Our ISO 17799 2000 Audit Tool is now OBSOLETE. See our NEW ISO 27002 2005 (17799 2005) Audit Tool and the NEW ISO 27002 2005 Information Security Standard.

ISO 17799 Information Security Audit Tool

The following material will introduce our ISO 17799 (BS 7799) Information Security Audit Tool. However, it will not present the complete product. Instead, it will show you how our audit tool is organized and it will provide you with a sample of our approach. Once you've examined our approach, we hope you'll consider purchasing our ISO 17799 Information Security Audit Tool.

We begin with a table of contents. It shows how we've organized
our product. In order to illustrate our approach, we also provide
an example of our audit questionnaire. The complete product
has 10 such questionnaires and is 137 pages long.

The audit questionnaires are used to identify the gaps that exist between the ISO 17799 (BS 7799) Security Standard and your security practices and processes. As a result, our audit tool is also a Gap Analysis Tool. Once you've identified and filled all of your security gaps, you can be sure that you've done everything you can to protect your information systems and facilities. If you use our Information Security Audit Tool you will not only meet ISO's information security requirements but you will also improve the overall effectiveness of your information security program.

ISO IEC 17799 2000 (BS 7799)
INFORMATION SECURITY AUDIT TOOL

TABLE OF CONTENTS

PART  TITLE  PAGE
1  Audit Profile  3
2  Audit Overview  4
3  Security Policy Audit  5
4  Organizational Security Audit  8
5  Asset Classification and Control Audit  21
6  Personnel Security Management Audit  25
7  Physical and Environmental Security Audit  33
8  Communications and Operations Management Audit  43
9  Information Access Management Control Audit  69
10  Systems Development and Maintenance Audit  95
11  Business Continuity Management Audit  << SAMPLE
12  Compliance Management Audit  122
13  Security Performance Scores  135
14  Legal and Contact Information  136

OCT 2004  COPYRIGHT © 2004 BY PRAXIOM RESEARCH GROUP LIMITED  VER 1.0

11. BUSINESS CONTINUITY MANAGEMENT AUDIT

11.1 DESIGN A CONTINUITY MANAGEMENT PROCESS
1 Have you developed a business continuity management process to protect your critical business processes during business disruptions, security failures, and disasters? YES NO N/A
2 Is your business continuity management process used to prevent business disruptions, security failures, and disasters? YES NO N/A
3 Is your business continuity management process used to recover from business disruptions, security failures, and disasters? YES NO N/A
4 Is your business continuity management process used to identify and reduce risks? YES NO N/A
5 Is your business continuity management process used to ensure that essential operations are restored as quickly as possible? YES NO N/A
6 Is your business continuity management process used to limit the impact that damaging incidents could have? YES NO N/A
7 Have you analyzed the impact that disasters could have on your critical business processes? YES NO N/A
8 Have you analyzed the impact that security failures could have on your critical business processes? YES NO N/A
9 Have you analyzed the impact that a loss of service could have on your critical business processes? YES NO N/A
10 Have you developed contingency plans in order to ensure that critical business processes are restored within a reasonable period of time? YES NO N/A
11 Do you practice implementing your contingency plans? YES NO N/A

11.1.1 ESTABLISH YOUR CONTINUITY MANAGEMENT PROCESS
12 Have you established a process to manage and maintain business continuity throughout your organization? YES NO N/A
13 Have you identified and prioritized your most critical business processes? YES NO N/A
14 Have you identified the risks that threaten the security of your business processes? YES NO N/A
15 Have you estimated the likelihood that your organization will be exposed to significant security risks and threats? YES NO N/A
16 Have you analyzed the impact that serious threats could have on the security of your organization’s processes? YES NO N/A
17 Have you analyzed the impact that interruptions could have on the viability of your business? YES NO N/A
18 Have you found solutions to the security problems that could undermine the viability of your business? YES NO N/A
19 Have you found solutions for the security threats and problems that are smaller and less serious? YES NO N/A
20 Have you increased your security through the purchase of suitable insurance? YES NO N/A
21 Have you formulated business objectives and priorities for your information processing facilities? YES NO N/A
22 Have you formulated a business continuity strategy for your information processing facilities? YES NO N/A
23 Have you documented your continuity strategy? YES NO N/A
24 Is your business continuity strategy consistent with your business objectives and priorities? YES NO N/A
25 Have you formulated business continuity plans for your information processing facilities? YES NO N/A
26 Have you documented your business continuity plans? YES NO N/A
27 Are your business continuity plans consistent with your business continuity strategy? YES NO N/A
28 Has responsibility for coordinating your continuity management process been assigned to someone at the appropriate level within your organization? YES NO N/A
29 Have you institutionalized continuity management? YES NO N/A

11.1.2 PERFORM THREAT ANALYSIS AND IMPACT ANALYSIS
30 Have you carried out a threat analysis in order to identify the events that could interrupt your business processes? YES NO N/A
31 Did you carry out your threat analysis with the full involvement of process and resource owners? YES NO N/A
32 Did your threat analysis include all business processes? YES NO N/A
33 Have you carried out a risk assessment in order to identify the impact that business process interruptions could have? YES NO N/A
34 Has your impact analysis identified how much damage your business process interruptions could cause? YES NO N/A
35 Has your impact analysis identified how long it would take to recover from business process interruptions? YES NO N/A
36 Did you carry out your impact analysis with the full involvement of process and resource owners? YES NO N/A
37 Did your impact analysis include all business processes? YES NO N/A
38 Did you use the results of your analyses and assessments to develop a strategy that defines your organization’s general approach to business continuity? YES NO N/A
39 Did your senior management endorse your general business continuity strategy? YES NO N/A

11.1.3 DEVELOP YOUR BUSINESS CONTINUITY PLANS
40 Have you developed plans to restore and continue business operations after critical processes have failed or been interrupted? YES NO N/A
41 Do your business continuity plans help you to achieve your business objectives? YES NO N/A
42 Do your business continuity plans help you to restore services to customers within a reasonable time period? YES NO N/A
43 Do your business continuity plans identify the resources that will be needed to restore your business processes? YES NO N/A
44 Do your business continuity plans identify the services that will be needed to restore your business processes? YES NO N/A
45 Do your business continuity plans identify the staffing that will be needed to restore your business processes? YES NO N/A
46 Do your business continuity plans identify and assign all emergency management responsibilities? YES NO N/A
47 Do your business continuity plans define all necessary emergency response procedures? YES NO N/A
48 Do your emergency response procedures ensure that your critical processes will be recovered and restored within the required time limits? YES NO N/A
49 Do your emergency response procedures accommodate and deal with all external business interdependencies? YES NO N/A
50 Do your emergency response procedures respect and reflect all related business contracts? YES NO N/A
51 Have you documented emergency response procedures? YES NO N/A
52 Have you documented critical business processes? YES NO N/A
53 Do your business continuity plans identify fallback arrangements for information processing facilities? YES NO N/A
54 Have you taught your staff members how to use your emergency response procedures? YES NO N/A
55 Have you taught your staff members how your critical business processes will be recovered and restored? YES NO N/A
56 Have you taught your staff members about your crisis management methods and procedures? YES NO N/A
57 Do you regularly test your business continuity plans? YES NO N/A
58 Do you regularly update your business continuity plans? YES NO N/A

11.1.4 MAINTAIN A CONTINUITY PLANNING FRAMEWORK
59 Have you established a single framework of business continuity plans in order to ensure that all plans are consistent with one another? YES NO N/A
60 Do you use your business continuity planning framework to determine plan testing priorities? YES NO N/A
61 Do you use your business continuity planning framework to determine plan maintenance priorities? YES NO N/A
62 Does each business continuity plan include a maintenance schedule that explains how and when the plan will be tested and maintained? YES NO N/A
63 Do you amend your business continuity plans whenever new security threats or requirements are identified? YES NO N/A
64 Does each business continuity plan clearly specify the conditions that must be met before it is activated? YES NO N/A
65 Does each business continuity plan specify the process that must be followed before a plan may be activated? YES NO N/A
66 Does each business continuity plan explain how a crisis situation should be assessed before a plan is activated? YES NO N/A
67 Does each business continuity plan specify who should be contacted and involved before a plan may be activated? YES NO N/A
68 Does each business continuity plan clearly specify who is responsible for executing each part of the plan? YES NO N/A
69 Does each business continuity plan nominate alternative personnel who would be responsible for executing the plan if those who are primarily responsible are unable to do so? YES NO N/A
70 Does each business continuity plan describe the emergency procedures that must be followed and the actions that must be taken to handle security incidents? YES NO N/A
71 Does each business continuity plan explain how relations with the public must be managed during an emergency? YES NO N/A
72 Does each business continuity plan explain how relations with governmental agencies and authorities should be managed during an emergency? YES NO N/A
73 Does each business continuity plan explain how relations with emergency responders should be managed during an emergency? YES NO N/A
74 Does each business continuity plan describe fallback procedures that should be followed to move essential business activities and services to alternative locations? YES NO N/A
75 Does each business continuity plan describe fallback procedures that should be followed to reactivate your business processes within the required time limits? YES NO N/A
76 Does each business continuity plan describe resumption procedures that should be followed to bring your business processes and services back to normal? YES NO N/A
77 Does each business continuity plan describe the education and awareness activities that should be carried out to help ensure that staff members understand your business continuity methods and procedures? YES NO N/A
78 Does each business continuity plan specify who owns and is responsible for managing and maintaining the plan? YES NO N/A
79 Have owners of business processes and resources been given the responsibility to manage the implementation of related fallback and business resumption plans? YES NO N/A
80 Are owners of business processes and resources responsible for managing the implementation of the emergency response procedures that affect their areas? YES NO N/A
81 Are technical service providers responsible for managing the implementation of alternative technical services and fallback arrangements? YES NO N/A
82 Are information service providers responsible for managing the implementation of alternative information processing facilities and fallback arrangements? YES NO N/A
83 Are communications service providers responsible for managing the implementation of alternative communications facilities and fallback arrangements? YES NO N/A
Etcetera ... YES NO N/A

PRAXIOM RESEARCH GROUP LIMITED
9619 - 100A Street, Edmonton, Alberta, T5K 0V7, Canada
Telephone: (780)461-4514
info@praxiom.com

Updated on November 29, 2008. On the Web since May 25, 1997.

Disclaimer and Limitation of Liability
The publisher and authors have used their best efforts in designing and developing this electronic publication. We make no representation or warranties with respect to accuracy or completeness of the contents of this publication and specifically disclaim any implied warranties or merchantability or fitness for any particular purpose and shall in no event be liable for any loss of profit or any other commercial damage, including but not limited to special, incidental, consequential, or other damages.

Legal Restrictions on the Use of this Page
Thank you for visiting this page. You are, of course, welcome to view our material as often as you wish, free of charge. And as long as you keep intact all copyright notices, you are also welcome to print or make one copy of this page for your own personal, noncommercial, home use. But, you are not legally authorized to print or produce additional copies, or to copy and paste any of our material onto another web site. If you would like to purchase our material, please contact our Sales Desk. Our staff would be very pleased to take your order or to answer any questions you might have.

Copyright © 1997 - 2008 by Praxiom Research Group Limited. All Rights Reserved.