Our ISO 17799 2000 Audit Tool is now OBSOLETE
And the NEW ISO 27002 2005 Information Security Standard
The following material will introduce our ISO 17799 (BS 7799) We begin with a table of contents. It shows how we've organized The audit questionnaires are used to identify the gaps that exist
(THE FOLLOWING MATERIAL IS OBSOLETE) See our NEW ISO 27002 (17799 2005) Audit Tool

ISO IEC 17799 2000 (BS 7799)
TABLE OF CONTENTS

| PART | TITLE | PAGE |
|---|---|---|
| 1 | Audit Profile | 3 |
| 2 | Audit Overview | 4 |
| 3 | Security Policy Audit | 5 |
| 4 | Organizational Security Audit | 8 |
| 5 | Asset Classification and Control Audit | 21 |
| 6 | Personnel Security Management Audit | 25 |
| 7 | Physical and Environmental Security Audit | 33 |
| 8 | Communications and Operations Management Audit | 43 |
| 9 | Information Access Management Control Audit | 69 |
| 10 | Systems Development and Maintenance Audit | 95 |
| 11 | Business Continuity Management Audit | << SAMPLE |
| 12 | Compliance Management Audit | 122 |
| 13 | Security Performance Scores | 135 |
| 14 | Legal and Contact Information | 136 |

OCT 2004 | COPYRIGHT © 2004 BY PRAXIOM RESEARCH GROUP LIMITED | VER 1.0
11.1 DESIGN A CONTINUITY MANAGEMENT PROCESS

| # | Question | YES | NO | N/A |
|---|---|---|---|---|
| 1 | Have you developed a business continuity management process to protect your critical business processes during business disruptions, security failures, and disasters? | YES | NO | N/A |
| 2 | Is your business continuity management process used to prevent business disruptions, security failures, and disasters? | YES | NO | N/A |
| 3 | Is your business continuity management process used to recover from business disruptions, security failures, and disasters? | YES | NO | N/A |
| 4 | Is your business continuity management process used to identify and reduce risks? | YES | NO | N/A |
| 5 | Is your business continuity management process used to ensure that essential operations are restored as quickly as possible? | YES | NO | N/A |
| 6 | Is your business continuity management process used to limit the impact that damaging incidents could have? | YES | NO | N/A |
| 7 | Have you analyzed the impact that disasters could have on your critical business processes? | YES | NO | N/A |
| 8 | Have you analyzed the impact that security failures could have on your critical business processes? | YES | NO | N/A |
| 9 | Have you analyzed the impact that a loss of service could have on your critical business processes? | YES | NO | N/A |
| 10 | Have you developed contingency plans in order to ensure that critical business processes are restored within a reasonable period of time? | YES | NO | N/A |
| 11 | Do you practice implementing your contingency plans? | YES | NO | N/A |
11.1.1 ESTABLISH YOUR CONTINUITY MANAGEMENT PROCESS

| # | Question | YES | NO | N/A |
|---|---|---|---|---|
| 12 | Have you established a process to manage and maintain business continuity throughout your organization? | YES | NO | N/A |
| 13 | Have you identified and prioritized your most critical business processes? | YES | NO | N/A |
| 14 | Have you identified the risks that threaten the security of your business processes? | YES | NO | N/A |
| 15 | Have you estimated the likelihood that your organization will be exposed to significant security risks and threats? | YES | NO | N/A |
| 16 | Have you analyzed the impact that serious threats could have on the security of your organization’s processes? | YES | NO | N/A |
| 17 | Have you analyzed the impact that interruptions could have on the viability of your business? | YES | NO | N/A |
| 18 | Have you found solutions to the security problems that could undermine the viability of your business? | YES | NO | N/A |
| 19 | Have you found solutions for the security threats and problems that are smaller and less serious? | YES | NO | N/A |
| 20 | Have you increased your security through the purchase of suitable insurance? | YES | NO | N/A |
| 21 | Have you formulated business objectives and priorities for your information processing facilities? | YES | NO | N/A |
| 22 | Have you formulated a business continuity strategy for your information processing facilities? | YES | NO | N/A |
| 23 | Have you documented your continuity strategy? | YES | NO | N/A |
| 24 | Is your business continuity strategy consistent with your business objectives and priorities? | YES | NO | N/A |
| 25 | Have you formulated business continuity plans for your information processing facilities? | YES | NO | N/A |
| 26 | Have you documented your business continuity plans? | YES | NO | N/A |
| 27 | Are your business continuity plans consistent with your business continuity strategy? | YES | NO | N/A |
| 28 | Has responsibility for coordinating your continuity management process been assigned to someone at the appropriate level within your organization? | YES | NO | N/A |
| 29 | Have you institutionalized continuity management? | YES | NO | N/A |
11.1.2 PERFORM THREAT ANALYSIS AND IMPACT ANALYSIS

| # | Question | YES | NO | N/A |
|---|---|---|---|---|
| 30 | Have you carried out a threat analysis in order to identify the events that could interrupt your business processes? | YES | NO | N/A |
| 31 | Did you carry out your threat analysis with the full involvement of process and resource owners? | YES | NO | N/A |
| 32 | Did your threat analysis include all business processes? | YES | NO | N/A |
| 33 | Have you carried out a risk assessment in order to identify the impact that business process interruptions could have? | YES | NO | N/A |
| 34 | Has your impact analysis identified how much damage your business process interruptions could cause? | YES | NO | N/A |
| 35 | Has your impact analysis identified how long it would take to recover from business process interruptions? | YES | NO | N/A |
| 36 | Did you carry out your impact analysis with the full involvement of process and resource owners? | YES | NO | N/A |
| 37 | Did your impact analysis include all business processes? | YES | NO | N/A |
| 38 | Did you use the results of your analyses and assessments to develop a strategy that defines your organization’s general approach to business continuity? | YES | NO | N/A |
| 39 | Did your senior management endorse your general business continuity strategy? | YES | NO | N/A |
11.1.3 DEVELOP YOUR BUSINESS CONTINUITY PLANS

| # | Question | YES | NO | N/A |
|---|---|---|---|---|
| 40 | Have you developed plans to restore and continue business operations after critical processes have failed or been interrupted? | YES | NO | N/A |
| 41 | Do your business continuity plans help you to achieve your business objectives? | YES | NO | N/A |
| 42 | Do your business continuity plans help you to restore services to customers within a reasonable time period? | YES | NO | N/A |
| 43 | Do your business continuity plans identify the resources that will be needed to restore your business processes? | YES | NO | N/A |
| 44 | Do your business continuity plans identify the services that will be needed to restore your business processes? | YES | NO | N/A |
| 45 | Do your business continuity plans identify the staffing that will be needed to restore your business processes? | YES | NO | N/A |
| 46 | Do your business continuity plans identify and assign all emergency management responsibilities? | YES | NO | N/A |
| 47 | Do your business continuity plans define all necessary emergency response procedures? | YES | NO | N/A |
| 48 | Do your emergency response procedures ensure that your critical processes will be recovered and restored within the required time limits? | YES | NO | N/A |
| 49 | Do your emergency response procedures accommodate and deal with all external business interdependencies? | YES | NO | N/A |
| 50 | Do your emergency response procedures respect and reflect all related business contracts? | YES | NO | N/A |
| 51 | Have you documented emergency response procedures? | YES | NO | N/A |
| 52 | Have you documented critical business processes? | YES | NO | N/A |
| 53 | Do your business continuity plans identify fallback arrangements for information processing facilities? | YES | NO | N/A |
| 54 | Have you taught your staff members how to use your emergency response procedures? | YES | NO | N/A |
| 55 | Have you taught your staff members how your critical business processes will be recovered and restored? | YES | NO | N/A |
| 56 | Have you taught your staff members about your crisis management methods and procedures? | YES | NO | N/A |
| 57 | Do you regularly test your business continuity plans? | YES | NO | N/A |
| 58 | Do you regularly update your business continuity plans? | YES | NO | N/A |
11.1.4 MAINTAIN A CONTINUITY PLANNING FRAMEWORK

| # | Question | YES | NO | N/A |
|---|---|---|---|---|
| 59 | Have you established a single framework of business continuity plans in order to ensure that all plans are consistent with one another? | YES | NO | N/A |
| 60 | Do you use your business continuity planning framework to determine plan testing priorities? | YES | NO | N/A |
| 61 | Do you use your business continuity planning framework to determine plan maintenance priorities? | YES | NO | N/A |
| 62 | Does each business continuity plan include a maintenance schedule that explains how and when the plan will be tested and maintained? | YES | NO | N/A |
| 63 | Do you amend your business continuity plans whenever new security threats or requirements are identified? | YES | NO | N/A |
| 64 | Does each business continuity plan clearly specify the conditions that must be met before it is activated? | YES | NO | N/A |
| 65 | Does each business continuity plan specify the process that must be followed before a plan may be activated? | YES | NO | N/A |
| 66 | Does each business continuity plan explain how a crisis situation should be assessed before a plan is activated? | YES | NO | N/A |
| 67 | Does each business continuity plan specify who should be contacted and involved before a plan may be activated? | YES | NO | N/A |
| 68 | Does each business continuity plan clearly specify who is responsible for executing each part of the plan? | YES | NO | N/A |
| 69 | Does each business continuity plan nominate alternative personnel who would be responsible for executing the plan if those who are primarily responsible are unable to do so? | YES | NO | N/A |
| 70 | Does each business continuity plan describe the emergency procedures that must be followed and the actions that must be taken to handle security incidents? | YES | NO | N/A |
| 71 | Does each business continuity plan explain how relations with the public must be managed during an emergency? | YES | NO | N/A |
| 72 | Does each business continuity plan explain how relations with governmental agencies and authorities should be managed during an emergency? | YES | NO | N/A |
| 73 | Does each business continuity plan explain how relations with emergency responders should be managed during an emergency? | YES | NO | N/A |
| 74 | Does each business continuity plan describe fallback procedures that should be followed to move essential business activities and services to alternative locations? | YES | NO | N/A |
| 75 | Does each business continuity plan describe fallback procedures that should be followed to reactivate your business processes within the required time limits? | YES | NO | N/A |
| 76 | Does each business continuity plan describe resumption procedures that should be followed to bring your business processes and services back to normal? | YES | NO | N/A |
| 77 | Does each business continuity plan describe the education and awareness activities that should be carried out to help ensure that staff members understand your business continuity methods and procedures? | YES | NO | N/A |
| 78 | Does each business continuity plan specify who owns and is responsible for managing and maintaining the plan? | YES | NO | N/A |
| 79 | Have owners of business processes and resources been given the responsibility to manage the implementation of related fallback and business resumption plans? | YES | NO | N/A |
| 80 | Are owners of business processes and resources responsible for managing the implementation of the emergency response procedures that affect their areas? | YES | NO | N/A |
| 81 | Are technical service providers responsible for managing the implementation of alternative technical services and fallback arrangements? | YES | NO | N/A |
| 82 | Are information service providers responsible for managing the implementation of alternative information processing facilities and fallback arrangements? | YES | NO | N/A |
| 83 | Are communications service providers responsible for managing the implementation of alternative communications facilities and fallback arrangements? | YES | NO | N/A |
| Etcetera ... | | YES | NO | N/A |
PRAXIOM RESEARCH GROUP LIMITED

Updated on November 29, 2008. On the Web since May 25, 1997.
Disclaimer and Limitation of Liability

The publisher and authors have used their best efforts in designing and developing this electronic publication. We make no representation or warranties with respect to accuracy or completeness of the contents of this publication and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose and shall in no event be liable for any loss of profit or any other commercial damage, including but not limited to special, incidental, consequential, or other damages.
Legal Restrictions on the Use of this Page

Thank you for visiting this page. You are, of course, welcome to view our material as often as you wish, free of charge. And as long as you keep intact all copyright notices, you are also welcome to print or make one copy of this page for your own personal, noncommercial, home use. But, you are not legally authorized to print or produce additional copies, or to copy and paste any of our material onto another web site. If you would like to purchase our material, please contact our Sales Desk. Our staff would be very pleased to take your order or to answer any questions you might have.

Copyright © 1997 - 2008 by Praxiom Research Group Limited. All Rights Reserved.