ISO27001 - Checklist Capítulo 9


8/3/2019 ISO27001 - Checklist Capítulo 9

9. PHYSICAL & ENVIRONMENT

9.1 USE SECURITY AREAS TO PROTECT FACILITIES

9.1.1 USE PHYSICAL SECURITY PERIMETERS TO PROTECT AREAS

1 GOAL Do you use physical methods to prevent unauthorized access to your organization's information and premises?
2 GOAL Do you use physical methods to prevent people from damaging your information and premises?
3 GOAL Do you use physical methods to prevent people from interfering with your information and premises?
4 GOAL Do you keep your organization's critical or sensitive information processing facilities in secure areas?
5 GOAL Do you use defined security perimeters to protect your critical or sensitive information processing facilities?
6 GOAL Do you use appropriate security barriers to protect your critical or sensitive information processing facilities?
7 GOAL Do you use entry controls to protect your critical or sensitive information processing facilities?
8 GOAL Are your physical protection methods commensurate with identified security risks?
9 CTRL Do you use physical security perimeters and barriers to protect areas that contain information?
10 CTRL Do you use physical security perimeters and barriers to protect areas that contain information processing facilities?
11 CTRL Do you use walls to protect areas that contain your information and information processing facilities?
12 CTRL Do you use manned reception desks to protect areas that contain information and information processing facilities?
13 CTRL Do you use card controlled entry gates to protect areas that contain information and information processing facilities?
14 GUIDE Are your security perimeters clearly defined?
15 GUIDE Do you assess your security risks and make sure that your security perimeters actually reduce your security risk?
16 GUIDE make sure that your security perimeters meet those
17 GUIDE Do you reduce your risk and meet your security requirements by ensuring that security perimeters are properly sited?
18 GUIDE Do you reduce your risk and meet your security requirements by ensuring that security perimeters are strong enough?
19 GUIDE Are your physical security barriers and perimeters free of physical gaps and weaknesses?
20 GUIDE Are external walls of buildings and sites that contain information processing facilities solidly constructed?
21 GUIDE Do you use external door control mechanisms to prevent unauthorized access to information processing facilities?
22 GUIDE Do you use bars to prevent unauthorized access to your organization's information processing facilities?
23 GUIDE Do you use locks to prevent unauthorized access to your organization's information processing facilities?
24 GUIDE Do you use alarms to prevent unauthorized access to your organization's information processing facilities?

25 GUIDE Are your doors locked when unattended?
26 GUIDE Are your windows locked when unattended?
27 GUIDE Do you use external protection for windows at ground level?
28 GUIDE Do you use physical access controls to ensure that access to sites and buildings is restricted to authorized personnel?
29 GUIDE Do you use physical barriers to prevent unauthorized access?
30 GUIDE Do you use physical barriers to prevent contamination from external environmental sources?
31 GUIDE Do you alarm all external perimeter fire doors?
32 GUIDE Do you monitor all external perimeter fire doors?
33 GUIDE Are external perimeter fire doors and walls strong enough to provide the required resistance?
34 GUIDE surrounding walls to ensure that they comply with all relevant
35 GUIDE Do external perimeter fire doors comply with local fire codes?
36 GUIDE Are your external perimeter fire doors failsafe?
37 GUIDE Have you installed suitable intruder detection systems?
38 GUIDE Do your intruder detection systems cover all external doors and accessible windows?
39 GUIDE Do your intruder detection systems cover all communications centers and computer rooms?
40 GUIDE Do your intruder detection systems comply with all relevant regional, national, or international standards?
41 GUIDE Do you test all intruder detection systems in order to ensure that they comply with all relevant standards?
42 GUIDE Do you alarm your unoccupied areas at all times?
43 GUIDE Have you separated your organization's information processing facilities from those managed by third parties?
44 NOTE Have you considered using multiple physical barriers to protect your premises and information processing facilities?
45 NOTE Do you use lockable offices to protect your organization's information and information processing facilities?
46 NOTE Do you use continuous internal physical security barriers to protect your information and information processing facilities?
47 NOTE Do you use special physical access security precautions when multiple organizations are housed in the same building?

9.1.2 USE PHYSICAL ENTRY CONTROLS TO PROTECT SECURE AREAS

48 CTRL Do you use physical entry controls to protect secure areas?
49 CTRL Do your physical entry controls allow only authorized personnel to gain access to secure areas?
50 GUIDE Do you record the date and time visitors enter or leave secure areas?

51 GUIDE Do you supervise all visitors to secure areas unless their access was previously approved?
52 GUIDE authorized and visitors have a specific reason why they need to
53 GUIDE Do all visitors to secure areas understand the security requirements that apply to the areas being visited?
54 GUIDE Are all visitors to secure areas made aware of the emergency procedures that apply to those areas?
55 GUIDE Do you control access to areas where sensitive information is stored?
56 GUIDE Do you control access to areas where sensitive information is processed?
57 GUIDE Do you restrict access to authorized personnel only?
58 GUIDE Do you use authentication controls (e.g., access control card plus PIN) to validate and authorize access?
59 GUIDE Do you maintain secure records of all access to secure areas?
60 GUIDE Do all employees wear visible identification?
61 GUIDE Do all contractors wear visible identification?
62 GUIDE Do all third-party users wear visible identification?
63 GUIDE Do all visitors wear visible identification?
64 GUIDE Do all personnel notify your security people if they encounter anyone not wearing visible identification?
65 GUIDE Do you allow third-party support service personnel to access secure areas only when necessary and only if authorized?
66 GUIDE sensitive information processing facilities only when necessary
67 GUIDE Do you monitor third-party support service personnel while they have access to secure areas and sensitive facilities?
68 GUIDE Do you review access rights to secure areas on a regular basis?
69 GUIDE Do you update access rights to secure areas on a regular basis?
70 GUIDE Do you revoke access rights to secure areas when it is necessary to do so?
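The record-keeping and review questions in this section (items 50, 59 and 68 to 70) are the ones an auditor can check against data rather than by interview, so here is an added example, not part of the original checklist, of how that review can be scripted. It assumes three exports that a real site would have in some form: an HR roster with employment status and the secure areas each person is entitled to, the badge system's current list of granted rights, and the visitor log for secure areas with entry and exit times. All records and field names below are constructed samples.

```python
"""Review of physical entry-control records.

Added example for ISO 27001 9.1.2 checklist items 50, 59 and 68-70; it is not
part of the original checklist. The three data sets and their field names are
constructed samples standing in for an HR roster, a badge-system rights export
and a visitor log.
"""
from datetime import datetime, timedelta

# Constructed sample: HR roster, with the secure areas each person is entitled to.
ROSTER = {
    "alice": {"status": "active", "areas": {"server-room", "office-3"}},
    "bob":   {"status": "active", "areas": {"office-3"}},
    "carol": {"status": "left",   "areas": set()},   # has left the organization
}

# Constructed sample: access rights as the badge system currently grants them.
BADGE_RIGHTS = [
    {"user": "alice", "area": "server-room"},
    {"user": "alice", "area": "office-3"},
    {"user": "bob",   "area": "server-room"},   # HR says bob is not entitled here
    {"user": "carol", "area": "office-3"},      # leaver whose right was never revoked
    {"user": "dave",  "area": "server-room"},   # nobody of that name in HR
]

# Constructed sample: visitor log for secure areas (ISO time stamps, None = no sign-out).
VISITOR_LOG = [
    {"visitor": "v1", "area": "server-room", "host": "alice",
     "in": "2019-03-08T09:00", "out": "2019-03-08T10:30"},
    {"visitor": "v2", "area": "server-room", "host": "bob",
     "in": "2019-03-08T11:00", "out": None},
    {"visitor": "v3", "area": "office-3", "host": "carol",
     "in": "2019-03-08T12:00", "out": "2019-03-08T12:20"},
]


def stale_access_rights(rights, roster):
    """Rights the periodic review (items 68-70) should revoke, as
    (user, area, reason) tuples in export order."""
    findings = []
    for r in rights:
        person = roster.get(r["user"])
        if person is None:
            reason = "holder unknown to HR"
        elif person["status"] != "active":
            reason = "holder no longer active"
        elif r["area"] not in person["areas"]:
            reason = "holder not entitled to this area"
        else:
            continue
        findings.append((r["user"], r["area"], reason))
    return findings


def visitor_log_findings(log, roster, now, max_stay=timedelta(hours=8)):
    """Visitor records (item 50) that need follow-up: the host is not an active
    employee, or no exit time was recorded although the longest plausible stay
    has passed. `now` is an ISO-8601 string such as '2019-03-09T09:00'."""
    now_dt = datetime.fromisoformat(now)
    findings = []
    for v in log:
        host = roster.get(v["host"])
        if host is None or host["status"] != "active":
            findings.append((v["visitor"], v["area"],
                             f"host {v['host']} is not an active employee"))
        entered = datetime.fromisoformat(v["in"])
        if v["out"] is None and now_dt - entered > max_stay:
            findings.append((v["visitor"], v["area"], "no exit time recorded"))
    return findings


if __name__ == "__main__":
    for f in stale_access_rights(BADGE_RIGHTS, ROSTER):
        print("revoke:", *f)
    for f in visitor_log_findings(VISITOR_LOG, ROSTER, now="2019-03-09T09:00"):
        print("visitor log:", *f)
```

The two checks are deliberately driven from the HR roster rather than from the badge system's own idea of who is authorized, because the finding the review is looking for is precisely the case where the two disagree (a leaver still holding a badge, or a right granted outside the entitlement). A visitor without an exit time is only flagged once the maximum plausible stay has elapsed, so a review run during working hours does not report everyone currently on site.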

9.1.3 SECURE YOUR ORGANIZATION'S OFFICES, ROOMS, AND FACILITIES

71 CTRL Have you designed physical security controls and do you apply them to your offices, rooms, and facilities?
72 GUIDE Do your physical security controls comply with all relevant health and safety regulations and standards?
73 GUIDE Do you site important or sensitive facilities in order to avoid public access to them?
74 GUIDE Are buildings which are used for information processing unobtrusive, and do they conceal their true purpose?
75 GUIDE Do you prevent public access to internal telephone books, directories, and documents that identify the location of sensitive information processing facilities?

9.1.4 PROTECT FACILITIES FROM NATURAL AND HUMAN THREATS

76 CTRL Do you use physical methods to protect your facilities from the damage that natural disasters can cause?
77 CTRL Do you use physical methods to protect your facilities from the damage that man-made disasters can cause?
78 CTRL Do you use physical methods to protect your facilities from the damage that fires can cause?
79 CTRL Do you use physical methods to protect your facilities from the damage that floods can cause?
80 CTRL Do you use physical methods to protect your facilities from the damage that earthquakes can cause?
81 CTRL Do you use physical methods to protect your facilities from the damage that explosions can cause?
82 CTRL Do you use physical methods to protect your facilities from the damage that civil unrest can cause?
83 GUIDE Do you protect your facilities from the security threats that neighboring premises could potentially present?
84 GUIDE Do you protect your facilities from the damage a fire in a neighboring building could cause?
85 GUIDE Do you protect your facilities from the damage an explosion in the street could cause?
86 GUIDE Do you protect your facilities from the damage water leaking from the roof, from below, or from the next office could cause?
87 GUIDE Do you store hazardous materials away from secure areas?
88 GUIDE Do you store combustible materials away from secure areas?
89 GUIDE site in order to ensure that it isn't damaged
90 GUIDE Is appropriate fire fighting equipment suitably situated and available when needed?

9.1.5 USE WORK GUIDELINES TO PROTECT SECURE AREAS

91 CTRL Do you use guidelines to control how work is performed in secure areas?
92 GUIDE Do you control how employees perform work in secure areas?
93 GUIDE Do you control how contractors perform work in secure areas?
94 GUIDE Do you control how third-party users perform work in secure areas?
95 GUIDE Do you use a need-to-know policy to control what personnel know about the work that is done in secure areas?
96 GUIDE Do you supervise all work performed in secure areas?
97 GUIDE Do you lock secure areas that are vacant?
98 GUIDE Do you check secure areas that are vacant?
99 GUIDE Do you prevent the unauthorized use of recording equipment inside secure areas?
100 GUIDE Do you prevent the unauthorized use of photographic equipment inside secure areas?

101 GUIDE Do you prevent the unauthorized use of video equipment inside secure areas?
102 GUIDE Do you prevent the unauthorized use of audio equipment inside secure areas?

9.1.6 ISOLATE AND CONTROL PUBLIC ACCESS POINTS

103 CTRL Do you control public access points in order to prevent unauthorized persons from entering your premises?
104 CTRL Are public access points isolated and separate from your information processing facilities?
105 CTRL Do you isolate and control access to your delivery areas?
106 CTRL Do you isolate and control access to your loading areas?
107 GUIDE Do you restrict access to delivery and loading areas in order to prevent unauthorized access from outside of your building?
108 GUIDE Are only identified and authorized personnel allowed to access your organization's delivery and loading areas?
109 GUIDE Are delivery and loading areas designed so that supplies can be unloaded without allowing delivery personnel to have access to the rest of the building?
110 GUIDE Are your delivery and loading areas designed so that external doors are secured when internal doors are open?
111 GUIDE Do you inspect all incoming supplies and materials to ensure that all hazards are identified before these items are transferred from delivery and loading areas to points of use?
112 GUIDE Do you register all supplies and materials when they enter your site?
113 GUIDE Are incoming registration activities carried out in accordance with your asset management procedures?
114 GUIDE Do you segregate your incoming and outgoing shipments?

9.2 PROTECT YOUR ORGANIZATION'S EQUIPMENT

115 GOAL Do you prevent damage to your organization's equipment?
116 GOAL Do you prevent the loss of your organization's equipment?
117 GOAL Do you prevent the theft of your organization's equipment?
118 GOAL Do you protect your equipment from physical threats?
119 GOAL Do you protect your equipment from environmental threats?
120 GOAL Do you protect your equipment to avoid work interruptions?
121 GOAL Do you protect your equipment in order to avoid unauthorized access to your organization's information?
122 GOAL Do you protect your equipment through proper disposal?
123 GOAL Do you use secure siting strategies to protect equipment?

124 GOAL Do you use special controls to protect supporting facilities?

9.2.1 USE EQUIPMENT SITING AND PROTECTION STRATEGIES

125 CTRL Do you protect your equipment from environmental risks and hazards through the use of secure siting strategies?
126 CTRL Do you prevent opportunities for unauthorized access to equipment through the use of secure siting strategies?
127 GUIDE Do you site your organization's equipment so that unnecessary access to work areas is minimized?
128 GUIDE Do you position information processing facilities so that sensitive information cannot be viewed by unauthorized persons?
129 GUIDE Do you position information storage facilities so that sensitive information cannot be viewed by unauthorized persons?
130 GUIDE Do you isolate your equipment when it requires an extra level of protection?
131 GUIDE Do you use security controls to minimize the risk that equipment could be damaged by physical threats and hazards?
132 GUIDE Do you use security controls to minimize the risk that equipment will be stolen?
133 GUIDE Do you use security controls to minimize the risk that equipment will be vandalized?
134 GUIDE Do you use security controls to minimize the risk that equipment will be damaged by fire?
135 GUIDE Do you use security controls to minimize the risk that equipment will be damaged by smoke?
136 GUIDE Do you use security controls to minimize the risk that equipment will be damaged by explosives?
137 GUIDE Do you use security controls to minimize the risk that equipment will be damaged by flooding?
138 GUIDE Do you use security controls to minimize the risk that equipment will be damaged by water leaks?
139 GUIDE Do you use security controls to minimize the risk that equipment will be damaged by dust?
140 GUIDE Do you use security controls to minimize the risk that equipment will be damaged by grime?
141 GUIDE Do you use security controls to minimize the risk that equipment will be damaged by vibration?
142 GUIDE Do you use security controls to minimize the risk that equipment will be damaged by destructive or corrosive chemicals?
143 GUIDE Do you use security controls to minimize the risk that equipment will be damaged by electromagnetic radiation?
144 GUIDE Do you use security controls to minimize the risk that equipment will be damaged by electrical interference?
145 GUIDE Do you use security controls to minimize the risk that equipment will be accidentally damaged?

146 GUIDE Have you established guidelines to control eating, drinking, and smoking near your information processing facilities?
147 GUIDE Do you monitor environmental conditions when changes could damage your information processing facilities?
148 GUIDE Do you monitor temperature and humidity when these conditions could impair the operation of your organization's information processing facilities?
149 GUIDE Do you protect your buildings from lightning strikes?
150 GUIDE Do you protect incoming power lines using lightning protection filters?
151 GUIDE Do you protect incoming communications lines using lightning protection filters?
152 GUIDE Do you use special methods to protect equipment that is used in harsh industrial environments?
153 GUIDE Do you use keyboard membranes to protect equipment that is used in harsh industrial environments?
154 GUIDE Do you protect equipment that is used to process sensitive information by minimizing the risk that information will leak due to emanation?

9.2.2 MAKE SURE THAT SUPPORTING UTILITIES ARE RELIABLE

155 CTRL Do you protect your equipment from disruptions caused by utility failures?
156 CTRL Do you protect your equipment from disruptions caused by power failures?
157 GUIDE Are all supporting utilities capable of supporting your organization's systems?
158 GUIDE Are all electrical utilities capable of supporting your organization's systems?
159 GUIDE Does your electrical supply conform to your equipment manufacturer's specifications?
160 GUIDE Are water utilities capable of supporting your systems?
161 GUIDE Are sewage utilities capable of supporting your systems?
162 GUIDE Are heating utilities capable of supporting your systems?
163 GUIDE Are ventilation systems capable of supporting your systems?
164 GUIDE Is your air conditioning system capable of supporting your organization's systems?
165 GUIDE Do you inspect your supporting utilities regularly in order to make sure that they're still functioning properly and in order to reduce the risk of failure?
166 GUIDE Do you test your supporting utilities regularly in order to make sure that they're still functioning properly and in order to reduce the risk of failure?
167 GUIDE Do you use uninterruptible power supplies (UPSs) to protect equipment that is used to support critical business operations?

192 GUIDE Do you avoid routing network cables through public areas?
193 GUIDE Do you use conduits to prevent unauthorized interception of or damage to network cables?
194 GUIDE Do you prevent interference by segregating power cables from telecommunications cables?
195 GUIDE Do you clearly mark cables and equipment in order to minimize the chance that the wrong network cables will be accidentally patched?
196 GUIDE Do you use documented patch lists in order to reduce the chance that the wrong network cables will be accidentally patched?
197 GUIDE Do you use armored conduit to protect sensitive or critical systems?
198 GUIDE Do you protect sensitive or critical systems by using locked rooms at inspection and termination points?
199 GUIDE Do you protect sensitive or critical systems by using boxes at inspection and termination points?
200 GUIDE Do you protect sensitive or critical systems by using alternative routings or transmission media?
201 GUIDE Do you protect sensitive or critical systems by considering the use of fiber optic cables?
202 GUIDE Do you protect sensitive or critical systems by using physical inspections to detect the presence of unauthorized cable monitoring devices?
203 GUIDE Do you protect your sensitive or critical systems by controlling access to patch panels and cable rooms?
204 GUIDE Do you protect sensitive or critical cables by using technical sweeps to detect the presence of unauthorized cable monitoring devices?
205 GUIDE Do you protect sensitive or critical cables by using electromagnetic shielding?

9.2.4 MAINTAIN YOUR ORGANIZATION'S EQUIPMENT

206 CTRL Do you maintain your equipment in order to protect its integrity and to ensure that it is available when you need it?
207 GUIDE Do you follow the equipment manufacturer's recommended maintenance schedule?
208 GUIDE Do you follow the equipment manufacturer's recommended maintenance specifications?
209 GUIDE Do you allow only authorized maintenance people to service and repair your equipment?
210 GUIDE Do you keep a record of your organization's preventive and corrective maintenance activities?
211 GUIDE Do you keep a record of all equipment faults and problems?
212 GUIDE Do you control on-site equipment maintenance and repair?
213 GUIDE Do you control off-site equipment maintenance and repair?

214 GUIDE Do you provide security clearance for maintenance personnel, or clear sensitive information from your equipment, before maintenance and repair activities are carried out?
215 GUIDE Do you comply with the requirements that insurance policies impose on your equipment maintenance and repair activities?

9.2.5 PROTECT YOUR OFF-SITE EQUIPMENT

216 CTRL Do you use security measures to protect off-site equipment?
217 CTRL Do your equipment security measures deal with the range of risks that off-site equipment is exposed to?
218 GUIDE Have you developed special security measures to address your organization's unique or unusual off-site security risks?
219 GUIDE Is management authorization required before any information processing equipment can be removed and used outside of your premises?
220 GUIDE Do your personnel avoid leaving information processing equipment or media unattended in public places?
221 GUIDE Do personnel treat portable computers as hand luggage while they are traveling?
222 GUIDE Do your personnel conceal or disguise their portable computers while they are traveling?
223 GUIDE Do your personnel follow your equipment manufacturer's recommended security practices and precautions?
224 GUIDE Do you protect equipment from strong electromagnetic fields?
225 GUIDE Do you perform risk assessments in order to determine what kinds of home-working security controls are required?
226 GUIDE Have you developed special security measures and controls for people who work at home?
227 GUIDE Are suitable controls applied when personnel use your equipment to work at home?
228 GUIDE Do personnel use lockable filing cabinets when they use your equipment to work at home?
229 GUIDE Do personnel follow a clear desk policy when they use your equipment to work at home?
230 GUIDE Are computer access controls used when personnel use your computers to work at home?
231 GUIDE Are secure communications methods used when communicating between the office and the home?
232 GUIDE Does your organization have adequate insurance coverage to protect its off-site equipment?
233 NOTE Are security measures taken to control the off-site use of mobile equipment?
234 NOTE Are all appropriate security measures taken to control the off-site use of personal computers?
235 NOTE Are all appropriate security measures taken to control the off-site use of personal organizers?
236 NOTE Are all appropriate security measures taken to control the off-site use of mobile phones?

237 NOTE Are all appropriate security measures taken to control the off-site use of smart cards?
238 NOTE Are all appropriate security measures taken to control the off-site use of paper documents?

9.2.6 CONTROL EQUIPMENT DISPOSAL AND RE-USE

239 CTRL Do you check all equipment containing storage media in order to ensure that all sensitive data has been removed or securely overwritten before you dispose of this equipment?
240 CTRL Do you check all equipment containing storage media in order to ensure that all licensed software has been removed or securely overwritten before you dispose of this equipment?
241 GUIDE Do you destroy data storage devices containing sensitive information before you dispose of these devices?
242 GUIDE Do you destroy, delete, or securely overwrite all sensitive data before you allow anyone to re-use data storage devices?
243 GUIDE Do you use techniques that ensure that the original data is non-retrievable once it has been destroyed or overwritten?
244 NOTE Do you use risk assessments to determine whether damaged information storage devices should be physically destroyed, discarded, or repaired?

9.2.7 CONTROL THE USE OF ASSETS OFF-SITE

245 CTRL Do you ensure that your organization's assets are not taken off-site without prior authorization?
246 CTRL Do you ensure that your organization's equipment is not taken off-site without prior authorization?
247 CTRL Do you ensure that your organization's information is not taken off-site without prior authorization?
248 CTRL Do you ensure that your organization's software is not taken off-site without prior authorization?
249 GUIDE Have you identified employees who are authorized to allow people to remove and use assets off-site?
250 GUIDE Have you identified contractors who are authorized to allow people to remove and use assets off-site?
251 GUIDE Have you identified third-party users who are authorized to allow people to remove and use your assets off-site?
252 GUIDE Do you use time limits to control how long people are allowed to use equipment off-site?
253 GUIDE Do you check returns to ensure that people have complied with the time limits placed on off-site equipment usage?
254 GUIDE Do you record the off-site removal and return of equipment?
255 NOTE Do you use spot checks to detect the unauthorized removal of assets?
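Items 239 to 243 of section 9.2.6 above hinge on the difference between deleting data and making it non-retrievable, so the following added example (not part of the original checklist) shows that difference on a constructed toy disk image and gives the residual-data check an auditor would run before signing off item 243. A filesystem-style delete clears only the directory entry and leaves every data sector in place; a full overwrite pass is what the check should find nothing after. The image layout (sector 0 holds the directory, file data starts at sector 1) and all sample contents are assumptions made for the example. On real media the check is run against the device after the vendor's own sanitize or secure-erase command; on flash and SSD media an overwrite pass issued from the host cannot reach remapped or over-provisioned cells, so a host-side overwrite alone does not satisfy item 243 there.

```python
"""Residual-data check for storage media before disposal or re-use.

Added example for ISO 27001 9.2.6 checklist items 239-243; it is not part of the
original checklist. The toy disk layout (sector 0 = directory, data from sector 1)
and the sample file contents are assumptions made for the example.
"""
SECTOR = 512


def build_image(sectors: int, files: dict) -> bytearray:
    """Constructed toy disk: sector 0 holds 'name:start_sector:length' entries,
    file data is laid out contiguously from sector 1 onwards."""
    img = bytearray(sectors * SECTOR)
    entries = []
    next_sector = 1
    for name, data in files.items():
        start = next_sector * SECTOR
        img[start:start + len(data)] = data
        entries.append(f"{name}:{next_sector}:{len(data)}")
        next_sector += -(-len(data) // SECTOR)  # ceiling division: sectors used
    directory = ";".join(entries).encode()
    img[0:len(directory)] = directory
    return img


def delete_file(img: bytearray, name: str) -> None:
    """Filesystem-style delete: drop the directory entry, touch no data sector."""
    directory = bytes(img[0:SECTOR]).rstrip(b"\x00").decode()
    kept = [e for e in directory.split(";") if e and not e.startswith(name + ":")]
    img[0:SECTOR] = bytes(SECTOR)            # rewrite the directory sector only
    new_dir = ";".join(kept).encode()
    img[0:len(new_dir)] = new_dir


def overwrite_image(img: bytearray, fill: int = 0x00) -> None:
    """Single full overwrite pass with a fixed byte (what a host-side wipe does)."""
    img[:] = bytes([fill]) * len(img)


def residual_runs(img: bytes, fill: int = 0x00, min_len: int = 4):
    """Return (offset, length) of every run of at least min_len bytes that differ
    from the expected fill byte. An empty list means nothing recoverable remains
    for that fill pattern; pass the pattern the wipe was supposed to leave."""
    runs = []
    start = None
    for i, b in enumerate(img):
        if b != fill:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    if start is not None and len(img) - start >= min_len:
        runs.append((start, len(img) - start))
    return runs


def is_sanitized(img: bytes, fill: int = 0x00) -> bool:
    """True when no residual run is found against the expected fill byte."""
    return not residual_runs(img, fill)


if __name__ == "__main__":
    disk = build_image(8, {"secret.txt": b"ACME payroll Q1 salaries"})  # constructed sample
    delete_file(disk, "secret.txt")
    print("after delete:", residual_runs(disk))      # the data sector is still intact
    overwrite_image(disk)
    print("after overwrite:", is_sanitized(disk))    # True
```

The check is only meaningful against the pattern the wipe was meant to leave: a device wiped to zeros reports as fully residual when checked against 0xFF, which is the intended behaviour, not a bug. For a random-pattern wipe the same scan cannot be used and the verification is instead that the device no longer contains the known sample strings written before the wipe.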


    L SECURITY MANAGEMENT AUDIT


Mandatory BS25

BS25999-2:2007 (the specification) says in clause 3.4.1.1 that the BCMS must, as a minimum, contain the documents listed below:

3.2.1 Scope and objectives of the BCMS and procedures;
3.2.2 The BCM policy;
3.2.3 The provision of resources (Roles & Responsibilities);
3.2.4 The competency of BCM personnel and associated training records (PPT, plus copies of PGs, Guidance for Head of HR, BCMS Role Competencies);
3.4.3 Control of BCMS documentation;
4.1.1 The business impact analysis (BIA Workbook);
4.1.2 The risk assessment;
4.2 The business continuity strategy;
4.3.2 The incident response structure;
4.3.3 Business continuity plans and incident management plans;
4.4.2 BCM exercising;
4.4.3 The maintenance and review of BCM arrangements;
5.1 Internal audit;
5.2 Management review of the BCMS;
6.1 Preventive and corrective actions;
6.2 Continual improvement;

Procedures

Asset Management (Inventory of Assets, Ownership of Assets, Acceptable Use of Assets)
Information Classification (Guidelines for the classification of information)
Classification of Facilities (Classification of Physical Spaces)
Backups and Storage Devices (Backup and Storage Devices, Information Backup, Handling of Storage Devices, Disposal of Storage Devices)
Access Management (Access Management, Access management process, Identifiers (User IDs), Privileged access, Access review)


    99 Documentation
