5.5 Contact with authorities
- Has your organization established and maintained contact with relevant authorities?

5.6 Contact with special interest groups
- Has your organization established and maintained contact with special interest groups or other specialist security forums and professional associations?

5.7 Threat intelligence
- Have you collected information relating to information security threats and analyzed the information to get details about the threat?

5.8 Information security in project management
- Have you integrated information security into project management?

5.9 Inventory of information and other associated assets
- Have you developed and maintained an inventory of information and other associated assets, including information on their owners?

5.10 Acceptable use of information and other associated assets
- Have you identified, documented and implemented the rules for the acceptable use of, and procedures for handling, information and other associated assets?

5.11 Return of assets
- Do the personnel and other interested parties return all the organization's assets in their possession upon change or termination of their employment, contract or agreement?

5.12 Classification of information
- Have you classified information according to the information security needs of your organization? What is the basis of classification?
- Is this classification based on confidentiality, integrity, availability and relevant interested party requirements?

5.13 Labelling of information
- Have you developed and implemented procedures for information labelling in accordance with the information classification scheme of your organization?

5.14 Information transfer
- Have you established information transfer rules/procedures/agreements for all types of transfer facilities within the organization and between the organization and other parties?

5.15 Access control
- Have you established and implemented rules to control physical and logical access to information and other associated assets?
- Are these rules based on business and information security requirements?

5.16 Identity management
- How do you manage the identity of individuals and systems accessing the organization's information and other associated assets?
- Have you managed the full lifecycle of identities?
- Is there a formal user registration and de-registration procedure for granting access to all information systems and services?

5.17 Authentication information
- Do you have a process to control the allocation and management of authentication information?
- Are personnel advised on appropriate handling of authentication information?

5.18 Access rights
- Have you provided access rights to information and other associated assets in accordance with the organization's policy on and rules for access control?
- Are access rights reviewed, modified and removed in accordance with this policy and these rules?

5.19 Information security in supplier relationships
- Have you defined and implemented processes and procedures to manage the information security risks associated with the use of suppliers' products or services?

5.20
- Have you established relevant information security requirements based on the type of supplier relationship?
- Are these requirements agreed with each supplier?

5.21 Managing information security in the ICT supply chain
- Have you defined and implemented processes and procedures to manage the information security risks associated with the ICT products and services supply chain?

5.22 Monitoring, review and change management of supplier services
- Are changes in supplier information security practices and service delivery monitored, reviewed, evaluated and managed on a regular basis?

5.23 Information security for use of cloud services
- Have you established processes for acquisition, use, management of and exit from cloud services?
- Are these processes established in accordance with the organization's information security requirements?

5.24 Information security incident management planning and preparation
- Has your organization planned and prepared for managing information security incidents?
- Has it defined, established and communicated information security incident management processes, roles and responsibilities to all relevant personnel?

5.25 Assessment and decision on information security events
- Does your organization assess information security events?
- Is a decision taken on whether to categorize such events as information security incidents?

5.26 Response to information security incidents
- How do you respond to information security incidents? Are they responded to in accordance with the documented procedures?

5.27 Learning from information security incidents
- Have you used the knowledge gained from information security incidents to strengthen and improve the information security controls?

5.28 Collection of evidence
- Have you established and implemented procedures for the identification, collection, acquisition and preservation of evidence related to information security events?

5.29 Information security during disruption
- Have you planned how to maintain information security during disruption?

5.30 ICT readiness for business continuity
- Does the organization have ICT continuity plans, including response and recovery procedures detailing how the organization plans to manage an ICT service disruption?
- Are these plans implemented, maintained and tested based on business continuity objectives and ICT continuity requirements?
- Are these plans regularly evaluated through exercises and tests?

5.31 Legal, statutory, regulatory and contractual requirements
- Have you identified and documented the legal, statutory, regulatory and contractual requirements relevant to information security?
- Are these requirements updated periodically or in case of changes?
- Have you identified and documented the organization's approach to meeting these requirements?

5.32 Intellectual property rights
- Has the organization implemented appropriate procedures to protect intellectual property rights?

5.33 Protection of records
- Does the organization ensure protection of records from loss, destruction, falsification, unauthorized access and unauthorized release?

5.34 Privacy and protection of PII
- Has the organization identified and fulfilled the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements?

5.35 Independent review of information security
- Is the organization's approach to managing information security, and its implementation including people, processes and technologies, reviewed independently?
- Who conducts the review? What is the frequency of review?
- Is a review of the information security approach and its implementation conducted in case of any significant changes?

5.36 Compliance with policies, rules and standards for information security
- Is information security implemented and operated in accordance with the organization's information security policy, topic-specific policies, rules and standards?
- Is compliance with the organization's information security policy, topic-specific policies, rules and standards reviewed regularly?

5.37 Documented operating procedures
- Has the organization properly documented the operating procedures for information processing facilities?
- Are these procedures available to personnel who need them?

6. People controls

6.1 Screening
- Does the organization conduct background verification checks of all employees prior to joining?
- Are background verification checks of all employees carried out on a regular basis?
- Are these checks conducted in accordance with applicable laws, regulations and ethics?
- Are these checks proportional to the business requirements, the classification of the information to be accessed and the perceived risks?

6.2 Terms and conditions of employment
- Are the employees' and the organization's responsibilities for information security clearly stated in their job agreements/contracts?

6.3 Information security awareness, education and training
- Has the organization established an information security awareness, education and training program for employees and relevant interested parties?
- Are they provided with appropriate information security awareness, education and training, considering the information to be protected and the information security controls that have been implemented?
- Do they receive regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function?

6.4 Disciplinary process
- Has the organization established and implemented a disciplinary process to take action against employees and other relevant interested parties who have committed an information security policy violation?
- Is this process communicated to all employees and relevant interested parties?

6.5 Responsibilities after termination or change of employment
- Has the organization defined and enforced information security responsibilities and duties that remain valid after termination or change of employment?
- Are these communicated to relevant personnel and other interested parties?

6.6 Confidentiality or non-disclosure agreements
- Has the organization identified and documented confidentiality or non-disclosure agreements? Do these agreements reflect the organization's needs for the protection of information?
- Are these agreements regularly reviewed?
- Have employees and other relevant interested parties signed confidentiality/non-disclosure agreements?

6.7 Remote working
- Has the organization implemented security measures for remote working by personnel?
- Have a policy, operational plan and procedures been developed and implemented for remote working activities?
- How is teleworking activity authorized and controlled by management?
- Do these measures ensure protection of information accessed, processed or stored outside the organization's premises?

6.8 Information security event reporting
- Is a mechanism available for employees to report observed or suspected information security events through appropriate channels in a timely manner?
- Does this mechanism support timely, consistent and effective reporting of information security events?
- Are employees aware of the procedure for reporting information security events and the point of contact to which the events should be reported?