ISO 9001
Progress: 100%
Management System (Clauses 4–7)
| ID | Name | Applicable | Level | Complete | Integrity | Policy | Practice | Proof | Reifegrad | Breite | Tiefe | Note | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Understanding the organization and its context | Understanding the organization and its context | • | Min | - | OK | - | * | * | - | - | - | ||
| Understanding the needs and expectations of interested parties | Understanding the needs and expectations of interested parties | • | Min | - | OK | - | - | - | - | - | - | Dokument vorhanden, aber nicht sofort greifbar | |
| Determining the scope of the information security management system | Determining the scope of the information security management system | • | Erw | - | OK | - | - | - | - | - | - | ||
| ISMS - Establish, implement, maintain, continually improve | ISMS - Establish, implement, maintain, continually improve | • | Min | - | OK | - | - | - | - | - | - | ||
| Leadership and commitment - establish objectives | Leadership and commitment - establish objectives | • | Min | - | OK | - | - | - | - | - | - | ||
| Leadership and commitment - ensuring integration into organization's processes | Leadership and commitment - ensuring integration into organization's processes | • | Min | - | OK | - | - | - | - | - | - | ||
| L & C - ensuring needed resources are available | L & C - ensuring needed resources are available | • | Min | - | OK | - | - | - | - | - | - | ||
| L & C - communicating importance and conforming to the ISMS | L & C - communicating importance and conforming to the ISMS | • | Min | - | OK | - | - | - | - | - | - | ||
| L & C - ensuring ISMS achieves intended outcomes | L & C - ensuring ISMS achieves intended outcomes | • | Min | - | OK | - | - | - | - | - | - | ||
| L & C - direction and support | L & C - direction and support | • | Min | - | OK | - | - | - | - | - | - | ||
| L & C - promoting continual improvement | L & C - promoting continual improvement | • | Min | - | OK | - | - | - | - | - | - | ||
| L &C - support other relevant management roles | L &C - support other relevant management roles | • | Min | - | OK | - | - | - | - | - | - | ||
| Policy - appropriate to purpose of organization | Policy - appropriate to purpose of organization | • | SdT | - | OK | - | - | - | - | - | - | ||
| Policy - includes objectives | Policy - includes objectives | • | SdT | - | OK | - | - | - | - | - | - | ||
| Policy - includes commitment to satisfy applicable requirements | Policy - includes commitment to satisfy applicable requirements | • | SdT | - | OK | - | - | - | - | - | - | ||
| Policy - includes commitment to continual improvement | Policy - includes commitment to continual improvement | • | Erw | - | OK | - | - | - | - | - | - | ||
| Policy - be available as documented information | Policy - be available as documented information | • | Erw | - | OK | - | - | - | - | - | - | ||
| Policy - be communicated within the organization | Policy - be communicated within the organization | • | Min | - | OK | - | - | - | - | - | - | ||
| Policy - be available to interested parties, as appropriate | Policy - be available to interested parties, as appropriate | • | Erw | - | OK | - | - | - | - | - | - | ||
| Roles - ensure that roles are assigned and communicated | Roles - ensure that roles are assigned and communicated | • | Min | - | OK | - | - | - | - | - | - | ||
| Roles - assign responsibility and authority for ensuring ISMS conforms to standard | Roles - assign responsibility and authority for ensuring ISMS conforms to standard | • | Min | - | OK | - | - | - | - | - | - | ||
| Roles - assign responsibility for reporting on the performance of the ISMS to top management | Roles - assign responsibility for reporting on the performance of the ISMS to top management | • | Min | - | OK | - | - | - | - | - | - | ||
| General: Risk Assessment Process | General: Risk Assessment Process | - | - | - | - | - | - | - | - | - | - | ||
| Risk Assessment - Risk acceptance criteria | Risk Assessment - Risk acceptance criteria | • | Min | - | OK | - | - | - | - | - | - | ||
| Risk Assessment - Criteria for performing information security risk assessment | Risk Assessment - Criteria for performing information security risk assessment | • | Min | - | OK | - | - | - | - | - | - | ||
| Risk Assessment - Consistent, valid and comparable results | Risk Assessment - Consistent, valid and comparable results | • | Erw | - | OK | - | - | - | - | - | - | ||
| Risk Assessment - C-I-A evaluation | Risk Assessment - C-I-A evaluation | • | Erw | - | OK | - | - | - | - | - | - | ||
| Risk Assessment - identify risk owners | Risk Assessment - identify risk owners | • | Min | - | OK | - | - | - | - | - | - | ||
| Risk Assessment - assess potential consequences of risks materializing | Risk Assessment - assess potential consequences of risks materializing | • | Min | - | OK | - | - | - | - | - | - | ||
| Risk Assessment - assess realistic likelihood of occurrence of risk | Risk Assessment - assess realistic likelihood of occurrence of risk | • | MIn | - | OK | - | - | - | - | - | - | ||
| Risk Assessment - determine levels of risk | Risk Assessment - determine levels of risk | • | Min | - | OK | - | - | - | - | - | - | ||
| Risk Assessment - Comparison of results with criteria established | Risk Assessment - Comparison of results with criteria established | • | Min | - | OK | - | - | - | - | - | - | ||
| Risk Assessment - prioritize analyzed risks for risk treatment | Risk Assessment - prioritize analyzed risks for risk treatment | • | Min | - | OK | - | - | - | - | - | - | ||
| retain documented information about risk assessment process | retain documented information about risk assessment process | • | Min | - | OK | - | - | - | - | - | - | ||
| General: Risk Treatment Process | General: Risk Treatment Process | - | - | - | - | - | - | - | - | - | - | ||
| Select risk treatment options | Select risk treatment options | • | Min | - | OK | - | - | - | - | - | - | ||
| Determine required controls (any source) | Determine required controls (any source) | • | Min | - | OK | - | - | - | - | - | - | ||
| Compare determined controls with Annex A and verify that no necessary controls have been omitted. | Compare determined controls with Annex A and verify that no necessary controls have been omitted. | • | Min | - | OK | - | - | - | - | - | - | ||
| Produce SoA | Produce SoA | • | Erw | - | OK | - | - | - | - | - | - | ||
| formulate risk treatment plan | formulate risk treatment plan | • | Min | - | OK | - | - | - | - | - | - | ||
| obtain risk owner approval of risk treatment plan and acceptance of residual risks | obtain risk owner approval of risk treatment plan and acceptance of residual risks | • | Min | - | OK | - | - | - | - | - | - | ||
| retain documented information about risk treatment process | retain documented information about risk treatment process | • | Erw | - | OK | - | - | - | - | - | - | ||
| General: InfoSec objectives at relevant functions and levels | General: InfoSec objectives at relevant functions and levels | • | Erw | - | OK | - | - | - | - | - | - | ||
| objectives to be consistent with information security policy | objectives to be consistent with information security policy | • | Erw | - | OK | - | - | - | - | - | - | ||
| objectives to be measurable, if practicable | objectives to be measurable, if practicable | • | Erw | - | OK | - | - | - | - | - | - | ||
| objective to take into account applicable IS requirements and results from risk assessment | objective to take into account applicable IS requirements and results from risk assessment | • | Erw | - | OK | - | - | - | - | - | - | ||
| objectives - communication of objectives | objectives - communication of objectives | • | Erw | - | OK | - | - | - | - | - | - | ||
| update of objectives as appropriate | update of objectives as appropriate | • | Erw | - | OK | - | - | - | - | - | - | ||
| retain documented information on objectives | retain documented information on objectives | • | Erw | - | OK | - | - | - | - | - | - | ||
| achvieving objectives - determine tasks | achvieving objectives - determine tasks | • | Erw | - | OK | - | - | - | - | - | - | ||
| achvieving objectives - determine resources required | achvieving objectives - determine resources required | • | Erw | - | OK | - | - | - | - | - | - | ||
| achvieving objectives - determine responsibilities | achvieving objectives - determine responsibilities | • | Erw | - | OK | - | - | - | - | - | - | ||
| achvieving objectives - determine planned completion | achvieving objectives - determine planned completion | • | Erw | - | OK | - | - | - | - | - | - | ||
| achvieving objectives - determine method of evaluation of results | achvieving objectives - determine method of evaluation of results | • | Erw | - | OK | - | - | - | - | - | - | ||
| Planning of changes | Planning of changes | - | - | - | - | - | - | - | - | - | - | ||
| Changes to ISMS shall be carried out in a planned manner. | Changes to ISMS shall be carried out in a planned manner. | - | Erw | - | OK | - | * | * | - | - | - | ||
| Support - Resources - determine and provide resources needed for establishment, implementation, maintenance and continual improvement of the ISMS | Support - Resources - determine and provide resources needed for establishment, implementation, maintenance and continual improvement of the ISMS | • | Min | - | OK | - | ~ | * | - | - | - | 2 fehlende Planstellen sowie keine Security-Rollen vorhanden | |
| Competence - determine necessary competence of persons under its control affecting IS performance | Competence - determine necessary competence of persons under its control affecting IS performance | • | Min | - | OK | - | * | * | - | - | - | teilweise kein Problem, weil Schulungen durchgängig genehmigt werden. | |
| Competence - ensure that persons are competent on the basis of education, training, or experience | Competence - ensure that persons are competent on the basis of education, training, or experience | • | Min | - | OK | - | * | * | - | - | - | ||
| Competence - where applicable, take action to acquire necessary competence and evaluate actions taken | Competence - where applicable, take action to acquire necessary competence and evaluate actions taken | • | Min | - | OK | - | * | * | - | - | - | ||
| retain appropriate documented information as evidence of competence | retain appropriate documented information as evidence of competence | • | Min | - | OK | - | * | * | - | - | - | ||
| Awareness - Awareness of information security policy | Awareness - Awareness of information security policy | • | Min | - | OK | - | * | * | - | - | - | Schulungen werden durchgeführt, es gibt aber keinen Nachweis der Anwesenheit. - 2x/Jahr Derzeit werden nur neue Mitarbeiter geschult. | |
| Awareness - General awareness of staff | Awareness - General awareness of staff | • | Min | - | OK | - | * | * | - | - | - | ||
| Awareness - of implications of not conforming with IS requirements | Awareness - of implications of not conforming with IS requirements | • | Erw | - | OK | - | * | * | - | - | - | ||
| Communication - determine need for internal and external communications | Communication - determine need for internal and external communications | • | SdT | - | OK | - | ~ | ~ | - | - | - | ||
| determination - include what to communicate | determination - include what to communicate | • | SdT | - | OK | - | ~ | ~ | - | - | - | ||
| determination - when to communicate | determination - when to communicate | • | SdT | - | OK | - | ~ | ~ | - | - | - | ||
| determination - with whom to communicate | determination - with whom to communicate | • | SdT | - | OK | - | ~ | ~ | - | - | - | ||
| determination - who to communicate | determination - who to communicate | • | SdT | - | OK | - | ~ | ~ | - | - | - | ||
| determination - processes by which communication shall be effected | determination - processes by which communication shall be effected | • | SdT | - | OK | - | ~ | ~ | - | - | - | ||
| Documented Information - as required by Standard | Documented Information - as required by Standard | • | Erw | - | OK | - | - | - | - | - | - | ||
| Documented information - as identified necessary | Documented information - as identified necessary | • | Erw | - | OK | - | - | - | - | - | - | ||
| Creating and updating - ensure identification and description | Creating and updating - ensure identification and description | • | Erw | - | OK | - | * | * | - | - | - | Confluence wird eingesetzt. | |
| Creating and updating - ensure appropriate format | Creating and updating - ensure appropriate format | • | Erw | - | OK | - | * | * | - | - | - | ||
| Creating and updating - review and approval for suitability and adequacy | Creating and updating - review and approval for suitability and adequacy | • | Erw | - | OK | - | * | * | - | - | - | ||
| Control of documented information - ensure availability and suitability for use, where and when needed | Control of documented information - ensure availability and suitability for use, where and when needed | • | Erw | - | OK | - | * | * | - | - | - | ||
| Control of documented information - ensure adequate protection (loss of confidentiality, availability, integrity) | Control of documented information - ensure adequate protection (loss of confidentiality, availability, integrity) | • | Erw | - | OK | - | * | * | - | - | - | ||
| Control of documented information - address distribution, access, retrieval and use | Control of documented information - address distribution, access, retrieval and use | • | Erw | - | OK | - | * | * | - | - | - | ||
| Control of documented information - address storage and preservation, including preservation of legibility | Control of documented information - address storage and preservation, including preservation of legibility | • | Erw | - | OK | - | * | * | - | - | - | ||
| Control of documented information - address control of changes (version control) | Control of documented information - address control of changes (version control) | • | Erw | - | OK | - | * | * | - | - | - | ||
| Control of documented information - address retention and disposition | Control of documented information - address retention and disposition | • | Erw | - | OK | - | * | * | - | - | - | ||
| Operational planning and control - Plan, implement, control processes needed to implement ISMS and implement actions from risk assessment | Operational planning and control - Plan, implement, control processes needed to implement ISMS and implement actions from risk assessment | • | Erw | - | OK | - | * | * | - | - | - | ||
| Operational planning and control - Implement plans to achieve IS objectives | Operational planning and control - Implement plans to achieve IS objectives | • | Min | - | OK | - | * | * | - | - | - | ||
| Operational planning and control - Keep documented information to the extent necessary to have confidence that processes are carried out as planned. | Operational planning and control - Keep documented information to the extent necessary to have confidence that processes are carried out as planned. | • | Erw | - | OK | - | * | * | - | - | - | ||
| Operational planning and control - organization to control planned changes and review consequences of unintended changes, take action to mitigate any adverse effects. | Operational planning and control - organization to control planned changes and review consequences of unintended changes, take action to mitigate any adverse effects. | • | Erw | - | OK | - | * | * | - | - | - | ||
| Operational planning and control - organization to ensure that outsourced processes are determined and controlled. | Operational planning and control - organization to ensure that outsourced processes are determined and controlled. | • | SdT | - | OK | - | * | * | - | - | - | ||
| IS risk assessment - perform at planned intervals or when significant changes are proposed or occur, based on risk criteria established | IS risk assessment - perform at planned intervals or when significant changes are proposed or occur, based on risk criteria established | • | Min | - | OK | - | - | - | - | - | - | ||
| IS risk assessment - retain documented information | IS risk assessment - retain documented information | • | Min | - | OK | - | - | - | - | - | - | ||
| IS risk treatment - implement risk treatment plan | IS risk treatment - implement risk treatment plan | • | Min | - | OK | - | ~ | ~ | - | - | - | Derzeit werden Security-Themen im Backlog geführt. | |
| IS risk treatment - retain documented information of results of IS risk treatment | IS risk treatment - retain documented information of results of IS risk treatment | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| Monitoring, measurement, analysis and evaluation - Evaluate information security performance and effectiveness of the ISMS (general process) | Monitoring, measurement, analysis and evaluation - Evaluate information security performance and effectiveness of the ISMS (general process) | • | Erw | - | OK | - | - | - | - | - | - | ||
| Determine what needs to be monitored & measured, including processes and controls | Determine what needs to be monitored & measured, including processes and controls | • | Erw | - | OK | - | - | - | - | - | - | ||
| Determine methods for monitoring, measurement, analysis and evaluation to ensure valid results (valid = comparable and reproducible) | Determine methods for monitoring, measurement, analysis and evaluation to ensure valid results (valid = comparable and reproducible) | • | Erw | - | OK | - | - | - | - | - | - | ||
| Determine when monitoring and measuring shall be performed | Determine when monitoring and measuring shall be performed | • | Erw | - | OK | - | - | - | - | - | - | ||
| Determine who shall monitor and measure | Determine who shall monitor and measure | • | Erw | - | OK | - | - | - | - | - | - | ||
| Determine when the results from monitoring and measurement shall be analysed and evaluated | Determine when the results from monitoring and measurement shall be analysed and evaluated | • | Erw | - | OK | - | - | - | - | - | - | ||
| Determine who shall analyse and evaluate these results | Determine who shall analyse and evaluate these results | • | Erw | - | OK | - | - | - | - | - | - | ||
| Internal Audit - conduct at planned intervals | Internal Audit - conduct at planned intervals | • | SdT | - | OK | - | ~ | ~ | - | - | - | ||
| ISMS conforms to org's own requirements | ISMS conforms to org's own requirements | • | SdT | - | OK | - | ~ | ~ | - | - | - | ||
| ISMS conforms to requirements of Standard | ISMS conforms to requirements of Standard | • | Erw | - | OK | - | ~ | ~ | - | - | - | ||
| ISMS is effectively implemented and maintained | ISMS is effectively implemented and maintained | • | SdT | - | OK | - | ~ | ~ | - | - | - | ||
| ISMS - plan, establish, and maintain audit program including frequency, methods, responsibilities planning requirements, and reporting. | ISMS - plan, establish, and maintain audit program including frequency, methods, responsibilities planning requirements, and reporting. | • | SdT | - | OK | - | ~ | ~ | - | - | - | ||
| Audit program to consider importance of processes concerned | Audit program to consider importance of processes concerned | • | SdT | - | OK | - | ~ | ~ | - | - | - | ||
| Audit program to consider results of previous audits | Audit program to consider results of previous audits | • | SdT | - | OK | - | ~ | ~ | - | - | - | ||
| Define audit criteria and scope for each audit | Define audit criteria and scope for each audit | • | SdT | - | OK | - | ~ | ~ | - | - | - | ||
| select auditors and conduct audits that ensure objectivity and impartiality | select auditors and conduct audits that ensure objectivity and impartiality | • | SdT | - | OK | - | ~ | ~ | - | - | - | ||
| ensure audit results are reported to relevant management | ensure audit results are reported to relevant management | • | SdT | - | OK | - | ~ | ~ | - | - | - | ||
| retain documented information as evidence of the audit programme and audit results | retain documented information as evidence of the audit programme and audit results | • | Erw | - | OK | - | ~ | ~ | - | - | - | ||
| Management Review - Review ISMS at planned intervals to ensure continued suitability, adequacy, and effectiveness | Management Review - Review ISMS at planned intervals to ensure continued suitability, adequacy, and effectiveness | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| review status of actions from previous management reviews | review status of actions from previous management reviews | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| changes to internal and external issues relevant to the ISMS | changes to internal and external issues relevant to the ISMS | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| feedback on performance including trends in | feedback on performance including trends in | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| nonconformities and corrective actions | nonconformities and corrective actions | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| monitoring and measurement results | monitoring and measurement results | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| audit results | audit results | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| fulfillment of information security objectives | fulfillment of information security objectives | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| feedback from interested parties | feedback from interested parties | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| results of risk assessment and status of risk treatment plan | results of risk assessment and status of risk treatment plan | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| opportunities for continual improvement | opportunities for continual improvement | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| Outputs shall include decisions related to continual improvement opportunities and needs for changes to the ISMS. | Outputs shall include decisions related to continual improvement opportunities and needs for changes to the ISMS. | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| retain documented information as evidence of the results of management reviews | retain documented information as evidence of the results of management reviews | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| Nonconformity and corrective action - react to nonconformity and correct it | Nonconformity and corrective action - react to nonconformity and correct it | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| Nonconformity and corrective action - deal with consequences of nonconformity | Nonconformity and corrective action - deal with consequences of nonconformity | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| Nonconformity and corrective action - Evaluate need for action to eliminate causes (root cause) of nonconformity in order to prohibit recurrence or occurrence elsewhere by: | Nonconformity and corrective action - Evaluate need for action to eliminate causes (root cause) of nonconformity in order to prohibit recurrence or occurrence elsewhere by: | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| - reviewing the nonconformity | - reviewing the nonconformity | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| - determining the causes of the nonconformity | - determining the causes of the nonconformity | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| - determining, if similar nonconformities exist, or could potentially occur | - determining, if similar nonconformities exist, or could potentially occur | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| Nonconformity and corrective action - implement any action needed | Nonconformity and corrective action - implement any action needed | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| Nonconformity and corrective action - review effectiveness of corrective action | Nonconformity and corrective action - review effectiveness of corrective action | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| Nonconformity and corrective action - make changes to the ISMS, if necessary | Nonconformity and corrective action - make changes to the ISMS, if necessary | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| Retain documented information as evidence of nature of nonconformities and subsequent actions taken | Retain documented information as evidence of nature of nonconformities and subsequent actions taken | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| Retain documented information as evidence of the results of corrective action | Retain documented information as evidence of the results of corrective action | • | Min | - | OK | - | ~ | ~ | - | - | - | ||
| Continuous improval of suitability, adequacy and effectiveness of the ISMS | Continuous improval of suitability, adequacy and effectiveness of the ISMS | • | Min | - | OK | - | * | * | - | - | - |