associated assets Inventory of information and other associated assets • Inventory of information and other associated assets
10	Acceptable use of information and associated assets Acceptable use of information and associated assets • Acceptable use of information and associated assets
11	Return of assets Return of assets • Return of assets
12	Classification of information Classification of information • Classification of information
13	Labelling of information Labelling of information • Labelling of information
14	Information transfer Information transfer • Information transfer
15	Access control Access control • Access control
16	Identity management Identity management • Identity management
17	Authentication information Authentication information • Authentication information
18	Access rights Access rights • Access rights
19	Information security in supplier relationships Information security in supplier relationships • Information security in supplier relationships
20	Addressing information security within supplier agreements Addressing information security within supplier agreements • Addressing information security within supplier agreements
21	Managing information security in the ICT supply chain Managing information security in the ICT supply chain • Managing information security in the ICT supply chain
22	Monitoring, review and change management of supplier services Monitoring, review and change management of supplier services • Monitoring, review and change management of supplier services
23	Information security for use of cloud services Information security for use of cloud services • Information security for use of cloud services
24	Information security incident management responsibliities and preperation Information security incident management responsibliities and preperation • Information security incident management responsibliities and preperation
25	Assessment and decision of information security events Assessment and decision of information security events • Assessment and decision of information security events
26	Response to information security incidents Response to information security incidents • Response to information security incidents
27	Learning from information security incidents Learning from information security incidents • Learning from information security incidents
28	Collection of evidence Collection of evidence • Collection of evidence
29	Information security during disruption Information security during disruption • Information security during disruption
30	ICT readiness for business continuity ICT readiness for business continuity • ICT readiness for business continuity
31	Identification of legal, statutory, regulatory and contractual requirements Identification of legal, statutory, regulatory and contractual requirements • Identification of legal, statutory, regulatory and contractual requirements
32	Intellectual property rights Intellectual property rights • Intellectual property rights
33	Protection of records Protection of records • Protection of records
34	Privacy and protection of PII Privacy and protection of PII • Privacy and protection of PII
35	Independent review of information security Independent review of information security • Independent review of information security
36	Compliance with policies and standards for information security Compliance with policies and standards for information security • Compliance with policies and standards for information security
37	Documented operation procedures Documented operation procedures • Documented operation procedures
38	People controls People controls • People controls
39	Screening Screening • Screening
40	Terms and conditions of employment Terms and conditions of employment • Terms and conditions of employment
41	Information security awareness, education and training Information security awareness, education and training • Information security awareness, education and training
42	Disciplinary process Disciplinary process • Disciplinary process
43	Responsibilities after termination or change of employment Responsibilities after termination or change of employment • Responsibilities after termination or change of employment
44	Confidentiality or non-disclosure agreements Confidentiality or non-disclosure agreements • Confidentiality or non-disclosure agreements
45	Remote working Remote working • Remote working
46	Information security event reporting Information security event reporting • Information security event reporting
47	Physical controls Physical controls • Physical controls
48	Physical security perimeter Physical security perimeter • Physical security perimeter
49	Phyiscal entry controls Phyiscal entry controls • Phyiscal entry controls
50	Securing offices, rooms and facilities Securing offices, rooms and facilities • Securing offices, rooms and facilities
51	Physical security monitoring Physical security monitoring • Physical security monitoring
52	Protecting against physical and environmental threats Protecting against physical and environmental threats • Protecting against physical and environmental threats
53	Working in secure areas Working in secure areas • Working in secure areas
54	Clear desk and clear screen Clear desk and clear screen • Clear desk and clear screen
55	Equipment siting and protection Equipment siting and protection • Equipment siting and protection
56	Security of assets off-premises Security of assets off-premises • Security of assets off-premises
57	Storage media Storage media • Storage media
58	Supporting utilities Supporting utilities • Supporting utilities
59	Cabling security Cabling security • Cabling security
60	Equipment maintenance Equipment maintenance • Equipment maintenance
61	Secure disposal or re-use of equipment Secure disposal or re-use of equipment • Secure disposal or re-use of equipment
62	Technological controls Technological controls • Technological controls
63	User endpoint devices User endpoint devices • User endpoint devices
64	Privileged access rights Privileged access rights • Privileged access rights
65	Information access restriction Information access restriction • Information access restriction
66	Access to source code Access to source code • Access to source code
67	Secure authentication Secure authentication • Secure authentication
68	Capacity management Capacity management • Capacity management
69	Protection against malware Protection against malware • Protection against malware
70	Management of technical vulnerabilities Management of technical vulnerabilities • Management of technical vulnerabilities
71	Configuration management Configuration management • Configuration management
72	Information deletion Information deletion • Information deletion
73	Data masking Data masking • Data masking
74	Data leakage prevention Data leakage prevention • Data leakage prevention
75	Information backup Information backup • Information backup
76	Redundancy of information processing facilities Redundancy of information processing facilities • Redundancy of information processing facilities
77	Logging Logging • Logging
78	Monitoring activities Monitoring activities • Monitoring activities
79	Clock synchronization Clock synchronization • Clock synchronization
80	Use of privileged utility programs Use of privileged utility programs • Use of privileged utility programs
81	Installation of software on operational systems Installation of software on operational systems • Installation of software on operational systems
82	Network security Network security • Network security
83	Security of network services Security of network services • Security of network services
84	Segregation of networks Segregation of networks • Segregation of networks
85	Web filtering Web filtering • Web filtering
86	Use of cryptography Use of cryptography • Use of cryptography
87	Secure development lifecycle Secure development lifecycle • Secure development lifecycle
88	Application security requirements Application security requirements • Application security requirements
89	Secure system architecture and engineering principles Secure system architecture and engineering principles • Secure system architecture and engineering principles
90	Secure coding Secure coding • Secure coding
91	Security testing in development and acceptance Security testing in development and acceptance • Security testing in development and acceptance
92	Outsourced development Outsourced development • Outsourced development
93	Seperation of development, test and production environments Seperation of development, test and production environments • Seperation of development, test and production environments
94	Change management Change management • Change management
95	Test information Test information • Test information
96	Protection of information systems during audit testing Protection of information systems during audit testing • Protection of information systems during audit testing