UnixTime

Section

Overview

1 notes across 1 subsections

Back to top

Research Notes

1 notes
Research note 02 mins read

ISO27001 ISMS KB - Start Here

This knowledge base contains expanded study notes for ISO/IEC 27001 and ISO/IEC 27002.

ISO27001 iso27001 isms moc

Section

Fundamentals

15 notes across 2 subsections

Back to top

Framework Notes

2 notes
Framework note 02 mins read

Annex A and the Statement of Applicability

Annex A is a reference set of information security controls. The organization uses it to make sure it has not overlooked relevant controls when treating risks.

ISO27001 ISO27002 iso27001 annex-a soa
Framework note 03 mins read

ISO 27001 Clauses 4-10 vs Annex A

1. Clauses 4-10 — mandatory ISMS management-system requirements. 2. Annex A controls — a reference set of information security controls used for risk treatment and the Statement...

ISO27001 ISO27002 iso27001 isms annex-a

Research Notes

13 notes
Research note 01 min read

Access Control

Access control is the set of rules and mechanisms used to decide who can access information and systems, what they can do, and how that access is approved, changed, reviewed, an...

ISO27001 iso27001 isms fundamentals access-control
Research note 02 mins read

Control Attributes and Risk Treatment Effects

Control attributes are useful only if they help link a control to the risk treatment outcome you need.

risk-treatment control-attributes iso27002 isms
Research note 03 mins read

Field of Application, Usage, and Compliance

This topic explains who the guide is for, how ISO/IEC 27001 and ISO/IEC 27002 relate to each other, and what it means to claim compliance with ISO/IEC 27001.

iso27001 isms compliance audit
Research note 01 min read

Information Security Management System

An Information Security Management System is the structured set of policies, processes, roles, risks, controls, evidence, audits, management reviews, and improvement activities...

isms iso27001
Research note 01 min read

Information Security Policy

An information security policy is management's approved statement of what the organization expects for protecting information. It sets direction, assigns high-level expectations...

ISO27001 iso27001 isms policy fundamentals
Research note 01 min read

Internal Audit

Internal audit checks whether the ISMS conforms to ISO/IEC 27001 requirements, the organization's own requirements, and whether it is effectively implemented and maintained.

internal-audit iso27001 isms
Research note 03 mins read

ISO27002 Control Attributes

A control is the actual safeguard. An attribute is a label describing the safeguard.

ISO27002 iso27002 control-attributes annex-a risk-treatment
Research note 01 min read

Management Responsibilities

Management responsibilities means managers must make sure people follow the organization's information security policies, procedures, and role expectations. The security team ca...

ISO27001 iso27001 isms fundamentals management
Research note 01 min read

Management Review

Management review is the formal process where top management reviews ISMS performance, suitability, adequacy, and effectiveness.

management-review iso27001 isms
Research note 01 min read

Risk Assessment

Risk assessment identifies, analyzes, and evaluates information security risks so the organization can decide how to treat them.

risk iso27001 isms
Research note 01 min read

Roles and Responsibilities

Roles and responsibilities define who is accountable for information security activities, who performs them, who approves them, and who must be consulted or informed.

ISO27001 iso27001 isms fundamentals roles-and-responsibilities
Research note 01 min read

Segregation of Duties

Segregation of duties means sensitive work should be split so one person cannot request, approve, perform, and review the same activity without independent control.

ISO27001 iso27001 isms fundamentals segregation-of-duties
Research note 03 mins read

Statement of Applicability

The Statement of Applicability, usually called the SoA, is the ISO/IEC 27001 control decision record.

ISO27001 iso27001 isms soa annex-a

Section

ISO 27001

7 notes across 1 subsections

Back to top

Clauses

7 notes
Framework note 01 min read

ISO 27001 Clause 10 - Improvement

Placeholder clause card for Dataview tracking. Expand this when clause-specific study material is added.

ISO27001 iso27001 clause
Framework note 01 min read

ISO 27001 Clause 5 - Leadership

Placeholder clause card for Dataview tracking. Expand this when clause-specific study material is added.

ISO27001 iso27001 clause
Framework note 01 min read

ISO 27001 Clause 6 - Planning

Placeholder clause card for Dataview tracking. Expand this when clause-specific study material is added.

ISO27001 iso27001 clause
Framework note 01 min read

ISO 27001 Clause 7 - Support

Placeholder clause card for Dataview tracking. Expand this when clause-specific study material is added.

ISO27001 iso27001 clause
Framework note 01 min read

ISO 27001 Clause 8 - Operation

Placeholder clause card for Dataview tracking. Expand this when clause-specific study material is added.

ISO27001 iso27001 clause

Section

Annex A Organizational Controls

39 notes across 2 subsections

Back to top

Maps of Content

1 notes
Framework note 04 mins read

A.5 Organizational Controls MOC

Organizational controls establish governance, accountability, policy, process, and oversight for the ISMS.

ISO27001 ISO27002 iso27001 annex-a organizational-controls

Controls

38 notes
Framework note 06 mins read

ISO 27001 A.5.1 - Policies for Information Security

Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.5.11 - Return of Assets

When someone leaves, changes role, ends a contract, or no longer needs an asset, the organization must get its assets back and ensure organizational information is returned or s...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.5.13 - Labelling of Information

If information is classified, people need a practical way to see or infer the classification so they can handle it correctly.

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 05 mins read

ISO 27001 A.5.14 - Information Transfer

The organization must define how information can be transferred safely, both internally and externally.

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.5.15 - Access Control

The organization must define and enforce rules for who can access information, systems, services, networks, applications, repositories, and physical locations.

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.5.16 - Identity Management

Every user identity should be created, changed, reviewed, disabled, and removed through a controlled process.

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 05 mins read

ISO 27001 A.5.17 - Authentication Information

The organization must control how secret authentication information is issued, changed, protected, reset, and handled.

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.5.18 - Access Rights

Access rights must be granted, changed, reviewed, and removed through a controlled process.

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 05 mins read

ISO 27001 A.5.23 - Information Security for Use of Cloud Services

Cloud services must be governed from selection to exit. The organization needs defined processes for buying, configuring, using, monitoring, changing, and leaving cloud services...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 03 mins read

ISO 27001 A.5.28 - Collection of Evidence

The organization must know how to identify, collect, acquire, preserve, store, and protect evidence related to security events so it remains complete, reliable, and usable.

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 03 mins read

ISO 27001 A.5.29 - Information Security During Disruption

The organization must decide in advance how information security will be maintained during serious disruption, crisis, disaster recovery, or business continuity events.

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 06 mins read

ISO 27001 A.5.3 - Segregation of Duties

No single person should be able to perform a sensitive activity from beginning to end without independent oversight, approval, review, or control.

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 03 mins read

ISO 27001 A.5.30 - ICT Readiness for Business Continuity

The organization must plan, build, maintain, and test ICT continuity capability so priority systems and services can recover in line with business continuity objectives.

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.5.32 - Intellectual Property Rights

The organization must have procedures that prevent unauthorized use, copying, distribution, modification, or licensing misuse of software, documents, designs, source code, trade...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.5.33 - Protection of Records

The organization must protect required records for as long as they need to be retained, so they are not lost, destroyed, falsified, accessed without authorization, or released w...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.5.34 - Privacy and Protection of PII

The organization must identify privacy and PII protection requirements that apply to the personal information it collects, stores, processes, transmits, shares, or retains, then...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 03 mins read

ISO 27001 A.5.35 - Independent Review of Information Security

The organization must have its information security management approach and actual implementation independently reviewed at planned intervals and when significant changes happen.

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.5.37 - Documented Operating Procedures

The organization must document operating procedures for information processing facilities and make the current approved procedures available to the people who need to use them.

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 05 mins read

ISO 27001 A.5.4 - Management Responsibilities

Management must require all personnel to apply information security in accordance with the organization's information security policy, topic-specific policies, and procedures.

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 05 mins read

ISO 27001 A.5.5 - Contact with Authorities

The organization must know which external authorities matter for information security and must maintain usable contact paths before an incident, investigation, regulatory reques...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.5.6 - Contact with Special Interest Groups

The organization should stay connected to credible external security knowledge sources. Security teams should not rely only on internal experience, vendor marketing, or outdated...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 05 mins read

ISO 27001 A.5.7 - Threat Intelligence

The organization must collect threat information, analyze it in context, and turn it into usable intelligence for decisions.

ISO27001 ISO27002 iso27001 iso27002 annex-a

Section

Annex A People Controls

9 notes across 2 subsections

Back to top

Maps of Content

1 notes
Framework note 02 mins read

A.6 People Controls MOC

A.5 is mostly governance and organizational control design. A.6 is about personnel trust and behavior. In an audit, A.6 evidence usually comes from HR, recruitment, line managem...

ISO27001 ISO27002 iso27001 iso27002 annex-a

Controls

8 notes
Framework note 05 mins read

ISO 27001 A.6.1 - Screening

The organization should check that people are who they claim to be, have the relevant background for the role, and do not present unmanaged personnel risk before they join or re...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 05 mins read

ISO 27001 A.6.2 - Terms and Conditions of Employment

People should not have to guess what they are responsible for. Employment contracts, contractor agreements, confidentiality agreements, onboarding acknowledgements, or security...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 05 mins read

ISO 27001 A.6.4 - Disciplinary Process

The organization needs a documented and communicated process for handling information security policy violations. People should know that violations can lead to action, and mana...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 05 mins read

ISO 27001 A.6.6 - Confidentiality or Non-Disclosure Agreements

The organization should know when confidentiality or non-disclosure agreements are needed, use terms that match its information-protection needs, keep those agreements legally u...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 05 mins read

ISO 27001 A.6.7 - Remote Working

When people work away from organization premises, the organization still has to protect information. That includes homes, hotels, coffee shops, customer sites, temporary offices...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 05 mins read

ISO 27001 A.6.8 - Information Security Event Reporting

People need to know what might be a security event, how to report it, who to report it to, and what not to do. Reporting should be fast, simple, and no-blame enough that people...

ISO27001 ISO27002 iso27001 iso27002 annex-a

Section

Exam Prep

3 notes across 1 subsections

Back to top

Exam Notes

3 notes
Research note 28 mins read

Common Exam Traps

Research note.

exam iso27001 iso27002 traps
Research note 09 mins read

Exam Cues

- approved; - communicated; - acknowledged; - reviewed; - version controlled; - management commitment; - topic-specific; - relevant personnel and interested parties.

exam iso27001 iso27002
Research note 02 mins read

Quiz Review - Control Attributes and Compliance

Annex A is not a mandatory checklist for every organization. It is a reference set of controls used to help the organization check whether it has overlooked relevant risks or co...

exam quiz iso27001 iso27002

Section

Annex A Physical Controls

15 notes across 2 subsections

Back to top

Maps of Content

1 notes
Framework note 03 mins read

A.7 Physical Controls MOC

A.5 defines organizational governance and A.6 defines people behavior and personnel lifecycle controls. A.7 tests whether the physical environment supports those decisions. The...

ISO27001 ISO27002 iso27001 iso27002 annex-a

Controls

14 notes
Framework note 05 mins read

ISO 27001 A.7.1 - Physical Security Perimeters

The organization should know which physical areas need protection and where the boundaries are. A perimeter can be a building boundary, floor, room, cage, cabinet, loading area,...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 05 mins read

ISO 27001 A.7.10 - Storage Media

The organization should control storage media from the moment it is obtained until it is erased, destroyed, disposed of, or transferred. Media includes digital and physical carr...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 05 mins read

ISO 27001 A.7.11 - Supporting Utilities

Information processing facilities need supporting utilities to operate. Electricity, cooling, ventilation, telecommunications, water, fire protection, emergency lighting, and bu...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.7.12 - Cabling Security

Cables are part of the information processing environment. If they are badly routed, unprotected, mixed incorrectly, poorly labelled, or accessible to unauthorized people, they...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 03 mins read

ISO 27001 A.7.13 - Equipment Maintenance

Equipment that runs reliably today can still fail tomorrow. The organization should define maintenance needs, follow supplier recommendations, use authorized maintainers, keep m...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.7.14 - Secure Disposal or Re-Use of Equipment

Before equipment is reused, sold, returned, repaired, donated, recycled, or discarded, the organization should verify that sensitive information and licensed software are no lon...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 05 mins read

ISO 27001 A.7.2 - Physical Entry

If an area is secure, entry should be controlled. The organization should know who is allowed in, how entry is verified, how visitors are handled, how delivery/loading areas are...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 05 mins read

ISO 27001 A.7.3 - Securing Offices, Rooms and Facilities

The organization should design and implement physical protections for offices, rooms, and facilities based on what those areas contain and how critical or sensitive the work is.

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.7.4 - Physical Security Monitoring

The organization should monitor premises for unauthorized physical access, similar to how networks are monitored for intrusion. Monitoring may be manual, automated, or a mix of...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.7.6 - Working in Secure Areas

The organization should define how people work inside secure areas when the work itself is sensitive or critical. Physical entry controls are not enough. The rules must also cov...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.7.7 - Clear Desk and Clear Screen

People should not leave sensitive papers, removable media, printed documents, fax messages, or unlocked screens exposed where unauthorized people can see, photograph, remove, al...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 05 mins read

ISO 27001 A.7.8 - Equipment Siting and Protection

The organization should place and protect equipment in a way that reduces physical damage, environmental damage, unauthorized access, unauthorized use, and information exposure.

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 05 mins read

ISO 27001 A.7.9 - Security of Assets Off-Premises

The organization should protect equipment, documents, data, software, and storage media when they leave the organization's controlled environment.

ISO27001 ISO27002 iso27001 iso27002 annex-a

Section

Audit Evidence Packs

92 notes across 5 subsections

Back to top

A.5 Evidence Packs

37 notes
Template note 02 mins read

A.5.1 Audit Evidence Pack

The auditor wants to confirm that information security policies are defined, approved, published, communicated, acknowledged, controlled, and reviewed.

ISO27001 ISO27002 audit evidence a5-1
Template note 02 mins read

A.5.10 Audit Evidence Pack

The auditor wants to confirm that acceptable use rules and information handling procedures are defined, communicated, acknowledged, implemented, and enforced for relevant users...

ISO27001 ISO27002 audit evidence a5-10
Template note 02 mins read

A.5.11 Audit Evidence Pack

The auditor wants to confirm that employees, contractors, third-party users, and other relevant parties return organizational assets when employment, contract, agreement, or rol...

ISO27001 ISO27002 audit evidence a5-11
Template note 02 mins read

A.5.12 Audit Evidence Pack

The auditor wants to confirm that the organization has a clear, usable classification scheme and that information is classified according to confidentiality, integrity, availabi...

ISO27001 ISO27002 audit evidence a5-12
Template note 02 mins read

A.5.13 Audit Evidence Pack

The auditor wants to confirm that labelling procedures exist, align with the classification scheme, and are implemented across relevant physical and digital forms of information.

ISO27001 ISO27002 audit evidence a5-13
Template note 02 mins read

A.5.14 Audit Evidence Pack

The auditor wants to confirm that the organization has documented and implemented rules, procedures, or agreements for transferring information internally and externally across...

ISO27001 ISO27002 audit evidence a5-14
Template note 02 mins read

A.5.15 Audit Evidence Pack

The auditor wants to confirm that physical and logical access rules are defined, implemented, approved, reviewed, and based on business and information security requirements.

ISO27001 ISO27002 audit evidence a5-15
Template note 02 mins read

A.5.16 Audit Evidence Pack

The auditor wants to confirm that identities are uniquely registered where possible and managed through the full lifecycle: creation, authorization, change, review, disabling, d...

ISO27001 ISO27002 audit evidence a5-16
Template note 02 mins read

A.5.17 Audit Evidence Pack

The auditor wants to confirm that secret authentication information is issued, managed, changed, reset, stored, and handled through a controlled process, and that users understa...

ISO27001 ISO27002 audit evidence a5-17
Template note 02 mins read

A.5.18 Audit Evidence Pack

The auditor wants to confirm that access rights are formally provisioned, reviewed, modified, and removed according to access control rules.

ISO27001 ISO27002 audit evidence a5-18
Template note 02 mins read

A.5.19 Audit Evidence Pack

The auditor wants to confirm that supplier information security risks are identified, assessed, controlled, contractually addressed, and reviewed.

ISO27001 ISO27002 audit evidence a5-19
Template note 02 mins read

A.5.2 Audit Evidence Pack

The auditor wants to confirm that information security roles and responsibilities are defined, allocated, documented, communicated, understood, accepted, current, and applied to...

ISO27001 ISO27002 audit evidence a5-2
Template note 02 mins read

A.5.20 Audit Evidence Pack

The auditor wants to confirm that supplier security requirements are established, agreed, authorized, and appropriate to the supplier relationship before access or information s...

ISO27001 ISO27002 audit evidence a5-20
Template note 02 mins read

A.5.21 Audit Evidence Pack

The auditor wants to confirm that ICT supply-chain risks are identified and managed, including inherited risks from subcontractors, cloud providers, support parties, hosting pro...

ISO27001 ISO27002 audit evidence a5-21
Template note 02 mins read

A.5.22 Audit Evidence Pack

The auditor wants to confirm that supplier security practices and service delivery are monitored, reviewed, evaluated, and changed through a controlled process.

ISO27001 ISO27002 audit evidence a5-22
Template note 02 mins read

A.5.23 Audit Evidence Pack

The auditor wants to confirm that cloud service acquisition, use, management, and exit are governed according to the organization's information security requirements.

ISO27001 ISO27002 audit evidence a5-23
Template note 02 mins read

A.5.24 Audit Evidence Pack

The auditor wants to confirm that incident management processes, roles, responsibilities, reporting routes, and preparation activities are defined, established, communicated, an...

ISO27001 ISO27002 audit evidence a5-24
Template note 02 mins read

A.5.25 Audit Evidence Pack

The auditor wants to confirm that reported security events are assessed using defined criteria and that the incident/non-incident decision is recorded with justification and tim...

ISO27001 ISO27002 audit evidence iso27001
Template note 02 mins read

A.5.26 Audit Evidence Pack

The auditor wants to confirm that confirmed information security incidents are responded to according to documented procedures and that response decisions, actions, responsibili...

ISO27001 ISO27002 audit evidence iso27001
Template note 02 mins read

A.5.27 Audit Evidence Pack

The auditor wants to confirm that knowledge from incidents is captured and used to improve controls, procedures, awareness, risk treatment, and the ISMS.

ISO27001 ISO27002 audit evidence iso27001
Template note 02 mins read

A.5.28 Audit Evidence Pack

The auditor wants to confirm that procedures exist and operate for identifying, collecting, acquiring, preserving, storing, and protecting evidence related to information securi...

ISO27001 ISO27002 audit evidence iso27001
Template note 02 mins read

A.5.29 Audit Evidence Pack

The auditor wants to confirm that information security is maintained at an appropriate level during disruption and that continuity plans include security objectives, roles, requ...

ISO27001 ISO27002 audit evidence iso27001
Template note 02 mins read

A.5.3 Audit Evidence Pack

The auditor wants to confirm that conflicting duties and responsibilities have been identified and segregated, or that compensating controls exist where segregation is not pract...

ISO27001 ISO27002 audit evidence a5-3
Template note 02 mins read

A.5.30 Audit Evidence Pack

The auditor wants to confirm that ICT readiness is planned, implemented, maintained, and tested based on business continuity objectives and ICT continuity requirements.

ISO27001 ISO27002 audit evidence iso27001
Template note 02 mins read

A.5.31 Audit Evidence Pack

The auditor wants to confirm that applicable legal, statutory, regulatory, and contractual information security requirements are identified, documented, owned, kept current, and...

ISO27001 ISO27002 audit evidence iso27001
Template note 02 mins read

A.5.32 Audit Evidence Pack

The auditor wants to confirm that procedures protect intellectual property rights and that software, content, source code, libraries, and AI-generated material are used within a...

ISO27001 ISO27002 audit evidence iso27001
Template note 02 mins read

A.5.33 Audit Evidence Pack

The auditor wants to confirm that required records are identified, retained, protected from loss/alteration/unauthorized access/release, reviewed, accessible through retention,...

ISO27001 ISO27002 audit evidence iso27001
Template note 02 mins read

A.5.34 Audit Evidence Pack

The auditor wants to confirm that privacy and PII requirements are identified, mapped, implemented, reviewed, and evidenced for all relevant PII holdings, roles, transfers, and...

ISO27001 ISO27002 audit evidence iso27001
Template note 02 mins read

A.5.35 Audit Evidence Pack

The auditor wants to confirm that the information security approach and implementation are independently reviewed at planned intervals and after significant changes, with findin...

ISO27001 ISO27002 audit evidence iso27001
Template note 02 mins read

A.5.36 Audit Evidence Pack

The auditor wants to confirm that compliance with information security policies, rules, and standards is regularly reviewed through management and technical checks, with finding...

ISO27001 ISO27002 audit evidence iso27001
Template note 02 mins read

A.5.37 Audit Evidence Pack

The auditor wants to confirm that operating procedures for information processing facilities are documented, controlled, current, available to personnel who need them, and used...

ISO27001 ISO27002 audit evidence iso27001
Template note 02 mins read

A.5.4 Audit Evidence Pack

The auditor wants to confirm that managers actively require personnel to apply information security according to policies and procedures.

ISO27001 ISO27002 audit evidence a5-4
Template note 02 mins read

A.5.5 Audit Evidence Pack

The auditor wants to confirm that the organization has identified relevant authorities, assigned authorized liaison roles, defined contact triggers, maintained accurate contact...

ISO27001 ISO27002 audit evidence a5-5
Template note 02 mins read

A.5.6 Audit Evidence Pack

The auditor wants to confirm that the organization maintains proportionate contact with relevant specialist security groups, forums, or professional associations and that useful...

ISO27001 ISO27002 audit evidence a5-6
Template note 02 mins read

A.5.7 Audit Evidence Pack

The auditor wants to confirm that threat information is collected, analyzed, validated, contextualized, and used to support risk assessment, risk treatment, control improvement,...

ISO27001 ISO27002 audit evidence a5-7
Template note 02 mins read

A.5.8 Audit Evidence Pack

The auditor wants to confirm that information security is integrated into the project management method and applied in real projects from initiation through transition to operat...

ISO27001 ISO27002 audit evidence a5-8
Template note 02 mins read

A.5.9 Audit Evidence Pack

The auditor wants to confirm that information and associated assets are identified, owned, classified, maintained, protected, and updated through change, project, procurement, a...

ISO27001 ISO27002 audit evidence a5-9

A.6 Evidence Packs

8 notes
Template note 02 mins read

A.6.1 Audit Evidence Pack

The auditor wants evidence that background verification checks are defined, applied, documented, and protected as personal data.

ISO27001 ISO27002 audit evidence a6-1
Template note 02 mins read

A.6.2 Audit Evidence Pack

The auditor wants evidence that security responsibilities are defined, accepted, role-appropriate, current, and applicable to employees, contractors, and third-party users in sc...

ISO27001 ISO27002 audit evidence a6-2
Template note 03 mins read

A.6.3 Audit Evidence Pack

The auditor wants evidence that training is role-relevant, current, recorded, repeated where needed, and improved based on effectiveness feedback.

ISO27001 ISO27002 audit evidence a6-3
Template note 02 mins read

A.6.4 Audit Evidence Pack

The auditor wants evidence that the organization can respond fairly and consistently when personnel or relevant interested parties violate information security policy.

ISO27001 ISO27002 audit evidence a6-4
Template note 02 mins read

A.6.5 Audit Evidence Pack

The auditor wants proof that old access and assets are removed, relevant parties are notified, and continuing duties are communicated after termination or role change.

ISO27001 ISO27002 audit evidence a6-5
Template note 02 mins read

A.6.6 Audit Evidence Pack

The auditor wants evidence that agreements reflect actual confidentiality requirements and are legally usable where needed.

ISO27001 ISO27002 audit evidence a6-6
Template note 02 mins read

A.6.7 Audit Evidence Pack

The auditor wants evidence that information remains protected when accessed, processed, or stored outside organization premises.

ISO27001 ISO27002 audit evidence a6-7
Template note 02 mins read

A.6.8 Audit Evidence Pack

The auditor wants proof that reporting channels are known, usable, timely, and connected to event assessment and incident management.

ISO27001 ISO27002 audit evidence a6-8

A.7 Evidence Packs

14 notes
Template note 02 mins read

A.7.1 Audit Evidence Pack

The auditor wants evidence that physical zones protect assets and information, not just a floorplan showing rooms.

ISO27001 ISO27002 audit evidence a7-1
Template note 02 mins read

A.7.10 Audit Evidence Pack

- Media handling follows classification. - Media is inventoried and labelled where appropriate. - Dispatches are authorized and recorded. - Sensitive media is protected during t...

ISO27001 ISO27002 audit evidence a7-10
Template note 02 mins read

A.7.11 Audit Evidence Pack

- Critical facilities have documented utility dependencies. - UPS/generator tests include load, runtime, cooling, and maintenance evidence. - Alarms detect utility failures and...

ISO27001 ISO27002 audit evidence a7-11
Template note 01 min read

A.7.12 Audit Evidence Pack

- Cable routes are documented and protected. - Power/data segregation is implemented where needed. - Patch panels, cabinets, and connections are locked or access-controlled. - L...

ISO27001 ISO27002 audit evidence a7-12
Template note 01 min read

A.7.13 Audit Evidence Pack

- Maintenance is scheduled and recorded. - Faults and repairs are tracked. - Maintainers are authorized and qualified. - External maintainers are escorted where required. - Conf...

ISO27001 ISO27002 audit evidence a7-13
Template note 02 mins read

A.7.14 Audit Evidence Pack

- Records identify asset, storage media, classification, method, verifier, and date. - Sanitization method matches media type and sensitivity. - Contractor records are asset-spe...

ISO27001 ISO27002 audit evidence a7-14
Template note 02 mins read

A.7.2 Audit Evidence Pack

The auditor wants evidence that only authorized people can enter secure areas and that visitor, badge, delivery, and loading controls operate in practice.

ISO27001 ISO27002 audit evidence a7-2
Template note 02 mins read

A.7.3 Audit Evidence Pack

- Controls are based on value, liability, importance, and classification. - Sensitive room purpose is not unnecessarily exposed. - Internal directories and access clues are prot...

ISO27001 ISO27002 audit evidence a7-3
Template note 02 mins read

A.7.4 Audit Evidence Pack

- Monitoring scope is documented and risk-based. - Alerts have owners, response times, and escalation paths. - Monitoring tests are performed and recorded. - Monitoring staff kn...

ISO27001 ISO27002 audit evidence a7-4
Template note 02 mins read

A.7.5 Audit Evidence Pack

- Hazard assessment includes site, room, utility, and neighbor risks. - Specialist advice exists for material hazards. - Controls are implemented and maintained. - Continuity ar...

ISO27001 ISO27002 audit evidence a7-5
Template note 02 mins read

A.7.6 Audit Evidence Pack

- Secure-area work is identified and risk-assessed. - Need-to-know, device, media, supervision, and dual-control rules are documented. - Employees, contractors, and third partie...

ISO27001 ISO27002 audit evidence a7-6
Template note 02 mins read

A.7.7 Audit Evidence Pack

- Rules cover papers, removable media, screens, printers, faxes, storage, and confidential waste. - Auto-lock settings are enforced. - Sensitive print/fax workflows are controll...

ISO27001 ISO27002 audit evidence a7-7
Template note 02 mins read

A.7.8 Audit Evidence Pack

- Equipment inventory includes location, owner, and protection requirement. - Siting assessment covers physical, environmental, viewing, access, and interference risks. - Networ...

ISO27001 ISO27002 audit evidence a7-8
Template note 02 mins read

A.7.9 Audit Evidence Pack

- Asset removal is authorized and logged. - Off-site assets are recorded with custodian, location, and review date. - Mobile devices are encrypted and managed. - Long-term loans...

ISO27001 ISO27002 audit evidence a7-9

Maps of Content

1 notes
Template note 03 mins read

Audit Evidence MOC

1. Design — is the control defined appropriately? 2. Implementation — has it been put in place? 3. Operation — is it operating as intended? 4. Evidence — can the organization pr...

audit iso27001 moc

Template Notes

32 notes
Template note 01 min read

A.8.1 Audit Evidence Pack

- Device inventory includes managed and BYOD endpoints. - Compliance reports show patching, encryption, screen lock, and malware/EDR status. - Remote access requires strong auth...

audit evidence a8-1 iso27001
Template note 01 min read

A.8.10 Audit Evidence Pack

- Deletion records match retention rules. - Deletion method matches sensitivity and storage type. - Items awaiting destruction are secured. - Cloud and backup data are included....

audit evidence a8-10 iso27001
Template note 01 min read

A.8.11 Audit Evidence Pack

- Masking methods are defined and matched to use cases. - Full-data access is role-based and approved. - Token lookup tables/keys are segregated. - Re-combination is logged and...

audit evidence a8-11 iso27001
Template note 02 mins read

A.8.12 Audit Evidence Pack

- DLP scope maps to sensitive/classified information. - Approved data flows and channels are defined. - DLP rules are tuned to the organization’s risk and data types. - Alerts a...

audit evidence a8-12 iso27001
Template note 02 mins read

A.8.13 Audit Evidence Pack

- Backup scope maps to critical information, systems, and software. - Frequency aligns with risk and continuity requirements. - Restore tests are documented and successful. - Ba...

audit evidence a8-13 iso27001
Template note 01 min read

A.8.14 Audit Evidence Pack

- Redundancy is linked to RTO/RPO and service criticality. - Critical dependencies are included. - Failover tests meet target recovery times. - Data replication and alternate-si...

audit evidence a8-14 iso27001
Template note 02 mins read

A.8.15 Audit Evidence Pack

- Logs include event, user/account, date/time, source, and action. - Privileged activity is logged and independently reviewed. - Logs are protected from source-system administra...

audit evidence a8-15 iso27001
Template note 02 mins read

A.8.16 Audit Evidence Pack

- Detection use cases trace to risk scenarios, assets, and critical services. - Monitoring source coverage includes relevant identity, endpoint, server, network, cloud, applicat...

audit evidence a8-16 iso27001
Template note 02 mins read

A.8.19 Audit Evidence Pack

- Installation records link to approved changes. - Security, compatibility, and regression tests are retained. - Deployment was performed by authorized personnel. - Production i...

audit evidence a8-19 iso27001
Template note 01 min read

A.8.2 Audit Evidence Pack

- Privileges are approved based on need-to-use. - Separate named admin IDs exist where feasible. - Privileged activity is logged and reviewed. - Logs are protected and retained....

audit evidence a8-2 iso27001
Template note 02 mins read

A.8.20 Audit Evidence Pack

- Diagrams match actual network configuration. - Sensitive traffic paths and public network exposure are identified. - Network zones are enforced and tested. - Network device ad...

audit evidence a8-20 iso27001
Template note 01 min read

A.8.21 Audit Evidence Pack

- Network services have owners and risk assessments. - Required security mechanisms are documented. - Agreements include security features and service levels. - Provider reports...

audit evidence a8-21 iso27001
Template note 01 min read

A.8.22 Audit Evidence Pack

- Zones are risk-based and documented. - Systems and services are assigned to zones. - Inter-zone rules are specific and reviewed. - Wireless and cloud networks are included. -...

audit evidence a8-22 iso27001
Template note 01 min read

A.8.23 Audit Evidence Pack

- Categories are mapped to policy and risk. - Filtering covers remote users and relevant devices. - Exceptions have approval, owner, and review date. - Users cannot casually dis...

audit evidence a8-23 iso27001
Template note 02 mins read

A.8.24 Audit Evidence Pack

- Cryptographic decisions trace to risk and classification. - Algorithms, key lengths, and protocols are approved and current. - Keys have owners, purpose, lifecycle status, and...

audit evidence a8-24 iso27001
Template note 01 min read

A.8.25 Audit Evidence Pack

- Secure development rules are mandatory and integrated into workflow. - Developers and reviewers have relevant training. - Reviews are performed by competent reviewers, not onl...

audit evidence a8-25 iso27001
Template note 01 min read

A.8.26 Audit Evidence Pack

- Requirements are specific and testable. - Requirements trace to risk, classification, and legal obligations. - Security and business owners approve requirements. - Testing pro...

audit evidence a8-26 iso27001
Template note 01 min read

A.8.27 Audit Evidence Pack

- Principles are specific and usable. - Architecture reviews reference principles. - Threat models identify and treat design risks. - Deviations are risk-assessed and approved....

audit evidence a8-27 iso27001
Template note 01 min read

A.8.28 Audit Evidence Pack

- Standards are language, framework, and risk-specific. - Developers can retrieve and explain applicable standards. - Automated checks run and findings are reviewed. - Secure co...

audit evidence a8-28 iso27001
Template note 01 min read

A.8.29 Audit Evidence Pack

- Test depth and frequency trace to risk. - Testing occurs during development and before acceptance. - Acceptance criteria are documented. - Defective input, regression, access...

audit evidence a8-29 iso27001
Template note 02 mins read

A.8.3 Audit Evidence Pack

- Access rules are approved by the information or application owner. - Role permissions are mapped to create/read/modify/delete/export/admin rights. - Application and database p...

audit evidence a8-3 iso27001
Template note 02 mins read

A.8.30 Audit Evidence Pack

- Contracts include secure development, testing, IP, audit, and training requirements. - Supplier deliverables have test and review evidence. - Findings are tracked to closure o...

audit evidence a8-30 iso27001
Template note 02 mins read

A.8.31 Audit Evidence Pack

- Access differs between development, test, and production. - Production deployments require approval and release records. - Network and administrative paths are restricted and...

audit evidence a8-31 iso27001
Template note 01 min read

A.8.32 Audit Evidence Pack

- Security impact is assessed before approval. - Testing and rollback are proportionate to risk. - Implementation logs match approved changes. - Release records identify include...

audit evidence a8-32 iso27001
Template note 01 min read

A.8.33 Audit Evidence Pack

- Synthetic or masked data is the default. - Each live-data use is authorized. - Test environments protect sensitive data appropriately. - Logs, caches, screenshots, and debug f...

audit evidence a8-33 iso27001
Template note 01 min read

A.8.34 Audit Evidence Pack

- Operational testing is planned before execution. - Scope, tools, timing, contacts, and stop criteria are documented. - Appropriate management authorizes the activity. - Tool u...

audit evidence a8-34 iso27001
Template note 02 mins read

A.8.4 Audit Evidence Pack

- Source code is centrally stored in controlled repositories. - Read/write/merge/build/release permissions are separated. - Changes require review, approval, and test evidence....

audit evidence a8-4 iso27001
Template note 01 min read

A.8.5 Audit Evidence Pack

- MFA is implemented for remote, privileged, and high-risk access where required. - MFA uses different factor types. - Failed logon handling includes lockout, delay, throttling,...

audit evidence a8-5 iso27001
Template note 01 min read

A.8.6 Audit Evidence Pack

- Critical systems have defined capacity plans. - Monitoring covers current and expected bottlenecks. - Trend analysis is reviewed and acted on. - Thresholds have owners and act...

audit evidence a8-6 iso27001
Template note 02 mins read

A.8.7 Audit Evidence Pack

- Malware protection coverage is inventoried. - Updates are monitored and exceptions are investigated. - Real-time scanning is enabled where feasible. - Sensitive/shared systems...

audit evidence a8-7 iso27001
Template note 02 mins read

A.8.8 Audit Evidence Pack

- Scanning covers all relevant systems. - Vulnerabilities have owners, severity, risk rating, and target dates. - Critical issues are prioritized by exploitability and exposure....

audit evidence a8-8 iso27001
Template note 01 min read

A.8.9 Audit Evidence Pack

- Baselines exist for major technology types. - Systems are mapped to applicable baselines. - Compliance is checked regularly or continuously. - Exceptions include risk rational...

audit evidence a8-9 iso27001

Section

ISMS Artifacts

59 notes across 1 subsections

Back to top

Research Notes

59 notes
Research note 01 min read

AQ-ISO27001-A.7.12 Cabling Security

Audit question set for ISO27001-A.7.12. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.7.13 Equipment Maintenance

Audit question set for ISO27001-A.7.13. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.7.14 Secure Disposal or Re-Use of Equipment

Audit question set for ISO27001-A.7.14. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.7.10 Storage Media

Audit question set for ISO27001-A.7.10. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.7.11 Supporting Utilities

Audit question set for ISO27001-A.7.11. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.7.9 Security of Assets Off-Premises

Audit question set for ISO27001-A.7.9. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.7.8 Equipment Siting and Protection

Audit question set for ISO27001-A.7.8. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.6.1 Screening

Audit question set for ISO27001-A.6.1. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.6.2 Terms and Conditions of Employment

Audit question set for ISO27001-A.6.2. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.6.4 Disciplinary Process

Audit question set for ISO27001-A.6.4. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.6.7 Remote Working

Audit question set for ISO27001-A.6.7. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.6.8 Information Security Event Reporting

Audit question set for ISO27001-A.6.8. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.7.1 Physical Security Perimeters

Audit question set for ISO27001-A.7.1. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.7.2 Physical Entry

Audit question set for ISO27001-A.7.2. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.7.3 Securing Offices, Rooms and Facilities

Audit question set for ISO27001-A.7.3. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.7.4 Physical Security Monitoring

Audit question set for ISO27001-A.7.4. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.7.6 Working in Secure Areas

Audit question set for ISO27001-A.7.6. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.7.7 Clear Desk and Clear Screen

Audit question set for ISO27001-A.7.7. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.33 Protection of Records

Audit question set for ISO27001-A.5.33. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.34 Privacy and Protection of PII

Audit question set for ISO27001-A.5.34. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.37 Documented Operating Procedures

Audit question set for ISO27001-A.5.37. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.28 Collection of Evidence

Audit question set for ISO27001-A.5.28. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.29 Information Security During Disruption

Audit question set for ISO27001-A.5.29. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.30 ICT Readiness for Business Continuity

Audit question set for ISO27001-A.5.30. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.32 Intellectual Property Rights

Audit question set for ISO27001-A.5.32. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.1 Policies for Information Security

Audit question set for ISO27001-A.5.1. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.11 Return of Assets

Audit question set for ISO27001-A.5.11. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.12 Classification of Information

Audit question set for ISO27001-A.5.12. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.13 Labelling of Information

Audit question set for ISO27001-A.5.13. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.14 Information Transfer

Audit question set for ISO27001-A.5.14. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.15 Access Control

Audit question set for ISO27001-A.5.15. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.16 Identity Management

Audit question set for ISO27001-A.5.16. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.17 Authentication Information

Audit question set for ISO27001-A.5.17. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.18 Access Rights

Audit question set for ISO27001-A.5.18. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.3 Segregation of Duties

Audit question set for ISO27001-A.5.3. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.4 Management Responsibilities

Audit question set for ISO27001-A.5.4. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.5 Contact with Authorities

Audit question set for ISO27001-A.5.5. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.6 Contact with Special Interest Groups

Audit question set for ISO27001-A.5.6. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001
Research note 01 min read

AQ-ISO27001-A.5.7 Threat Intelligence

Audit question set for ISO27001-A.5.7. Use it to validate implementation, operating evidence, exceptions, review cadence, ownership, and corrective action.

ISO27001 ISO27002 audit audit-question iso27001

Section

Annex a technological controls

33 notes across 2 subsections

Back to top

Maps of Content

1 notes
Framework note 06 mins read

A.8 Technological Controls MOC

A.5 sets governance rules, A.6 manages people responsibilities, and A.7 protects the physical environment. A.8 tests whether technical systems enforce and evidence those decisions.

ISO27001 ISO27002 iso27001 iso27002 annex-a

Framework Notes

32 notes
Framework note 04 mins read

ISO 27001 A.8.1 - User End Point Devices

The organization should protect laptops, desktops, mobile phones, tablets, personal devices, and other endpoint devices that users rely on to access organizational information.

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.10 - Information Deletion

The organization should not keep information forever just because storage is cheap. When information is no longer needed for business, legal, regulatory, contractual, or evidenc...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.11 - Data Masking

The organization should hide, replace, tokenize, pseudonymize, or anonymize sensitive data where full visibility is not needed. The goal is to let people or systems use data for...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.12 - Data Leakage Prevention

The organization should prevent sensitive information from leaving approved locations, systems, networks, or channels without authorization. This requires understanding which in...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.13 - Information Backup

The organization should make backup copies of important information, software, and systems, protect those backups, and regularly test whether they can actually be restored.

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.15 - Logging

The organization should collect useful logs, protect them from tampering, keep them long enough, and review or analyse them so security-relevant events can be detected and inves...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 05 mins read

ISO 27001 A.8.16 - Monitoring Activities

The organization should actively watch important technology environments for signs that something abnormal or suspicious is happening. Monitoring should help detect possible att...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.2 - Privileged Access Rights

Privileged access allows users to administer systems, override controls, change configurations, access sensitive data, or recover systems during failure. Because privileged acce...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.20 - Networks Security

Networks are not just cables and routers. They are trust paths between users, systems, applications, cloud services, suppliers, and management interfaces. If the network is poor...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.21 - Security of Network Services

When the organization uses network services, especially third-party network services, it should know exactly what security features and service levels are required, what the pro...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.22 - Segregation of Networks

Large flat networks are hard to defend. Network segregation divides users, systems, and services into smaller physical or logical zones so traffic between them can be controlled.

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.23 - Web Filtering

Users can be compromised by visiting malicious websites, downloading fake tools, following phishing links, or connecting to command-and-control infrastructure. Web filtering red...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.24 - Use of Cryptography

The organization should define when cryptography is required, what approved cryptographic methods may be used, who manages keys, how keys are protected, and how cryptographic co...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.25 - Secure Development Life Cycle

Development work should follow secure rules from the beginning. This applies to software, services, networks, infrastructure, environments, and systems that are built or changed...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.26 - Application Security Requirements

Application security requirements should be defined before the application is built, bought, integrated, or changed. The organization should decide what security the application...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.28 - Secure Coding

Developers should follow secure coding standards that fit the languages, frameworks, tools, and risk level of the software being built. The standard should explain both general...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 05 mins read

ISO 27001 A.8.3 - Information Access Restriction

The organization should make sure users can only access the information, functions, applications, databases, reports, exports, and assets they need for their role.

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.30 - Outsourced Development

If a supplier builds software or systems for the organization, the organization still owns the security outcome. Outsourcing the work does not outsource accountability.

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.32 - Change Management

Changes to systems, infrastructure, networks, applications, code, integrations, operational processes, and information processing facilities should be planned, reviewed, approve...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.33 - Test Information

Test data should be chosen deliberately. Synthetic or fictitious data is usually safer. If production data is used for testing, it must be justified, authorized, protected, logg...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.4 - Access to Source Code

Source code, build tools, compilers, package repositories, CI/CD pipelines, and software libraries can directly change how systems behave. If an attacker or unauthorized insider...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.5 - Secure Authentication

Authentication is the point where a system tests whether the person, service, or device claiming an identity should be accepted. Secure authentication means the logon process do...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.6 - Capacity Management

The organization should know whether its systems, networks, storage, cloud services, databases, staff, and other resources can support current and future demand. Capacity manage...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 05 mins read

ISO 27001 A.8.7 - Protection Against Malware

The organization should reduce the chance that malicious software infects systems, spreads through files or connected services, damages information, or gives attackers unauthori...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.8 - Management of Technical Vulnerabilities

The organization should actively find out what vulnerabilities affect its systems, assess how exposed it is, and respond in a risk-based timeframe. Response can include patching...

ISO27001 ISO27002 iso27001 iso27002 annex-a
Framework note 04 mins read

ISO 27001 A.8.9 - Configuration Management

The organization should define what secure and acceptable configuration looks like, apply it, monitor whether systems stay aligned to it, and review exceptions. If approved conf...

ISO27001 ISO27002 iso27001 iso27002 annex-a

Section

Implementer Guide

6 notes across 2 subsections

Back to top

Maps of Content

1 notes
Framework note 02 mins read

ISO 27001 Implementer Guide

This guide is the implementation view of the vault. It explains how to build and operate an ISMS using the existing ISO/IEC 27001 notes, Annex A controls, templates, evidence pa...

ISO27001 iso27001 implementer-guide isms moc

Framework Notes

5 notes
Framework note 04 mins read

A.5 Organizational Controls Implementation Guide

This note converts the covered A.5 control library into an implementer view. Use the individual control notes for detail and this guide for build sequencing.

ISO27001 ISO27002 iso27001 implementer-guide annex-a
Framework note 03 mins read

A.6 People Controls Implementation Guide

1. Identify people categories in ISMS scope: employees, contractors, temporary staff, consultants, and third-party users. 2. Map role risk using access level, information classi...

ISO27001 ISO27002 iso27001 implementer-guide people-controls
Framework note 04 mins read

A.7 Physical Controls Implementation Guide

1. Identify areas containing information and associated assets. 2. Classify zones by business process, asset sensitivity, customer/regulatory need, and risk. 3. Define perimeter...

ISO27001 ISO27002 iso27001 implementer-guide physical-controls
Framework note 08 mins read

A.8 Technological Controls Implementation Guide

1. Identify systems, endpoints, users, privileged access paths, information repositories, source repositories, authentication paths, critical capacity resources, malware protect...

ISO27001 iso27001 implementer-guide technological-controls
Framework note 02 mins read

ISMS Implementation Roadmap

- Start with the business and risk context, not Annex A. - Treat Annex A as a control library, not a mandatory checklist. - Keep evidence close to the process that creates it. -...

ISO27001 iso27001 implementer-guide isms roadmap

Section

Risk Knowledge Base

15 notes across 1 subsections

Back to top

Knowledge Base

15 notes
Research note 01 min read

RISK-0002 Incident Escalation Failure Due to Unclear Ownership

Because incident ownership, escalation criteria, and communication paths are not prepared or rehearsed, a serious security incident may be handled slowly or inconsistently.

ISO27005 risk iso27005 iso27001 incident-management
Research note 01 min read

RISK-0005 Repeat Incidents Due to Missing Lessons Learned

Because incident knowledge is not converted into corrective actions, the same failure mode may recur and leave the organization exposed to preventable incidents.

ISO27005 risk iso27005 iso27001 incident-management
Research note 01 min read

RISK-0006 Evidence Integrity Loss Due to Weak Chain of Custody

Because incident evidence is collected or stored without integrity controls, investigation, legal, regulatory, disciplinary, or audit conclusions may not be defensible.

ISO27005 risk iso27005 iso27001 incident-management
Research note 01 min read

RISK-0008 Orphaned Identities After Role or Employment Change

Because identities are not managed through a controlled lifecycle, inactive, duplicate, stale, or shared identities may remain usable after users change roles or leave.

ISO27005 risk iso27005 iso27001 identity-management
Research note 01 min read

RISK-0010 Stale Access Rights After Business Change

Because access rights are not reviewed, modified, and removed after role, employment, supplier, or system changes, users may retain access that is no longer justified.

ISO27005 risk iso27005 iso27001 access-rights
Research note 01 min read

RISK-0012 Supplier Access Before Security Requirements Are Agreed

Because supplier security requirements are not formally agreed before information sharing or access begins, the organization may rely on informal expectations that cannot be enforced during incidents, disputes, audits, or termination.

ISO27005 risk iso27005 iso27001 supplier-security
Research note 01 min read

RISK-0013 Inherited ICT Supply Chain Compromise Through Unreviewed Dependencies

Because ICT supplier dependencies, subcontractors, hosting platforms, software components, and support parties are not identified or reviewed, a compromise or control failure outside the direct supplier may affect the organization.

ISO27005 risk iso27005 iso27001 supplier-security
Research note 01 min read

RISK-0014 Supplier Service Change Without Risk Review

Because supplier service reports, security practices, incidents, and material changes are not actively reviewed, supplier risk may increase after onboarding without triggering control updates or management decisions.

ISO27005 risk iso27005 iso27001 supplier-security
Research note 02 mins read

RISK-0015 Cloud Governance and Exit Failure Due to Weak Cloud Service Controls

Because cloud services are not governed from acquisition through use, monitoring, change, and exit, the organization may misunderstand shared responsibility, misconfigure security controls, lose data location visibility, or fail to exit safely.

ISO27005 risk iso27005 iso27001 cloud-security

Section

Auditor Guide

6 notes across 2 subsections

Back to top

Maps of Content

1 notes
Framework note 01 min read

ISO 27001 Auditor Guide

This guide is the audit view of the vault. It turns the ISO/IEC 27001 and Annex A notes into audit planning, evidence testing, interview questions, findings, and corrective acti...

ISO27001 iso27001 auditor-guide internal-audit moc

Framework Notes

5 notes
Framework note 03 mins read

A.5 Organizational Controls Audit Guide

This note gives the audit view for the currently documented A.5 organizational controls. Use the evidence packs for detailed requests and this guide for audit logic.

ISO27001 ISO27002 iso27001 auditor-guide annex-a
Framework note 02 mins read

A.6 People Controls Audit Guide

1. Select samples across employees, contractors, temporary staff, and third-party users. 2. Compare onboarding dates, agreement dates, screening completion dates, and access pro...

ISO27001 ISO27002 iso27001 auditor-guide people-controls
Framework note 04 mins read

A.7 Physical Controls Audit Guide

1. Review zone registers, floor/security diagrams, and risk assessment. 2. Walk the physical site and test practical bypass paths. 3. Observe badge use, visitor handling, recept...

ISO27001 ISO27002 iso27001 auditor-guide physical-controls
Framework note 08 mins read

A.8 Technological Controls Audit Guide

1. Review policies and standards before sampling technical evidence. 2. Sample endpoint inventory against MDM/EDR/compliance reports. 3. Check remote access, timeout, encryption...

ISO27001 iso27001 auditor-guide technological-controls internal-audit
Framework note 02 mins read

Internal Audit Execution Guide

- What risk does this control treat? - Who owns the control? - How do you know it operated during the audit period? - What happens when the control fails? - What evidence would...

ISO27001 iso27001 auditor-guide internal-audit

Section

Control Knowledge Base

91 notes across 4 subsections

Back to top

A.5 Controls

37 notes
Framework note 01 min read

ISO27001-A.5.33 Protection of Records

The organization must protect required records for as long as they need to be retained, so they are not lost, destroyed, falsified, accessed without authorization, or released without authorization.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.34 Privacy and Protection of PII

The organization must identify privacy and PII protection requirements that apply to the personal information it collects, stores, processes, transmits, shares, or retains, then implement controls to meet those requirements.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.35 Independent Review of Information Security

The organization must have its information security management approach and actual implementation independently reviewed at planned intervals and when significant changes happen.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.37 Documented Operating Procedures

The organization must document operating procedures for information processing facilities and make the current approved procedures available to the people who need to use them.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.23 Information Security for Use of Cloud Services

Cloud services must be governed from selection to exit. The organization needs defined processes for buying, configuring, using, monitoring, changing, and leaving cloud services in line with its security requirements.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.28 Collection of Evidence

The organization must know how to identify, collect, acquire, preserve, store, and protect evidence related to security events so it remains complete, reliable, and usable.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.29 Information Security During Disruption

The organization must decide in advance how information security will be maintained during serious disruption, crisis, disaster recovery, or business continuity events.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.30 ICT Readiness for Business Continuity

The organization must plan, build, maintain, and test ICT continuity capability so priority systems and services can recover in line with business continuity objectives.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.32 Intellectual Property Rights

The organization must have procedures that prevent unauthorized use, copying, distribution, modification, or licensing misuse of software, documents, designs, source code, trademarks, patents, subscription content, and AI-generated or AI-assisted material.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.1 Policies for Information Security

The organization needs a formal information security policy structure, not random documents sitting in a shared folder.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.11 Return of Assets

When someone leaves, changes role, ends a contract, or no longer needs an asset, the organization must get its assets back and ensure organizational information is returned or securely removed.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.13 Labelling of Information

If information is classified, people need a practical way to see or infer the classification so they can handle it correctly.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.14 Information Transfer

The organization must define how information can be transferred safely, both internally and externally.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.15 Access Control

The organization must define and enforce rules for who can access information, systems, services, networks, applications, repositories, and physical locations.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.16 Identity Management

Every user identity should be created, changed, reviewed, disabled, and removed through a controlled process.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.17 Authentication Information

The organization must control how secret authentication information is issued, changed, protected, reset, and handled.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.18 Access Rights

Access rights must be granted, changed, reviewed, and removed through a controlled process.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.2 Information Security Roles and Responsibilities

People must know what they are responsible for, and the organization must be able to prove those responsibilities were assigned, communicated, accepted, and kept current.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.22 Monitoring, Review and Change Management of Supplier Services

Supplier security does not end when the contract is signed. The organization must keep checking whether the supplier is delivering the agreed service securely, whether controls still work, and whether supplier changes create new risk.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.3 Segregation of Duties

No single person should be able to perform a sensitive activity from beginning to end without independent oversight, approval, review, or control.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.5 Contact with Authorities

The organization must know which external authorities matter for information security and must maintain usable contact paths before an incident, investigation, regulatory request, or emergency happens.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.6 Contact with Special Interest Groups

The organization should stay connected to credible external security knowledge sources. Security teams should not rely only on internal experience, vendor marketing, or outdated training.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.5.7 Threat Intelligence

The organization must collect threat information, analyze it in context, and turn it into usable intelligence for decisions.

ISO27001 ISO27002 iso27001 annex_a control

A.6 Controls

8 notes
Framework note 01 min read

ISO27001-A.6.1 Screening

The organization should check that people are who they claim to be, have the relevant background for the role, and do not present unmanaged personnel risk before they join or receive access.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.6.2 Terms and Conditions of Employment

People should not have to guess what they are responsible for. Employment contracts, contractor agreements, confidentiality agreements, onboarding acknowledgements, or security responsibility addenda should clearly state what personnel must do to protect information and what the organization is responsible for.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.6.3 Information Security Awareness, Education and Training

People need to know how to behave securely in their actual role. Everyone needs baseline awareness, but people with specific responsibilities need deeper training that matches their work, systems, information access, and security duties.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.6.4 Disciplinary Process

The organization needs a documented and communicated process for handling information security policy violations. People should know that violations can lead to action, and managers should know how to trigger the process fairly and consistently.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.6.5 Responsibilities After Termination or Change of Employment

When someone leaves the organization or changes role, their old access, assets, and responsibilities must be handled deliberately. Some rights should stop immediately. Some duties, such as confidentiality, may continue after the relationship ends.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.6.6 Confidentiality or Non-Disclosure Agreements

The organization should know when confidentiality or non-disclosure agreements are needed, use terms that match its information-protection needs, keep those agreements legally usable, review them regularly, and make sure the right parties sign them before receiving confidential information.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.6.7 Remote Working

When people work away from organization premises, the organization still has to protect information. That includes homes, hotels, coffee shops, customer sites, temporary offices, shared workspaces, and other remote locations.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.6.8 Information Security Event Reporting

People need to know what might be a security event, how to report it, who to report it to, and what not to do. Reporting should be fast, simple, and no-blame enough that people do not hide mistakes.

ISO27001 ISO27002 iso27001 annex_a control

A.7 Controls

14 notes
Framework note 01 min read

ISO27001-A.7.12 Cabling Security

Cables are part of the information processing environment. If they are badly routed, unprotected, mixed incorrectly, poorly labelled, or accessible to unauthorized people, they can cause outages, interference, safety issues, interception, or tampering.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.7.13 Equipment Maintenance

Equipment that runs reliably today can still fail tomorrow. The organization should define maintenance needs, follow supplier recommendations, use authorized maintainers, keep maintenance and fault records, and protect confidential information during maintenance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.7.14 Secure Disposal or Re-Use of Equipment

Before equipment is reused, sold, returned, repaired, donated, recycled, or discarded, the organization should verify that sensitive information and licensed software are no longer recoverable.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.7.10 Storage Media

The organization should control storage media from the moment it is obtained until it is erased, destroyed, disposed of, or transferred. Media includes digital and physical carriers such as USB drives, backup tapes, disks, removable drives, CDs/DVDs, printed records, and other portable media.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.7.11 Supporting Utilities

Information processing facilities need supporting utilities to operate. Electricity, cooling, ventilation, telecommunications, water, fire protection, emergency lighting, and building management systems can all affect availability.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.7.9 Security of Assets Off-Premises

The organization should protect equipment, documents, data, software, and storage media when they leave the organization's controlled environment.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.7.8 Equipment Siting and Protection

The organization should place and protect equipment in a way that reduces physical damage, environmental damage, unauthorized access, unauthorized use, and information exposure.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.7.1 Physical Security Perimeters

The organization should know which physical areas need protection and where the boundaries are. A perimeter can be a building boundary, floor, room, cage, cabinet, loading area, reception barrier, secure office, server room, records archive, or customer-specific zone.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.7.2 Physical Entry

If an area is secure, entry should be controlled. The organization should know who is allowed in, how entry is verified, how visitors are handled, how delivery/loading areas are controlled, and how access records are reviewed.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.7.3 Securing Offices, Rooms and Facilities

The organization should design and implement physical protections for offices, rooms, and facilities based on what those areas contain and how critical or sensitive the work is.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.7.4 Physical Security Monitoring

The organization should monitor premises for unauthorized physical access, similar to how networks are monitored for intrusion. Monitoring may be manual, automated, or a mix of both.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.7.5 Protecting Against Physical and Environmental Threats

The organization should protect sites, buildings, rooms, and infrastructure from hazards such as fire, flood, explosion, chemical leaks, civil unrest, utility failure, and threats from neighboring premises.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.7.6 Working in Secure Areas

The organization should define how people work inside secure areas when the work itself is sensitive or critical. Physical entry controls are not enough. The rules must also cover what people may know, bring in, take out, record, discuss, supervise, and modify while inside the secure area.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.7.7 Clear Desk and Clear Screen

People should not leave sensitive papers, removable media, printed documents, fax messages, or unlocked screens exposed where unauthorized people can see, photograph, remove, alter, or discard them.

ISO27001 ISO27002 iso27001 annex_a control

Knowledge Base

32 notes
Framework note 01 min read

ISO27001-A.8.1 User End Point Devices

Query-first control card for A.8.1 User End Point Devices. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.10 Information Deletion

Query-first control card for A.8.10 Information Deletion. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.11 Data Masking

Query-first control card for A.8.11 Data Masking. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.12 Data Leakage Prevention

Query-first control card for A.8.12 Data Leakage Prevention. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.13 Information Backup

Query-first control card for A.8.13 Information Backup. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.15 Logging

Query-first control card for A.8.15 Logging. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.16 Monitoring Activities

Query-first control card for A.8.16 Monitoring Activities. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.2 Privileged Access Rights

Query-first control card for A.8.2 Privileged Access Rights. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.20 Networks Security

Query-first control card for A.8.20 Networks Security. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.21 Security of Network Services

Query-first control card for A.8.21 Security of Network Services. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.22 Segregation of Networks

Query-first control card for A.8.22 Segregation of Networks. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.23 Web Filtering

Query-first control card for A.8.23 Web Filtering. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.24 Use of Cryptography

Query-first control card for A.8.24 Use of Cryptography. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.25 Secure Development Life Cycle

Query-first control card for A.8.25 Secure Development Life Cycle. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.26 Application Security Requirements

Query-first control card for A.8.26 Application Security Requirements. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.28 Secure Coding

Query-first control card for A.8.28 Secure Coding. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.3 Information Access Restriction

Query-first control card for A.8.3 Information Access Restriction. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.30 Outsourced Development

Query-first control card for A.8.30 Outsourced Development. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.32 Change Management

Query-first control card for A.8.32 Change Management. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.33 Test Information

Query-first control card for A.8.33 Test Information. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.4 Access to Source Code

Query-first control card for A.8.4 Access to Source Code. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.5 Secure Authentication

Query-first control card for A.8.5 Secure Authentication. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.6 Capacity Management

Query-first control card for A.8.6 Capacity Management. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.7 Protection Against Malware

Query-first control card for A.8.7 Protection Against Malware. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.8 Management of Technical Vulnerabilities

Query-first control card for A.8.8 Management of Technical Vulnerabilities. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control
Framework note 01 min read

ISO27001-A.8.9 Configuration Management

Query-first control card for A.8.9 Configuration Management. Use the linked detailed note for mentor-style implementation and audit guidance.

ISO27001 ISO27002 iso27001 annex_a control

Section

Evidence Library

4 notes across 1 subsections

Back to top

Research Notes

4 notes
Research note 01 min read

EVID-0001 Monthly Threat Intelligence Review

Monthly review record documenting relevant threats, advisories, indicators, affected assets, and follow-up actions.

evidence audit threat_intelligence
Research note 01 min read

EVID-0002 IOC Update Record

Record showing which indicators of compromise were received, assessed for relevance, and added to detection or blocking workflows.

evidence audit threat_intelligence
Research note 01 min read

EVID-0003 SIEM Rule Update

Record showing a SIEM rule, detection query, alert condition, or correlation rule updated because of relevant threat intelligence.

evidence audit threat_intelligence
Research note 01 min read

EVID-0004 Vendor Advisory Review

Record showing vendor advisories reviewed for relevance to organizational assets, exposures, and risk treatment.

evidence audit threat_intelligence

Section

ISO 27005 Risk Guide

2 notes across 2 subsections

Back to top

Maps of Content

1 notes
Framework note 01 min read

ISO 27005 Risk Management Guide

This guide is the ISO/IEC 27005 view of the vault. It will grow as you provide more risk-management material.

ISO27005 iso27005 risk-management isms moc

Framework Notes

1 notes
Framework note 02 mins read

ISO 27005 Risk Process Notes

ISO/IEC 27005 gives guidance for managing information security risk in support of an ISO/IEC 27001 ISMS. It helps turn risk thinking into a repeatable process for deciding what...

ISO27005 iso27005 risk-management risk-assessment isms

Section

Crosswalks

6 notes across 1 subsections

Back to top

Framework Notes

6 notes
Framework note 02 mins read

GDPR to ISO 27001 Engineering Crosswalk

A responsibility-aware map from GDPR obligations to ISO 27001 governance and Annex A controls without treating ISO certification as proof of GDPR compliance.

GDPR ISO27001 gdpr iso27001 crosswalk
Framework note 04 mins read

A.5 Controls Implementation Audit Risk Mapping

This table maps each covered A.5 organizational control to implementation output, audit evidence, and ISO/IEC 27005-style risk logic.

ISO27001 ISO27002 iso27001 iso27005 annex-a
Framework note 03 mins read

A.6 People Controls Implementation Audit Risk Mapping

- A.6 controls are people-risk treatments. They reduce the chance that the wrong person is trusted or that the right person lacks clear obligations. - A.6 evidence often sits ou...

ISO27001 ISO27002 iso27001 iso27005 iso27002
Framework note 05 mins read

A.7 Physical Controls Implementation Audit Risk Mapping

- Physical controls often fail through behavior, not technology. Observation and walkthrough evidence matter. - Physical controls should align to asset inventory, classification...

ISO27001 ISO27002 iso27001 iso27005 iso27002
Framework note 11 mins read

A.8 Technological Controls Implementation Audit Risk Mapping

- A.8 controls require technical evidence. Policies are not enough. - Endpoint controls connect to remote working, off-premises assets, and incident reporting. - Privileged acce...

ISO27001 iso27001 iso27005 iso27002 crosswalk
Framework note 03 mins read

ISO 27001 Implementer Auditor ISO 27005 Mapping

1. implementer view: what to build; 2. auditor view: what to verify; 3. ISO/IEC 27005 view: what risk logic supports the decision.

ISO27001 ISO27005 iso27001 iso27005 mapping

Section

Exam Preparation

41 notes across 1 subsections

Back to top

Exam Notes

41 notes
Research note 02 mins read

EXAM-016 - People Controls: Screening and Employment Terms

- Screening must be lawful, ethical, proportional, and risk-based. - Screening applies to employees, contractors, temporary staff, and third-party users in ISMS scope. - Candida...

ISO27001 ISO27002 exam iso27001 people-controls
Research note 01 min read

EXAM-017 - Awareness, Education and Training

A.6.3 Information Security Awareness Education and Training asks whether the right people receive the right security knowledge at the right time, with updates when things change.

ISO27001 exam iso27001 people-controls training
Research note 01 min read

EXAM-018 - Disciplinary, Termination, and Confidentiality

- A.6.4 requires a formalized and communicated disciplinary process, not ad hoc manager action. - A.6.4 should be evidence-based, fair, consistent, and proportionate. - A.6.5 co...

ISO27001 exam iso27001 people-controls
Research note 01 min read

EXAM-019 - Remote Working and Event Reporting

- Remote working is broader than VPN or remote access. - Remote work controls include physical environment, endpoint, secure connection, access, asset inventory, user awareness,...

ISO27001 exam iso27001 people-controls remote-working
Research note 01 min read

EXAM-020 - Physical Perimeters and Entry

- A.7.1 is about defined and used security perimeters. - A.7.2 is about entry controls and access points for secure areas. - Physical controls protect confidentiality, integrity...

ISO27001 exam iso27001 physical-controls
Research note 01 min read

EXAM-021 - Room Security and Physical Monitoring

- A.7.3 is risk-based physical design for offices, rooms, and facilities. - A.7.3 includes avoiding visible clues to sensitive targets, such as server-room signs or exposed dire...

ISO27001 exam iso27001 physical-controls
Research note 01 min read

EXAM-022 - Environmental Threats, Secure Areas, and Clear Desk

- A.7.5 is not just fire safety; it covers physical and environmental threats to infrastructure. - A.7.5 should link to risk assessment, specialist advice, and business continui...

ISO27001 exam iso27001 physical-controls
Research note 01 min read

EXAM-023 - Equipment Siting and Protection

- A.7.8 is broader than server room protection. - Equipment siting includes workstations, network devices, terminals, screens, communications equipment, and remote equipment. -...

ISO27001 exam iso27001 physical-controls
Research note 01 min read

EXAM-024 - Off-Premises Assets and Storage Media

- A.7.9 is not only remote access. It includes equipment, documents, data, software, paper, mobile devices, BYOD, custody, and return. - A.7.9 allows risk acceptance where off-s...

ISO27001 exam iso27001 physical-controls
Research note 01 min read

EXAM-025 - Supporting Utilities

- A.7.11 is not only electricity. - UPS or generator existence is weak unless capacity, runtime, maintenance, and tests match documented requirements. - Cooling must be included...

ISO27001 exam iso27001 physical-controls
Research note 01 min read

EXAM-026 - Cabling, Maintenance, and Equipment Disposal

- A.7.12 is not just tidy cable management; it covers interception, interference, and damage. - A.7.13 is not only availability; maintenance can expose data or introduce tamperi...

ISO27001 exam iso27001 physical-controls
Research note 01 min read

EXAM-028 - Source Code, Authentication, and Capacity

- A.8.4 includes development tools and software libraries, not only Git repositories. - Read access to source code can still be sensitive because it reveals system design and co...

ISO27001 exam iso27001 technological-controls
Research note 01 min read

EXAM-029 - Malware Protection

- Antivirus installation alone is not enough. - Malware risk is not limited to Windows endpoints. - User awareness is explicitly part of the control. - Automatic cleaning still...

ISO27001 exam iso27001 technological-controls malware-protection
Research note 01 min read

EXAM-030 - Vulnerability and Configuration Management

- A.8.8 is not just scanning or patching. - Vulnerability remediation should be risk-based and verified by retest. - Penetration testing supplements vulnerability management; it...

ISO27001 exam iso27001 technological-controls vulnerability-management
Research note 01 min read

EXAM-031 - Deletion and Data Masking

- A.8.10 is not only physical media destruction. - Retention policy alone is weak without deletion evidence. - Items awaiting destruction still need protection. - Masking is not...

ISO27001 exam iso27001 technological-controls privacy
Research note 01 min read

EXAM-032 - DLP and Backup

- DLP is not just a tool. - DLP requires knowing sensitive data and approved flows. - False positives affect DLP effectiveness. - Backup job success is not restore success. - Ba...

ISO27001 exam iso27001 technological-controls dlp
Research note 01 min read

EXAM-033 - Redundancy and Logging

- A.8.14 does not require full redundancy for every system. - Backup is not the same as redundancy. - Cloud resilience still needs design and testing evidence. - A.8.15 is not o...

ISO27001 exam iso27001 technological-controls redundancy
Research note 01 min read

EXAM-034 - Monitoring Activities

- Treating log collection as full monitoring. - Assuming vendor default detection rules are sufficient. - Treating every alert as an incident without triage. - Ignoring monitori...

ISO27001 exam iso27001 monitoring
Research note 01 min read

EXAM-035 - Software Installation and Network Security

- Treating developer skill as a substitute for production change control. - Assuming emergency production changes do not need records. - Treating licence and support checks as u...

ISO27001 exam iso27001 software-installation network-security
Research note 01 min read

EXAM-036 - Network Services, Segregation, and Web Filtering

- Treating provider service use as provider-owned risk. - Treating uptime SLAs as full network service security. - Treating perimeter firewalls as sufficient segregation. - Assu...

ISO27001 exam iso27001 network-services network-segregation
Research note 01 min read

EXAM-037 - Use of Cryptography

- Assuming encryption alone satisfies the control. - Ignoring key lifecycle management. - Treating public keys and certificates as needing no integrity protection. - Selecting s...

ISO27001 exam iso27001 cryptography
Research note 01 min read

EXAM-038 - Secure Development and Architecture

- Treating secure SDLC as only code scanning. - Treating acquired applications as outside application security requirements. - Treating architecture principles as generic slogan...

ISO27001 exam iso27001 secure-development application-security
Research note 01 min read

EXAM-039 - Secure Coding and Security Testing

- Treating secure SDLC as identical to secure coding. - Treating automated tools as complete proof of secure coding. - Treating functional testing as security testing. - Leaving...

ISO27001 exam iso27001 secure-coding security-testing
Research note 01 min read

EXAM-040 - Outsourced Development and Environment Separation

- Assuming a supplier contract alone satisfies outsourced development control. - Treating supplier security as fully delegated. - Accepting supplier deliverables based only on f...

ISO27001 exam iso27001 outsourced-development environment-separation
Research note 01 min read

EXAM-041 - Change Test Information and Audit Testing

- Treating approval alone as full change management. - Treating emergency changes as exempt from control. - Treating test data as low risk because it is outside production. - Ig...

ISO27001 exam iso27001 change-management test-information
Research note 01 min read

EXAM-014 - Records, Privacy, and PII

These controls are easy to confuse because both involve retained information. The exam distinction is purpose: records protection is about preserving required records; privacy/P...

ISO27001 exam iso27001 privacy records
Research note 01 min read

EXAM-015 - Assurance, Compliance, and Operating Procedures

These controls close the A.5 organizational control set by checking whether the ISMS is independently reviewed, whether policies and standards are followed, and whether operatin...

ISO27001 exam iso27001 assurance
Framework note 01 min read

EXAM-001 - Clauses 4-10 vs Annex A

The exam often tests whether you understand the difference between mandatory management-system requirements and risk-selected controls.

ISO27001 ISO27002 exam iso27001
Research note 01 min read

EXAM-002 - Statement of Applicability

The Statement of Applicability explains which Annex A controls apply, which do not, why those decisions were made, and whether selected controls are implemented.

ISO27001 exam iso27001
Framework note 01 min read

EXAM-003 - ISO 27002 Control Attributes

ISO/IEC 27002 attributes help categorize controls by properties such as control type, information security properties, cybersecurity concepts, operational capabilities, and secu...

ISO27002 exam iso27002
Research note 01 min read

EXAM-005 - Responsibility vs Accountability

Roles and responsibilities must be defined, communicated, accepted, and kept current. Managers remain accountable for ensuring security requirements are followed in their area.

ISO27001 exam iso27001
Research note 01 min read

EXAM-008 - Supplier and Cloud Control Distinctions

Supplier and cloud controls overlap in practice, but the exam often tests the distinction between supplier risk management, contractual requirements, supply chain dependencies,...

ISO27001 exam iso27001
Research note 01 min read

EXAM-010 - Incident Management Planning

Incident management planning defines roles, reporting paths, escalation, communications, evidence handling, recovery coordination, and lessons learned before an incident occurs.

ISO27001 exam iso27001
Research note 01 min read

EXAM-011 - Incident Management Lifecycle

A.5.24 to A.5.28 form a practical lifecycle for incident management. Each control tests a different part of the lifecycle.

ISO27001 exam iso27001 incident-management
Research note 01 min read

EXAM-012 - Continuity Security and ICT Readiness

A.5.29 and A.5.30 are related but not interchangeable. One protects security during disruption; the other ensures ICT availability and recovery capability.

ISO27001 exam iso27001 continuity
Research note 01 min read

EXAM-013 - Legal, IP, and Contractual Compliance

These controls are compliance-heavy. The exam may test whether the organization can prove obligations are known, current, owned, mapped to controls, and evidenced.

ISO27001 exam iso27001 compliance

Section

ISO 27001 Knowledge Base

2 notes across 2 subsections

Back to top

Maps of Content

1 notes
Framework note 02 mins read

ISO 27001 Knowledge Base

ISO/IEC 27001 is the requirements standard. It defines the management-system requirements, the risk-based control selection requirement, and Annex A as the control reference set...

ISO27001 iso27001 knowledge-base moc

Knowledge Base

1 notes

Section

ISO 27002 Knowledge Base

3 notes across 2 subsections

Back to top

Maps of Content

1 notes
Framework note 01 min read

ISO 27002 Knowledge Base

ISO/IEC 27002 provides guidance for information security controls. In this KB, it supports interpretation of ISO/IEC 27001 Annex A controls, evidence expectations, implementatio...

ISO27002 iso27002 knowledge-base moc

Knowledge Base

2 notes
Framework note 13 mins read

ISO 27002 Annex A Control Interpretation Map

This map separates the ISO/IEC 27002 interpretation layer from the ISO/IEC 27001 requirement layer.

ISO27001 ISO27002 iso27002 annex-a control-guidance
Framework note 01 min read

ISO 27002 Control Attributes Evidence Map

This note explains how ISO/IEC 27002 control attributes should be used in this KB.

ISO27002 iso27002 control-attributes evidence mapping

Section

ISO 27005 Knowledge Base

1 notes across 1 subsections

Back to top

Maps of Content

1 notes
Framework note 02 mins read

ISO 27005 Knowledge Base

ISO/IEC 27005 is the risk-management companion for this project. It supports ISO/IEC 27001 implementation by making risk context, risk assessment, risk treatment, residual risk,...

ISO27005 iso27005 knowledge-base risk-management moc

Section

GRC Knowledge Model

3 notes across 2 subsections

Back to top

Maps of Content

2 notes
Research note 01 min read

GRC Knowledge Model

This section turns the ISO learning notes into a future compliance/evidence software model.

grc data-model evidence compliance-saas
Research note 01 min read

Risk Knowledge Base

This section holds reusable risk knowledge for ISO/IEC 27005-style analysis and future GRC software modeling.

risk iso27005 grc moc

Research Notes

1 notes

Section

Gdpr

6 notes across 1 subsections

Back to top

Framework Notes

6 notes
Framework note 02 mins read

GDPR Lawful Bases and Processing Principles

How to select and document a lawful basis, apply Article 5 principles, control consent, and stop purpose or retention drift.

GDPR gdpr lawful-basis consent data-minimization
Framework note 02 mins read

GDPR Scope, Roles, and Operating Model

A practical starting point for deciding whether GDPR applies, identifying controller and processor roles, and turning legal scope into system ownership.

GDPR gdpr privacy scope controller
Framework note 02 mins read

GDPR Security and Personal Data Breach Response

A risk-based Article 32 control model and an evidence-driven workflow for assessing, recording, notifying, and learning from personal-data breaches.

GDPR gdpr article-32 personal-data-breach incident-response
Framework note 02 mins read

GDPR Transparency and Data Subject Rights

An operational guide to privacy notices, identity verification, access, correction, deletion, restriction, portability, and objections.

GDPR gdpr privacy-notice data-subject-rights dsar

Section

Templates

332 notes across 9 subsections

Back to top

A.5 Audit Checklists

37 notes
Template note 01 min read

A.5.10 Audit Checklist

Use this during internal audits to verify that acceptable use and handling rules are defined, acknowledged, implemented, and enforced.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.11 Audit Checklist

Use this during internal audits to verify that assets are returned during termination, contract end, agreement end, or role change.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.12 Audit Checklist

Use this during internal audits to verify that information classification is defined, implemented, understood, and maintained.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.13 Audit Checklist

Use this during internal audits to verify that information labelling procedures are defined and implemented in line with the classification scheme.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.14 Audit Checklist

Use this during internal audits to verify that information transfer rules, procedures, and agreements are defined and implemented across actual transfer channels.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.15 Audit Checklist

Use this during internal audits to verify that physical and logical access controls are defined, implemented, approved, and reviewed.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.16 Audit Checklist

Use this during internal audits to verify that identities are managed across the full lifecycle.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.17 Audit Checklist

Use this during internal audits to verify that secret authentication information is allocated and managed through a controlled process.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.18 Audit Checklist

Use this during internal audits to verify that access rights are provisioned, reviewed, modified, and removed according to access control rules.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.19 Audit Checklist

Use this during internal audits to verify that supplier information security risks are identified, assessed, controlled, and reviewed.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.20 Audit Checklist

Use this during internal audits to verify that supplier security requirements are formally agreed and appropriate to the supplier relationship.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.21 Audit Checklist

Use this during internal audits to verify that ICT supply-chain dependencies and inherited security risks are identified and managed.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.22 Audit Checklist

Use this during internal audits to verify that supplier services and security practices are monitored, reviewed, evaluated, and changed through a controlled process.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.23 Audit Checklist

Use this during internal audits to verify that cloud services are acquired, used, managed, and exited according to information security requirements.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.24 Audit Checklist

Use this during internal audits to verify that incident management planning and preparation are defined, communicated, and ready to operate.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.25 Audit Checklist

Use this during internal audits to test whether A.5.25 Assessment and Decision on Information Security Events is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.26 Audit Checklist

Use this during internal audits to test whether A.5.26 Response to Information Security Incidents is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.27 Audit Checklist

Use this during internal audits to test whether A.5.27 Learning from Information Security Incidents is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.28 Audit Checklist

Use this during internal audits to test whether A.5.28 Collection of Evidence is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.29 Audit Checklist

Use this during internal audits to test whether A.5.29 Information Security During Disruption is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.30 Audit Checklist

Use this during internal audits to test whether A.5.30 ICT Readiness for Business Continuity is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.31 Audit Checklist

Use this during internal audits to test whether A.5.31 Legal, Statutory, Regulatory and Contractual Requirements is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.32 Audit Checklist

Use this during internal audits to test whether A.5.32 Intellectual Property Rights is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.33 Audit Checklist

Use this during internal audits to test whether A.5.33 Protection of Records is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.34 Audit Checklist

Use this during internal audits to test whether A.5.34 Privacy and Protection of PII is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.35 Audit Checklist

Use this during internal audits to test whether A.5.35 Independent Review of Information Security is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.36 Audit Checklist

Use this during internal audits to test whether A.5.36 Compliance with Policies, Rules and Standards for Information Security is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.37 Audit Checklist

Use this during internal audits to test whether A.5.37 Documented Operating Procedures is designed, implemented, operating, and evidenced.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.5 Audit Checklist

Use this during internal audits to test whether relevant authority contacts are identified, maintained, authorized, and usable.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.6 Audit Checklist

Use this during internal audits to verify that the organization maintains relevant external security knowledge contacts and uses received information appropriately.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.7 Audit Checklist

Use this during internal audits to verify that threat information is collected, analyzed, contextualized, and used to support ISMS decisions.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.8 Audit Checklist

Use this during internal audits to verify that information security is embedded in project governance and applied to sampled projects.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.5.9 Audit Checklist

Use this during internal audits to verify that information and associated assets are inventoried, owned, maintained, and protected.

ISO27001 ISO27002 template audit iso27001

A.6 Audit Checklists

8 notes
Template note 01 min read

A.6.1 Audit Checklist

- Confirm the organization has a documented screening procedure. - Confirm screening applies to employees, contractors, temporary staff, and third-party users in ISMS scope. - C...

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.6.2 Audit Checklist

Use this checklist during an internal audit of employment, contractor, and third-party security responsibility terms.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.6.3 Audit Checklist

Use this checklist during an internal audit of information security awareness, education, training, and update processes.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.6.4 Audit Checklist

Use this checklist during an internal audit of disciplinary handling for information security policy violations.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.6.5 Audit Checklist

Use this checklist during an internal audit of leaver, mover, contractor offboarding, and continuing responsibility controls.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.6.6 Audit Checklist

Use this checklist during an internal audit of confidentiality and non-disclosure agreement controls.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.6.7 Audit Checklist

- Confirm remote working policy and procedures exist. - Confirm authorized remote workers, locations, activities, data, and controls are recorded. - Check remote working risk as...

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.6.8 Audit Checklist

Use this checklist during an internal audit of information security event reporting.

ISO27001 ISO27002 template audit iso27001

A.7 Audit Checklists

14 notes
Template note 01 min read

A.7.1 Audit Checklist

- Confirm physical security perimeters are defined. - Confirm zones are linked to information/assets and risk. - Review perimeter diagrams or zone register. - Walk the perimeter...

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.7.10 Audit Checklist

Use this checklist during an internal audit of storage media acquisition, use, transport, storage, disposal, destruction, and damaged-media handling.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.7.11 Audit Checklist

Use this checklist during an internal audit of power, cooling, telecommunications, water, emergency lighting, fire protection, and building-management utility resilience.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.7.12 Audit Checklist

Use this checklist during an internal audit of power, data, telecommunications, and supporting service cabling.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.7.13 Audit Checklist

Use this checklist during an internal audit of equipment maintenance and repair controls.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.7.14 Audit Checklist

Use this checklist during an internal audit of equipment disposal, reuse, sale, donation, recycling, or repair dispatch.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.7.2 Audit Checklist

- Confirm secure areas are identified. - Confirm entry controls match risk and sensitivity. - Review physical access authorization and logs. - Check physical access review recor...

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.7.3 Audit Checklist

Use this checklist during an internal audit of physical security design for offices, rooms, and facilities.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.7.4 Audit Checklist

- Confirm premises monitoring scope is documented. - Confirm monitoring is continuous where required. - Review monitoring service or personnel responsibilities. - Check alarm re...

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.7.5 Audit Checklist

Use this checklist during an internal audit of physical and environmental threat protection.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.7.6 Audit Checklist

Use this checklist during an internal audit of work performed inside secure areas.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.7.7 Audit Checklist

Use this checklist during an internal audit of clear desk, clear screen, printer, fax, and unattended information controls.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.7.8 Audit Checklist

Use this checklist during an internal audit of equipment siting, physical protection, environmental exposure, and remote equipment scope.

ISO27001 ISO27002 template audit iso27001
Template note 01 min read

A.7.9 Audit Checklist

Use this checklist during an internal audit of assets taken, used, stored, or accessed outside organization premises.

ISO27001 ISO27002 template audit iso27001

Templates

75 notes
Template note 01 min read

Application Security Requirements Approval Record

Use this record to show business, system owner, and security approval of application security requirements.

template iso27001 technological-controls application-security
Template note 01 min read

Audit Tool Validation Record

Use this record when approving or validating tools used for audit testing, scanning, extraction, or assurance activities on operational systems.

template iso27001 audit-testing tooling
Template note 01 min read

Authentication Exception and Compensating Control Record

Use this record when a system cannot meet the secure authentication standard and needs risk acceptance or compensating controls.

template iso27001 technological-controls authentication exception
Template note 01 min read

Availability Requirement Mapping

Use this matrix to connect business availability requirements to redundancy, backup, capacity, and continuity controls.

template iso27001 technological-controls availability continuity
Template note 01 min read

Backup and Restore Test Record

Use this record to prove backup restore capability was tested without compromising live data.

template iso27001 technological-controls backup restore
Template note 01 min read

Building Management System Security Review

Use this review where building management systems are in ISMS scope or can affect information processing facilities.

template iso27001 physical-controls supporting-utilities
Template note 01 min read

Certificate Authority and Certificate Review

Use this review for internal or external certificate authorities, public-key certificates, TLS certificates, signing certificates, and certificate lifecycle checks.

template iso27001 technological-controls certificates cryptography
Template note 01 min read

Change Request and Security Impact Assessment

- Access control impact reviewed. - Logging/monitoring impact reviewed. - Backup/recovery impact reviewed. - Vulnerability or configuration impact reviewed. - Supplier or integr...

template iso27001 change-management
Template note 01 min read

Configuration Drift Alert Review Record

Use this record when configuration monitoring identifies drift from an approved baseline.

template iso27001 technological-controls configuration-management monitoring
Template note 01 min read

Configuration Exception and Risk Acceptance Record

Use this record when a system cannot comply with an approved configuration baseline and the deviation needs risk-based approval.

template iso27001 technological-controls configuration-management risk-acceptance
Template note 01 min read

Cryptographic Legal Requirements Assessment

Use this when encryption, digital signatures, electronic communications, key management, or cross-border services may be affected by legal or regulatory rules.

template iso27001 compliance cryptography
Template note 01 min read

Damaged Media Handling Decision Record

Use this record before sending damaged media for repair, manufacturer return, warranty replacement, disposal, or destruction.

template iso27001 physical-controls storage-media
Template note 01 min read

DLP Alert Review and Tuning Log

Use this log to record DLP alerts, false positives, prioritization, tuning decisions, and escalation.

template iso27001 technological-controls dlp monitoring
Template note 01 min read

Dynamic Privilege Session Record

Use this record when temporary elevated access, remote support control, third-party troubleshooting, or dynamic privilege is granted to access information or functions.

template iso27001 technological-controls access-control privileged-access
Template note 01 min read

Emergency Change Record

Use this record when an urgent operational or security situation requires a change outside the normal approval cycle.

template iso27001 change-management emergency-change
Template note 01 min read

Emergency Privileged Access Record

Use this record when emergency or break-glass privileged access is issued or used.

template iso27001 technological-controls privileged-access
Template note 01 min read

Equipment Siting and Protection Assessment

Use this template when placing, reviewing, relocating, or risk-assessing equipment that processes, stores, transmits, or displays information.

template iso27001 physical-controls equipment
Template note 01 min read

Evidence Collection and Chain of Custody Log

Use this when evidence related to an information security event may need to support investigation, legal action, regulatory response, disciplinary action, insurance, or formal r...

template iso27001 evidence forensics
Template note 01 min read

ICT Continuity Requirements and Test Record

Use this to document ICT continuity requirements, recovery priorities, RTO/RPO expectations, test results, and improvement actions.

template iso27001 continuity ict-readiness
Template note 01 min read

Incident Response Record

Use this to record incident response decisions, actions, approvals, communications, evidence decisions, containment, recovery, and closure.

template iso27001 incident-management
Template note 01 min read

Information and Associated Asset Inventory

Use this to maintain the inventory required by A.5.9 for information and associated assets, including owners, custodians, classification, location, backup/recovery, retention, a...

template iso27001 a5-9 asset-management
Template note 01 min read

Information Security Continuity Requirements

Use this to define the minimum information security requirements that must remain in place during disruption, crisis response, disaster recovery, or business continuity events.

template iso27001 continuity
Template note 01 min read

Information Security Event Report Form

Use this form to report observed or suspected information security events or weaknesses.

template iso27001 event-reporting incident-management
Template note 01 min read

Log Review and Alert Triage Record

Use this record to document log review, alert triage, security impact assessment, escalation, and closure.

template iso27001 technological-controls logging incident-response
Template note 01 min read

Long-Term Asset Loan Attestation

Use this attestation for assets assigned off-premises for an extended period, such as home-worker equipment or long-term project equipment.

template iso27001 physical-controls off-premises-assets
Template note 01 min read

Maintenance Access and Tamper Check Record

Use this record when internal or external personnel perform maintenance on equipment that can affect information security.

template iso27001 physical-controls equipment-maintenance
Template note 01 min read

Malware Infection Response Record

Use this record when malware is suspected or confirmed and the organization needs evidence of detection, containment, cleaning/rebuild, verification, and lessons learned.

template iso27001 technological-controls incident-response malware-protection
Template note 01 min read

Monitoring Alert Threshold Review

Use this record to review whether monitoring thresholds create useful alerts without hiding real incidents or overwhelming the response team.

template iso27001 technological-controls monitoring alert-tuning
Template note 01 min read

Monitoring Coverage and Data Source Map

Use this map to prove which networks, systems, applications, cloud services, and security tools feed the monitoring process.

template iso27001 technological-controls monitoring evidence
Template note 01 min read

Network Device Configuration and Change Review

Use this record to review firewall, router, switch, VPN, wireless, SD-WAN, load balancer, or virtual network device configuration and changes.

template iso27001 technological-controls network-security configuration-management
Template note 01 min read

Office Room and Facility Security Assessment

Use this assessment to determine physical security controls for offices, rooms, and facilities based on the information and assets inside them.

template iso27001 physical-controls facilities
Template note 01 min read

Personnel Security Responsibility Acknowledgement

Use this acknowledgement during onboarding, contractor setup, role change, or access expansion to record acceptance of security responsibilities.

template iso27001 people-controls responsibilities
Template note 01 min read

Physical and Environmental Threat Assessment

Use this template to assess site, building, room, utility, and neighboring-premises hazards that could affect information assets or ICT continuity.

template iso27001 physical-controls environmental-threats
Template note 01 min read

Physical Entry Access Review

Use this template to review physical access rights for secure areas, badges, keys, cards, PINs, or biometric access.

template iso27001 physical-entry access-review
Template note 01 min read

Physical Security Alarm Test Record

Use this record to document tests of physical alarms, monitoring services, notification chains, and escalation response.

template iso27001 physical-controls monitoring
Template note 01 min read

Re-Identification Risk Assessment

Use this assessment when data is claimed to be anonymised or when combinations of fields may still identify individuals.

template iso27001 technological-controls privacy data-masking
Template note 01 min read

Redundancy Failover Test Record

Use this record to prove failover or redundancy testing met availability requirements.

template iso27001 technological-controls redundancy continuity
Template note 01 min read

Remote Working Risk Assessment

Use this template to assess remote working risk for a role, location type, activity, system, or information classification.

template iso27001 iso27005 remote-working risk
Template note 01 min read

Secure Code Review Record

Use this record to document secure code review, reviewer independence, findings, and remediation.

template iso27001 technological-controls secure-code-review
Template note 01 min read

Secure Coding Exception Record

Use this record when secure coding rules cannot be fully applied because of legacy constraints, technology limits, or justified operational need.

template iso27001 technological-controls secure-coding
Template note 01 min read

Security Acceptance Sign-Off Record

- Acceptance criteria are met or exceptions approved. - High-risk findings are closed or formally accepted. - Operations readiness is confirmed. - User/security training is comp...

template iso27001 technological-controls security-testing
Template note 01 min read

Security Architecture Review Record

Use this record to document architecture review against secure engineering principles.

template iso27001 technological-controls secure-architecture
Template note 01 min read

Security Engineering Deviation Record

Use this record when a system design deviates from approved secure architecture or engineering principles.

template iso27001 technological-controls secure-architecture
Template note 01 min read

Security Test Results and Remediation Tracker

Use this tracker to record security test findings, remediation, retesting, and residual risk acceptance.

template iso27001 technological-controls security-testing
Template note 01 min read

Security Training Record

Use this record for individual or group training evidence. Avoid storing unnecessary personal data in the vault if HR systems hold the authoritative record.

template iso27001 awareness training
Template note 01 min read

Sensitive Data Transfer Approval Record

Use this record when sensitive information needs to be transferred outside normal approved flows or to an external party.

template iso27001 technological-controls dlp information-transfer
Template note 01 min read

Sensitive Room Signage and Directory Review

Use this checklist to review whether signs, directories, phone lists, notice boards, or visible labels reveal sensitive targets or access information.

template iso27001 physical-controls review
Template note 01 min read

Software and Content Licence Compliance Inventory

Use this to reconcile software, development tools, libraries, subscription content, and licensed resources against actual use.

template iso27001 software-licensing
Template note 01 min read

Storage Media Movement Log

Use this log when storage media is removed, transported, couriered, archived, delivered, or returned.

template iso27001 physical-controls storage-media
Template note 01 min read

Supplier Development Evidence Request List

Use this list when preparing an internal audit, supplier review, or acceptance review for outsourced development.

template iso27001 supplier-security audit
Template note 01 min read

Supplier Security Risk Assessment

Use this before onboarding or materially changing a supplier relationship, and during periodic supplier review.

template iso27001 a5-19 supplier-risk
Template note 01 min read

Supplier Service Review and Change Log

Use this to record periodic supplier reviews, security report reviews, service delivery issues, supplier changes, incidents, and follow-up actions.

template supplier-security supplier-monitoring change-management iso27001
Template note 01 min read

Supporting Utility Inspection and Test Log

Use this log to record inspections, tests, maintenance, alarms, and corrective actions for supporting utilities.

template iso27001 physical-controls supporting-utilities
Template note 01 min read

Template - Control Attribute Review

Use this when reviewing whether a selected control matches the intended risk treatment effect.

template control-attributes iso27002
Template note 01 min read

Template - Corrective Action Tracker

Use this to track nonconformities, audit findings, policy violations, or control weaknesses.

template audit corrective-action
Template note 01 min read

Template - Information Security Role Definition

Use this for roles with significant information security responsibilities, such as system owner, asset owner, administrator, incident manager, vendor owner, or risk owner.

template roles a5-2
Template note 01 min read

Template - Internal Audit Interview Question Bank

- Where can you find the information security policy? - What are your main information security responsibilities? - How do you report a suspected security incident? - What secur...

template audit interview
Template note 01 min read

Template - Management Responsibilities Interview Questions

- What are your information security responsibilities? - How do you ensure your team follows information security policies? - How do you know your team completed required traini...

template audit interview a5-4
Template note 01 min read

Template - Role and Responsibility Interview Questions

- What are your basic information security responsibilities? - Where can you find the information security policy? - How do you report a suspected incident? - What should you do...

template audit interview a5-2
Template note 01 min read

Test Data Security Approval Record

Use this record before production or sensitive data is copied into development, test, staging, analytics, or supplier environments.

template iso27001 test-data environment-separation
Template note 01 min read

UPS and Generator Capacity Test Record

Use this record to verify whether UPS and generator capacity matches the documented availability and continuity requirements.

template iso27001 physical-controls supporting-utilities
Template note 01 min read

Virtual Network and Hypervisor Security Review

Use this checklist when reviewing virtual networks, cloud networks, hypervisors, security groups, route tables, virtual firewalls, or management planes.

template iso27001 technological-controls network-security virtualization
Template note 01 min read

Visitor Access Log

Research note.

template iso27001 physical-entry visitors
Template note 01 min read

Vulnerability Exception and Risk Acceptance Record

Use this record when a vulnerability will not be remediated within the normal timeframe and requires risk-based exception approval.

template iso27001 technological-controls vulnerability-management risk-acceptance
Template note 01 min read

Web Filtering Coverage Review

Use this review to verify that web filtering applies to required users, devices, locations, remote-working scenarios, and network paths.

template iso27001 technological-controls web-filtering
Template note 01 min read

Wireless Network Security Assessment

Use this assessment when wireless networks connect to organizational networks or provide access to business systems.

template iso27001 technological-controls wireless-security

Template Forms

5 notes
Template note 01 min read

Template Clause Note

Use this when creating an ISO/IEC 27001 clause note under the ISO 27001 knowledge base.

template iso27001 clause
Template note 01 min read

Template Control Card

Use this when creating a reusable control card that maps ISO/IEC 27001 Annex A, ISO/IEC 27002 guidance, ISO/IEC 27005 risk logic, evidence, audit questions, and software objects.

template iso27001 iso27002 control-card
Template note 01 min read

Template Evidence Item

Use this when defining an evidence item for an audit, control, risk treatment, or future GRC data model.

template evidence audit
Template note 01 min read

Template Risk Scenario

markdown type: risk-scenario asset: "" threat: "" vulnerability: "" risk level: "" likelihood: "" impact: "" treatment option: "" related controls: evidence required: owner: ""...

template iso27005 risk-scenario
Template note 01 min read

Template Weekly Review

Use this at the end of each study week to keep learning, artifacts, mappings, and weak areas connected.

template weekly-review roadmap

Checklists

91 notes
Template note 01 min read

A.8.1 Audit Checklist

- Review endpoint policy and device security standard. - Confirm endpoint inventory includes corporate and BYOD devices. - Sample endpoint compliance reports. - Check patch, mal...

template audit iso27001 a8-1
Template note 01 min read

A.8.10 Audit Checklist

Use this checklist during an internal audit of retention, deletion, destruction, cloud deletion, backup deletion, and media awaiting destruction.

template audit iso27001 a8-10
Template note 01 min read

A.8.11 Audit Checklist

Use this checklist during an internal audit of masking, pseudonymisation, tokenisation, anonymisation, re-combination, and re-identification controls.

template audit iso27001 a8-11
Template note 01 min read

A.8.12 Audit Checklist

Use this checklist during an internal audit of DLP scope, data flows, DLP rules, alert handling, transfer approvals, and user awareness.

template audit iso27001 a8-12
Template note 01 min read

A.8.13 Audit Checklist

Use this checklist during an internal audit of backup scope, schedule, protection, job monitoring, restore testing, archive recoverability, and corrective action.

template audit iso27001 a8-13
Template note 01 min read

A.8.14 Audit Checklist

Use this checklist during an internal audit of redundancy requirements, architecture, failover testing, recovery performance, and redundancy-related risk.

template audit iso27001 a8-14
Template note 01 min read

A.8.15 Audit Checklist

Use this checklist during an internal audit of log generation, storage, protection, retention, analysis, alerting, and corrective action.

template audit iso27001 a8-15
Template note 01 min read

A.8.16 Audit Checklist

Use this checklist during an internal audit of security monitoring, alerting, anomaly detection, triage, escalation, and incident evaluation.

template audit iso27001 a8-16
Template note 01 min read

A.8.19 Audit Checklist

Use this checklist during an internal audit of software installation, release, testing, licence, support, and rollback controls for operational systems.

template audit iso27001 a8-19
Template note 01 min read

A.8.2 Audit Checklist

Use this checklist during an internal audit of privileged access allocation, use, monitoring, emergency access, and removal.

template audit iso27001 a8-2
Template note 01 min read

A.8.20 Audit Checklist

Use this checklist during an internal audit of network architecture, device security, zoning, routing, virtual networks, monitoring, and change control.

template audit iso27001 a8-20
Template note 01 min read

A.8.21 Audit Checklist

Use this checklist during an internal audit of network service security mechanisms, service levels, service requirements, provider controls, and monitoring.

template audit iso27001 a8-21
Template note 01 min read

A.8.22 Audit Checklist

Use this checklist during an internal audit of network zones, inter-zone controls, wireless segregation, segmentation tests, and exceptions.

template audit iso27001 a8-22
Template note 01 min read

A.8.23 Audit Checklist

Use this checklist during an internal audit of web filtering policy, tool configuration, coverage, exceptions, bypass resistance, monitoring, and awareness.

template audit iso27001 a8-23
Template note 01 min read

A.8.24 Audit Checklist

Use this checklist during an internal audit of cryptographic policy, approved algorithms, key management, certificate handling, legal requirements, and escrow/recovery.

template audit iso27001 a8-24
Template note 01 min read

A.8.25 Audit Checklist

Use this checklist during an internal audit of secure development rules, competence, code review, vulnerability follow-up, and supplier development.

template audit iso27001 a8-25
Template note 01 min read

A.8.26 Audit Checklist

Use this checklist during an internal audit of application security requirements for developed or acquired applications.

template audit iso27001 a8-26
Template note 01 min read

A.8.27 Audit Checklist

Use this checklist during an internal audit of secure architecture and engineering principles.

template audit iso27001 a8-27
Template note 01 min read

A.8.28 Audit Checklist

Use this checklist during an internal audit of secure coding principles, standards, tools, reviews, generated code, and exceptions.

template audit iso27001 a8-28
Template note 01 min read

A.8.29 Audit Checklist

Use this checklist during an internal audit of security testing in development and acceptance.

template audit iso27001 a8-29
Template note 01 min read

A.8.3 Audit Checklist

Use this checklist during an internal audit of application, database, report, export, print, maintenance utility, and dynamic privilege access restrictions.

template audit iso27001 a8-3
Template note 01 min read

A.8.30 Audit Checklist

- Outsourced development scope is identified. - Supplier development risk assessment exists. - Contract/SOW includes security requirements. - IP ownership and licence obligation...

template audit iso27001 a8-30
Template note 01 min read

A.8.31 Audit Checklist

Use this checklist when auditing separation of development, test, staging, and production environments.

template audit iso27001 a8-31
Template note 01 min read

A.8.32 Audit Checklist

Use this checklist when auditing change management for information systems and information processing facilities.

template audit iso27001 a8-32
Template note 01 min read

A.8.33 Audit Checklist

Use this checklist when auditing selection, protection, management, and deletion of test information.

template audit iso27001 a8-33
Template note 01 min read

A.8.34 Audit Checklist

Use this checklist when auditing protection of operational systems during audit testing and assurance activities.

template audit iso27001 a8-34
Template note 01 min read

A.8.4 Audit Checklist

Use this checklist during an internal audit of source code, development tools, software libraries, and code-impacting scripts or macros.

template audit iso27001 a8-4
Template note 01 min read

A.8.5 Audit Checklist

Use this checklist during an internal audit of authentication mechanisms, MFA, failed logon controls, recovery flows, and authentication exceptions.

template audit iso27001 a8-5
Template note 01 min read

A.8.6 Audit Checklist

Use this checklist during an internal audit of resource monitoring, trend analysis, capacity forecasting, scaling, tuning, and staffing capacity.

template audit iso27001 a8-6
Template note 01 min read

A.8.7 Audit Checklist

Use this checklist during an internal audit of malware protection deployment, update status, scanning, infection response, and user awareness.

template audit iso27001 a8-7
Template note 01 min read

A.8.8 Audit Checklist

Use this checklist during an internal audit of vulnerability intelligence, scanning, risk evaluation, remediation, patching, exceptions, and retesting.

template audit iso27001 a8-8
Template note 01 min read

A.8.9 Audit Checklist

Use this checklist during an internal audit of secure configuration baselines, implementation, monitoring, exceptions, and review.

template audit iso27001 a8-9
Template note 01 min read

Access Review Checklist

Use this for periodic reviews of logical or physical access to systems, repositories, applications, networks, cloud platforms, and sensitive locations.

template iso27001 a5-15 access-review
Template note 01 min read

AI-Generated Code Security Review Checklist

Use this checklist when code, scripts, infrastructure-as-code, tests, or configuration snippets are generated by AI or other automated code-generation tools.

template iso27001 technological-controls secure-coding ai
Template note 01 min read

AI-Generated Content IP Review Checklist

Use this before externally using AI-generated or AI-assisted material in policies, templates, consulting deliverables, training, marketing, software, or client work.

template iso27001 intellectual-property ai-governance
Template note 01 min read

Application Transaction Security Checklist

Use this checklist for applications that perform payments, customer transactions, public-network transactions, or legally significant actions.

template iso27001 technological-controls application-security transactions
Template note 01 min read

Asset Return Checklist

Use this when an employee, contractor, third-party user, or other relevant party leaves, changes role, ends a contract, or no longer requires organizational assets.

template iso27001 a5-11 offboarding
Template note 01 min read

Authentication Mechanism Review Checklist

Use this checklist during design review, audit preparation, or system assessment to test whether authentication behavior is secure.

template iso27001 technological-controls authentication
Template note 01 min read

Background Verification Checklist

Use this checklist during hiring, contractor onboarding, or role change into a higher-risk position.

template iso27001 screening people-controls
Template note 01 min read

Cabling Inspection Checklist

Use this checklist during physical walkthroughs to verify cabling is protected from interception, interference, damage, and unsafe installation.

template iso27001 physical-controls cabling
Template note 01 min read

Clear Desk and Clear Screen Checklist

Use this checklist for routine clear desk and clear screen inspections, especially in shared offices, visitor-exposed areas, and areas handling sensitive information.

template iso27001 physical-controls clear-desk clear-screen
Template note 01 min read

Cloud and Backup Deletion Checklist

Use this checklist when verifying deletion of information from cloud services, backups, archives, snapshots, or replicated storage.

template iso27001 technological-controls cloud backup
Template note 01 min read

Cloud Security Requirements and Exit Checklist

Use this before acquiring a cloud service, during periodic cloud review, and before exiting or migrating from a cloud provider.

template cloud-security supplier-security iso27001
Template note 01 min read

Confidentiality Agreement Review Checklist

Use this checklist to review NDA/confidentiality agreement needs, content, signing, enforceability, and review status.

template iso27001 confidentiality non-disclosure
Template note 01 min read

Configuration Compliance Review Checklist

Use this checklist to compare systems against approved configuration baselines and record compliance gaps.

template iso27001 technological-controls configuration-management
Template note 01 min read

Critical System Capacity Review Checklist

Use this checklist for periodic review of capacity risks in critical systems, cloud services, networks, databases, and support teams.

template iso27001 technological-controls capacity-management
Template note 01 min read

Delivery and Loading Area Security Checklist

Use this checklist to control deliveries, collections, loading bays, and goods movement into or out of secure areas.

template iso27001 physical-entry delivery
Template note 01 min read

Development Test Production Separation Checklist

Use this checklist to review whether development, test, staging, and production separation is real and enforceable.

template iso27001 environment-separation audit
Template note 01 min read

Development Tool and Library Integrity Checklist

Use this checklist to review compilers, build tools, CI/CD runners, package sources, dependency registries, and library integrity controls.

template iso27001 technological-controls secure-development
Template note 01 min read

Disciplinary Process Checklist

Use this checklist when reviewing whether the disciplinary process can fairly handle information security policy violations.

template iso27001 people-controls disciplinary-process
Template note 01 min read

Endpoint Loss or Theft Response Checklist

Use this checklist when a laptop, phone, tablet, or other endpoint device is lost, stolen, or suspected compromised.

template iso27001 technological-controls endpoint-security
Template note 01 min read

Environmental Protection Inspection Checklist

Use this checklist during site walkthroughs to confirm physical and environmental protections remain effective.

template iso27001 physical-controls environmental-threats
Template note 01 min read

Equipment Protection Inspection Checklist

Use this checklist during physical walkthroughs to confirm equipment is still sited securely and protected from damage, interference, unauthorized access, and unauthorized viewing.

template iso27001 physical-controls equipment
Template note 01 min read

Equipment Sanitization Verification Checklist

Use this checklist before equipment containing storage media is reused, sold, donated, recycled, discarded, or transferred outside organizational control.

template iso27001 physical-controls equipment-disposal
Template note 01 min read

Information Access Restriction Review Checklist

Use this checklist to test whether application, database, reporting, export, and maintenance access restrictions match approved access rules.

template iso27001 technological-controls access-review
Template note 01 min read

Key Escrow and Emergency Recovery Checklist

Use this checklist when cryptographic keys must be recoverable for legal, operational, continuity, or organizational control reasons.

template iso27001 technological-controls key-management cryptography
Template note 01 min read

Leaver and Role Change Security Checklist

Use this checklist for employee leavers, contractor offboarding, third-party user removal, and internal role changes.

template iso27001 people-controls termination role-change
Template note 01 min read

Log Integrity and Access Review Checklist

Use this checklist to review whether logs are protected against unauthorized modification, deletion, redirection, shutdown, and overwrite.

template iso27001 technological-controls logging access-review
Template note 01 min read

Long-Term Archive Recoverability Checklist

Use this checklist to verify that archived information can still be read and interpreted for legal, regulatory, or business retention requirements.

template iso27001 technological-controls backup records
Template note 01 min read

Malware Awareness Checklist

Use this checklist when designing or reviewing user awareness content for malware prevention and reporting.

template iso27001 technological-controls awareness malware-protection
Template note 01 min read

Network Segmentation Test Checklist

Use this checklist to test that network zone boundaries block and allow traffic as intended.

template iso27001 technological-controls network-segregation
Template note 01 min read

Network Service Provider Review Checklist

Use this checklist during periodic review of supplier-provided network services.

template iso27001 technological-controls network-services supplier-security
Template note 01 min read

Off-Premises Asset Protection Checklist

Use this checklist when approving, reviewing, or auditing assets used away from organization premises.

template iso27001 physical-controls off-premises-assets
Template note 01 min read

Out-of-Hours Monitoring Escalation Checklist

Use this checklist to define and test how monitoring alerts are handled outside normal business hours.

template iso27001 technological-controls monitoring incident-response
Template note 01 min read

Patch Testing and Rollback Checklist

Use this checklist before applying patches where testing, change approval, outage planning, or rollback is required.

template iso27001 technological-controls patch-management change-control
Template note 01 min read

Physical Security Perimeter Review Checklist

Use this checklist during physical security reviews, office moves, layout changes, tenancy changes, or internal audits.

template iso27001 physical-controls review
Template note 01 min read

PII Handling and Access Review Checklist

Use this to review whether PII handling, access, transfer, retention, and training controls remain appropriate.

template iso27001 privacy access-review
Template note 01 min read

Printer and Fax Security Checklist

Use this checklist to review whether printers and fax machines expose sensitive information through location, unattended output, or weak secure-printing practices.

template iso27001 physical-controls printing fax
Template note 01 min read

Privacy Breach Notification Readiness Checklist

Use this to test whether privacy breach notification obligations are known and can be acted on quickly. Verify specific legal deadlines and content requirements against official...

template iso27001 privacy incident-management
Template note 01 min read

Privileged Access Review Checklist

Use this checklist during periodic reviews of privileged users, privileged roles, emergency access, and stale access.

template iso27001 technological-controls privileged-access
Template note 01 min read

Privileged Activity Log Review Checklist

Use this checklist to review privileged account activity logs for appropriate, authorized, and traceable use.

template iso27001 technological-controls privileged-access
Template note 01 min read

Records Inventory Review Checklist

Use this for the documented annual check that required records still exist, remain protected, and remain accessible through retention.

template iso27001 records-management
Template note 01 min read

Remote Access and Endpoint Connection Checklist

Use this checklist to verify that endpoints connecting remotely meet security requirements before accessing organizational systems.

template iso27001 technological-controls endpoint-security remote-access
Template note 01 min read

Remote Working Security Checklist

Use this checklist before approving remote work or during periodic review of remote working controls.

template iso27001 remote-working checklist
Template note 01 min read

Repair Dispatch Data Protection Checklist

Use this checklist before sending equipment for repair, warranty return, vendor analysis, or replacement.

template iso27001 physical-controls equipment-disposal equipment-maintenance
Template note 01 min read

Secure Coding Compliance Review Checklist

Use this checklist to verify code against the applicable secure coding standard.

template iso27001 technological-controls secure-coding
Template note 01 min read

Secure Development Compliance Review Checklist

Use this checklist to verify that a project or development team follows secure development rules.

template iso27001 technological-controls secure-development
Template note 01 min read

Security Acceptance Criteria Checklist

Use this checklist to define the security conditions that must be met before a system is accepted for operational use.

template iso27001 technological-controls security-testing
Template note 01 min read

Security Terms and Conditions Checklist

Use this checklist when reviewing employment contracts, contractor terms, onboarding acknowledgements, or security addenda for A.6.2 coverage.

template iso27001 people-controls employment-terms
Template note 01 min read

Sensitive Function and Export Control Checklist

Use this checklist when reviewing whether sensitive application functions, reports, downloads, exports, and print features are restricted according to access rules.

template iso27001 technological-controls access-control
Template note 01 min read

Software Licence and Support Verification Checklist

Use this checklist before acquiring or installing software on operational systems, and during periodic review of supported operational software.

template iso27001 technological-controls licence-management
Template note 01 min read

Software Rollback and Fallback Checklist

Use this checklist before installing software on operational systems where failure could affect confidentiality, integrity, availability, or business service.

template iso27001 technological-controls rollback
Template note 01 min read

Source Code Change Control Checklist

Use this checklist when reviewing whether code, scripts, macros, reports, and database logic changes are controlled before release.

template iso27001 technological-controls source-code change-control
Template note 01 min read

Supplier Security Agreement Requirements Checklist

Use this before signing or renewing supplier agreements where the supplier has access to information, systems, facilities, services, or security-relevant dependencies.

template supplier-security contracts iso27001
Template note 01 min read

Template - Policy Review Checklist

Use this during planned policy reviews or event-driven reviews after significant changes.

template policy review a5-1
Template note 01 min read

Test Data Protection Checklist

Use this checklist before and after testing that involves sensitive, production-derived, personal, or confidential information.

template iso27001 test-information privacy
Template note 01 min read

Third-Party Information Transfer Agreement Checklist

Use this when sensitive information or software is exchanged with suppliers, customers, partners, regulators, contractors, or other third parties.

template iso27001 a5-14 third-parties

Registers

58 notes
Template note 01 min read

Access Rights Request and Review Register

Use this to document access requests, approvals, provisioned rights, reviews, modifications, and removals.

template iso27001 a5-18 access-rights
Template note 01 min read

Application Security Requirements Register

Use this register to document security requirements for developed, acquired, or changed applications.

template iso27001 technological-controls application-security
Template note 01 min read

Approved Sensitive Data Flow Register

Use this register to document approved sensitive data transfers, channels, protections, and authorization requirements.

template iso27001 technological-controls dlp information-transfer
Template note 01 min read

Authority Contact Register

Use this to document and maintain official authority contacts required for incident response, breach notification, continuity, legal compliance, sector regulation, or emergency...

template iso27001 a5-5 authorities
Template note 01 min read

Backup Scope and Coverage Register

Use this register to confirm that important information, software, systems, configurations, and dependencies are covered by backups.

template iso27001 technological-controls backup
Template note 01 min read

Cabling Route and Protection Register

Use this register to document important power, data, and supporting service cable routes and the protection applied to them.

template iso27001 physical-controls cabling
Template note 01 min read

Capacity Monitoring and Forecast Register

Use this register to record capacity metrics, trends, forecasts, thresholds, and planned actions.

template iso27001 technological-controls capacity-management
Template note 01 min read

Cloud Service Register

Use this to track approved cloud services, ownership, data exposure, shared responsibility, review status, and exit readiness.

template cloud-security supplier-security iso27001
Template note 01 min read

Confidentiality Agreement Register

Use this register to track confidentiality and non-disclosure agreements for employees, contractors, temporary staff, third-party users, suppliers, partners, visitors, and other...

template iso27001 confidentiality people-controls
Template note 01 min read

Configuration Baseline Register

Use this register to record approved configuration baselines and map them to systems, platforms, services, and networks.

template iso27001 technological-controls configuration-management
Template note 01 min read

Cryptographic Key Management Register

Use this register to track cryptographic keys, owners, purpose, storage, lifecycle dates, rotation, revocation, and destruction.

template iso27001 technological-controls key-management
Template note 01 min read

Cryptographic Use Case and Algorithm Register

Use this register to document where cryptography is used and whether the chosen algorithm, protocol, and key parameters are appropriate.

template iso27001 technological-controls cryptography
Template note 01 min read

Data Masking Decision Register

Use this register to record where masking, pseudonymisation, tokenisation, or anonymisation is used and why.

template iso27001 technological-controls data-masking
Template note 01 min read

DLP Scope and Rule Register

Use this register to define sensitive information in DLP scope and map DLP rules to systems, channels, and devices.

template iso27001 technological-controls dlp
Template note 01 min read

Endpoint Device Inventory and Compliance Register

Use this register to track user endpoint devices, custodians, ownership model, and security compliance.

template iso27001 technological-controls endpoint-security
Template note 01 min read

Equipment Disposal and Reuse Register

Use this register to track equipment disposal, reuse, sale, donation, recycling, repair dispatch, or transfer where storage media or licensed software may be present.

template iso27001 physical-controls equipment-disposal
Template note 01 min read

Equipment Maintenance Register

Use this register to track equipment maintenance requirements, completed maintenance, fault history, and replacement indicators.

template iso27001 physical-controls equipment-maintenance
Template note 01 min read

Event Triage and Incident Classification Register

Use this to record reported information security events and the decision on whether each event is an information security incident.

template iso27001 incident-management
Template note 01 min read

ICT Supply Chain Risk Register

Use this for critical ICT products and services where subcontractors, cloud platforms, hosting providers, software components, support parties, or other dependencies may affect...

template supplier-security ict-supply-chain risk-assessment iso27001
Template note 01 min read

Identity Lifecycle Register

Use this to track identity creation, changes, reviews, deactivation, deletion, and shared-identity exceptions.

template iso27001 a5-16 identity-management
Template note 01 min read

Incident Lessons Learned Register

Use this after incidents or recurring events to capture what changed in controls, training, procedures, risk assessment, supplier management, or management review.

template iso27001 continual-improvement
Template note 01 min read

Information Deletion and Destruction Register

Use this register to record deletion or destruction of information, systems, storage media, backups, and cloud data.

template iso27001 technological-controls information-deletion
Template note 01 min read

Intellectual Property Rights Register

Use this to track protected software, documents, designs, source code, trademarks, patents, subscription content, and other intellectual property material used or created by the...

template iso27001 intellectual-property
Template note 01 min read

Legal and Contractual Requirements Register

Use this to identify, document, assign, review, and evidence legal, statutory, regulatory, and contractual information security requirements.

template iso27001 compliance
Template note 01 min read

Log Source and Retention Register

Use this register to track log sources, event types, retention periods, protection methods, and review ownership.

template iso27001 technological-controls logging
Template note 01 min read

Malware Protection Coverage and Update Register

Use this register to track malware protection deployment, update status, scan settings, and exceptions across systems.

template iso27001 technological-controls malware-protection
Template note 01 min read

Monitoring Detection Use Case Register

Use this register to translate risks and threat scenarios into concrete monitoring rules, alerts, thresholds, and response actions.

template iso27001 technological-controls monitoring detection
Template note 01 min read

Network Monitoring and Corrective Action Register

Use this register to record network faults, suspicious events, monitoring alerts, problem records, and corrective actions.

template iso27001 technological-controls network-security monitoring
Template note 01 min read

Network Service Security Requirements Register

Use this register to define required security mechanisms, service levels, and service requirements for network services.

template iso27001 technological-controls network-services
Template note 01 min read

Off-Premises Asset Authorization Register

Use this register to authorize and track organization assets, information, software, or media taken outside controlled premises.

template iso27001 physical-controls off-premises-assets
Template note 01 min read

Operating Procedure Register

Use this to inventory operating procedures, owners, versions, approvals, users, and review dates.

template iso27001 operating-procedures
Template note 01 min read

Outsourced Development Review Register

Use this register to track ongoing supplier development reviews, issues, and acceptance decisions.

template iso27001 supplier-security outsourced-development
Template note 01 min read

Personnel Screening Register

Use this register to track whether screening was completed for employees, contractors, temporary staff, and third-party users before joining or receiving sensitive access.

template iso27001 people-controls screening
Template note 01 min read

Physical Security False Alarm Register

Use this register to track repeated false alarms and corrective actions that prevent alarm fatigue.

template iso27001 physical-controls monitoring
Template note 01 min read

Physical Security Zone Register

Use this register to define physical security zones, their purpose, protected assets, access routes, and perimeter controls.

template iso27001 physical-controls physical-security
Template note 01 min read

Policy and Technical Compliance Review Register

Use this to track management compliance reviews, spot checks, technical compliance checks, findings, actions, and follow-up.

template iso27001 compliance-review
Template note 01 min read

Policy Violation and Disciplinary Action Register

Use this register to track security policy violation cases, evidence review, decision, outcome, and closure.

template iso27001 disciplinary-process policy-compliance
Template note 01 min read

Privileged Access Register

Use this register to record privileged accounts, roles, approvals, scope, expiry, and review status.

template iso27001 technological-controls privileged-access
Template note 01 min read

Project Security Requirements Register

Use this for projects that build, buy, configure, integrate, outsource, or materially change systems, services, processes, suppliers, infrastructure, or data flows.

template iso27001 a5-8 project-management risk-assessment
Template note 01 min read

Records Retention and Protection Register

Use this to identify required records, retention periods, protection requirements, storage locations, access restrictions, readability dependencies, and disposal rules.

template iso27001 records-management
Template note 01 min read

Redundancy Requirements and Architecture Register

Use this register to map availability requirements to implemented redundancy for critical information processing facilities.

template iso27001 technological-controls redundancy
Template note 01 min read

Remote Equipment Register

Use this register to track equipment outside core premises, including branch, remote, home-office, customer-site, or supplier-hosted equipment within ISMS responsibility.

template iso27001 physical-controls equipment remote-working
Template note 01 min read

Remote Working Authorization Register

Use this register to track who is authorized to work remotely, from what location type, for which activities, with which data, equipment, and controls.

template iso27001 remote-working people-controls
Template note 01 min read

Secure Area Access Register

Use this register to track who is authorized to access secure areas and when physical access rights should be reviewed or removed.

template iso27001 physical-entry access-control
Template note 01 min read

Secure Area Work Authorization Register

Use this register to record approved sensitive work, authorized personnel, supervision needs, device restrictions, and dual-control requirements inside secure areas.

template iso27001 physical-controls secure-areas
Template note 01 min read

Secure Media Disposal and Destruction Register

Use this register to record erasure, destruction, disposal, contractor handoff, and verification for storage media that may contain organizational information.

template iso27001 physical-controls storage-media
Template note 01 min read

Source Code Access Register

Use this register to record source repositories, access rights, owner approvals, and periodic review status.

template iso27001 technological-controls source-code
Template note 01 min read

Special Interest Group Participation Register

Use this to track the specialist security groups, forums, associations, advisories, and communities the organization uses to keep security knowledge current.

template iso27001 a5-6 professional-associations
Template note 01 min read

Supplier Security Register

Use this as the master security view of suppliers, products, and services that can affect information security.

template iso27001 a5-19 supplier-security
Template note 01 min read

Supporting Utility Dependency Register

Use this register to map critical facilities, services, and equipment to required supporting utilities and continuity expectations.

template iso27001 physical-controls supporting-utilities
Template note 01 min read

Template - Control Owner Register

Use this to map ISMS processes and controls to accountable owners, responsible teams, evidence, and review cycles.

template control-owner a5-2 isms
Template note 01 min read

Template - Policy Register

Use this to track policy ownership, approval, version control, review, and acknowledgement requirements.

template policy a5-1
Template note 01 min read

Test Information Management Register

Use this register to track test data sets, their source, sensitivity, approval, protection, retention, and deletion.

template iso27001 test-information test-data
Template note 01 min read

Threat Intelligence Register

Use this to record threat information that has been reviewed, contextualized, and converted into intelligence for risk, control, incident response, vulnerability, or management...

template iso27001 a5-7 threat-intelligence
Template note 01 min read

Vulnerability Register and Remediation Tracker

Use this tracker to record vulnerabilities, exposure, owners, treatment actions, due dates, retests, and closure.

template iso27001 technological-controls vulnerability-management
Template note 01 min read

Web Filtering Exception Register

Use this register to record approved web filtering exceptions, false positives, and business-required access to otherwise blocked categories.

template iso27001 technological-controls web-filtering

Matrices

13 notes
Template note 01 min read

Access Control Matrix

Use this to define standard access rights by role, asset, classification, and approval owner.

template iso27001 a5-15 access-control
Template note 01 min read

Developer Security Training Matrix

Use this matrix to track security training expectations for developers, reviewers, DevOps, testers, and architects.

template iso27001 technological-controls secure-development training
Template note 01 min read

Incident Roles and Communications Matrix

Use this to assign incident response roles, escalation contacts, communications responsibilities, and decision authority before an incident happens.

template incident-management communications iso27001
Template note 01 min read

Information Access Rule Matrix

Use this matrix when defining or reviewing role-based access to an application, service, database, report set, or information repository.

template iso27001 technological-controls access-control
Template note 01 min read

Information Classification and Handling Matrix

Use this to define classification levels, handling rules, labelling expectations, owner responsibilities, and review rules for information assets.

template iso27001 a5-12 a5-13 classification
Template note 01 min read

Information Transfer Rules Matrix

Use this to define which transfer methods are approved for each information classification and what controls must be used.

template iso27001 a5-14 information-transfer
Template note 01 min read

Network Zone and Connection Matrix

- Zone owner identified. - Allowed flows are specific. - Broad rules are justified. - Sensitive paths are monitored. - Rules are reviewed periodically.

template iso27001 technological-controls network-segregation zoning
Template note 01 min read

PII Inventory and Privacy Requirements Matrix

Use this to document PII holdings and map privacy protections back to legal, regulatory, and contractual requirements.

template iso27001 privacy pii
Template note 01 min read

Role-Based Security Training Matrix

Use this matrix to map training requirements to roles, responsibilities, systems, and information access.

template iso27001 training people-controls
Template note 01 min read

Supplier Security Responsibility Matrix

Use this when a supplier relationship has shared security responsibilities and the contract needs a clear split between the organization, the supplier, and any shared control ar...

template supplier-security contracts iso27001
Template note 01 min read

Template - Segregation of Duties Matrix

Use this to identify incompatible duties and document whether they are segregated or covered by compensating controls.

template sod a5-3
Template note 01 min read

Web Filtering Policy and Category Matrix

Use this matrix to map web filtering policy decisions to blocked, warned, allowed, monitored, and exception-handled categories.

template iso27001 technological-controls web-filtering

Policies and Procedures

31 notes
Template note 02 mins read

Acceptable Use and Information Handling Rules

Use this as a practical rules template for personnel, contractors, and third-party users who use organizational information and associated assets.

template iso27001 a5-10 acceptable-use
Template note 01 min read

Audit Testing Plan and Authorization Record

Use this record before audit tests, scans, assurance checks, or tool-assisted reviews are performed on operational systems.

template iso27001 audit-testing assurance
Template note 01 min read

Authentication Information Handling Standard

Use this to define how passwords, PINs, recovery answers, MFA tokens, biometric authentication data, privileged credentials, and service secrets are issued, handled, reset, and...

template iso27001 a5-17 authentication
Template note 01 min read

Backup Policy and Schedule

Use this template to define backup frequency, scope, retention, storage location, protection, and restore testing requirements.

template iso27001 technological-controls backup
Template note 01 min read

Capacity Management Plan

Use this plan to define how critical systems and services will be monitored, trended, forecast, and adjusted for capacity.

template iso27001 technological-controls capacity-management
Template note 01 min read

Change Management Procedure

Use this procedure to define how changes to systems, infrastructure, applications, code, networks, cloud resources, and operational environments are controlled.

template iso27001 change-management
Template note 01 min read

Cryptographic Controls Policy

Use this policy to define approved cryptographic uses, algorithms, protocols, key management responsibilities, legal checks, and exceptions.

template iso27001 technological-controls cryptography
Template note 01 min read

Data Masking Standard

Use this standard to define masking, pseudonymisation, tokenisation, anonymisation, full-data access, and re-identification controls.

template iso27001 technological-controls data-masking privacy
Template note 01 min read

Development Environment Separation Standard

Use this standard to define the minimum security expectations for development, test, staging, and production environments.

template iso27001 environment-separation secure-development
Template note 01 min read

Endpoint Device Security Standard

Use this standard to define the minimum security baseline for user endpoint devices before they access organizational information.

template iso27001 technological-controls endpoint-security
Template note 01 min read

Incident Management Plan

Use this to define how information security events, weaknesses, and incidents are reported, triaged, investigated, escalated, recovered from, reviewed, and improved.

template incident-management iso27001
Template note 01 min read

Information Retention and Deletion Rules

Use this template to define retention periods, deletion triggers, deletion methods, and evidence requirements by information type.

template iso27001 technological-controls retention information-deletion
Template note 01 min read

Logging and Monitoring Standard

Use this standard to define loggable events, minimum log fields, retention, protection, review, and escalation requirements.

template iso27001 technological-controls logging monitoring
Template note 01 min read

Malware Protection Standard

Use this standard to define minimum malware protection requirements for endpoints, servers, mobile devices, cloud workloads, email, web access, file uploads, and removable media.

template iso27001 technological-controls malware-protection
Template note 01 min read

Network Security Architecture and Zoning Standard

Use this standard to document network zones, trust boundaries, sensitive traffic paths, management networks, public exposure, and virtual/cloud network scope.

template iso27001 technological-controls network-security zoning
Template note 01 min read

Operational Software Installation Procedure

Use this procedure to define how software, packages, libraries, patches, tools, and vendor updates are approved and installed on operational systems.

template iso27001 technological-controls software-installation
Template note 01 min read

Physical Security Monitoring Procedure

Use this procedure template to define how premises are monitored for unauthorized physical access.

template iso27001 physical-controls monitoring
Template note 01 min read

Release and Rollback Plan

Use this plan for significant releases or grouped changes before operational implementation.

template iso27001 release-management rollback
Template note 01 min read

Secure Architecture Principles Standard

Use this standard to document the secure engineering principles that system development activities must apply.

template iso27001 technological-controls secure-architecture
Template note 01 min read

Secure Area Working Procedure

Use this procedure template to define how sensitive work is performed inside secure areas.

template iso27001 physical-controls secure-areas
Template note 01 min read

Secure Authentication Standard

Use this standard to define minimum authentication expectations for applications, operating systems, remote access, privileged access, and third-party access.

template iso27001 technological-controls authentication
Template note 01 min read

Secure Coding Standard

Use this standard to define secure coding principles and language/framework-specific rules.

template iso27001 technological-controls secure-coding
Template note 01 min read

Secure Development Policy

Use this policy to define mandatory secure development rules for internal teams, contractors, and suppliers.

template iso27001 technological-controls secure-development
Template note 01 min read

Security Awareness and Training Plan

Use this plan to define annual, induction, refresher, and role-specific information security training.

template iso27001 awareness training people-controls
Template note 01 min read

Security Test Plan

Use this plan to define risk-based security testing during development and before acceptance.

template iso27001 technological-controls security-testing
Template note 01 min read

Storage Media Handling Procedure

Use this procedure to define how storage media is acquired, approved, labelled, used, stored, transported, erased, destroyed, and disposed of.

template iso27001 physical-controls storage-media
Template note 01 min read

Technical Compliance Review Plan

Use this before running configuration checks, vulnerability scans, firewall reviews, cloud configuration reviews, penetration tests, or other technical conformity checks.

template iso27001 technical-compliance
Template note 02 mins read

Template - Top-Level Information Security Policy

Use this to draft or review the organization's high-level information security policy under A.5.1 Policies for Information Security.

template policy a5-1 iso27001
Template note 01 min read

Vulnerability Management Procedure

Use this procedure to define how the organization identifies, evaluates, treats, retests, and reports technical vulnerabilities.

template iso27001 technological-controls vulnerability-management

Section

Indexes

5 notes across 3 subsections

Back to top

Maps of Content

2 notes
Framework note 03 mins read

Annex A Controls MOC

Research note.

ISO27001 ISO27002 annex-a moc iso27001
Template note 06 mins read

Templates MOC

Research note.

templates moc iso27001

Framework Notes

1 notes
Framework note 02 mins read

ISO 27001 Overview

Research note.

ISO27001 iso27001 moc overview

Research Notes

2 notes
Research note 01 min read

Exam Cues Index

Research note.

exam moc iso27001

Section

Templates

6 notes across 1 subsections

Back to top

Template Notes

6 notes
Template note 01 min read

Template Audit Question

markdown type: audit question question id: "" question: "" related standard: ISO27001 related clause: "" related controls: related risks: expected evidence: status: draft answer...

template audit iso27001
Template note 01 min read

Template Clause Note

markdown type: clause standard: ISO27001 clause id: "" clause name: "" status: not started priority: medium related iso27005 topics: related iso27002 topics: related controls: r...

template iso27001 clause
Template note 01 min read

Template Control Card

Use this for ISO 27001 Annex A controls that should appear in Dataview dashboards.

template iso27001 control
Template note 01 min read

Template Evidence Item

markdown type: evidence evidence id: "" evidence name: "" evidence type: "" status: draft related standard: ISO27001 related controls: related risks: owner: "" source system: ""...

template evidence audit
Template note 01 min read

Template Exam Topic

markdown type: exam topic standard: ISO27001 topic: "" status: not started confidence: low confidence rank: 1 exam relevance: medium exam relevance rank: 2 weak area: true relat...

template exam
Template note 01 min read

Template Risk Scenario

Use this for ISO 27005-style risk scenarios that should appear in Dataview dashboards.

template iso27005 risk